pyrox.dev / nixpkgs
lol
fork atom

nixos/tests: adopt newest TPM support in test infra

Raito Bezarius 83b131bb 25872524

options
unified split
Changed files
+23 -116
nixos
tests
systemd-credentials-tpm2.nix
systemd-cryptenroll.nix
systemd-initrd-luks-tpm2.nix
+2 -57
nixos/tests/systemd-credentials-tpm2.nix 
···

       
1

       

       
-

       
import ./make-test-python.nix ({ lib, pkgs, system, ... }:


     

       
2

       

       
-

       



     

       
3

       

       
-

       
let


     

       
4

       

       
-

       
  tpmSocketPath = "/tmp/swtpm-sock";


     

       
5

       

       
-

       
  tpmDeviceModels = {


     

       
6

       

       
-

       
    x86_64-linux = "tpm-tis";


     

       
7

       

       
-

       
    aarch64-linux = "tpm-tis-device";


     

       
8

       

       
-

       
  };


     

       
9

       

       
-

       
in


     

       
10

       

       
-

       



     

       

       
1

       
+

       
import ./make-test-python.nix ({ lib, pkgs, ... }:


     

       
11

       
2

       
 

       
{


     

       
12

       
3

       
 

       
  name = "systemd-credentials-tpm2";


     

       
13

       
4

       
 

       



     
···

       
16

       
7

       
 

       
  };


     

       
17

       
8

       
 

       



     

       
18

       
9

       
 

       
  nodes.machine = { pkgs, ... }: {


     

       
19

       

       
-

       
    virtualisation = {


     

       
20

       

       
-

       
      qemu.options = [


     

       
21

       

       
-

       
        "-chardev socket,id=chrtpm,path=${tpmSocketPath}"


     

       
22

       

       
-

       
        "-tpmdev emulator,id=tpm_dev_0,chardev=chrtpm"


     

       
23

       

       
-

       
        "-device ${tpmDeviceModels.${system}},tpmdev=tpm_dev_0"


     

       
24

       

       
-

       
      ];


     

       
25

       

       
-

       
    };


     

       
26

       

       
-

       



     

       
27

       

       
-

       
    boot.initrd.availableKernelModules = [ "tpm_tis" ];


     

       
28

       

       
-

       



     

       

       
10

       
+

       
    virtualisation.tpm.enable = true;


     

       
29

       
11

       
 

       
    environment.systemPackages = with pkgs; [ diffutils ];


     

       
30

       
12

       
 

       
  };


     

       
31

       
13

       
 

       



     

       
32

       
14

       
 

       
  testScript = ''


     

       
33

       

       
-

       
    import subprocess


     

       
34

       

       
-

       
    from tempfile import TemporaryDirectory


     

       
35

       

       
-

       



     

       
36

       

       
-

       
    # From systemd-initrd-luks-tpm2.nix


     

       
37

       

       
-

       
    class Tpm:


     

       
38

       

       
-

       
        def __init__(self):


     

       
39

       

       
-

       
            self.state_dir = TemporaryDirectory()


     

       
40

       

       
-

       
            self.start()


     

       
41

       

       
-

       



     

       
42

       

       
-

       
        def start(self):


     

       
43

       

       
-

       
            self.proc = subprocess.Popen(["${pkgs.swtpm}/bin/swtpm",


     

       
44

       

       
-

       
                "socket",


     

       
45

       

       
-

       
                "--tpmstate", f"dir={self.state_dir.name}",


     

       
46

       

       
-

       
                "--ctrl", "type=unixio,path=${tpmSocketPath}",


     

       
47

       

       
-

       
                "--tpm2",


     

       
48

       

       
-

       
                ])


     

       
49

       

       
-

       



     

       
50

       

       
-

       
            # Check whether starting swtpm failed


     

       
51

       

       
-

       
            try:


     

       
52

       

       
-

       
                exit_code = self.proc.wait(timeout=0.2)


     

       
53

       

       
-

       
                if exit_code is not None and exit_code != 0:


     

       
54

       

       
-

       
                    raise Exception("failed to start swtpm")


     

       
55

       

       
-

       
            except subprocess.TimeoutExpired:


     

       
56

       

       
-

       
                pass


     

       
57

       

       
-

       



     

       
58

       

       
-

       
        """Check whether the swtpm process exited due to an error"""


     

       
59

       

       
-

       
        def check(self):


     

       
60

       

       
-

       
            exit_code = self.proc.poll()


     

       
61

       

       
-

       
            if exit_code is not None and exit_code != 0:


     

       
62

       

       
-

       
                raise Exception("swtpm process died")


