- Linux-kselftest-mirror - lists.linaro.org

[PATCH v9 00/10] bpf: Add kfuncs for PKCS#7 signature verification

by Roberto Sassu

One of the desirable features in security is the ability to restrict import of data to a given system based on data authenticity. If data import can be restricted, it would be possible to enforce a system-wide policy based on the signing keys the system owner trusts. This feature is widely used in the kernel. For example, if the restriction is enabled, kernel modules can be plugged in only if they are signed with a key whose public part is in the primary or secondary keyring. For eBPF, it can be useful as well. For example, it might be useful to authenticate data an eBPF program makes security decisions on. After a discussion in the eBPF mailing list, it was decided that the stated goal should be accomplished by introducing four new kfuncs: bpf_lookup_user_key() and bpf_lookup_system_key(), for retrieving a keyring with keys trusted for signature verification, respectively from its serial and from a pre-determined ID; bpf_key_put(), to release the reference obtained with the former two kfuncs, bpf_verify_pkcs7_signature(), for verifying PKCS#7 signatures. Other than the key serial, bpf_lookup_user_key() also accepts key lookup flags, that influence the behavior of the lookup. bpf_lookup_system_key() accepts pre-determined IDs defined in include/linux/verification.h. bpf_key_put() accepts the new bpf_key structure, introduced to tell whether the other structure member, a key pointer, is valid or not. The reason is that verify_pkcs7_signature() also accepts invalid pointers, set with the pre-determined ID, to select a system-defined keyring. key_put() must be called only for valid key pointers. Since the two key lookup functions allocate memory and one increments a key reference count, they must be used in conjunction with bpf_key_put(). The latter must be called only if the lookup functions returned a non-NULL pointer. The verifier denies the execution of eBPF programs that don't respect this rule. The two key lookup functions should be used in alternative, depending on the use case. While bpf_lookup_user_key() provides great flexibility, it seems suboptimal in terms of security guarantees, as even if the eBPF program is assumed to be trusted, the serial used to obtain the key pointer might come from untrusted user space not choosing one that the system administrator approves to enforce a mandatory policy. bpf_lookup_system_key() instead provides much stronger guarantees, especially if the pre-determined ID is not passed by user space but is hardcoded in the eBPF program, and that program is signed. In this case, bpf_verify_pkcs7_signature() will always perform signature verification with a key that the system administrator approves, i.e. the primary, secondary or platform keyring. Nevertheless, key permission checks need to be done accurately. Since bpf_lookup_user_key() cannot determine how a key will be used by other kfuncs, it has to defer the permission check to the actual kfunc using the key. It does it by calling lookup_user_key() with KEY_DEFER_PERM_CHECK as needed permission. Later, bpf_verify_pkcs7_signature(), if called, completes the permission check by calling key_validate(). It does not need to call key_task_permission() with permission KEY_NEED_SEARCH, as it is already done elsewhere by the key subsystem. Future kfuncs using the bpf_key structure need to implement the proper checks as well. Finally, the last kfunc, bpf_verify_pkcs7_signature(), accepts the data and signature to verify as eBPF dynamic pointers, to minimize the number of kfunc parameters, and the keyring with keys for signature verification as a bpf_key structure, returned by one of the two key lookup functions. All kfuncs except bpf_key_put() can be called only from sleepable programs, because of memory allocation and crypto operations. For example, the lsm.s/bpf attach point is suitable, fexit/array_map_update_elem is not. The correctness of implementation of the new kfuncs and of their usage is checked with the introduced tests. The patch set includes patches from other authors (dependencies) for sake of completeness. It is organized as follows. Patch 1 from Benjamin Tissoires introduces the new KF_SLEEPABLE kfunc flag. Patch 2 from KP Singh allows kfuncs to be used by LSM programs. Patch 3 allows dynamic pointers to be used as kfunc parameters. Patch 4 exports bpf_dynptr_get_size(), to obtain the real size of data carried by a dynamic pointer. Patch 5 makes available for new eBPF kfuncs some key-related definitions. Patch 6 introduces the bpf_lookup_*_key() and bpf_key_put() kfuncs. Patch 7 introduces the bpf_verify_pkcs7_signature() kfunc. Finally, patches 8-10 introduce the tests. Changelog v8: - Define the new bpf_key structure to carry the key pointer and whether that pointer is valid or not (suggested by Daniel) - Drop patch to mark a kfunc parameter with the __maybe_null suffix - Improve documentation of kfuncs - Introduce bpf_lookup_system_key() to obtain a key pointer suitable for verify_pkcs7_signature() (suggested by Daniel) - Use the new kfunc registration API - Drop patch to test the __maybe_null suffix - Add tests for bpf_lookup_system_key() v7: - Add support for using dynamic and NULL pointers in kfunc (suggested by Alexei) - Add new kfunc-related tests v6: - Switch back to key lookup helpers + signature verification (until v5), and defer permission check from bpf_lookup_user_key() to bpf_verify_pkcs7_signature() - Add additional key lookup test to illustrate the usage of the KEY_LOOKUP_CREATE flag and validate the flags (suggested by Daniel) - Make description of flags of bpf_lookup_user_key() more user-friendly (suggested by Daniel) - Fix validation of flags parameter in bpf_lookup_user_key() (reported by Daniel) - Rename bpf_verify_pkcs7_signature() keyring-related parameters to user_keyring and system_keyring to make their purpose more clear - Accept keyring-related parameters of bpf_verify_pkcs7_signature() as alternatives (suggested by KP) - Replace unsigned long type with u64 in helper declaration (suggested by Daniel) - Extend the bpf_verify_pkcs7_signature() test by calling the helper without data, by ensuring that the helper enforces the keyring-related parameters as alternatives, by ensuring that the helper rejects inaccessible and expired keyrings, and by checking all system keyrings - Move bpf_lookup_user_key() and bpf_key_put() usage tests to ref_tracking.c (suggested by John) - Call bpf_lookup_user_key() and bpf_key_put() only in sleepable programs v5: - Move KEY_LOOKUP_ to include/linux/key.h for validation of bpf_verify_pkcs7_signature() parameter - Remove bpf_lookup_user_key() and bpf_key_put() helpers, and the corresponding tests - Replace struct key parameter of bpf_verify_pkcs7_signature() with the keyring serial and lookup flags - Call lookup_user_key() and key_put() in bpf_verify_pkcs7_signature() code, to ensure that the retrieved key is used according to the permission requested at lookup time - Clarified keyring precedence in the description of bpf_verify_pkcs7_signature() (suggested by John) - Remove newline in the second argument of ASSERT_ - Fix helper prototype regular expression in bpf_doc.py v4: - Remove bpf_request_key_by_id(), don't return an invalid pointer that other helpers can use - Pass the keyring ID (without ULONG_MAX, suggested by Alexei) to bpf_verify_pkcs7_signature() - Introduce bpf_lookup_user_key() and bpf_key_put() helpers (suggested by Alexei) - Add lookup_key_norelease test, to ensure that the verifier blocks eBPF programs which don't decrement the key reference count - Parse raw PKCS#7 signature instead of module-style signature in the verify_pkcs7_signature test (suggested by Alexei) - Parse kernel module in user space and pass raw PKCS#7 signature to the eBPF program for signature verification v3: - Rename bpf_verify_signature() back to bpf_verify_pkcs7_signature() to avoid managing different parameters for each signature verification function in one helper (suggested by Daniel) - Use dynamic pointers and export bpf_dynptr_get_size() (suggested by Alexei) - Introduce bpf_request_key_by_id() to give more flexibility to the caller of bpf_verify_pkcs7_signature() to retrieve the appropriate keyring (suggested by Alexei) - Fix test by reordering the gcc command line, always compile sign-file - Improve helper support check mechanism in the test v2: - Rename bpf_verify_pkcs7_signature() to a more generic bpf_verify_signature() and pass the signature type (suggested by KP) - Move the helper and prototype declaration under #ifdef so that user space can probe for support for the helper (suggested by Daniel) - Describe better the keyring types (suggested by Daniel) - Include linux/bpf.h instead of vmlinux.h to avoid implicit or redeclaration - Make the test selfcontained (suggested by Alexei) v1: - Don't define new map flag but introduce simple wrapper of verify_pkcs7_signature() (suggested by Alexei and KP) Benjamin Tissoires (1): btf: Add a new kfunc flag which allows to mark a function to be sleepable KP Singh (1): bpf: Allow kfuncs to be used in LSM programs Roberto Sassu (8): btf: Handle dynamic pointer parameter in kfuncs bpf: Export bpf_dynptr_get_size() KEYS: Move KEY_LOOKUP_ to include/linux/key.h bpf: Add bpf_lookup_*_key() and bpf_key_put() kfuncs bpf: Add bpf_verify_pkcs7_signature() kfunc selftests/bpf: Add verifier tests for bpf_lookup_*_key() and bpf_key_put() selftests/bpf: Add additional tests for bpf_lookup_*_key() selftests/bpf: Add test for bpf_verify_pkcs7_signature() kfunc Documentation/bpf/kfuncs.rst | 6 + include/linux/bpf.h | 7 + include/linux/bpf_verifier.h | 3 + include/linux/btf.h | 1 + include/linux/key.h | 3 + kernel/bpf/btf.c | 27 ++ kernel/bpf/helpers.c | 2 +- kernel/bpf/verifier.c | 4 +- kernel/trace/bpf_trace.c | 207 +++++++++ security/keys/internal.h | 2 - tools/testing/selftests/bpf/Makefile | 14 +- tools/testing/selftests/bpf/config | 2 + .../selftests/bpf/prog_tests/lookup_key.c | 112 +++++ .../bpf/prog_tests/verify_pkcs7_sig.c | 399 ++++++++++++++++++ .../selftests/bpf/progs/test_lookup_key.c | 46 ++ .../bpf/progs/test_verify_pkcs7_sig.c | 100 +++++ tools/testing/selftests/bpf/test_verifier.c | 3 +- .../selftests/bpf/verifier/ref_tracking.c | 139 ++++++ .../testing/selftests/bpf/verify_sig_setup.sh | 104 +++++ 19 files changed, 1172 insertions(+), 9 deletions(-) create mode 100644 tools/testing/selftests/bpf/prog_tests/lookup_key.c create mode 100644 tools/testing/selftests/bpf/prog_tests/verify_pkcs7_sig.c create mode 100644 tools/testing/selftests/bpf/progs/test_lookup_key.c create mode 100644 tools/testing/selftests/bpf/progs/test_verify_pkcs7_sig.c create mode 100755 tools/testing/selftests/bpf/verify_sig_setup.sh -- 2.25.1

