# NixOS VM test: unlock a LUKS root volume from the systemd-based initrd with a
# TPM2 key. The TPM is emulated by an swtpm process started from testScript;
# QEMU is pointed at its control socket via qemu.options below.
import ./make-test-python.nix ({ lib, pkgs, ... }: {
  name = "systemd-initrd-luks-tpm2";

  nodes.machine = { pkgs, ... }: {
    # Use systemd-boot
    virtualisation = {
      emptyDiskImages = [ 512 ];
      useBootLoader = true;
      useEFIBoot = true;
      # The chardev path must match the --ctrl socket path swtpm is started with
      # in the Tpm class below (both use /tmp/mytpm1).
      qemu.options = ["-chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"];
    };
    boot.loader.systemd-boot.enable = true;

    # The initrd needs the TPM driver loaded before it can ask the TPM to unseal.
    boot.initrd.availableKernelModules = [ "tpm_tis" ];

    environment.systemPackages = with pkgs; [ cryptsetup ];
    boot.initrd.systemd = {
      enable = true;
    };

    # Second boot entry: root lives on the LUKS volume, unlocked from the initrd.
    specialisation.boot-luks.configuration = {
      boot.initrd.luks.devices = lib.mkVMOverride {
        cryptroot = {
          device = "/dev/vdc";
          # crypttab option: systemd-cryptsetup locates the TPM2 device itself
          # instead of being given an explicit /dev/tpmrm* path.
          crypttabExtraOpts = [ "tpm2-device=auto" ];
        };
      };
      virtualisation.bootDevice = "/dev/mapper/cryptroot";
    };
  };

  testScript = ''
    import subprocess
    import os
    import time


    class Tpm:
        """Host-side swtpm process that backs the VM's emulated TPM."""

        def __init__(self):
            # State directory for swtpm; os.mkdir raises if it already exists,
            # which is intended here (a stale state dir would be a test bug).
            os.mkdir("/tmp/mytpm1")
            self.start()

        def start(self):
            # Launch swtpm in TPM2 mode. The --ctrl socket path is the one QEMU
            # connects to (see qemu.options). --tpmstate dir is the same on every
            # start, so the TPM's persistent state survives a restart.
            self.proc = subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir=/tmp/mytpm1", "--ctrl", "type=unixio,path=/tmp/mytpm1/swtpm-sock", "--log", "level=20", "--tpm2"])

        def wait_for_death_then_restart(self):
            # After machine.crash() the swtpm process is expected to exit cleanly
            # (NOTE(review): presumably because QEMU drops the control socket;
            # confirm). Poll until it has, require a zero exit status, then start
            # a fresh instance on the same state dir so the enrolled key is still
            # there for the reboot.
            while self.proc.poll() is None:
                print("waiting for tpm to die")
                time.sleep(1)
            assert self.proc.returncode == 0
            self.start()

    tpm = Tpm()


    # Create encrypted volume
    machine.wait_for_unit("multi-user.target")
    # --iter-time=1 keeps the PBKDF cost minimal; this is a throwaway test volume.
    machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")
    # Enroll a TPM2 key slot. PASSWORD supplies the existing passphrase to
    # systemd-cryptenroll; output goes to the journal via systemd-cat.
    # --tpm2-pcrs= (empty) enrolls WITHOUT binding to any PCR, so the TPM will
    # release the key regardless of the measured boot state. That is what this
    # test needs (the specialisation boots a different configuration), but a
    # real deployment would bind to PCRs so a tampered boot path cannot unseal.
    machine.succeed("PASSWORD=supersecret SYSTEMD_LOG_LEVEL=debug systemd-cryptenroll --tpm2-pcrs= --tpm2-device=auto /dev/vdc |& systemd-cat")

    # Boot from the encrypted disk
    # Select the boot-luks specialisation entry for the next boot, flush it to
    # disk, then hard-stop the VM.
    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
    machine.succeed("sync")
    machine.crash()

    # swtpm goes down with the VM; bring it back before the VM is started again.
    tpm.wait_for_death_then_restart()

    # Boot and decrypt the disk
    # NOTE(review): the test driver presumably restarts the VM on this
    # wait_for_unit call; the initrd must unlock /dev/vdc via the TPM for the
    # unit to become active.
    machine.wait_for_unit("multi-user.target")
    # Root must be the mapped LUKS device, proving the TPM unlock actually ran.
    assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
  '';
})