authorYurii Matsiuk <ymatsiuk@users.noreply.github.com>2021-10-04 12:54:13 +0200
committerYurii Matsiuk <ymatsiuk@users.noreply.github.com>2021-10-07 15:58:02 +0200
commite8fe1c9efeda44fa7241ec6cd4ffd72522c30132 (patch)
tree6b41d95c68f5cf4ceae5b401f6c9a63a27a937ef
parent73ac07a127d91a7fedd23cc508fe59c5a935dbe2 (diff)
nixos/tests/systemd-cryptenroll: add basic TPM2 test
-rw-r--r--nixos/tests/all-tests.nix1
-rw-r--r--nixos/tests/systemd-cryptenroll.nix55
2 files changed, 56 insertions, 0 deletions
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 0328727cc39..c5ce32cf0f7 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -429,6 +429,7 @@ in
   systemd-binfmt = handleTestOn ["x86_64-linux"] ./systemd-binfmt.nix {};
   systemd-boot = handleTest ./systemd-boot.nix {};
   systemd-confinement = handleTest ./systemd-confinement.nix {};
+  systemd-cryptenroll = handleTest ./systemd-cryptenroll.nix {};
   systemd-journal = handleTest ./systemd-journal.nix {};
   systemd-networkd = handleTest ./systemd-networkd.nix {};
   systemd-networkd-dhcpserver = handleTest ./systemd-networkd-dhcpserver.nix {};
diff --git a/nixos/tests/systemd-cryptenroll.nix b/nixos/tests/systemd-cryptenroll.nix
new file mode 100644
index 00000000000..2c436f2de89
--- /dev/null
+++ b/nixos/tests/systemd-cryptenroll.nix
@@ -0,0 +1,55 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+  name = "systemd-cryptenroll";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ ymatsiuk ];
+  };
+
+  machine = { pkgs, lib, ... }: {
+    environment.systemPackages = [ pkgs.cryptsetup ];
+    virtualisation = {
+      emptyDiskImages = [ 512 ];
+      memorySize = 1024;
+      qemu.options = [
+        "-chardev socket,id=chrtpm,path=/tmp/swtpm-sock"
+        "-tpmdev emulator,id=tpm0,chardev=chrtpm"
+        "-device tpm-tis,tpmdev=tpm0"
+      ];
+    };
+  };
+
+  testScript = ''
+    import subprocess
+    import tempfile
+
+    def start_swtpm(tpmstate):
+        subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir="+tpmstate, "--ctrl", "type=unixio,path=/tmp/swtpm-sock", "--log", "level=0", "--tpm2"])
+
+    with tempfile.TemporaryDirectory() as tpmstate:
+        start_swtpm(tpmstate)
+        machine.start()
+
+        # Verify the TPM device is available and accessible by systemd-cryptenroll
+        machine.succeed("test -e /dev/tpm0")
+        machine.succeed("test -e /dev/tpmrm0")
+        machine.succeed("systemd-cryptenroll --tpm2-device=list")
+
+        # Create LUKS partition
+        machine.succeed("echo -n lukspass | cryptsetup luksFormat -q /dev/vdb -")
+        # Enroll new LUKS key and bind it to Secure Boot state
+        # For more details on PASSWORD variable, check the following issue:
+        # https://github.com/systemd/systemd/issues/20955
+        machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb")
+        # Add LUKS partition to /etc/crypttab to test auto unlock
+        machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab")
+        machine.shutdown()
+
+        start_swtpm(tpmstate)
+        machine.start()
+
+        # Test LUKS partition automatic unlock on boot
+        machine.wait_for_unit("systemd-cryptsetup@luks.service")
+        # Wipe TPM2 slot
+        machine.succeed("systemd-cryptenroll --wipe-slot=tpm2 /dev/vdb")
+  '';
+})
+
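Review bot: `start_swtpm` discards the `subprocess.Popen` handle, so the swtpm emulator started on the fixed socket `/tmp/swtpm-sock` is never waited for or terminated by the script; if the test fails anywhere between `machine.start()` and `machine.shutdown()`, or if the first swtpm has not yet exited when the second `start_swtpm(tpmstate)` call binds the same path, the leftover process is only cleaned up by the sandbox tearing down, and the second bind may fail with an error that `--log level=0` would hide. Returning the handle and explicitly terminating/waiting on it after each `machine.shutdown()` makes the restart deterministic and keeps the state directory consistent before the second boot. A lighter `--log` level than `0` would also make a swtpm-side failure visible in the test log. The test only shows that unlock succeeds with unchanged PCR 7; it does not exercise the negative case (unlock refused after the PCR changes), which is worth stating in the comment above the enroll line, e.g. `# Only the positive unlock path is covered; PCR 7 mismatch is not tested here`.
```nix
    def start_swtpm(tpmstate):
        # Return the handle so the caller can wait for the emulator to exit
        return subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir="+tpmstate, "--ctrl", "type=unixio,path=/tmp/swtpm-sock", "--log", "level=0", "--tpm2"])

    with tempfile.TemporaryDirectory() as tpmstate:
        swtpm = start_swtpm(tpmstate)
        machine.start()
        # … unchanged: device checks, luksFormat, enroll, crypttab …
        machine.shutdown()
        # Make sure the first emulator has released the socket before restarting
        swtpm.terminate()
        swtpm.wait()

        swtpm = start_swtpm(tpmstate)
        machine.start()
        # … unchanged: wait_for_unit, wipe-slot …
        machine.shutdown()
        swtpm.terminate()
        swtpm.wait()
```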