2 years, 2 months

7
27
0 0

[PATCH bpf-next v5 0/6] bpf trampoline for arm64

by Xu Kuohai

Add bpf trampoline support for arm64. Most of the logic is the same as x86. Tested on raspberry pi 4b and qemu with KASLR disabled (avoid long jump), result: #9 /1 bpf_cookie/kprobe:OK #9 /2 bpf_cookie/multi_kprobe_link_api:FAIL #9 /3 bpf_cookie/multi_kprobe_attach_api:FAIL #9 /4 bpf_cookie/uprobe:OK #9 /5 bpf_cookie/tracepoint:OK #9 /6 bpf_cookie/perf_event:OK #9 /7 bpf_cookie/trampoline:OK #9 /8 bpf_cookie/lsm:OK #9 bpf_cookie:FAIL #18 /1 bpf_tcp_ca/dctcp:OK #18 /2 bpf_tcp_ca/cubic:OK #18 /3 bpf_tcp_ca/invalid_license:OK #18 /4 bpf_tcp_ca/dctcp_fallback:OK #18 /5 bpf_tcp_ca/rel_setsockopt:OK #18 bpf_tcp_ca:OK #51 /1 dummy_st_ops/dummy_st_ops_attach:OK #51 /2 dummy_st_ops/dummy_init_ret_value:OK #51 /3 dummy_st_ops/dummy_init_ptr_arg:OK #51 /4 dummy_st_ops/dummy_multiple_args:OK #51 dummy_st_ops:OK #55 fentry_fexit:OK #56 fentry_test:OK #57 /1 fexit_bpf2bpf/target_no_callees:OK #57 /2 fexit_bpf2bpf/target_yes_callees:OK #57 /3 fexit_bpf2bpf/func_replace:OK #57 /4 fexit_bpf2bpf/func_replace_verify:OK #57 /5 fexit_bpf2bpf/func_sockmap_update:OK #57 /6 fexit_bpf2bpf/func_replace_return_code:OK #57 /7 fexit_bpf2bpf/func_map_prog_compatibility:OK #57 /8 fexit_bpf2bpf/func_replace_multi:OK #57 /9 fexit_bpf2bpf/fmod_ret_freplace:OK #57 fexit_bpf2bpf:OK #58 fexit_sleep:OK #59 fexit_stress:OK #60 fexit_test:OK #67 get_func_args_test:OK #68 get_func_ip_test:OK #104 modify_return:OK #237 xdp_bpf2bpf:OK bpf_cookie/multi_kprobe_link_api and bpf_cookie/multi_kprobe_attach_api failed due to lack of multi_kprobe on arm64. v5: - As Alexei suggested, remove is_valid_bpf_tramp_flags() v4: https://lore.kernel.org/bpf/20220517071838.3366093-1-xukuohai@huawei.com/ - Run the test cases on raspberry pi 4b - Rebase and add cookie to trampoline - As Steve suggested, move trace_direct_tramp() back to entry-ftrace.S to avoid messing up generic code with architecture specific code - As Jakub suggested, merge patch 4 and patch 5 of v3 to provide full function in one patch - As Mark suggested, add a comment for the use of aarch64_insn_patch_text_nosync() - Do not generate trampoline for long jump to avoid triggering ftrace_bug - Round stack size to multiples of 16B to avoid SPAlignmentFault - Use callee saved register x20 to reduce the use of mov_i64 - Add missing BTI J instructions - Trivial spelling and code style fixes v3: https://lore.kernel.org/bpf/20220424154028.1698685-1-xukuohai@huawei.com/ - Append test results for bpf_tcp_ca, dummy_st_ops, fexit_bpf2bpf, xdp_bpf2bpf - Support to poke bpf progs - Fix return value of arch_prepare_bpf_trampoline() to the total number of bytes instead of number of instructions - Do not check whether CONFIG_DYNAMIC_FTRACE_WITH_REGS is enabled in arch_prepare_bpf_trampoline, since the trampoline may be hooked to a bpf prog - Restrict bpf_arch_text_poke() to poke bpf text only, as kernel functions are poked by ftrace - Rewrite trace_direct_tramp() in inline assembly in trace_selftest.c to avoid messing entry-ftrace.S - isolate arch_ftrace_set_direct_caller() with macro CONFIG_HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS to avoid compile error when this macro is disabled - Some trivial code sytle fixes v2: https://lore.kernel.org/bpf/20220414162220.1985095-1-xukuohai@huawei.com/ - Add Song's ACK - Change the multi-line comment in is_valid_bpf_tramp_flags() into net style (patch 3) - Fix a deadloop issue in ftrace selftest (patch 2) - Replace pt_regs->x0 with pt_regs->orig_x0 in patch 1 commit message - Replace "bpf trampoline" with "custom trampoline" in patch 1, as ftrace direct call is not only used by bpf trampoline. v1: https://lore.kernel.org/bpf/20220413054959.1053668-1-xukuohai@huawei.com/ Xu Kuohai (6): arm64: ftrace: Add ftrace direct call support ftrace: Fix deadloop caused by direct call in ftrace selftest bpf: Remove is_valid_bpf_tramp_flags() bpf, arm64: Impelment bpf_arch_text_poke() for arm64 bpf, arm64: bpf trampoline for arm64 selftests/bpf: Fix trivial typo in fentry_fexit.c arch/arm64/Kconfig | 2 + arch/arm64/include/asm/ftrace.h | 22 + arch/arm64/kernel/asm-offsets.c | 1 + arch/arm64/kernel/entry-ftrace.S | 28 +- arch/arm64/net/bpf_jit.h | 1 + arch/arm64/net/bpf_jit_comp.c | 523 +++++++++++++++++- arch/x86/net/bpf_jit_comp.c | 20 - kernel/bpf/bpf_struct_ops.c | 3 + kernel/bpf/trampoline.c | 3 + kernel/trace/trace_selftest.c | 2 + .../selftests/bpf/prog_tests/fentry_fexit.c | 4 +- 11 files changed, 570 insertions(+), 39 deletions(-) -- 2.30.2

