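#!/bin/bash
# Milestone-2 verification: spawn-inherited lockdown channel.
#
# Builds tests/secalloc-spawn/main.go and runs the binary as the parent.
# The parent forks a child, hands the child a pipe write fd via
# SetSecureLockdownFd, and the child triggers a guard-page fault. The
# signal handler must route the lockdown notification through the
# inherited pipe, NOT to stderr. The parent reads the byte and prints
# LOCKDOWN_RECEIVED if the cross-process notification arrived.
#
# Verifies:
#   - parent exit status is 0 (parent did not crash)
#   - parent stdout contains LOCKDOWN_RECEIVED
#   - parent stdout contains CHILD_EXITED_SIGSEGV
#   - the raw secret pattern does NOT appear anywhere in stdout/stderr
#   - parent stderr does NOT contain MOXIE_SECALLOC_LOCKDOWN
#     (the marker should travel through the pipe, not via stderr)
#
# Environment:
#   MOXIEROOT  repository root (default: two directories above this script)
#   MOXIE      compiler binary (default: $MOXIEROOT/moxie)
#
# Output: a single "OK ..." line and exit 0 when every check passes;
# otherwise one "FAIL ..." line per failed check, a dump of the captured
# stdout/stderr, and exit 1.
set -euo pipefail

MOXIEROOT="${MOXIEROOT:-$(cd "$(dirname "$0")/../.." && pwd)}"
MOXIE="${MOXIE:-$MOXIEROOT/moxie}"

# Private scratch directory. The name shadows the conventional TMPDIR
# variable; if the caller already exported TMPDIR, child processes started
# below inherit this value as well.
TMPDIR=$(mktemp -d)
# Single quotes defer expansion until the trap fires, so a path containing
# whitespace or glob characters is removed as one argument. ':?' refuses to
# run rm with an empty path.
trap 'rm -rf -- "${TMPDIR:?}"' EXIT

export PATH="/usr/lib/llvm19/bin:$PATH"
export MOXIEROOT

BIN="$TMPDIR/secalloc_spawn_test"
out_file="$TMPDIR/stdout"
err_file="$TMPDIR/stderr"

cd "$MOXIEROOT"

if ! "$MOXIE" build -o "$BIN" ./tests/secalloc-spawn 2>"$TMPDIR/build.err"; then
  echo "FAIL secalloc-spawn: compilation failed"
  cat "$TMPDIR/build.err"
  exit 1
fi

# Run the parent inside a nested shell whose own stderr is discarded
# (presumably to hide the shell's diagnostics if the parent dies on a
# signal). The paths are passed as positional parameters rather than being
# pasted into the command string, so quotes or '$' in a path cannot change
# what the nested shell executes.
rc=0
bash -c '"$1" >"$2" 2>"$3"' _ "$BIN" "$out_file" "$err_file" 2>/dev/null || rc=$?

# Kept only for the failure dump at the end; the checks read the files.
stdout=$(cat "$out_file")
stderr=$(cat "$err_file")

fail=0

if [ "$rc" -ne 0 ]; then
  echo "FAIL secalloc-spawn: parent exited non-zero (got $rc)"
  fail=1
fi

# The checks below grep the captured files directly instead of piping
# `echo` into `grep -q`. Under `set -o pipefail`, grep -q can exit on the
# first match while the writer is still sending data; the writer then gets
# SIGPIPE and the pipeline reports failure even though the pattern matched.
# For the two "must NOT appear" checks that would let a leak pass unnoticed
# on large output.
if ! grep -qF -- "LOCKDOWN_RECEIVED" "$out_file"; then
  echo "FAIL secalloc-spawn: lockdown marker did not arrive via inherited pipe"
  fail=1
fi

if ! grep -qF -- "CHILD_EXITED_SIGSEGV" "$out_file"; then
  echo "FAIL secalloc-spawn: child did not exit on SIGSEGV"
  fail=1
fi

# Only the literal marker string is detected; a transformed or partial copy
# of the secret would not be caught by this check.
if grep -qF -- "MOXIE_SECRET_PAYLOAD" "$out_file" "$err_file"; then
  echo "FAIL secalloc-spawn: raw secret pattern leaked"
  fail=1
fi

# stderr must NOT contain the lockdown marker — it should have been
# routed through the pipe instead. If it shows up on stderr, the fd
# override didn't take effect.
if grep -qF -- "MOXIE_SECALLOC_LOCKDOWN" "$err_file"; then
  echo "FAIL secalloc-spawn: marker leaked to stderr instead of pipe"
  fail=1
fi

if [ "$fail" -eq 0 ]; then
  echo "OK secalloc-spawn (lockdown routed via inherited pipe)"
  exit 0
fi

# At least one check failed: show what the parent actually produced.
echo "--- stdout ---"
printf '%s\n' "$stdout"
echo "--- stderr ---"
printf '%s\n' "$stderr"
exit 1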