import ./make-test-python.nix (
  { pkgs, ... }:
  {
    # NixOS VM test: enroll a TPM2-bound LUKS key slot with systemd-cryptenroll,
    # verify the volume unlocks automatically on the next boot, then wipe the slot.
    name = "systemd-cryptenroll";
    meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ];

    nodes.machine =
      { pkgs, lib, ... }:
      {
        # cryptsetup is needed to create the LUKS container on the scratch disk.
        environment.systemPackages = [ pkgs.cryptsetup ];
        # One 512 MiB scratch disk (appears as /dev/vdb) plus a software TPM for the VM.
        virtualisation.emptyDiskImages = [ 512 ];
        virtualisation.tpm.enable = true;
      };

    testScript = ''
      luks_dev = "/dev/vdb"

      machine.start()

      # The TPM must be reachable both as the raw device node and through the
      # in-kernel resource manager node before systemd-cryptenroll can use it.
      for tpm_node in ("/dev/tpm0", "/dev/tpmrm0"):
          machine.succeed(f"test -e {tpm_node}")
      machine.succeed("systemd-cryptenroll --tpm2-device=list")

      # Format the scratch disk as a LUKS container protected by a passphrase.
      machine.succeed(f"echo -n lukspass | cryptsetup luksFormat -q {luks_dev} -")
      # Enroll a TPM2 key slot sealed against PCR 7 (Secure Boot state): TPM-based
      # unlock is only expected to succeed while that measured state is unchanged.
      # The existing passphrase is handed over via the PASSWORD variable; see
      # https://github.com/systemd/systemd/issues/20955 for the background.
      machine.succeed(f"PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 {luks_dev}")
      # Register the volume in /etc/crypttab so the next boot attempts TPM2 unlock.
      machine.succeed(f"echo 'luks {luks_dev} - tpm2-device=auto' >> /etc/crypttab")

      # Reboot and expect the volume to come up without a passphrase prompt.
      machine.shutdown()
      machine.start()
      machine.wait_for_unit("systemd-cryptsetup@luks.service")

      # Clean up: remove the TPM2 key slot again.
      machine.succeed(f"systemd-cryptenroll --wipe-slot=tpm2 {luks_dev}")
    '';
  }
)