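{ pkgs, ... }:
{
  name = "systemd-cryptenroll";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ ymatsiuk ];
  };

  # One VM with a spare 512 MiB disk (exposed as /dev/vdb, see testScript) for the
  # LUKS volume, plus an emulated TPM so systemd-cryptenroll has a device to seal to.
  nodes.machine =
    { pkgs, lib, ... }:
    {
      environment.systemPackages = [ pkgs.cryptsetup ];
      virtualisation = {
        emptyDiskImages = [ 512 ];
        tpm.enable = true;
      };
    };

  testScript = ''
    machine.start()

    # Verify the TPM device is available and accessible by systemd-cryptenroll
    machine.succeed("test -e /dev/tpm0")
    machine.succeed("test -e /dev/tpmrm0")
    machine.succeed("systemd-cryptenroll --tpm2-device=auto --tpm2-device=list" if False else "systemd-cryptenroll --tpm2-device=list")

    # Create LUKS partition
    machine.succeed("echo -n lukspass | cryptsetup luksFormat -q /dev/vdb -")
    # Enroll new LUKS key and bind it to Secure Boot state (PCR 7).
    # NOTE(review): the automatic unlock after reboot below only works if PCR 7
    # is stable across boots of this VM image — confirm if the test starts flaking.
    # For more details on PASSWORD variable, check the following issue:
    # https://github.com/systemd/systemd/issues/20955
    machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb")
    # Confirm the enrollment really landed in the LUKS2 header as a TPM2 token.
    # Without this, a no-op enrollment could go unnoticed if the boot-time unlock
    # happened to succeed through some other path.
    machine.succeed("cryptsetup luksDump /dev/vdb | grep -q systemd-tpm2")
    # Add LUKS partition to /etc/crypttab to test auto unlock
    machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab")

    machine.shutdown()
    machine.start()

    # Test LUKS partition automatic unlock on boot
    machine.wait_for_unit("systemd-cryptsetup@luks.service")
    # An active unit is not the same as a usable volume: the mapping named in
    # crypttab must actually exist.
    machine.succeed("test -e /dev/mapper/luks")
    # Wipe TPM2 slot
    machine.succeed("systemd-cryptenroll --wipe-slot=tpm2 /dev/vdb")
    # The wipe must remove the TPM2 token but leave the passphrase keyslot intact,
    # otherwise the volume would be left unrecoverable.
    machine.fail("cryptsetup luksDump /dev/vdb | grep -q systemd-tpm2")
    machine.succeed("echo -n lukspass | cryptsetup open --test-passphrase --key-file=- /dev/vdb")
  '';
}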