authorrnhmjoj <rnhmjoj@inventati.org>2023-01-15 03:25:17 +0100
committerrnhmjoj <rnhmjoj@inventati.org>2023-01-16 02:31:01 +0100
commit928181b5f38b5dacfa011a48fc66e10c1fefafd7 (patch)
tree7f430977adab7ac4ae2e5f2fb75dd19ab8a17c55 /nixos/tests/installer.nix
parent9fc47e6db3f2369e90cc0dec6c99b7a2501693e7 (diff)
nixos/tests/installer: add full disk encryption test
This tests a common full disk encryption setup:
https://gist.github.com/ladinu/bfebdd90a5afd45dec811296016b2a3f
Diffstat (limited to 'nixos/tests/installer.nix')
-rw-r--r--nixos/tests/installer.nix52
1 files changed, 50 insertions, 2 deletions
diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix
index 0884b0436f8..db17e092247 100644
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@@ -150,8 +150,7 @@ let
           )
 
       with subtest("Shutdown system after installation"):
-          machine.succeed("umount /mnt/boot || true")
-          machine.succeed("umount /mnt")
+          machine.succeed("umount -R /mnt")
           machine.succeed("sync")
           machine.shutdown()
 
@@ -672,6 +671,55 @@ in {
     '';
   };
 
+  # Full disk encryption (root, kernel and initrd encrypted) using GRUB, GPT/UEFI,
+  # LVM-on-LUKS and a keyfile in initrd.secrets to enter the passphrase once
+  fullDiskEncryption = makeInstallerTest "fullDiskEncryption" {
+    createPartitions = ''
+      machine.succeed(
+          "flock /dev/vda parted --script /dev/vda -- mklabel gpt"
+          + " mkpart ESP fat32 1M 100MiB"  # /boot/efi
+          + " set 1 boot on"
+          + " mkpart primary ext2 1024MiB -1MiB",  # LUKS
+          "udevadm settle",
+          "modprobe dm_mod dm_crypt",
+          "dd if=/dev/random of=luks.key bs=256 count=1",
+          "echo -n supersecret | cryptsetup luksFormat -q --pbkdf-force-iterations 1000 --type luks1 /dev/vda2 -",
+          "echo -n supersecret | cryptsetup luksAddKey -q --pbkdf-force-iterations 1000 --key-file - /dev/vda2 luks.key",
+          "echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vda2 crypt",
+          "pvcreate /dev/mapper/crypt",
+          "vgcreate crypt /dev/mapper/crypt",
+          "lvcreate -L 100M -n swap crypt",
+          "lvcreate -l '100%FREE' -n nixos crypt",
+          "mkfs.vfat -n efi /dev/vda1",
+          "mkfs.ext4 -L nixos /dev/crypt/nixos",
+          "mkswap -L swap /dev/crypt/swap",
+          "mount LABEL=nixos /mnt",
+          "mkdir -p /mnt/{etc/nixos,boot/efi}",
+          "mount LABEL=efi /mnt/boot/efi",
+          "swapon -L swap",
+          "mv luks.key /mnt/etc/nixos/"
+      )
+    '';
+    bootLoader = "grub";
+    grubUseEfi = true;
+    extraConfig = ''
+      boot.loader.grub.enableCryptodisk = true;
+      boot.loader.efi.efiSysMountPoint = "/boot/efi";
+
+      boot.initrd.secrets."/luks.key" = ./luks.key;
+      boot.initrd.luks.devices.crypt =
+        { device  = "/dev/vda2";
+          keyFile = "/luks.key";
+        };
+    '';
+    enableOCR = true;
+    preBootCommands = ''
+      machine.start()
+      machine.wait_for_text("Enter passphrase for")
+      machine.send_chars("supersecret\n")
+    '';
+  };
+
   swraid = makeInstallerTest "swraid" {
     createPartitions = ''
       machine.succeed(
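Review bot: The `dd if=/dev/random of=luks.key bs=256 count=1` line in createPartitions writes the keyfile under the default umask and the later `mv` carries that mode into /mnt/etc/nixos, so the LUKS key slot material lands on the installed system as an ordinary world-readable file; a single `count=1` read can also come back short on kernels where /dev/random returns fewer bytes than requested, and luksAddKey accepts a short keyfile without complaint. Suggested change: `"dd if=/dev/random of=luks.key bs=256 count=1 iflag=fullblock",` followed by `"chmod 600 luks.key",` before the luksFormat line. The `--type luks1` and `--pbkdf-force-iterations 1000` choices on the luksFormat/luksAddKey lines deserve a comment so they are not copied as-is, e.g. `# luks1: presumably for GRUB cryptodisk compatibility (confirm); 1000 PBKDF iterations only keep the test fast`. The header comment above the attribute could also note that the ESP at /boot/efi (holding the GRUB image) stays unencrypted, since "full disk encryption" otherwise reads as covering it.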