2 years, 2 months

5
29
0 0

[PATCH net v2 1/2] selftests: include bonding tests into the kselftest infra

by Jonathan Toppins

This creates a test collection in drivers/net/bonding for bonding specific kernel selftests. The first test is a reproducer that provisions a bond and given the specific order in how the ip-link(8) commands are issued the bond never transmits an LACPDU frame on any of its slaves. Signed-off-by: Jonathan Toppins <jtoppins(a)redhat.com> --- Notes: v2: * fully integrated the test into the kselftests infrastructure * moved the reproducer to under tools/testing/selftests/drivers/net/bonding * reduced the test to its minimial amount and used ip-link(8) for all bond interface configuration MAINTAINERS | 1 + tools/testing/selftests/Makefile | 1 + .../selftests/drivers/net/bonding/Makefile | 6 ++ .../net/bonding/bond-break-lacpdu-tx.sh | 82 +++++++++++++++++++ .../selftests/drivers/net/bonding/config | 1 + .../selftests/drivers/net/bonding/settings | 1 + 6 files changed, 92 insertions(+) create mode 100644 tools/testing/selftests/drivers/net/bonding/Makefile create mode 100755 tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh create mode 100644 tools/testing/selftests/drivers/net/bonding/config create mode 100644 tools/testing/selftests/drivers/net/bonding/settings diff --git a/MAINTAINERS b/MAINTAINERS index 386178699ae7..6e7cebc1bca3 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -3636,6 +3636,7 @@ F: Documentation/networking/bonding.rst F: drivers/net/bonding/ F: include/net/bond* F: include/uapi/linux/if_bonding.h +F: tools/testing/selftests/net/bonding/ BOSCH SENSORTEC BMA400 ACCELEROMETER IIO DRIVER M: Dan Robertson <dan(a)dlrobertson.com> diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile index 5047d8eef53e..86f5f6d65526 100644 --- a/tools/testing/selftests/Makefile +++ b/tools/testing/selftests/Makefile @@ -12,6 +12,7 @@ TARGETS += cpu-hotplug TARGETS += damon TARGETS += drivers/dma-buf TARGETS += drivers/s390x/uvdevice +TARGETS += drivers/net/bonding TARGETS += efivarfs TARGETS += exec TARGETS += filesystems diff --git a/tools/testing/selftests/drivers/net/bonding/Makefile b/tools/testing/selftests/drivers/net/bonding/Makefile new file mode 100644 index 000000000000..ab6c54b12098 --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/Makefile @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: GPL-2.0 +# Makefile for net selftests + +TEST_PROGS := bond-break-lacpdu-tx.sh + +include ../../../lib.mk diff --git a/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh b/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh new file mode 100755 index 000000000000..a4f174aeabd9 --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/bond-break-lacpdu-tx.sh @@ -0,0 +1,82 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 + +# Regression Test: +# Verify LACPDUs get transmitted after setting the MAC address of +# the bond. +# +# https://bugzilla.redhat.com/show_bug.cgi?id=2020773 +# +# +---------+ +# | fab-br0 | +# +---------+ +# | +# +---------+ +# | fbond | +# +---------+ +# | | +# +------+ +------+ +# |veth1 | |veth2 | +# +------+ +------+ +# +# We use veths instead of physical interfaces + +set -e +#set -x +tmp=$(mktemp -q dump.XXXXXX) +cleanup() { + ip link del fab-br0 >/dev/null 2>&1 || : + ip link del fbond >/dev/null 2>&1 || : + ip link del veth1-bond >/dev/null 2>&1 || : + ip link del veth2-bond >/dev/null 2>&1 || : + modprobe -r bonding >/dev/null 2>&1 || : + rm -f -- ${tmp} +} + +trap cleanup 0 1 2 +cleanup +sleep 1 + +# create the bridge +ip link add fab-br0 address 52:54:00:3B:7C:A6 mtu 1500 type bridge \ + forward_delay 15 + +# create the bond +ip link add fbond type bond mode 4 miimon 200 xmit_hash_policy 1 \ + ad_actor_sys_prio 65535 lacp_rate fast + +# set bond address +ip link set fbond address 52:54:00:3B:7C:A6 +ip link set fbond up + +# set again bond sysfs parameters +ip link set fbond type bond ad_actor_sys_prio 65535 + +# create veths +ip link add name veth1-bond type veth peer name veth1-end +ip link add name veth2-bond type veth peer name veth2-end + +# add ports +ip link set fbond master fab-br0 +ip link set veth1-bond down master fbond +ip link set veth2-bond down master fbond + +# bring up +ip link set veth1-end up +ip link set veth2-end up +ip link set fab-br0 up +ip link set fbond up +ip addr add dev fab-br0 10.0.0.3 + +tcpdump -n -i veth1-end -e ether proto 0x8809 >${tmp} 2>&1 & +sleep 15 +pkill tcpdump >/dev/null 2>&1 +rc=0 +num=$(grep "packets captured" ${tmp} | awk '{print $1}') +if test "$num" -gt 0; then + echo "PASS, captured ${num}" +else + echo "FAIL" + rc=1 +fi +exit $rc diff --git a/tools/testing/selftests/drivers/net/bonding/config b/tools/testing/selftests/drivers/net/bonding/config new file mode 100644 index 000000000000..dc1c22de3c92 --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/config @@ -0,0 +1 @@ +CONFIG_BONDING=y diff --git a/tools/testing/selftests/drivers/net/bonding/settings b/tools/testing/selftests/drivers/net/bonding/settings new file mode 100644 index 000000000000..867e118223cd --- /dev/null +++ b/tools/testing/selftests/drivers/net/bonding/settings @@ -0,0 +1 @@ +timeout=60 -- 2.31.1

