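# NixOS VM test: boot a system whose root filesystem lives on a LUKS volume
# and unlock it from a systemd-based initrd through the unl0kr on-screen
# prompt.  A second LUKS volume is unlocked with the same passphrase and
# mounted after switch-root to check that devices opened in the initrd stay
# usable in the final system.
{ lib, pkgs, ... }:
let
  # Test-only LUKS passphrase.  It is interpolated into shell commands that
  # run inside the guest (so it shows up on that VM's command lines) and is
  # typed into the unl0kr prompt by the test driver below.
  passphrase = "secret";

  # Interactive tooling made available both in the final system and in the
  # initrd (via boot.initrd.systemd.storePaths) for debugging a failed run.
  debugPackages = with pkgs; [
    coreutils-prefixed
    toybox

    micro
    nano
  ];
in
{
  name = "systemd-initrd-luks-unl0kr";
  meta = {
    maintainers = [ ];
  };

  # TODO: Fix OCR: #302965
  # enableOCR = true;

  nodes.machine =
    { pkgs, ... }:
    {
      virtualisation = {
        # Two blank disks (/dev/vdb, /dev/vdc) that the test script formats
        # as LUKS volumes.
        emptyDiskImages = [
          512
          512
        ];
        # A real boot loader is needed so the boot-luks specialisation can be
        # selected with bootctl and the initrd actually runs.
        useBootLoader = true;
        mountHostNixStore = true;
        useEFIBoot = true;
        # unl0kr draws its prompt via DRM; give the guest a graphics device.
        qemu.options = [
          "-vga virtio"
        ];
      };
      boot.loader.systemd-boot.enable = true;

      # Debug aid for this test VM: opens an unauthenticated shell in the
      # initrd.  Together with emergencyAccess below it is what makes a
      # failing unlock debuggable; neither belongs in a real configuration.
      boot.kernelParams = [
        "rd.systemd.debug_shell"
      ];

      environment.systemPackages =
        with pkgs;
        [
          cryptsetup
        ]
        ++ debugPackages;
      boot.initrd = {
        systemd = {
          enable = true;
          # Password-less emergency shell in the initrd (test-only, see above).
          emergencyAccess = true;

          storePaths = debugPackages;
        };
        unl0kr = {
          enable = true;

          settings = {
            general.backend = "drm";
            # TODO: Fix OCR. See above.
            # theme.default = "adwaita-dark"; # Improves contrast quite a bit, helpful for OCR.
          };
        };
      };

      # Second boot entry: root on the encrypted disk.  The default entry is
      # used only for the initial luksFormat, because the disks are blank on
      # first boot.
      specialisation.boot-luks.configuration = {
        # Lets the test driver run commands inside the initrd; the script
        # must then call machine.switch_root() explicitly.
        testing.initrdBackdoor = true;
        boot.initrd.luks.devices = lib.mkVMOverride {
          # Two volumes, one passphrase typed: the passphrase entered for the
          # first volume is reused to open the second one.
          cryptroot.device = "/dev/vdb";
          cryptroot2.device = "/dev/vdc";
        };
        virtualisation.rootDevice = "/dev/mapper/cryptroot";
        virtualisation.fileSystems."/".autoFormat = true;
        # test mounting device unlocked in initrd after switching root
        virtualisation.fileSystems."/cryptroot2".device = "/dev/mapper/cryptroot2";
      };
    };

  testScript = ''
    # Create encrypted volumes.  The passphrase is single-quoted so a value
    # containing whitespace or shell metacharacters reaches cryptsetup
    # unchanged.  --iter-time=1 shrinks the PBKDF cost to keep the test fast;
    # it is a test-only setting.
    machine.wait_for_unit("multi-user.target")
    machine.succeed("echo -n '${passphrase}' | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")
    machine.succeed("echo -n '${passphrase}' | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")
    machine.succeed("echo -n '${passphrase}' | cryptsetup luksOpen -q /dev/vdc cryptroot2")
    machine.succeed("mkfs.ext4 /dev/mapper/cryptroot2")

    # Boot from the encrypted disk
    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
    machine.succeed("sync")
    machine.crash()

    # Boot and decrypt the disk. This part of the test is SLOW.
    machine.start()
    machine.wait_for_unit("unl0kr-agent.service")
    machine.screenshot("prompt")
    machine.send_chars("${passphrase}")
    machine.screenshot("pw")
    machine.send_chars("\n")
    # initrdBackdoor is set: hand over to the final system ourselves.
    machine.switch_root()
    machine.wait_for_unit("multi-user.target")

    # Both mappers must be mounted in the final system: the root volume and
    # the second volume unlocked in the initrd with the reused passphrase.
    assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount"), "/dev/mapper/cryptroot does not appear in the mount list"
    assert "/dev/mapper/cryptroot2 on /cryptroot2 type ext4" in machine.succeed("mount"), "/dev/mapper/cryptroot2 does not appear in the mount list"
  '';
}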