pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / tests / initrd-luks-empty-passphrase.nix
at 25.11-pre 3.9 kB view raw
1{ 2 system ? builtins.currentSystem, 3 config ? { }, 4 pkgs ? import ../.. { inherit system config; }, 5 systemdStage1 ? false, 6}: 7import ./make-test-python.nix ( 8 { lib, pkgs, ... }: 9 let 10 11 keyfile = pkgs.writeText "luks-keyfile" '' 12 MIGHAoGBAJ4rGTSo/ldyjQypd0kuS7k2OSsmQYzMH6TNj3nQ/vIUjDn7fqa3slt2 13 gV6EK3TmTbGc4tzC1v4SWx2m+2Bjdtn4Fs4wiBwn1lbRdC6i5ZYCqasTWIntWn+6 14 FllUkMD5oqjOR/YcboxG8Z3B5sJuvTP9llsF+gnuveWih9dpbBr7AgEC 15 ''; 16 17 in 18 { 19 name = "initrd-luks-empty-passphrase"; 20 21 nodes.machine = 22 { pkgs, ... }: 23 { 24 imports = lib.optionals (!systemdStage1) [ ./common/auto-format-root-device.nix ]; 25 26 virtualisation = { 27 emptyDiskImages = [ 512 ]; 28 useBootLoader = true; 29 useEFIBoot = true; 30 # This requires to have access 31 # to a host Nix store as 32 # the new root device is /dev/vdb 33 # an empty 512MiB drive, containing no Nix store. 34 mountHostNixStore = true; 35 fileSystems."/".autoFormat = lib.mkIf systemdStage1 true; 36 }; 37 38 boot.loader.systemd-boot.enable = true; 39 boot.initrd.systemd = lib.mkIf systemdStage1 { 40 enable = true; 41 emergencyAccess = true; 42 }; 43 environment.systemPackages = with pkgs; [ cryptsetup ]; 44 45 specialisation.boot-luks-wrong-keyfile.configuration = { 46 boot.initrd.luks.devices = lib.mkVMOverride { 47 cryptroot = { 48 device = "/dev/vdb"; 49 keyFile = "/etc/cryptroot.key"; 50 tryEmptyPassphrase = true; 51 fallbackToPassword = !systemdStage1; 52 }; 53 }; 54 virtualisation.rootDevice = "/dev/mapper/cryptroot"; 55 boot.initrd.secrets."/etc/cryptroot.key" = keyfile; 56 }; 57 58 specialisation.boot-luks-missing-keyfile.configuration = { 59 boot.initrd.luks.devices = lib.mkVMOverride { 60 cryptroot = { 61 device = "/dev/vdb"; 62 keyFile = "/etc/cryptroot.key"; 63 tryEmptyPassphrase = true; 64 fallbackToPassword = !systemdStage1; 65 }; 66 }; 67 virtualisation.rootDevice = "/dev/mapper/cryptroot"; 68 }; 69 }; 70 71 testScript = '' 72 # Encrypt key with empty key so boot should try keyfile and then fallback to empty passphrase 73 74 75 def grub_select_boot_luks_wrong_key_file(): 76 """ 77 Selects "boot-luks" from the GRUB menu 78 to trigger a login request. 79 """ 80 machine.send_monitor_command("sendkey down") 81 machine.send_monitor_command("sendkey down") 82 machine.send_monitor_command("sendkey ret") 83 84 def grub_select_boot_luks_missing_key_file(): 85 """ 86 Selects "boot-luks" from the GRUB menu 87 to trigger a login request. 88 """ 89 machine.send_monitor_command("sendkey down") 90 machine.send_monitor_command("sendkey ret") 91 92 # Create encrypted volume 93 machine.wait_for_unit("multi-user.target") 94 machine.succeed("echo "" | cryptsetup luksFormat /dev/vdb --batch-mode") 95 machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks-wrong-keyfile.conf") 96 machine.succeed("sync") 97 machine.crash() 98 99 # Check if rootfs is on /dev/mapper/cryptroot 100 machine.wait_for_unit("multi-user.target") 101 assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount") 102 103 # Choose boot-luks-missing-keyfile specialisation 104 machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks-missing-keyfile.conf") 105 machine.succeed("sync") 106 machine.crash() 107 108 # Check if rootfs is on /dev/mapper/cryptroot 109 machine.wait_for_unit("multi-user.target") 110 assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount") 111 ''; 112 } 113)