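import ./make-test-python.nix ({ pkgs, ... }: {
  # NixOS VM test: enroll a TPM2-bound LUKS2 key with systemd-cryptenroll,
  # reboot, confirm the volume is unlocked automatically, then wipe the slot
  # and confirm the TPM2 token is really gone.
  name = "systemd-cryptenroll";

  meta = with pkgs.lib.maintainers; {
    maintainers = [ ymatsiuk ];
  };

  nodes.machine = { pkgs, lib, ... }: {
    environment.systemPackages = [ pkgs.cryptsetup ];

    virtualisation = {
      # Scratch disk (MiB) that shows up as /dev/vdb and is LUKS-formatted below.
      emptyDiskImages = [ 512 ];
      # Attach a software TPM 2.0 to the VM; without it --tpm2-device=auto
      # would find no device and enrollment could not be exercised at all.
      tpm.enable = true;
    };
  };

  testScript = ''
    machine.start()

    # Verify the TPM device is available and accessible by systemd-cryptenroll
    machine.succeed("test -e /dev/tpm0")
    machine.succeed("test -e /dev/tpmrm0")
    machine.succeed("systemd-cryptenroll --tpm2-device=list")

    # Create LUKS partition. The passphrase is a throwaway test value; it is
    # fed on stdin so it does not end up on a command line.
    machine.succeed("echo -n lukspass | cryptsetup luksFormat -q /dev/vdb -")

    # Enroll new LUKS key and bind it to Secure Boot state (PCR 7).
    # NOTE: the test VM has no Secure Boot, so PCR 7 is a fixed, well-known
    # value here. This exercises the enroll/unlock plumbing, not the strength
    # of the policy; PCR 7 alone does not measure the kernel or initrd.
    # For more details on PASSWORD variable, check the following issue:
    # https://github.com/systemd/systemd/issues/20955
    machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb")

    # Enrollment must have left a systemd-tpm2 token in the LUKS2 header;
    # check it explicitly rather than relying on the reboot below alone.
    machine.succeed("cryptsetup luksDump /dev/vdb | grep -q systemd-tpm2")

    # Add LUKS partition to /etc/crypttab to test auto unlock
    machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab")

    machine.shutdown()
    machine.start()

    # Test LUKS partition automatic unlock on boot
    machine.wait_for_unit("systemd-cryptsetup@luks.service")
    # An active unit is not proof by itself; the mapping must actually exist.
    machine.succeed("test -e /dev/mapper/luks")

    # Wipe TPM2 slot and confirm the token is gone, i.e. the volume can no
    # longer be opened via the TPM and only the passphrase remains.
    machine.succeed("systemd-cryptenroll --wipe-slot=tpm2 /dev/vdb")
    machine.fail("cryptsetup luksDump /dev/vdb | grep -q systemd-tpm2")
  '';
})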