author | Yurii Matsiuk <ymatsiuk@users.noreply.github.com> | 2021-10-04 12:54:13 +0200 |
---|---|---|
committer | Yurii Matsiuk <ymatsiuk@users.noreply.github.com> | 2021-10-07 15:58:02 +0200 |
commit | e8fe1c9efeda44fa7241ec6cd4ffd72522c30132 (patch) | |
tree | 6b41d95c68f5cf4ceae5b401f6c9a63a27a937ef /nixos/tests/systemd-cryptenroll.nix | |
parent | 73ac07a127d91a7fedd23cc508fe59c5a935dbe2 (diff) |
nixos/tests/systemd-cryptenroll: add basic TPM2 test
Diffstat (limited to 'nixos/tests/systemd-cryptenroll.nix')
-rw-r--r-- | nixos/tests/systemd-cryptenroll.nix | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/nixos/tests/systemd-cryptenroll.nix b/nixos/tests/systemd-cryptenroll.nix
new file mode 100644
index 0000000000000..2c436f2de890b
--- /dev/null
+++ b/nixos/tests/systemd-cryptenroll.nix
@@ -0,0 +1,55 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+ name = "systemd-cryptenroll";
+ meta = with pkgs.lib.maintainers; {
+ maintainers = [ ymatsiuk ];
+ };
+
+ machine = { pkgs, lib, ... }: {
+ environment.systemPackages = [ pkgs.cryptsetup ];
+ virtualisation = {
+ emptyDiskImages = [ 512 ];
+ memorySize = 1024;
+ qemu.options = [
+ "-chardev socket,id=chrtpm,path=/tmp/swtpm-sock"
+ "-tpmdev emulator,id=tpm0,chardev=chrtpm"
+ "-device tpm-tis,tpmdev=tpm0"
+ ];
+ };
+ };
+
+ testScript = ''
+ import subprocess
+ import tempfile
+
+ def start_swtpm(tpmstate):
+ subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir="+tpmstate, "--ctrl", "type=unixio,path=/tmp/swtpm-sock", "--log", "level=0", "--tpm2"])
+
+ with tempfile.TemporaryDirectory() as tpmstate:
+ start_swtpm(tpmstate)
+ machine.start()
+
+ # Verify the TPM device is available and accessible by systemd-cryptenroll
+ machine.succeed("test -e /dev/tpm0")
+ machine.succeed("test -e /dev/tpmrm0")
+ machine.succeed("systemd-cryptenroll --tpm2-device=list")
+
+ # Create LUKS partition
+ machine.succeed("echo -n lukspass | cryptsetup luksFormat -q /dev/vdb -")
+ # Enroll new LUKS key and bind it to Secure Boot state
+ # For more details on PASSWORD variable, check the following issue:
+ # https://github.com/systemd/systemd/issues/20955
+ machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb")
+ # Add LUKS partition to /etc/crypttab to test auto unlock
+ machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab")
+ machine.shutdown()
+
+ start_swtpm(tpmstate)
+ machine.start()
+
+ # Test LUKS partition automatic unlock on boot
+ machine.wait_for_unit("systemd-cryptsetup@luks.service")
+ # Wipe TPM2 slot
+ machine.succeed("systemd-cryptenroll --wipe-slot=tpm2 /dev/vdb")
+ '';
+})
+ |
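Review bot: `start_swtpm` in the testScript discards the `Popen` handle and returns at once, so the following `machine.start()` can race the emulator: the `-chardev socket,...,path=/tmp/swtpm-sock` option makes QEMU connect as a client, and if swtpm has not yet created the socket the VM start fails; the child is also never terminated, so the second `start_swtpm` call after `machine.shutdown()` may find the path still held by the first instance (whether swtpm exits on its own when the control connection closes is not visible here). Consider returning the handle from `start_swtpm`, polling for the socket before starting the machine, e.g. `while not os.path.exists("/tmp/swtpm-sock"): time.sleep(0.1)`, and calling `proc.terminate()` after each `machine.shutdown()` and at the end of the `with` block. The test also only exercises the happy path of the `--tpm2-pcrs=7` enrollment; a negative check that unlock is refused when the sealed PCR state differs, and a `cryptsetup luksDump /dev/vdb` check after `--wipe-slot=tpm2` confirming the tpm2 token is gone, would make the auto-unlock assertion meaningful. Placing the control socket under the `tpmstate` temporary directory instead of the fixed `/tmp/swtpm-sock` path would avoid collisions between concurrent test runs, though that needs the Nix `qemu.options` string to follow.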