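# NixOS VM test: enroll a LUKS volume against a TPM 2.0 (emulated by swtpm)
# with systemd-cryptenroll, then check that the volume is unlocked
# automatically on the next boot via /etc/crypttab.
import ./make-test-python.nix ({ pkgs, ... }: {
  name = "systemd-cryptenroll";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ ymatsiuk ];
    broken = true; # times out after two hours, details -> https://github.com/NixOS/nixpkgs/issues/167994
  };

  nodes.machine = { pkgs, lib, ... }: {
    environment.systemPackages = [ pkgs.cryptsetup ];
    virtualisation = {
      # /dev/vdb: the disk that gets LUKS-formatted by the test script.
      emptyDiskImages = [ 512 ];
      # The guest TPM is a software TPM (swtpm) reached over a unix socket.
      # This chardev path must stay in sync with SWTPM_SOCK in testScript;
      # it is a static string here, so the script cannot pick a random path.
      qemu.options = [
        "-chardev socket,id=chrtpm,path=/tmp/swtpm-sock"
        "-tpmdev emulator,id=tpm0,chardev=chrtpm"
        "-device tpm-tis,tpmdev=tpm0"
      ];
    };
  };

  testScript = ''
    import os
    import subprocess
    import tempfile
    import time

    # Control-socket path shared with the "-chardev socket,...,path=" option
    # in the qemu options above.
    SWTPM_SOCK = "/tmp/swtpm-sock"

    def start_swtpm(tpmstate):
        """Start a TPM 2.0 emulator whose state lives in the directory `tpmstate`.

        Returns the Popen handle so the caller can stop the emulator again.
        Blocks until the control socket exists (or swtpm exits / a 30 s
        deadline passes) so that QEMU does not race against emulator startup.
        """
        proc = subprocess.Popen([
            "${pkgs.swtpm}/bin/swtpm", "socket",
            "--tpmstate", "dir=" + tpmstate,
            "--ctrl", "type=unixio,path=" + SWTPM_SOCK,
            "--log", "level=0",
            "--tpm2",
        ])
        deadline = time.monotonic() + 30
        while not os.path.exists(SWTPM_SOCK):
            if proc.poll() is not None:
                raise RuntimeError(f"swtpm exited early with status {proc.returncode}")
            if time.monotonic() > deadline:
                proc.terminate()
                proc.wait()
                raise RuntimeError("swtpm did not create its control socket in time")
            time.sleep(0.1)
        return proc

    def stop_swtpm(proc):
        """Stop the emulator and remove its socket.

        The original test never stopped swtpm, so the second start_swtpm() call
        bound the same socket path while the first instance could still be
        running; stopping explicitly avoids that collision and lets the
        TemporaryDirectory be removed while no process is still using it.
        """
        proc.terminate()
        try:
            proc.wait(timeout=10)
        except subprocess.TimeoutExpired:
            proc.kill()
            proc.wait()
        try:
            os.unlink(SWTPM_SOCK)
        except FileNotFoundError:
            pass

    with tempfile.TemporaryDirectory() as tpmstate:
        swtpm = start_swtpm(tpmstate)
        try:
            machine.start()

            # Verify the TPM device is available and accessible by systemd-cryptenroll
            machine.succeed("test -e /dev/tpm0")
            machine.succeed("test -e /dev/tpmrm0")
            machine.succeed("systemd-cryptenroll --tpm2-device=list")

            # Create LUKS partition (test-only passphrase, fed via stdin)
            machine.succeed("echo -n lukspass | cryptsetup luksFormat -q /dev/vdb -")
            # Enroll new LUKS key and bind it to Secure Boot state (PCR 7)
            # For more details on PASSWORD variable, check the following issue:
            # https://github.com/systemd/systemd/issues/20955
            machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb")
            # Add LUKS partition to /etc/crypttab to test auto unlock
            machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab")
            machine.shutdown()
        finally:
            stop_swtpm(swtpm)

        # Reboot against the same TPM state: the sealed key must still unseal.
        swtpm = start_swtpm(tpmstate)
        try:
            machine.start()

            # Test LUKS partition automatic unlock on boot
            machine.wait_for_unit("systemd-cryptsetup@luks.service")
            # Wipe TPM2 slot
            machine.succeed("systemd-cryptenroll --wipe-slot=tpm2 /dev/vdb")
            machine.shutdown()
        finally:
            stop_swtpm(swtpm)
  '';
})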