pyrox.dev
1{
2 system ? builtins.currentSystem,
3 config ? { },
4 pkgs ? import ../.. { inherit system config; },
5 lib ? pkgs.lib,
6 testing ? import ../lib/testing-python.nix { inherit system pkgs; },
7}:
8
9let
10 secret1InStore = pkgs.writeText "topsecret" "iamasecret1";
11 secret2InStore = pkgs.writeText "topsecret" "iamasecret2";
12in
13
14testing.makeTest {
15 name = "initrd-secrets-changing";
16
17 nodes.machine =
18 { ... }:
19 {
20 virtualisation.useBootLoader = true;
21
22 boot.loader.grub.device = "/dev/vda";
23
24 boot.initrd.secrets = {
25 "/test" = secret1InStore;
26 "/run/keys/test" = secret1InStore;
27 };
28 boot.initrd.postMountCommands = "cp /test /mnt-root/secret-from-initramfs";
29
30 specialisation.secrets2System.configuration = {
31 boot.initrd.secrets = lib.mkForce {
32 "/test" = secret2InStore;
33 "/run/keys/test" = secret2InStore;
34 };
35 };
36 };
37
38 testScript = ''
39 start_all()
40
41 machine.wait_for_unit("multi-user.target")
42 print(machine.succeed("cat /run/keys/test"))
43 machine.succeed(
44 "cmp ${secret1InStore} /secret-from-initramfs",
45 "cmp ${secret1InStore} /run/keys/test",
46 )
47 # Select the second boot entry corresponding to the specialisation secrets2System.
48 machine.succeed("grub-reboot 1")
49 machine.shutdown()
50
51 with subtest("Check that the specialisation's secrets are distinct despite identical kernels"):
52 machine.wait_for_unit("multi-user.target")
53 print(machine.succeed("cat /run/keys/test"))
54 machine.succeed(
55 "cmp ${secret2InStore} /secret-from-initramfs",
56 "cmp ${secret2InStore} /run/keys/test",
57 )
58 machine.shutdown()
59 '';
60}