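# NixOS VM test: a swap partition configured with `randomEncryption` must come
# up as a dm-crypt mapping that uses the cipher, key size and sector size given
# in the configuration.
#
# With `randomEncryption` the swap key is generated anew at every boot and is
# never stored, so swap contents cannot be read back after a reboot. For the
# same reason such a swap device cannot be used to resume from hibernation.
import ./make-test-python.nix ({ lib, pkgs, ... }:
{
  name = "swap-random-encryption";

  nodes.machine =
    { config, pkgs, lib, ... }:
    {
      # The test script calls `cryptsetup status` inside the guest.
      environment.systemPackages = [ pkgs.cryptsetup ];

      # The disk layout is created by hand below, so the test framework's
      # default filesystems are switched off.
      virtualisation.useDefaultFilesystems = false;

      virtualisation.rootDevice = "/dev/vda1";

      # First boot only: partition /dev/vda into a root partition and a
      # trailing 250 MiB partition for swap, then create the root filesystem.
      # Both steps are guarded so that a reboot does not repartition or
      # reformat an already prepared disk.
      boot.initrd.postDeviceCommands = ''
        if ! test -b /dev/vda1; then
          ${pkgs.parted}/bin/parted --script /dev/vda -- mklabel msdos
          ${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary 1MiB -250MiB
          ${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary -250MiB 100%
          sync
        fi

        FSTYPE=$(blkid -o value -s TYPE /dev/vda1 || true)
        if test -z "$FSTYPE"; then
          ${pkgs.e2fsprogs}/bin/mke2fs -t ext4 -L root /dev/vda1
        fi
      '';

      virtualisation.fileSystems = {
        "/" = {
          device = "/dev/disk/by-label/root";
          fsType = "ext4";
        };
      };

      swapDevices = [
        {
          device = "/dev/vda2";

          # Values under test. XTS splits the key into two halves, so a
          # 512-bit key size with aes-xts-plain64 means AES-256.
          randomEncryption = {
            enable = true;
            cipher = "aes-xts-plain64";
            keySize = 512;
            sectorSize = 4096;
          };
        }
      ];
    };

  testScript = ''
    import json
    import re

    machine.wait_for_unit("multi-user.target")

    with subtest("Swap is active"):
        # Doesn't matter if the numbers reported by `free` are slightly off due to unit conversions.
        # Raw string: "\s" is not a valid escape sequence in a normal Python string literal.
        # NOTE(review): this checks the swap size only. That swap runs on the encrypted
        # mapping and not on the raw /dev/vda2 partition is implied by the subtests below
        # rather than asserted; an explicit check against /proc/swaps would make it direct.
        machine.succeed(r"free -h | grep -E 'Swap:\s+2[45][0-9]Mi'")

    with subtest("Swap device has 4k sector size"):
        # Inspect the dm-crypt mapping, not the underlying partition.
        result = json.loads(machine.succeed("lsblk -Jo PHY-SEC,LOG-SEC /dev/mapper/dev-vda2"))
        block_devices = result["blockdevices"]
        if len(block_devices) != 1:
            raise Exception("lsblk output did not report exactly one block device")

        swap_device = block_devices[0]
        if not (swap_device["phy-sec"] == 4096 and swap_device["log-sec"] == 4096):
            raise Exception("swap device does not have the sector size specified in the configuration")

    with subtest("Swap encrypt has assigned cipher and keysize"):
        results = machine.succeed("cryptsetup status dev-vda2").splitlines()

        # fullmatch: the whole status line must be exactly the configured value, so a
        # longer cipher or key size string that merely contains it is rejected.
        cipher_pattern = re.compile(r"\s*cipher:\s+aes-xts-plain64\s*")
        if not any(cipher_pattern.fullmatch(line) for line in results):
            raise Exception("swap device encryption does not use the cipher specified in the configuration")

        key_size_pattern = re.compile(r"\s*keysize:\s+512\s+bits\s*")
        if not any(key_size_pattern.fullmatch(line) for line in results):
            raise Exception("swap device encryption does not use the key size specified in the configuration")
  '';
})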