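# NixOS VM test for services.aesmd: checks that the service starts (without
# real SGX hardware), that the runtime directory and socket carry the
# expected ownership/mode, that access is gated by the "sgx" group, and that
# the generated aesmd.conf and whitelist certificate are visible inside the
# service's mount namespace.
{ pkgs, lib, ... }: {
  name = "aesmd";
  meta = {
    maintainers = with lib.maintainers; [ veehaitch ];
  };

  nodes.machine = { lib, ... }: {
    services.aesmd = {
      enable = true;
      settings = {
        defaultQuotingType = "ecdsa_256";
        proxyType = "direct";
        # Test fixture value; the testScript only asserts that it is
        # rendered into aesmd.conf.
        whitelistUrl = "http://nixos.org";
      };
    };

    # Should have access to the AESM socket
    users.users."sgxtest" = {
      isNormalUser = true;
      extraGroups = [ "sgx" ];
    };

    # Should NOT have access to the AESM socket
    users.users."nosgxtest".isNormalUser = true;

    # We don't have a real SGX machine in NixOS tests
    systemd.services.aesmd.unitConfig.AssertPathExists = lib.mkForce [ ];
  };

  testScript = ''
    with subtest("aesmd.service starts"):
        machine.wait_for_unit("aesmd.service")
        # MainPID is needed later to enter the service's mount namespace
        # with nsenter.
        status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service")
        assert status == 0, "Could not get MainPID of aesmd.service"
        main_pid = main_pid.strip()

    with subtest("aesmd.service runtime directory permissions"):
        # 750 aesmd:sgx is the access control for the socket below: only
        # root, the aesmd user and members of the sgx group can traverse
        # the directory.
        runtime_dir = "/run/aesmd"
        res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip()
        assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}"

    with subtest("aesm.socket available on host"):
        socket_path = "/var/run/aesmd/aesm.socket"
        machine.wait_until_succeeds(f"test -S {socket_path}")
        # The socket inode itself is world-accessible (777); the 750
        # directory checked above is what keeps non-sgx users out. The loop
        # verifies that gate from both sides of the group boundary.
        machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})")
        for op in [ "-r", "-w", "-x" ]:
            machine.succeed(f"sudo -u sgxtest test {op} {socket_path}")
            machine.fail(f"sudo -u nosgxtest test {op} {socket_path}")

    with subtest("Copies white_list_cert_to_be_verify.bin"):
        # Checked through nsenter because the path lives in the service's
        # private mount namespace; stat is taken from the host's coreutils.
        whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin"
        whitelist_perms = machine.succeed(
            f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}"
        ).strip()
        assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}"

    with subtest("Writes and binds aesm.conf in service namespace"):
        aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf")

        # Exact-content check: the three settings above must be rendered in
        # this order, one per line, with a trailing newline.
        assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs"
  '';
}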