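# NixOS VM test: enroll a TPM2-bound key into a LUKS2 volume with
# systemd-cryptenroll, confirm the volume auto-unlocks on the next boot via
# /etc/crypttab, then wipe the TPM2 slot again.
import ./make-test-python.nix ({ pkgs, ... }: {
  name = "systemd-cryptenroll";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ ymatsiuk ];
  };

  nodes.machine = { pkgs, lib, ... }: {
    # cryptsetup is needed on the guest to format the test disk and to
    # inspect the LUKS2 header.
    environment.systemPackages = [ pkgs.cryptsetup ];
    virtualisation = {
      # Extra 512 MiB blank disk, shows up as /dev/vdb in the guest.
      emptyDiskImages = [ 512 ];
      # Software TPM (swtpm) so /dev/tpm0 and /dev/tpmrm0 exist.
      tpm.enable = true;
    };
  };

  testScript = ''
    machine.start()

    # Verify the TPM device is available and accessible by systemd-cryptenroll
    machine.succeed("test -e /dev/tpm0")
    machine.succeed("test -e /dev/tpmrm0")
    machine.succeed("systemd-cryptenroll --tpm2-device=list")

    # Create LUKS partition (passphrase read from stdin via "-")
    machine.succeed("echo -n lukspass | cryptsetup luksFormat -q /dev/vdb -")
    # Enroll new LUKS key and bind it to Secure Boot state.
    # PCR 7 covers Secure Boot policy/certificate state only, so this
    # exercises the TPM binding path rather than a full measured-boot policy.
    # For more details on PASSWORD variable, check the following issue:
    # https://github.com/systemd/systemd/issues/20955
    machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb")
    # Enrollment must have written a systemd-tpm2 token into the LUKS2 header;
    # without this check a silently failed enrollment would only surface as a
    # vague boot-time failure later on.
    assert "systemd-tpm2" in machine.succeed("cryptsetup luksDump /dev/vdb")
    # Add LUKS partition to /etc/crypttab to test auto unlock
    machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab")

    machine.shutdown()
    machine.start()

    # Test LUKS partition automatic unlock on boot
    machine.wait_for_unit("systemd-cryptsetup@luks.service")
    # The unit being active is not quite the same as the mapping existing;
    # check the device node named in crypttab actually appeared.
    machine.succeed("test -b /dev/mapper/luks")
    # Wipe TPM2 slot
    machine.succeed("systemd-cryptenroll --wipe-slot=tpm2 /dev/vdb")
    # The TPM2 token must be gone from the header after the wipe.
    assert "systemd-tpm2" not in machine.succeed("cryptsetup luksDump /dev/vdb")
  '';
})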