2 years, 2 months

2
1
0 0

[PATCH v4 0/3] kunit: Introduce KUNIT_EXPECT_MEMEQ and KUNIT_EXPECT_MEMNEQ macros

by Maíra Canal

Currently, in order to compare memory blocks in KUnit, the KUNIT_EXPECT_EQ or KUNIT_EXPECT_FALSE macros are used in conjunction with the memcmp function, such as: KUNIT_EXPECT_EQ(test, memcmp(foo, bar, size), 0); Although this usage produces correct results for the test cases, if the expectation fails the error message is not very helpful, indicating only the return of the memcmp function. Therefore, create a new set of macros KUNIT_EXPECT_MEMEQ and KUNIT_EXPECT_MEMNEQ that compare memory blocks until a determined size. In case of expectation failure, those macros print the hex dump of the memory blocks, making it easier to debug test failures for memory blocks. The v4 doesn't bring many changes. The output is aligned just like the previous version but it fixes some mail client problems (sorry about that) and mentions that this macros are not recommended for structured data. The first patch of the series introduces the KUNIT_EXPECT_MEMEQ and KUNIT_EXPECT_MEMNEQ. The second patch adds an example of memory block expectations on the kunit-example-test.c. And the last patch replaces the KUNIT_EXPECT_EQ for KUNIT_EXPECT_MEMEQ on the existing occurrences. Best Regards, - Maíra Canal v1 -> v2: https://lore.kernel.org/linux-kselftest/2a0dcd75-5461-5266-2749-808f638f4c5… - Change "determinated" to "specified" (Daniel Latypov). - Change the macro KUNIT_EXPECT_ARREQ to KUNIT_EXPECT_MEMEQ, in order to make it easier for users to infer the right size unit (Daniel Latypov). - Mark the different bytes on the failure message with a <> (Daniel Latypov). - Replace a constant number of array elements for ARRAY_SIZE() (André Almeida). - Rename "array" and "expected" variables to "array1" and "array2" (Daniel Latypov). v2 -> v3: https://lore.kernel.org/linux-kselftest/20220802212621.420840-1-mairacanal@… - Make the bytes aligned at output. - Add KUNIT_SUBSUBTEST_INDENT to the output for the indentation (Daniel Latypov). - Line up the trailing \ at macros using tabs (Daniel Latypov). - Line up the params to the functions (Daniel Latypov). - Change "Increament" to "Augment" (Daniel Latypov). - Use sizeof() for array sizes (Daniel Latypov). - Add Daniel Latypov's tags. v3 -> v4: https://lore.kernel.org/linux-kselftest/CABVgOSm_59Yr82deQm2C=18jjSv_akmn66… - Fix wrapped lines by the mail client (David Gow). - Mention on documentation that KUNIT_EXPECT_MEMEQ is not recommended for structured data (David Gow). - Add Muhammad Usama Anjum's tag. Maíra Canal (3): kunit: Introduce KUNIT_EXPECT_MEMEQ and KUNIT_EXPECT_MEMNEQ macros kunit: Add KUnit memory block assertions to the example_all_expect_macros_test kunit: Use KUNIT_EXPECT_MEMEQ macro .../gpu/drm/tests/drm_format_helper_test.c | 6 +- include/kunit/assert.h | 34 ++++++++ include/kunit/test.h | 84 +++++++++++++++++++ lib/kunit/assert.c | 56 +++++++++++++ lib/kunit/kunit-example-test.c | 7 ++ net/core/dev_addr_lists_test.c | 4 +- 6 files changed, 186 insertions(+), 5 deletions(-) -- 2.37.1

