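# Test: initrd-luks-empty-passphrase
#
# Verifies the `boot.initrd.luks.devices.<name>.tryEmptyPassphrase` fallback.
# The root volume is formatted with an *empty* passphrase; two specialisations
# then boot from it with a keyfile that does not unlock it (boot-luks-wrong-keyfile)
# and with no keyfile at all (boot-luks-missing-keyfile). In both cases the
# initrd must fall through to the empty passphrase and mount /dev/mapper/cryptroot
# as the root filesystem. Runs against both the scripted and (with
# `systemdStage1 = true`) the systemd-based stage 1.
{ system ? builtins.currentSystem
, config ? {}
, pkgs ? import ../.. {inherit system config; }
, systemdStage1 ? false }:
import ./make-test-python.nix ({ lib, pkgs, ... }: let

  # Key material for the "wrong keyfile" case. It lives in the Nix store
  # (world-readable) and is appended to the initrd via boot.initrd.secrets;
  # it is deliberately NOT the key the volume is formatted with (the volume
  # has an empty passphrase), so unlocking with it must fail.
  keyfile = pkgs.writeText "luks-keyfile" ''
    MIGHAoGBAJ4rGTSo/ldyjQypd0kuS7k2OSsmQYzMH6TNj3nQ/vIUjDn7fqa3slt2
    gV6EK3TmTbGc4tzC1v4SWx2m+2Bjdtn4Fs4wiBwn1lbRdC6i5ZYCqasTWIntWn+6
    FllUkMD5oqjOR/YcboxG8Z3B5sJuvTP9llsF+gnuveWih9dpbBr7AgEC
  '';

in {
  name = "initrd-luks-empty-passphrase";

  nodes.machine = { pkgs, ... }: {
    # The scripted stage 1 formats the root device through this helper module;
    # under systemd stage 1 the same is done with fileSystems."/".autoFormat below.
    imports = lib.optionals (!systemdStage1) [ ./common/auto-format-root-device.nix ];

    virtualisation = {
      emptyDiskImages = [ 512 ];
      useBootLoader = true;
      useEFIBoot = true;
      # The new root device is /dev/vdb, an empty 512 MiB drive that contains
      # no Nix store, so the VM needs access to the host's Nix store.
      mountHostNixStore = true;
      fileSystems."/".autoFormat = lib.mkIf systemdStage1 true;
    };

    # systemd-boot is used so the test can switch specialisations with
    # `bootctl set-default` instead of driving a boot menu by keystrokes.
    boot.loader.systemd-boot.enable = true;
    boot.initrd.systemd = lib.mkIf systemdStage1 {
      enable = true;
      # Test-only convenience: makes the initrd emergency shell reachable
      # without authentication when a boot fails, which eases debugging.
      emergencyAccess = true;
    };
    environment.systemPackages = with pkgs; [ cryptsetup ];

    # Case 1: a keyfile is present but does not unlock the volume.
    specialisation.boot-luks-wrong-keyfile.configuration = {
      boot.initrd.luks.devices = lib.mkVMOverride {
        cryptroot = {
          device = "/dev/vdb";
          keyFile = "/etc/cryptroot.key";
          # The behaviour under test: after the keyfile fails, try the empty
          # passphrase before prompting.
          tryEmptyPassphrase = true;
          # Interactive prompt as last resort if the keyfile is absent;
          # NOTE(review): only set for the scripted stage 1 here, presumably
          # because the systemd stage 1 does not use this option — confirm.
          fallbackToPassword = !systemdStage1;
        };
      };
      virtualisation.rootDevice = "/dev/mapper/cryptroot";
      boot.initrd.secrets."/etc/cryptroot.key" = keyfile;
    };

    # Case 2: the configured keyfile is not shipped in the initrd at all
    # (no boot.initrd.secrets entry), so the keyfile step fails as "missing".
    specialisation.boot-luks-missing-keyfile.configuration = {
      boot.initrd.luks.devices = lib.mkVMOverride {
        cryptroot = {
          device = "/dev/vdb";
          keyFile = "/etc/cryptroot.key";
          tryEmptyPassphrase = true;
          fallbackToPassword = !systemdStage1;
        };
      };
      virtualisation.rootDevice = "/dev/mapper/cryptroot";
    };
  };

  testScript = ''
    # The volume is formatted with an *empty* passphrase below. The keyfile in the
    # wrong-keyfile specialisation does not unlock it, and the missing-keyfile
    # specialisation ships no keyfile at all, so in both cases stage 1 must fall
    # through to tryEmptyPassphrase for the root filesystem to come up.

    def boot_into(specialisation):
        """
        Make the given specialisation the default systemd-boot entry and
        reboot into it. crash() simulates a power cut; the driver brings the
        VM back up on the next wait_for_unit(), which forces a fresh pass
        through the initrd unlock path.
        """
        machine.succeed(f"bootctl set-default nixos-generation-1-specialisation-{specialisation}.conf")
        machine.succeed("sync")
        machine.crash()

    def assert_root_on_cryptroot():
        """
        The root filesystem must be the unlocked LUKS mapping; anything else
        means the fallback did not unlock the volume.
        """
        machine.wait_for_unit("multi-user.target")
        assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")

    # Create the encrypted volume with an empty passphrase. `echo` writes a bare
    # newline to stdin, which cryptsetup reads as the (empty) passphrase.
    # (A previous revision spelled this "echo "" | ...", which Python silently
    # concatenated into the same command; this form says what it does.)
    machine.wait_for_unit("multi-user.target")
    machine.succeed("echo | cryptsetup luksFormat /dev/vdb --batch-mode")

    # Wrong keyfile: keyfile unlock fails, empty passphrase must succeed.
    boot_into("boot-luks-wrong-keyfile")
    assert_root_on_cryptroot()

    # Missing keyfile: no keyfile in the initrd, empty passphrase must succeed.
    boot_into("boot-luks-missing-keyfile")
    assert_root_on_cryptroot()
  '';
})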