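# NixOS VM test: enroll a LUKS volume against a (software) TPM 2.0 with
# systemd-cryptenroll, then verify it auto-unlocks on the next boot via
# /etc/crypttab and that the TPM2 key slot can be wiped again.
import ./make-test-python.nix ({ pkgs, ... }: {
  name = "systemd-cryptenroll";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ ymatsiuk ];
  };

  # The VM gets a spare 512 MiB disk (/dev/vdb) to LUKS-format and a TPM-TIS
  # device whose backend is an swtpm process reachable over a unix socket.
  # QEMU is the *client* of that socket, so swtpm must be listening before
  # the VM starts (see start_swtpm below).
  machine = { pkgs, lib, ... }: {
    environment.systemPackages = [ pkgs.cryptsetup ];
    virtualisation = {
      emptyDiskImages = [ 512 ];
      qemu.options = [
        "-chardev socket,id=chrtpm,path=/tmp/swtpm-sock"
        "-tpmdev emulator,id=tpm0,chardev=chrtpm"
        "-device tpm-tis,tpmdev=tpm0"
      ];
    };
  };

  testScript = ''
    import os
    import subprocess
    import tempfile
    import time

    # Must match the chardev path in qemu.options above.
    SWTPM_SOCK = "/tmp/swtpm-sock"

    def start_swtpm(tpmstate, timeout=30):
        """Start a TPM 2.0 emulator whose state lives in `tpmstate`.

        Blocks until swtpm has created its control socket so that QEMU does
        not race ahead and fail to connect to a socket that does not exist yet.

        Returns the subprocess.Popen handle; stop it with stop_swtpm().
        Raises RuntimeError if swtpm exits early or the socket never appears.
        """
        proc = subprocess.Popen([
            "${pkgs.swtpm}/bin/swtpm", "socket",
            "--tpmstate", "dir=" + tpmstate,
            "--ctrl", "type=unixio,path=" + SWTPM_SOCK,
            "--log", "level=0",
            "--tpm2",
        ])
        deadline = time.monotonic() + timeout
        while not os.path.exists(SWTPM_SOCK):
            if proc.poll() is not None:
                raise RuntimeError(f"swtpm exited early with status {proc.returncode}")
            if time.monotonic() > deadline:
                proc.terminate()
                proc.wait()
                raise RuntimeError(f"timed out waiting for {SWTPM_SOCK}")
            time.sleep(0.1)
        return proc

    def stop_swtpm(proc):
        """Terminate an swtpm started by start_swtpm() and reap it.

        Without this the first emulator would linger (and still own the socket
        path) when the second one is started for the reboot.
        """
        proc.terminate()
        proc.wait()

    with tempfile.TemporaryDirectory() as tpmstate:
        # First boot: format the disk and enroll a TPM2-bound key.
        tpm = start_swtpm(tpmstate)
        try:
            machine.start()

            # Verify the TPM device is available and accessible by systemd-cryptenroll
            machine.succeed("test -e /dev/tpm0")
            machine.succeed("test -e /dev/tpmrm0")
            machine.succeed("systemd-cryptenroll --tpm2-device=list")

            # Create LUKS partition (the passphrase is a test fixture only)
            machine.succeed("echo -n lukspass | cryptsetup luksFormat -q /dev/vdb -")
            # Enroll new LUKS key and bind it to Secure Boot state (PCR 7).
            # The second boot below reuses the same TPM state directory and the
            # same firmware, which is what keeps PCR 7 stable enough for the
            # unlock to succeed.
            # For more details on PASSWORD variable, check the following issue:
            # https://github.com/systemd/systemd/issues/20955
            machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb")
            # Add LUKS partition to /etc/crypttab to test auto unlock
            machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab")
            machine.shutdown()
        finally:
            stop_swtpm(tpm)

        # Second boot: same TPM state, fresh emulator process.
        tpm = start_swtpm(tpmstate)
        try:
            machine.start()

            # Test LUKS partition automatic unlock on boot
            machine.wait_for_unit("systemd-cryptsetup@luks.service")
            # Wipe TPM2 slot
            machine.succeed("systemd-cryptenroll --wipe-slot=tpm2 /dev/vdb")
        finally:
            stop_swtpm(tpm)
  '';
})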