     

       
63

       

       
-

       



     

       
64

       
15

       
 

       
    CRED_NAME = "testkey"


     

       
65

       
16

       
 

       
    CRED_RAW_FILE = f"/root/{CRED_NAME}"


     

       
66

       
17

       
 

       
    CRED_FILE = f"/root/{CRED_NAME}.cred"


     
···

       
84

       
35

       
 

       
            raise Exception(f"systemd_run failed (status {status})")


     

       
85

       
36

       
 

       



     

       
86

       
37

       
 

       
        machine.log("systemd-run finished successfully")


     

       
87

       

       
-

       



     

       
88

       

       
-

       
    tpm = Tpm()


     

       
89

       

       
-

       



     

       
90

       

       
-

       
    @polling_condition


     

       
91

       

       
-

       
    def swtpm_running():


     

       
92

       

       
-

       
        tpm.check()


     

       
93

       
38

       
 

       



     

       
94

       
39

       
 

       
    machine.wait_for_unit("multi-user.target")


     

       
95

       
40
+20 -33
nixos/tests/systemd-cryptenroll.nix 
···

       
8

       
8

       
 

       
    environment.systemPackages = [ pkgs.cryptsetup ];


     

       
9

       
9

       
 

       
    virtualisation = {


     

       
10

       
10

       
 

       
      emptyDiskImages = [ 512 ];


     

       
11

       

       
-

       
      qemu.options = [


     

       
12

       

       
-

       
        "-chardev socket,id=chrtpm,path=/tmp/swtpm-sock"


     

       
13

       

       
-

       
        "-tpmdev emulator,id=tpm0,chardev=chrtpm"


     

       
14

       

       
-

       
        "-device tpm-tis,tpmdev=tpm0"


     

       
15

       

       
-

       
      ];


     

       

       
11

       
+

       
      tpm.enable = true;


     

       
16

       
12

       
 

       
    };


     

       
17

       
13

       
 

       
  };


     

       
18

       
14

       
 

       



     

       
19

       
15

       
 

       
  testScript = ''


     

       
20

       

       
-

       
    import subprocess


     

       
21

       

       
-

       
    import tempfile


     

       

       
16

       
+

       
    machine.start()


     

       
22

       
17

       
 

       



     

       
23

       

       
-

       
    def start_swtpm(tpmstate):


     

       
24

       

       
-

       
        subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir="+tpmstate, "--ctrl", "type=unixio,path=/tmp/swtpm-sock", "--log", "level=0", "--tpm2"])


     

       

       
18

       
+

       
    # Verify the TPM device is available and accessible by systemd-cryptenroll


     

       

       
19

       
+

       
    machine.succeed("test -e /dev/tpm0")


     

       

       
20

       
+

       
    machine.succeed("test -e /dev/tpmrm0")


     

       

       
21

       
+

       
    machine.succeed("systemd-cryptenroll --tpm2-device=list")


     

       
25

       
22

       
 

       



     

       
26

       

       
-

       
    with tempfile.TemporaryDirectory() as tpmstate:


     

       
27

       

       
-

       
        start_swtpm(tpmstate)


     

       
28

       

       
-

       
        machine.start()


     

       

       
23

       
+

       
    # Create LUKS partition


     

       

       
24

       
+

       
    machine.succeed("echo -n lukspass | cryptsetup luksFormat -q /dev/vdb -")


     

       

       
25

       
+

       
    # Enroll new LUKS key and bind it to Secure Boot state


     

       

       
26

       
+

       
    # For more details on PASSWORD variable, check the following issue:


     

       

       
27

       
+

       
    # https://github.com/systemd/systemd/issues/20955


     

       

       
28

       
+

       
    machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb")


     

       

       
29

       
+

       
    # Add LUKS partition to /etc/crypttab to test auto unlock


     

       

       
30

       
+

       
    machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab")


     

       
29

       
31

       
 

       



     

       
30

       

       
-

       
        # Verify the TPM device is available and accessible by systemd-cryptenroll


     

       
31

       

       
-

       
        machine.succeed("test -e /dev/tpm0")


     

       
32

       

       
-

       
        machine.succeed("test -e /dev/tpmrm0")


     

       
33

       

       
-

       
        machine.succeed("systemd-cryptenroll --tpm2-device=list")


     

       
34

       

       
-

       



     

       
35

       

       
-

       
        # Create LUKS partition


     

       
36

       

       
-

       
        machine.succeed("echo -n lukspass | cryptsetup luksFormat -q /dev/vdb -")


     

       
37

       

       
-

       
        # Enroll new LUKS key and bind it to Secure Boot state


     

