# NixOS VM test: enroll a TPM2-bound key slot with systemd-cryptenroll, reboot,
# and check that crypttab unlocks the volume automatically.
# The TPM is a software TPM (swtpm) started on the test-driver host side and
# handed to QEMU over a unix socket (see qemu.options and start_swtpm below).
import ./make-test-python.nix ({ pkgs, ... }: {
  name = "systemd-cryptenroll";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ ymatsiuk ];
  };

  nodes.machine = { pkgs, lib, ... }: {
    environment.systemPackages = [ pkgs.cryptsetup ];
    virtualisation = {
      # One spare 512 MiB disk; presumably this is the /dev/vdb the script
      # formats (the device name is a test-driver convention, not set here).
      emptyDiskImages = [ 512 ];
      # Expose the emulator as a TPM-TIS device. The chardev socket path must be
      # the same one start_swtpm() passes to swtpm via --ctrl.
      qemu.options = [
        "-chardev socket,id=chrtpm,path=/tmp/swtpm-sock"
        "-tpmdev emulator,id=tpm0,chardev=chrtpm"
        "-device tpm-tis,tpmdev=tpm0"
      ];
    };
  };

  testScript = ''
    import subprocess
    import tempfile

    def start_swtpm(tpmstate):
        # Start a TPM 2.0 emulator in the background with its persistent state
        # under `tpmstate`. The Popen handle is deliberately dropped: nothing here
        # waits for or terminates the process. Calling this twice with the same
        # directory (before each machine.start() below) is what gives the second
        # boot the same TPM, which the enrolled key slot depends on.
        # NOTE(review): it is assumed that the first swtpm has gone away before
        # the second one binds the same socket path; the script does not check.
        subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir="+tpmstate, "--ctrl", "type=unixio,path=/tmp/swtpm-sock", "--log", "level=0", "--tpm2"])

    with tempfile.TemporaryDirectory() as tpmstate:
        start_swtpm(tpmstate)
        machine.start()

        # Verify the TPM device is available and accessible by systemd-cryptenroll
        machine.succeed("test -e /dev/tpm0")
        machine.succeed("test -e /dev/tpmrm0")
        machine.succeed("systemd-cryptenroll --tpm2-device=list")

        # Create LUKS partition; the test-only passphrase is fed on stdin ("-")
        machine.succeed("echo -n lukspass | cryptsetup luksFormat -q /dev/vdb -")
        # Enroll new LUKS key and bind it to Secure Boot state (--tpm2-pcrs=7,
        # i.e. only PCR 7 is part of the sealing policy).
        # The existing passphrase is handed over via the PASSWORD environment
        # variable. For more details on PASSWORD variable, check the following issue:
        # https://github.com/systemd/systemd/issues/20955
        machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb")
        # Add LUKS partition to /etc/crypttab to test auto unlock
        machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab")
        machine.shutdown()

        # Second boot with the same TPM state directory, so the sealed key slot
        # can still be unsealed by the TPM the VM now sees.
        start_swtpm(tpmstate)
        machine.start()

        # Test LUKS partition automatic unlock on boot (unit reaching active is
        # the only signal checked; the mapped device itself is not inspected)
        machine.wait_for_unit("systemd-cryptsetup@luks.service")
        # Wipe TPM2 slot
        # NOTE(review): only the exit status is asserted; that the TPM2 token is
        # really gone from the LUKS header is not verified here.
        machine.succeed("systemd-cryptenroll --wipe-slot=tpm2 /dev/vdb")
  '';
})