2 years, 2 months

2
4
0 0

[RFC net] bonding: 802.3ad: fix no transmission of LACPDUs

by Jonathan Toppins

Running the script in `tools/testing/selftests/net/bonding/bond-break-lacpdu-tx.sh` puts bonding into a state where it never transmits LACPDUs. line 53: echo 65535 > /sys/class/net/fbond/bonding/ad_actor_sys_prio setting bond param: ad_actor_sys_prio given: params.ad_actor_system = 0 call stack: bond_option_ad_actor_sys_prio() -> bond_3ad_update_ad_actor_settings() -> set ad.system.sys_priority = bond->params.ad_actor_sys_prio -> ad.system.sys_mac_addr = bond->dev->dev_addr; because params.ad_actor_system == 0 results: ad.system.sys_mac_addr = bond->dev->dev_addr line 59: ip link set fbond address 52:54:00:3B:7C:A6 setting bond MAC addr call stack: bond->dev->dev_addr = new_mac line 63: echo 65535 > /sys/class/net/fbond/bonding/ad_actor_sys_prio setting bond param: ad_actor_sys_prio given: params.ad_actor_system = 0 call stack: bond_option_ad_actor_sys_prio() -> bond_3ad_update_ad_actor_settings() -> set ad.system.sys_priority = bond->params.ad_actor_sys_prio -> ad.system.sys_mac_addr = bond->dev->dev_addr; because params.ad_actor_system == 0 results: ad.system.sys_mac_addr = bond->dev->dev_addr line 71: ip link set veth1-bond down master fbond given: params.ad_actor_system = 0 params.mode = BOND_MODE_8023AD ad.system.sys_mac_addr == bond->dev->dev_addr call stack: bond_enslave -> bond_3ad_initialize(); because first slave -> if ad.system.sys_mac_addr != bond->dev->dev_addr return results: Nothing is run in bond_3ad_initialize() because dev_add equals sys_mac_addr leaving the global ad_ticks_per_sec zero as it is never initialized anywhere else. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jonathan Toppins <jtoppins(a)redhat.com> --- MAINTAINERS | 1 + drivers/net/bonding/bond_3ad.c | 2 +- .../net/bonding/bond-break-lacpdu-tx.sh | 88 +++++++++++++++++++ 3 files changed, 90 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/net/bonding/bond-break-lacpdu-tx.sh diff --git a/MAINTAINERS b/MAINTAINERS index 386178699ae7..6e7cebc1bca3 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -3636,6 +3636,7 @@ F: Documentation/networking/bonding.rst F: drivers/net/bonding/ F: include/net/bond* F: include/uapi/linux/if_bonding.h +F: tools/testing/selftests/net/bonding/ BOSCH SENSORTEC BMA400 ACCELEROMETER IIO DRIVER M: Dan Robertson <dan(a)dlrobertson.com> diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c index d7fb33c078e8..e357bc6b8e05 100644 --- a/drivers/net/bonding/bond_3ad.c +++ b/drivers/net/bonding/bond_3ad.c @@ -84,7 +84,7 @@ enum ad_link_speed_type { static const u8 null_mac_addr[ETH_ALEN + 2] __long_aligned = { 0, 0, 0, 0, 0, 0 }; -static u16 ad_ticks_per_sec; +static u16 ad_ticks_per_sec = 1000/AD_TIMER_INTERVAL; static const int ad_delta_in_ticks = (AD_TIMER_INTERVAL * HZ) / 1000; static const u8 lacpdu_mcast_addr[ETH_ALEN + 2] __long_aligned = diff --git a/tools/testing/selftests/net/bonding/bond-break-lacpdu-tx.sh b/tools/testing/selftests/net/bonding/bond-break-lacpdu-tx.sh new file mode 100644 index 000000000000..be9f1b64e89e --- /dev/null +++ b/tools/testing/selftests/net/bonding/bond-break-lacpdu-tx.sh @@ -0,0 +1,88 @@ +#!/bin/sh + +# Regression Test: +# Verify LACPDUs get transmitted after setting the MAC address of +# the bond. +# +# https://bugzilla.redhat.com/show_bug.cgi?id=2020773 +# +# +---------+ +# | fab-br0 | +# +---------+ +# | +# +---------+ +# | fbond | +# +---------+ +# | | +# +------+ +------+ +# |veth1 | |veth2 | +# +------+ +------+ +# +# We use veths instead of physical interfaces + +set -e +#set -x +tmp=$(mktemp -q dump.XXXXXX) +cleanup() { + ip link del fab-br0 >/dev/null 2>&1 || : + ip link del fbond >/dev/null 2>&1 || : + ip link del veth1-bond >/dev/null 2>&1 || : + ip link del veth2-bond >/dev/null 2>&1 || : + modprobe -r bonding >/dev/null 2>&1 || : + rm -f -- ${tmp} +} + +trap cleanup 0 1 2 +cleanup +sleep 1 + +# create the bridge +ip link add fab-br0 address 52:54:00:3B:7C:A6 mtu 1500 type bridge \ + forward_delay 15 + +# create the bond +ip link add fbond type bond +ip link set fbond up + +# set bond sysfs parameters +ip link set fbond down +echo 802.3ad > /sys/class/net/fbond/bonding/mode +echo 200 > /sys/class/net/fbond/bonding/miimon +echo 1 > /sys/class/net/fbond/bonding/xmit_hash_policy +echo 65535 > /sys/class/net/fbond/bonding/ad_actor_sys_prio +echo stable > /sys/class/net/fbond/bonding/ad_select +echo slow > /sys/class/net/fbond/bonding/lacp_rate +echo any > /sys/class/net/fbond/bonding/arp_all_targets + +# set bond address +ip link set fbond address 52:54:00:3B:7C:A6 +ip link set fbond up + +# set again bond sysfs parameters +echo 65535 > /sys/class/net/fbond/bonding/ad_actor_sys_prio + +# create veths +ip link add name veth1-bond type veth peer name veth1-end +ip link add name veth2-bond type veth peer name veth2-end + +# add ports +ip link set fbond master fab-br0 +ip link set veth1-bond down master fbond +ip link set veth2-bond down master fbond + +# bring up +ip link set veth1-end up +ip link set veth2-end up +ip link set fab-br0 up +ip link set fbond up +ip addr add dev fab-br0 10.0.0.3 + +tcpdump -n -i veth1-end -e ether proto 0x8809 >${tmp} 2>&1 & +sleep 60 +pkill tcpdump >/dev/null 2>&1 +num=$(grep "packets captured" ${tmp} | awk '{print $1}') +if test "$num" -gt 0; then + echo "PASS, captured ${num}" +else + echo "FAIL" +fi -- 2.31.1

