Diffstat (limited to 'tools')
-rw-r--r--tools/go_marshal/gomarshal/generator.go8
-rw-r--r--tools/go_marshal/gomarshal/generator_tests.go12
-rwxr-xr-xtools/make_apt.sh2
-rw-r--r--tools/verity/BUILD15
-rw-r--r--tools/verity/measure_tool.go87
-rw-r--r--tools/verity/measure_tool_unsafe.go39
6 files changed, 153 insertions, 10 deletions
diff --git a/tools/go_marshal/gomarshal/generator.go b/tools/go_marshal/gomarshal/generator.go
index abd6f69ea..634abd1af 100644
--- a/tools/go_marshal/gomarshal/generator.go
+++ b/tools/go_marshal/gomarshal/generator.go
@@ -427,7 +427,7 @@ func (g *Generator) generateOne(t *marshallableType, fset *token.FileSet) *inter
// implementations type t.
func (g *Generator) generateOneTestSuite(t *marshallableType) *testGenerator {
i := newTestGenerator(t.spec, t.recv)
- i.emitTests(t.slice, t.dynamic)
+ i.emitTests(t.slice)
return i
}
@@ -488,7 +488,11 @@ func (g *Generator) Run() error {
panic(fmt.Sprintf("Generated code for '%s' referenced a non-existent import with local name '%s'. Either go-marshal needs to add an import to the generated file, or a package in an input source file has a package name differ from the final component of its path, which go-marshal doesn't know how to detect; use an import alias to work around this limitation.", impl.typeName(), name))
}
}
- ts = append(ts, g.generateOneTestSuite(t))
+ // Do not generate tests for dynamic types because they inherently
+ // violate some go_marshal requirements.
+ if !t.dynamic {
+ ts = append(ts, g.generateOneTestSuite(t))
+ }
}
}
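Review bot: Guarding the `generateOneTestSuite` call with `!t.dynamic` removes every generated test for dynamic types, including `emitTestNonZeroSize` and `emitTestSuspectAlignment`, which the branch removed from `emitTests` in generator_tests.go still emitted for them. If dropping the size and alignment checks is intended, the new comment should say so and name the requirement that dynamic types break, for example `// Dynamic types get no generated tests at all, including the size and alignment checks, because <requirement>.` If it is not intended, the `isDynamic` parameter should stay so that only the three round-trip tests are skipped. `Run` starts and ends outside this hunk.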
diff --git a/tools/go_marshal/gomarshal/generator_tests.go b/tools/go_marshal/gomarshal/generator_tests.go
index ca3e15c16..6cf00843f 100644
--- a/tools/go_marshal/gomarshal/generator_tests.go
+++ b/tools/go_marshal/gomarshal/generator_tests.go
@@ -216,16 +216,12 @@ func (g *testGenerator) emitTestSizeBytesOnTypedNilPtr() {
})
}
-func (g *testGenerator) emitTests(slice *sliceAPI, isDynamic bool) {
+func (g *testGenerator) emitTests(slice *sliceAPI) {
g.emitTestNonZeroSize()
g.emitTestSuspectAlignment()
- if !isDynamic {
- // Do not test these for dynamic structs because they violate some
- // assumptions that these tests make.
- g.emitTestMarshalUnmarshalPreservesData()
- g.emitTestWriteToUnmarshalPreservesData()
- g.emitTestSizeBytesOnTypedNilPtr()
- }
+ g.emitTestMarshalUnmarshalPreservesData()
+ g.emitTestWriteToUnmarshalPreservesData()
+ g.emitTestSizeBytesOnTypedNilPtr()
if slice != nil {
g.emitTestMarshalUnmarshalSlicePreservesData(slice)
diff --git a/tools/make_apt.sh b/tools/make_apt.sh
index 68f6973ec..935c4db2d 100755
--- a/tools/make_apt.sh
+++ b/tools/make_apt.sh
@@ -107,7 +107,9 @@ for pkg in "$@"; do
cp -a -L "$(dirname "${pkg}")/${name}.deb" "${destdir}"
cp -a -L "$(dirname "${pkg}")/${name}.changes" "${destdir}"
chmod 0644 "${destdir}"/"${name}".*
+ # Sign a package only if it isn't signed yet.
# We use [*] here to expand the gpg_opts array into a single shell-word.
+ dpkg-sig -g "${gpg_opts[*]}" --verify "${destdir}/${name}.deb" ||
dpkg-sig -g "${gpg_opts[*]}" --sign builder "${destdir}/${name}.deb"
done
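Review bot: The `||` on the added `dpkg-sig --verify` line treats every verification failure as "not signed yet", so a .deb that carries a bad or unknown signature falls through to `--sign builder` instead of stopping the build. I would capture the verify output, sign only when it reports no signature, and fail on any other state. This assumes dpkg-sig's usual GOODSIG/BADSIG/UNKNOWNSIG/NOSIG status words, which should be confirmed against the version installed on the builder. The enclosing `for pkg` loop starts outside the hunk.

```shell
  # … unchanged: cp and chmod of the .deb and .changes files …
  # We use [*] here to expand the gpg_opts array into a single shell-word.
  sig_state="$(dpkg-sig -g "${gpg_opts[*]}" --verify "${destdir}/${name}.deb" 2>&1 || true)"
  case "${sig_state}" in
    *BADSIG*|*UNKNOWNSIG*)
      # An existing signature that does not verify is a build failure, not a
      # reason to sign again.
      echo "refusing to sign ${name}.deb: ${sig_state}" >&2
      exit 1
      ;;
    *NOSIG*)
      dpkg-sig -g "${gpg_opts[*]}" --sign builder "${destdir}/${name}.deb"
      ;;
    *GOODSIG*)
      ;;
    *)
      echo "unexpected dpkg-sig output for ${name}.deb: ${sig_state}" >&2
      exit 1
      ;;
  esac
```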
diff --git a/tools/verity/BUILD b/tools/verity/BUILD
new file mode 100644
index 000000000..77d16359c
--- /dev/null
+++ b/tools/verity/BUILD
@@ -0,0 +1,15 @@
+load("//tools:defs.bzl", "go_binary")
+
+licenses(["notice"])
+
+go_binary(
+ name = "measure_tool",
+ srcs = [
+ "measure_tool.go",
+ "measure_tool_unsafe.go",
+ ],
+ pure = True,
+ deps = [
+ "//pkg/abi/linux",
+ ],
+)
diff --git a/tools/verity/measure_tool.go b/tools/verity/measure_tool.go
new file mode 100644
index 000000000..0d314ae70
--- /dev/null
+++ b/tools/verity/measure_tool.go
@@ -0,0 +1,87 @@
+// Copyright 2021 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This binary can be used to run a measurement of the verity file system,
+// generate the corresponding Merkle tree files, and return the root hash.
+package main
+
+import (
+ "flag"
+ "io/ioutil"
+ "log"
+ "os"
+ "syscall"
+
+ "gvisor.dev/gvisor/pkg/abi/linux"
+)
+
+var path = flag.String("path", "", "path to the verity file system.")
+
+const maxDigestSize = 64
+
+type digest struct {
+ metadata linux.DigestMetadata
+ digest [maxDigestSize]byte
+}
+
+func main() {
+ flag.Parse()
+ if *path == "" {
+ log.Fatalf("no path provided")
+ }
+ if err := enableDir(*path); err != nil {
+ log.Fatalf("Failed to enable file system %s: %v", *path, err)
+ }
+ // Print the root hash of the file system to stdout.
+ if err := measure(*path); err != nil {
+ log.Fatalf("Failed to measure file system %s: %v", *path, err)
+ }
+}
+
+// enableDir enables verity features on all the files and sub-directories within
+// path.
+func enableDir(path string) error {
+ files, err := ioutil.ReadDir(path)
+ if err != nil {
+ return err
+ }
+ for _, file := range files {
+ if file.IsDir() {
+ // For directories, first enable its children.
+ if err := enableDir(path + "/" + file.Name()); err != nil {
+ return err
+ }
+ } else if file.Mode().IsRegular() {
+ // For regular files, open and enable verity feature.
+ f, err := os.Open(path + "/" + file.Name())
+ if err != nil {
+ return err
+ }
+ var p uintptr
+ if _, _, err := syscall.Syscall(syscall.SYS_IOCTL, uintptr(f.Fd()), uintptr(linux.FS_IOC_ENABLE_VERITY), p); err != 0 {
+ return err
+ }
+ }
+ }
+ // Once all children are enabled, enable the parent directory.
+ f, err := os.Open(path)
+ if err != nil {
+ return err
+ }
+ var p uintptr
+ if _, _, err := syscall.Syscall(syscall.SYS_IOCTL, uintptr(f.Fd()), uintptr(linux.FS_IOC_ENABLE_VERITY), p); err != 0 {
+ return err
+ }
+ return nil
+}
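Review bot: Neither `os.Open` in `enableDir` is ever closed, and `f` is not referenced after `f.Fd()`, so the runtime is free to finalize the file and close the descriptor before the ioctl runs. Until a finalizer runs, the recursion also keeps one descriptor open per file and directory in the tree. The same unclosed `os.Open` appears in `measure` in measure_tool_unsafe.go. Moving open plus ioctl into one helper with `defer f.Close()` fixes both call sites here, and returning an `*os.PathError` lets the `log.Fatalf` in `main` say which file failed instead of a bare errno.

```go
// enableFile opens name and enables verity on it. The deferred Close keeps f
// reachable, and its descriptor valid, until the ioctl has returned.
func enableFile(name string) error {
	f, err := os.Open(name)
	if err != nil {
		return err
	}
	defer f.Close()
	if _, _, errno := syscall.Syscall(syscall.SYS_IOCTL, f.Fd(), uintptr(linux.FS_IOC_ENABLE_VERITY), 0); errno != 0 {
		return &os.PathError{Op: "ioctl", Path: name, Err: errno}
	}
	return nil
}

func enableDir(path string) error {
	// … unchanged: ReadDir and the recursion into sub-directories …
		} else if file.Mode().IsRegular() {
			if err := enableFile(path + "/" + file.Name()); err != nil {
				return err
			}
		}
	}
	// Once all children are enabled, enable the parent directory.
	return enableFile(path)
}
```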
diff --git a/tools/verity/measure_tool_unsafe.go b/tools/verity/measure_tool_unsafe.go
new file mode 100644
index 000000000..d4079be9e
--- /dev/null
+++ b/tools/verity/measure_tool_unsafe.go
@@ -0,0 +1,39 @@
+// Copyright 2021 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package main
+
+import (
+ "encoding/hex"
+ "fmt"
+ "os"
+ "syscall"
+ "unsafe"
+
+ "gvisor.dev/gvisor/pkg/abi/linux"
+)
+
+// measure prints the hash of path to stdout.
+func measure(path string) error {
+ f, err := os.Open(path)
+ if err != nil {
+ return err
+ }
+ var digest digest
+ digest.metadata.DigestSize = maxDigestSize
+ if _, _, err := syscall.Syscall(syscall.SYS_IOCTL, uintptr(f.Fd()), uintptr(linux.FS_IOC_MEASURE_VERITY), uintptr(unsafe.Pointer(&digest))); err != 0 {
+ return err
+ }
+ fmt.Fprintf(os.Stdout, "%s\n", hex.EncodeToString(digest.digest[:digest.metadata.DigestSize]))
+ return err
+}
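Review bot: `digest.metadata.DigestSize` is read back after the ioctl and used directly as the slice bound on the 64-byte array, so any value above `maxDigestSize` would panic instead of returning an error. Whether the kernel side can report a larger size is not visible here. A guard before the `Fprintf`, such as `if digest.metadata.DigestSize > maxDigestSize { return fmt.Errorf("digest size %d exceeds buffer", digest.metadata.DigestSize) }`, turns that into an ordinary failure. The final `return err` returns the outer `err` from `os.Open`, which is always nil at that point, so `return nil` states the intent. The local `var digest digest` shadows the type name, and `var d digest` would read more clearly.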