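# NixOS VM test: a LUKS root volume that was formatted with an *empty*
# passphrase must still unlock in the initrd when the configured keyfile is
# either wrong or missing, because `tryEmptyPassphrase` is set.
#
# Arguments:
#   system, config, pkgs - the usual nixpkgs test plumbing.
#   systemdStage1        - when true, the initrd is the systemd-based stage 1
#                          instead of the scripted one.
{ system ? builtins.currentSystem
, config ? {}
, pkgs ? import ../.. { inherit system config; }
, systemdStage1 ? false
}:
import ./make-test-python.nix ({ lib, pkgs, ... }: let

  # Test fixture only. The volume is never enrolled with this key, so it acts
  # as the "wrong" keyfile. `pkgs.writeText` places the content in the
  # world-readable Nix store, which is acceptable for a throwaway fixture but
  # is not how real key material should be provisioned.
  keyfile = pkgs.writeText "luks-keyfile" ''
    MIGHAoGBAJ4rGTSo/ldyjQypd0kuS7k2OSsmQYzMH6TNj3nQ/vIUjDn7fqa3slt2
    gV6EK3TmTbGc4tzC1v4SWx2m+2Bjdtn4Fs4wiBwn1lbRdC6i5ZYCqasTWIntWn+6
    FllUkMD5oqjOR/YcboxG8Z3B5sJuvTP9llsF+gnuveWih9dpbBr7AgEC
  '';

  # LUKS device settings shared by both specialisations: try the keyfile
  # first, then the empty passphrase.
  #
  # NOTE(review): a volume that unlocks with an empty passphrase offers no
  # confidentiality until it is re-keyed; outside of a test this setting only
  # makes sense as a provisioning step.
  luksDevices = lib.mkVMOverride {
    cryptroot = {
      device = "/dev/vdb";
      keyFile = "/etc/cryptroot.key";
      tryEmptyPassphrase = true;
      # Only set for the scripted stage 1.
      # NOTE(review): presumably systemd stage 1 handles the password
      # fallback itself - confirm against the luksroot module.
      fallbackToPassword = !systemdStage1;
    };
  };

in {
  name = "initrd-luks-empty-passphrase";

  nodes.machine = { pkgs, ... }: {
    virtualisation = {
      # Second disk (/dev/vdb) that the test script formats as LUKS.
      emptyDiskImages = [ 512 ];
      useBootLoader = true;
      useEFIBoot = true;
    };

    boot.loader.systemd-boot.enable = true;
    boot.initrd.systemd = lib.mkIf systemdStage1 {
      enable = true;
      # Unauthenticated emergency shell in the initrd; test-only convenience.
      emergencyAccess = true;
    };
    environment.systemPackages = with pkgs; [ cryptsetup ];

    # Keyfile exists in the initrd but does not match any key slot.
    specialisation.boot-luks-wrong-keyfile.configuration = {
      boot.initrd.luks.devices = luksDevices;
      virtualisation.rootDevice = "/dev/mapper/cryptroot";
      boot.initrd.secrets."/etc/cryptroot.key" = keyfile;
    };

    # Keyfile path is configured but no secret is installed in the initrd.
    specialisation.boot-luks-missing-keyfile.configuration = {
      boot.initrd.luks.devices = luksDevices;
      virtualisation.rootDevice = "/dev/mapper/cryptroot";
    };
  };

  testScript = ''
    # Format the volume with an empty passphrase, so that boot first tries the
    # keyfile and then falls back to the empty passphrase.
    #
    # The boot entry is chosen with `bootctl set-default`; no boot-menu key
    # presses are needed.

    # Create encrypted volume. The single-quoted Python string keeps the
    # shell's `echo ""` intact (one newline on stdin, i.e. an empty passphrase).
    machine.wait_for_unit("multi-user.target")
    machine.succeed('echo "" | cryptsetup luksFormat /dev/vdb --batch-mode')
    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks-wrong-keyfile.conf")
    # Flush the changes before the VM is crashed and booted again.
    machine.succeed("sync")
    machine.crash()

    # Wrong keyfile: check that the rootfs is on /dev/mapper/cryptroot
    machine.wait_for_unit("multi-user.target")
    assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")

    # Choose boot-luks-missing-keyfile specialisation
    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks-missing-keyfile.conf")
    machine.succeed("sync")
    machine.crash()

    # Missing keyfile: check that the rootfs is on /dev/mapper/cryptroot
    machine.wait_for_unit("multi-user.target")
    assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
  '';
})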