2 years, 2 months

3
4
0 0

Good Day,

by Dr. Ali Moses

-- Hello, We the Board Directors believe you are in good health, doing great and with the hope that this mail will meet you in good condition, We are privileged and delighted to reach you via email" And we are urgently waiting to hear from you. and again your number is not connecting. My regards, Dr. Ali Moses.. Sincerely, Prof. Chin Guang

2 years, 2 months

1
0
0 0

lkft kselftest for next-20220809

by lkft＠linaro.org

## Build * kernel: 5.19.0 * git: https://gitlab.com/Linaro/lkft/mirrors/next/linux-next * git branch: master * git commit: 6c8f479764ebe2848589de3249743ea552ed2495 * git describe: next-20220809 * test details: https://qa-reports.linaro.org/lkft/linux-next-master/build/next-20220809 ## Test Regressions (compared to next-20220808) No test regressions found. ## Metric Regressions (compared to next-20220808) No metric regressions found. Tested-by: Linux Kernel Functional Testing <lkft(a)linaro.org> ## Test Fixes (compared to next-20220808) No test fixes found. ## Metric Fixes (compared to next-20220808) No metric fixes found. ## Test result summary total: 0, pass: 0, fail: 0, skip: 0, xfail: 0 ## Build Summary ## Test suites summary -- Linaro LKFT https://lkft.linaro.org

2 years, 2 months

1
0
0 0

tools/testing/selftests/kvm/rseq_test and glibc 2.35

by Florian Weimer

It has come to my attention that the KVM rseq test apparently needs to be ported to glibc 2.35. The background is that on aarch64, rseq is the only way to get a practically useful sched_getcpu. (There's no hidden per-task CPU state the vDSO could reveal as the CPU ID.) The main rseq tests have already been adjusted via: commit 233e667e1ae3e348686bd9dd0172e62a09d852e1 Author: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Date: Mon Jan 24 12:12:45 2022 -0500 selftests/rseq: Uplift rseq selftests for compatibility with glibc-2.35 glibc-2.35 (upcoming release date 2022-02-01) exposes the rseq per-thread data in the TCB, accessible at an offset from the thread pointer, rather than through an actual Thread-Local Storage (TLS) variable, as the Linux kernel selftests initially expected. The __rseq_abi TLS and glibc-2.35's ABI for per-thread data cannot actively coexist in a process, because the kernel supports only a single rseq registration per thread. Here is the scheme introduced to ensure selftests can work both with an older glibc and with glibc-2.35+: - librseq exposes its own "rseq_offset, rseq_size, rseq_flags" ABI. - librseq queries for glibc rseq ABI (__rseq_offset, __rseq_size, __rseq_flags) using dlsym() in a librseq library constructor. If those are found, copy their values into rseq_offset, rseq_size, and rseq_flags. - Else, if those glibc symbols are not found, handle rseq registration from librseq and use its own IE-model TLS to implement the rseq ABI per-thread storage. Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lkml.kernel.org/r/20220124171253.22072-8-mathieu.desnoyers@efficios… But I don't see a similar adjustment for tools/testing/selftests/kvm/rseq_test.c. As an additional wrinkle, you'd have to start calling getcpu (glibc function or system call) because comparing rseq.cpu_id against sched_getcpu won't test anything anymore once glibc implements sched_getcpu using rseq. We noticed this because our downstream glibc version, while based on 2.34, enables rseq registration by default. To facilitate coordination with rseq application usage, we also backported the __rseq_* ABI symbols, so the selftests could use that even in our downstream version. (We enable the glibc tunables downstream, but they are an optional glibc feature, so it's probably better in the long run to fix the kernel selftests rather than using the tunables as a workaround.) Thanks, Florian