       
38

       

       
-

       
        # For more details on PASSWORD variable, check the following issue:


     

       
39

       

       
-

       
        # https://github.com/systemd/systemd/issues/20955


     

       
40

       

       
-

       
        machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb")


     

       
41

       

       
-

       
        # Add LUKS partition to /etc/crypttab to test auto unlock


     

       
42

       

       
-

       
        machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab")


     

       
43

       

       
-

       
        machine.shutdown()


     

       

       
32

       
+

       
    machine.shutdown()


     

       

       
33

       
+

       
    machine.start()


     

       
44

       
34

       
 

       



     

       
45

       

       
-

       
        start_swtpm(tpmstate)


     

       
46

       

       
-

       
        machine.start()


     

       
47

       

       
-

       



     

       
48

       

       
-

       
        # Test LUKS partition automatic unlock on boot


     

       
49

       

       
-

       
        machine.wait_for_unit("systemd-cryptsetup@luks.service")


     

       
50

       

       
-

       
        # Wipe TPM2 slot


     

       
51

       

       
-

       
        machine.succeed("systemd-cryptenroll --wipe-slot=tpm2 /dev/vdb")


     

       

       
35

       
+

       
    # Test LUKS partition automatic unlock on boot


     

       

       
36

       
+

       
    machine.wait_for_unit("systemd-cryptsetup@luks.service")


     

       

       
37

       
+

       
    # Wipe TPM2 slot


     

       

       
38

       
+

       
    machine.succeed("systemd-cryptenroll --wipe-slot=tpm2 /dev/vdb")


     

       
52

       
39

       
 

       
  '';


     

       
53

       
40

       
 

       
})


     

       
54

       
41
+1 -26
nixos/tests/systemd-initrd-luks-tpm2.nix 
···

       
9

       
9

       
 

       
      # Booting off the TPM2-encrypted device requires an available init script


     

       
10

       
10

       
 

       
      mountHostNixStore = true;


     

       
11

       
11

       
 

       
      useEFIBoot = true;


     

       
12

       

       
-

       
      qemu.options = ["-chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"];


     

       

       
12

       
+

       
      tpm.enable = true;


     

       
13

       
13

       
 

       
    };


     

       
14

       
14

       
 

       
    boot.loader.systemd-boot.enable = true;


     

       
15

       
15

       
 

       



     
···

       
33

       
33

       
 

       
  };


     

       
34

       
34

       
 

       



     

       
35

       
35

       
 

       
  testScript = ''


     

       
36

       

       
-

       
    import subprocess


     

       
37

       

       
-

       
    import os


     

       
38

       

       
-

       
    import time


     

       
39

       

       
-

       



     

       
40

       

       
-

       



     

       
41

       

       
-

       
    class Tpm:


     

       
42

       

       
-

       
        def __init__(self):


     

       
43

       

       
-

       
            os.mkdir("/tmp/mytpm1")


     

       
44

       

       
-

       
            self.start()


     

       
45

       

       
-

       



     

       
46

       

       
-

       
        def start(self):


     

       
47

       

       
-

       
            self.proc = subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir=/tmp/mytpm1", "--ctrl", "type=unixio,path=/tmp/mytpm1/swtpm-sock", "--log", "level=20", "--tpm2"])


     

       
48

       

       
-

       



     

       
49

       

       
-

       
        def wait_for_death_then_restart(self):


     

       
50

       

       
-

       
            while self.proc.poll() is None:


     

       
51

       

       
-

       
                print("waiting for tpm to die")


     

       
52

       

       
-

       
                time.sleep(1)


     

       
53

       

       
-

       
            assert self.proc.returncode == 0


     

       
54

       

       
-

       
            self.start()


     

       
55

       

       
-

       



     

       
56

       

       
-

       
    tpm = Tpm()


     

       
57

       

       
-

       



     

       
58

       

       
-

       



     

       
59

       
36

       
 

       
    # Create encrypted volume


     

       
60

       
37

       
 

       
    machine.wait_for_unit("multi-user.target")


     

       
61

       
38

       
 

       
    machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")


     
···

       
65

       
42

       
 

       
    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")


     

       
66

       
43

       
 

       
    machine.succeed("sync")


     

       
67

       
44

       
 

       
    machine.crash()


     

       
68

       

       
-

       



     

       
69

       

       
-

       
    tpm.wait_for_death_then_restart()


     

       
70

       
45

       
 

       



     

       
71

       
46

       
 

       
    # Boot and decrypt the disk


     

       
72

       
47

       
 

       
    machine.wait_for_unit("multi-user.target")