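import ./make-test-python.nix ({ lib, pkgs, ... }: let
  # Passphrase shared by both LUKS volumes. It is a test fixture, not a secret.
  passphrase = "secret";
  # Quoted form for every shell command the passphrase is piped into, so the
  # test keeps working if the fixture is ever changed to contain shell
  # metacharacters or whitespace.
  shellPassphrase = lib.escapeShellArg passphrase;
in {
  name = "systemd-initrd-luks-unl0kr";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ tomfitzhenry ];
  };

  # wait_for_text in testScript reads the unl0kr prompt off the screen, which
  # only works with OCR enabled.
  enableOCR = true;

  nodes.machine = { pkgs, ... }: {
    virtualisation = {
      # Two blank disks; they appear as /dev/vdb and /dev/vdc and are turned
      # into the LUKS containers in testScript.
      emptyDiskImages = [ 512 512 ];
      useBootLoader = true;
      mountHostNixStore = true;
      useEFIBoot = true;
      qemu.options = [
        # A graphical console so the unl0kr prompt is rendered and can be
        # picked up by the OCR-based wait_for_text.
        "-vga virtio"
      ];
    };
    boot.loader.systemd-boot.enable = true;

    boot.initrd.availableKernelModules = [
      "evdev" # for entering pw
      "bochs" # display driver for the initrd console — presumably needed for the prompt to render; confirm
    ];

    environment.systemPackages = with pkgs; [ cryptsetup ];
    boot.initrd = {
      systemd = {
        enable = true;
        # Unauthenticated emergency shell in the initrd. A debugging aid that
        # is only acceptable here because the VM is disposable and isolated.
        emergencyAccess = true;
      };
      unl0kr.enable = true;
    };

    # Second boot entry, selected with `bootctl set-default` in testScript:
    # root lives on the encrypted disk. The default generation boots from the
    # plain image and is used to prepare the volumes.
    specialisation.boot-luks.configuration = {
      boot.initrd.luks.devices = lib.mkVMOverride {
        # We have two disks and only type one password - key reuse is in place
        cryptroot.device = "/dev/vdb";
        cryptroot2.device = "/dev/vdc";
      };
      virtualisation.rootDevice = "/dev/mapper/cryptroot";
      virtualisation.fileSystems."/".autoFormat = true;
      # test mounting device unlocked in initrd after switching root
      virtualisation.fileSystems."/cryptroot2".device = "/dev/mapper/cryptroot2";
    };
  };

  testScript = ''
    # Create encrypted volumes from the unencrypted default generation.
    # --iter-time=1 keeps the PBKDF benchmark to the minimum so the test stays
    # fast; it is a test-only setting, not a production one.
    machine.wait_for_unit("multi-user.target")
    machine.succeed("echo -n ${shellPassphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")
    machine.succeed("echo -n ${shellPassphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")
    machine.succeed("echo -n ${shellPassphrase} | cryptsetup luksOpen -q /dev/vdc cryptroot2")
    machine.succeed("mkfs.ext4 /dev/mapper/cryptroot2")

    # Boot from the encrypted disk: flush writes, then hard-reset so the next
    # start goes through the boot-luks specialisation.
    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
    machine.succeed("sync")
    machine.crash()

    # Boot and decrypt the disk: the passphrase is typed once at the unl0kr
    # prompt and must unlock both devices (key reuse).
    machine.start()
    machine.wait_for_text("Password required for booting")
    machine.screenshot("prompt")
    machine.send_chars("${passphrase}")
    machine.screenshot("pw")
    machine.send_chars("\n")
    machine.wait_for_unit("multi-user.target")

    # Both mappings must be mounted after switching root; read the mount
    # table once and check both entries against it.
    mounts = machine.succeed("mount")
    assert "/dev/mapper/cryptroot on / type ext4" in mounts, "/dev/mapper/cryptroot do not appear in mountpoints list"
    assert "/dev/mapper/cryptroot2 on /cryptroot2 type ext4" in mounts, "/dev/mapper/cryptroot2 does not appear in mountpoints list"
  '';
})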