author | Guillaume Girol <symphorien@users.noreply.github.com> | 2023-03-12 18:50:33 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-03-12 18:50:33 +0000 |
commit | db901673ea512cce8a05ee6a7b79938bf4c02a12 (patch) | |
tree | 33541c0cff0a63de8a476f9ebcc5dd2276a43221 /nixos/tests | |
parent | f71d96a585d18e05c4c194f94db5374dd624268e (diff) | |
parent | 678eed323ffd90117472cd432ebe85dddaff07f1 (diff) |
Merge pull request #209156 from pwaller/issue-114594
nixos/grub: Name initrd-secrets by system, not by initrd
Diffstat (limited to 'nixos/tests')
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/initrd-secrets-changing.nix | 58 |
2 files changed, 59 insertions, 0 deletions
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 0c3310cabe420..c1059f8c98417 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -311,6 +311,7 @@ in {
 initrd-network-ssh = handleTest ./initrd-network-ssh {};
 initrdNetwork = handleTest ./initrd-network.nix {};
 initrd-secrets = handleTest ./initrd-secrets.nix {};
+ initrd-secrets-changing = handleTest ./initrd-secrets-changing.nix {};
 input-remapper = handleTest ./input-remapper.nix {};
 inspircd = handleTest ./inspircd.nix {};
 installer = handleTest ./installer.nix {};
diff --git a/nixos/tests/initrd-secrets-changing.nix b/nixos/tests/initrd-secrets-changing.nix
new file mode 100644
index 0000000000000..775c69d0142db
--- /dev/null
+++ b/nixos/tests/initrd-secrets-changing.nix
@@ -0,0 +1,58 @@
+{ system ? builtins.currentSystem
+, config ? {}
+, pkgs ? import ../.. { inherit system config; }
+, lib ? pkgs.lib
+, testing ? import ../lib/testing-python.nix { inherit system pkgs; }
+}:
+
+let
+ secret1InStore = pkgs.writeText "topsecret" "iamasecret1";
+ secret2InStore = pkgs.writeText "topsecret" "iamasecret2";
+in
+
+testing.makeTest {
+ name = "initrd-secrets-changing";
+
+ nodes.machine = { ... }: {
+ virtualisation.useBootLoader = true;
+ virtualisation.persistBootDevice = true;
+
+ boot.loader.grub.device = "/dev/vda";
+
+ boot.initrd.secrets = {
+ "/test" = secret1InStore;
+ "/run/keys/test" = secret1InStore;
+ };
+ boot.initrd.postMountCommands = "cp /test /mnt-root/secret-from-initramfs";
+
+ specialisation.secrets2System.configuration = {
+ boot.initrd.secrets = lib.mkForce {
+ "/test" = secret2InStore;
+ "/run/keys/test" = secret2InStore;
+ };
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ machine.wait_for_unit("multi-user.target")
+ print(machine.succeed("cat /run/keys/test"))
+ machine.succeed(
+ "cmp ${secret1InStore} /secret-from-initramfs",
+ "cmp ${secret1InStore} /run/keys/test",
+ )
+ # Select the second boot entry corresponding to the specialisation secrets2System.
+ machine.succeed("grub-reboot 1")
+ machine.shutdown()
+
+ with subtest("Check that the specialisation's secrets are distinct despite identical kernels"):
+ machine.wait_for_unit("multi-user.target")
+ print(machine.succeed("cat /run/keys/test"))
+ machine.succeed(
+ "cmp ${secret2InStore} /secret-from-initramfs",
+ "cmp ${secret2InStore} /run/keys/test",
+ )
+ machine.shutdown()
+ '';
+}
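Review bot: The `let` block builds both secrets with `pkgs.writeText`, which places them in the world-readable Nix store, and the test script then prints them to the log with `print(machine.succeed("cat /run/keys/test"))`; nothing in the file says this is acceptable only because the values are dummies. I would add a comment above `secret1InStore` such as `# Test fixtures only: writeText puts these in the world-readable Nix store; real initrd secrets must be paths outside the store.` so the pattern is not copied into a real configuration. Separately, `grub-reboot 1` picks the specialisation by menu position, and the existing comment states that assumption without checking it. A wrong index would presumably surface as a confusing `cmp` failure, so asserting that the chosen entry is `secrets2System` before `machine.shutdown()` would make the failure easier to read.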