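# NixOS VM test: unlock two LUKS volumes from the systemd initrd with the
# unl0kr on-screen password prompt, then verify both mappings after root
# switch. The first boot formats the disks; a reboot into the `boot-luks`
# specialisation exercises the initrd unlock path.
#
# Everything in this file is tuned for a throwaway test VM. The weak KDF
# setting (`--iter-time=1`), the initrd debug shell, emergency access and
# the test backdoor only exist to keep the test fast and debuggable.
import ./make-test-python.nix (
  { lib, pkgs, ... }:
  let
    # Test-only passphrase; it is typed into the unl0kr prompt below.
    passphrase = "secret";

    # Extra tools placed in the initrd so a failing run can be inspected
    # from the debug shell.
    debugPackages = with pkgs; [
      coreutils-prefixed
      toybox

      micro
      nano
    ];
  in
  {
    name = "systemd-initrd-luks-unl0kr";
    meta = {
      maintainers = [ ];
    };

    # TODO: Fix OCR: #302965
    # enableOCR = true;

    nodes.machine =
      { pkgs, ... }:
      {
        virtualisation = {
          # Two blank disks: one becomes the encrypted root, the other a
          # second LUKS volume mounted after switch-root.
          emptyDiskImages = [
            512
            512
          ];
          useBootLoader = true;
          mountHostNixStore = true;
          useEFIBoot = true;
          # unl0kr renders its prompt via DRM, so the VM needs a display.
          qemu.options = [
            "-vga virtio"
          ];
        };
        boot.loader.systemd-boot.enable = true;

        # Debug aid for the test VM only: opens a shell on the initrd console.
        boot.kernelParams = [
          "rd.systemd.debug_shell"
        ];

        environment.systemPackages =
          with pkgs;
          [
            cryptsetup
          ]
          ++ debugPackages;
        boot.initrd = {
          systemd = {
            enable = true;
            # Debug aid for the test VM only; not something to carry into a
            # real configuration.
            emergencyAccess = true;

            storePaths = debugPackages;
          };
          unl0kr = {
            enable = true;

            settings = {
              general.backend = "drm";
              # TODO: Fix OCR. See above.
              # theme.default = "adwaita-dark"; # Improves contrast quite a bit, helpful for OCR.
            };
          };
        };

        # Second generation that actually boots from the encrypted disks.
        specialisation.boot-luks.configuration = {
          # Lets the test driver reach the initrd; test harness only.
          testing.initrdBackdoor = true;
          boot.initrd.luks.devices = lib.mkVMOverride {
            # We have two disks and only type one password - key reuse is in place
            cryptroot.device = "/dev/vdb";
            cryptroot2.device = "/dev/vdc";
          };
          virtualisation.rootDevice = "/dev/mapper/cryptroot";
          virtualisation.fileSystems."/".autoFormat = true;
          # test mounting device unlocked in initrd after switching root
          virtualisation.fileSystems."/cryptroot2".device = "/dev/mapper/cryptroot2";
        };
      };

    testScript = ''
      # Create encrypted volumes. `--iter-time=1` makes the PBKDF nearly
      # instant so the test stays fast; it is not a production setting.
      machine.wait_for_unit("multi-user.target")
      machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")
      machine.succeed("echo -n ${passphrase} | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")
      machine.succeed("echo -n ${passphrase} | cryptsetup luksOpen -q /dev/vdc cryptroot2")
      machine.succeed("mkfs.ext4 /dev/mapper/cryptroot2")

      # Boot from the encrypted disk
      machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
      machine.succeed("sync")
      machine.crash()

      # Boot and decrypt the disk. This part of the test is SLOW.
      machine.start()
      machine.wait_for_unit("unl0kr-agent.service")
      machine.screenshot("prompt")
      machine.send_chars("${passphrase}")
      machine.screenshot("pw")
      machine.send_chars("\n")
      machine.switch_root()
      machine.wait_for_unit("multi-user.target")

      # Both mappings must survive the root switch: the root volume and the
      # second volume unlocked in the initrd with the same passphrase.
      assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount"), "/dev/mapper/cryptroot does not appear in mountpoints list"
      assert "/dev/mapper/cryptroot2 on /cryptroot2 type ext4" in machine.succeed("mount"), "/dev/mapper/cryptroot2 does not appear in mountpoints list"
    '';
  }
)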