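# NixOS VM test: a swap partition set up with `randomEncryption` must come up
# active and carry exactly the dm-crypt parameters given in the configuration
# (cipher, key size, sector size). The point of checking each value is that a
# regression which silently drops an option would otherwise leave swap on
# whatever defaults cryptsetup picks, with no visible failure.
import ./make-test-python.nix (
  { lib, pkgs, ... }:
  {
    name = "swap-random-encryption";

    nodes.machine =
      {
        config,
        pkgs,
        lib,
        ...
      }:
      {
        # cryptsetup is needed inside the guest for `cryptsetup status` below.
        environment.systemPackages = [ pkgs.cryptsetup ];

        # The test builds its own partition layout instead of the default one.
        virtualisation.useDefaultFilesystems = false;

        virtualisation.rootDevice = "/dev/vda1";

        # Partition /dev/vda on first boot only: vda1 takes everything except
        # the last 250MiB (root), vda2 is the trailing 250MiB (swap). The root
        # filesystem is created only when blkid reports no existing type.
        boot.initrd.postDeviceCommands = ''
          if ! test -b /dev/vda1; then
            ${pkgs.parted}/bin/parted --script /dev/vda -- mklabel msdos
            ${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary 1MiB -250MiB
            ${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary -250MiB 100%
            sync
          fi

          FSTYPE=$(blkid -o value -s TYPE /dev/vda1 || true)
          if test -z "$FSTYPE"; then
            ${pkgs.e2fsprogs}/bin/mke2fs -t ext4 -L root /dev/vda1
          fi
        '';

        virtualisation.fileSystems = {
          "/" = {
            device = "/dev/disk/by-label/root";
            fsType = "ext4";
          };
        };

        swapDevices = [
          {
            device = "/dev/vda2";

            # Swap is mapped through dm-crypt with a key generated at boot, so
            # pages written to swap are not recoverable once the key is gone.
            # The same property means the device cannot hold a hibernation image.
            randomEncryption = {
              enable = true;
              cipher = "aes-xts-plain64";
              # XTS splits the key into two halves: 512 bits here means AES-256.
              keySize = 512;
              sectorSize = 4096;
            };
          }
        ];
      };

    testScript = ''
      machine.wait_for_unit("multi-user.target")

      with subtest("Swap is active"):
          # Doesn't matter if the numbers reported by `free` are slightly off due to unit conversions.
          # The pattern accepts 240Mi-259Mi for the 250MiB partition. The backslash is
          # doubled so Python hands a literal \s to grep rather than an invalid escape.
          machine.succeed("free -h | grep -E 'Swap:\\s+2[45][0-9]Mi'")

      with subtest("Swap device has 4k sector size"):
          import json

          # The test expects the mapping under /dev/mapper/dev-vda2.
          result = json.loads(machine.succeed("lsblk -Jo PHY-SEC,LOG-SEC /dev/mapper/dev-vda2"))
          block_devices = result["blockdevices"]
          if len(block_devices) != 1:
              raise Exception("lsblk output did not report exactly one block device")

          swap_device = block_devices[0]
          if not (swap_device["phy-sec"] == 4096 and swap_device["log-sec"] == 4096):
              raise Exception("swap device does not have the sector size specified in the configuration")

      with subtest("Swap encrypt has assigned cipher and keysize"):
          import re

          results = machine.succeed("cryptsetup status dev-vda2").splitlines()

          # fullmatch on a whole line: a longer cipher or key-size string that merely
          # contains the expected value does not pass.
          cipher_pattern = re.compile(r"\s*cipher:\s+aes-xts-plain64\s*")
          if not any(cipher_pattern.fullmatch(line) for line in results):
              raise Exception("swap device encryption does not use the cipher specified in the configuration")

          key_size_pattern = re.compile(r"\s*keysize:\s+512\s+bits\s*")
          if not any(key_size_pattern.fullmatch(line) for line in results):
              raise Exception("swap device encryption does not use the key size specified in the configuration")
    '';
  }
)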