nixos/tests/swap-random-encryption.nix at master · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / swap-random-encryption.nix
at master 2.7 kB view raw
 1{ lib, pkgs, ... }:
 2{
 3  name = "swap-random-encryption";
 4
 5  nodes.machine =
 6    {
 7      config,
 8      pkgs,
 9      lib,
10      ...
11    }:
12    {
13      environment.systemPackages = [ pkgs.cryptsetup ];
14
15      virtualisation.useDefaultFilesystems = false;
16
17      virtualisation.rootDevice = "/dev/vda1";
18
19      boot.initrd.postDeviceCommands = ''
20        if ! test -b /dev/vda1; then
21          ${pkgs.parted}/bin/parted --script /dev/vda -- mklabel msdos
22          ${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary 1MiB -250MiB
23          ${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary -250MiB 100%
24          sync
25        fi
26
27        FSTYPE=$(blkid -o value -s TYPE /dev/vda1 || true)
28        if test -z "$FSTYPE"; then
29          ${pkgs.e2fsprogs}/bin/mke2fs -t ext4 -L root /dev/vda1
30        fi
31      '';
32
33      virtualisation.fileSystems = {
34        "/" = {
35          device = "/dev/disk/by-label/root";
36          fsType = "ext4";
37        };
38      };
39
40      swapDevices = [
41        {
42          device = "/dev/vda2";
43
44          randomEncryption = {
45            enable = true;
46            cipher = "aes-xts-plain64";
47            keySize = 512;
48            sectorSize = 4096;
49          };
50        }
51      ];
52    };
53
54  testScript = ''
55    machine.wait_for_unit("multi-user.target")
56
57    with subtest("Swap is active"):
58      # Doesn't matter if the numbers reported by `free` are slightly off due to unit conversions.
59      machine.succeed("free -h | grep -E 'Swap:\s+2[45][0-9]Mi'")
60
61    with subtest("Swap device has 4k sector size"):
62      import json
63      result = json.loads(machine.succeed("lsblk -Jo PHY-SEC,LOG-SEC /dev/mapper/dev-vda2"))
64      block_devices = result["blockdevices"]
65      if len(block_devices) != 1:
66        raise Exception ("lsblk output did not report exactly one block device")
67
68      swapDevice = block_devices[0];
69      if not (swapDevice["phy-sec"] == 4096 and swapDevice["log-sec"] == 4096):
70        raise Exception ("swap device does not have the sector size specified in the configuration")
71
72    with subtest("Swap encrypt has assigned cipher and keysize"):
73      import re
74
75      results = machine.succeed("cryptsetup status dev-vda2").splitlines()
76
77      cipher_pattern = re.compile(r"\s*cipher:\s+aes-xts-plain64\s*")
78      if not any(cipher_pattern.fullmatch(line) for line in results):
79        raise Exception ("swap device encryption does not use the cipher specified in the configuration")
80
81      key_size_pattern = re.compile(r"\s*keysize:\s+512\s+bits\s*")
82      if not any(key_size_pattern.fullmatch(line) for line in results):
83        raise Exception ("swap device encryption does not use the key size specified in the configuration")
84  '';
85}