2 years, 2 months

3
5
0 0

[RFC net-next v2 0/6] net: support QUIC crypto

by Adel Abouchaev

QUIC requires end to end encryption of the data. The application usually prepares the data in clear text, encrypts and calls send() which implies multiple copies of the data before the packets hit the networking stack. Similar to kTLS, QUIC kernel offload of cryptography reduces the memory pressure by reducing the number of copies. The scope of kernel support is limited to the symmetric cryptography, leaving the handshake to the user space library. For QUIC in particular, the application packets that require symmetric cryptography are the 1RTT packets with short headers. Kernel will encrypt the application packets on transmission and decrypt on receive. This series implements Tx only, because in QUIC server applications Tx outweighs Rx by orders of magnitude. Supporting the combination of QUIC and GSO requires the application to correctly place the data and the kernel to correctly slice it. The encryption process appends an arbitrary number of bytes (tag) to the end of the message to authenticate it. The GSO value should include this overhead, the offload would then subtract the tag size to parse the input on Tx before chunking and encrypting it. With the kernel cryptography, the buffer copy operation is conjoined with the encryption operation. The memory bandwidth is reduced by 5-8%. When devices supporting QUIC encryption in hardware come to the market, we will be able to free further 7% of CPU utilization which is used today for crypto operations. Adel Abouchaev (6): Documentation on QUIC kernel Tx crypto. Define QUIC specific constants, control and data plane structures Add UDP ULP operations, initialization and handling prototype functions. Implement QUIC offload functions Add flow counters and Tx processing error counter Add self tests for ULP operations, flow setup and crypto tests v2: Moved the inner QUIC Kconfig from the ULP patch to QUIC patch. v2: Updated the tests to match the uAPI context structure fields. v2: Formatted the quic.rst document. Documentation/networking/index.rst | 1 + Documentation/networking/quic.rst | 186 +++ include/net/inet_sock.h | 2 + include/net/netns/mib.h | 3 + include/net/quic.h | 59 + include/net/snmp.h | 6 + include/net/udp.h | 33 + include/uapi/linux/quic.h | 61 + include/uapi/linux/snmp.h | 11 + include/uapi/linux/udp.h | 4 + net/Kconfig | 1 + net/Makefile | 1 + net/ipv4/Makefile | 3 +- net/ipv4/udp.c | 14 + net/ipv4/udp_ulp.c | 190 ++++ net/quic/Kconfig | 16 + net/quic/Makefile | 8 + net/quic/quic_main.c | 1446 ++++++++++++++++++++++++ net/quic/quic_proc.c | 45 + tools/testing/selftests/net/.gitignore | 3 +- tools/testing/selftests/net/Makefile | 2 +- tools/testing/selftests/net/quic.c | 1024 +++++++++++++++++ tools/testing/selftests/net/quic.sh | 45 + 23 files changed, 3161 insertions(+), 3 deletions(-) create mode 100644 Documentation/networking/quic.rst create mode 100644 include/net/quic.h create mode 100644 include/uapi/linux/quic.h create mode 100644 net/ipv4/udp_ulp.c create mode 100644 net/quic/Kconfig create mode 100644 net/quic/Makefile create mode 100644 net/quic/quic_main.c create mode 100644 net/quic/quic_proc.c create mode 100644 tools/testing/selftests/net/quic.c create mode 100755 tools/testing/selftests/net/quic.sh -- 2.30.2

2 years, 2 months

2
8
0 0

[kvm-unit-tests PATCH v2 0/5] Test for illegal LEA & related fixes

by Michal Luczaj

Is this a correct way to put Sean's and Paolo's patches into this series? I wasn't sure which patches are accepted or what is the current base-commit, but I haven't seen the tip of kvm-unit-tests repo moving, so here is it. Michal Luczaj (3): x86: emulator.c cleanup: Save and restore exception handlers x86: emulator.c cleanup: Use ASM_TRY() for the UD_VECTOR cases x86: Test emulator's handling of LEA with /reg Paolo Bonzini (1): x86: Introduce ASM_TRY_FEP() to handle exceptions thrown by FEP-triggered emulator Sean Christopherson (1): x86: Dedup 32-bit vs. 64-bit ASM_TRY() by stealing kernel's __ASM_SEL() lib/x86/desc.h | 22 +++---- lib/x86/processor.h | 12 ++++ x86/emulator.c | 136 ++++++++++++++++++++++++-------------------- 3 files changed, 93 insertions(+), 77 deletions(-) -- 2.37.1

2 years, 2 months

2
7
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror