diff options
| author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2023-10-23 12:02:04 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-10-23 12:02:04 +0000 |
| commit | 2c2c0379b759c234413de63478847266cdc8ed93 (patch) | |
| tree | 92ebd45d1cd2a17d5fb63ff5c6c006a4d8f25f7e /nixos | |
| parent | 1026189bd67abfd6f7def1c697988217caafbc5c (diff) | |
| parent | a3b463e8874fe9182e758919eeb18bb44070097c (diff) | |
Merge staging-next into staging
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/programs/browserpass.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/programs/firefox.nix | 103 | ||||
| -rw-r--r-- | nixos/modules/services/desktops/gnome/gnome-browser-connector.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/matrix/synapse.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/web-servers/nginx/vhost-options.nix | 5 | ||||
| -rw-r--r-- | nixos/modules/services/x11/desktop-managers/plasma5.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/virtualisation/qemu-vm.nix | 67 | ||||
| -rw-r--r-- | nixos/tests/firefox.nix | 30 | ||||
| -rw-r--r-- | nixos/tests/systemd-credentials-tpm2.nix | 59 | ||||
| -rw-r--r-- | nixos/tests/systemd-cryptenroll.nix | 61 | ||||
| -rw-r--r-- | nixos/tests/systemd-initrd-luks-tpm2.nix | 27 |
12 files changed, 180 insertions, 182 deletions
diff --git a/nixos/modules/programs/browserpass.nix b/nixos/modules/programs/browserpass.nix index abd99056ff3ba..a9670a37e618c 100644 --- a/nixos/modules/programs/browserpass.nix +++ b/nixos/modules/programs/browserpass.nix @@ -27,6 +27,6 @@ with lib; "opt/brave/native-messaging-hosts/${appId}".source = source "hosts/chromium"; "opt/brave/policies/managed/${appId}".source = source "policies/chromium"; }; - programs.firefox.wrapperConfig.enableBrowserpass = true; + programs.firefox.nativeMessagingHosts.packages = [ pkgs.browserpass ]; }; } diff --git a/nixos/modules/programs/firefox.nix b/nixos/modules/programs/firefox.nix index 813e0e0105f69..85f47530cf5af 100644 --- a/nixos/modules/programs/firefox.nix +++ b/nixos/modules/programs/firefox.nix @@ -5,8 +5,6 @@ with lib; let cfg = config.programs.firefox; - nmh = cfg.nativeMessagingHosts; - policyFormat = pkgs.formats.json { }; organisationInfo = '' @@ -17,6 +15,50 @@ let given control of your browser, unless of course they also control your NixOS configuration. ''; + + # deprecated per-native-messaging-host options + nmhOptions = { + browserpass = { + name = "Browserpass"; + package = pkgs.browserpass; + }; + bukubrow = { + name = "Bukubrow"; + package = pkgs.bukubrow; + }; + euwebid = { + name = "Web eID"; + package = pkgs.web-eid-app; + }; + ff2mpv = { + name = "ff2mpv"; + package = pkgs.ff2mpv; + }; + fxCast = { + name = "fx_cast"; + package = pkgs.fx-cast-bridge; + }; + gsconnect = { + name = "GSConnect"; + package = pkgs.gnomeExtensions.gsconnect; + }; + jabref = { + name = "JabRef"; + package = pkgs.jabref; + }; + passff = { + name = "PassFF"; + package = pkgs.passff-host; + }; + tridactyl = { + name = "Tridactyl"; + package = pkgs.tridactyl-native; + }; + ugetIntegrator = { + name = "Uget Integrator"; + package = pkgs.uget-integrator; + }; + }; in { options.programs.firefox = { @@ -204,46 +246,31 @@ in ''; }; - nativeMessagingHosts = mapAttrs (_: v: mkEnableOption (mdDoc v)) { - browserpass = "Browserpass support"; - bukubrow = "Bukubrow support"; - euwebid = "Web eID support"; - ff2mpv = "ff2mpv support"; - fxCast = "fx_cast support"; - gsconnect = "GSConnect support"; - jabref = "JabRef support"; - passff = "PassFF support"; - tridactyl = "Tridactyl support"; - ugetIntegrator = "Uget Integrator support"; - }; + nativeMessagingHosts = ({ + packages = mkOption { + type = types.listOf types.package; + default = []; + description = mdDoc '' + Additional packages containing native messaging hosts that should be made available to Firefox extensions. + ''; + }; + }) // (mapAttrs (k: v: mkEnableOption (mdDoc "${v.name} support")) nmhOptions); }; - config = mkIf cfg.enable { + config = let + forEachEnabledNmh = fn: flatten (mapAttrsToList (k: v: lib.optional cfg.nativeMessagingHosts.${k} (fn k v)) nmhOptions); + in mkIf cfg.enable { + warnings = forEachEnabledNmh (k: v: + "The `programs.firefox.nativeMessagingHosts.${k}` option is deprecated, " + + "please add `${v.package.pname}` to `programs.firefox.nativeMessagingHosts.packages` instead." + ); + programs.firefox.nativeMessagingHosts.packages = forEachEnabledNmh (_: v: v.package); + environment.systemPackages = [ (cfg.package.override (old: { - extraPrefs = cfg.autoConfig; - extraNativeMessagingHosts = - old.extraNativeMessagingHosts or [] - ++ optional nmh.ff2mpv pkgs.ff2mpv - ++ optional nmh.euwebid pkgs.web-eid-app - ++ optional nmh.gsconnect pkgs.gnomeExtensions.gsconnect - ++ optional nmh.jabref pkgs.jabref - ++ optional nmh.passff pkgs.passff-host; - cfg = let - # copy-pasted from the wrapper; TODO: figure out fix - applicationName = cfg.package.binaryName or (lib.getName cfg.package); - - oldCfg = old.cfg or {}; - nixpkgsConfig = pkgs.config.${applicationName} or {}; - optionConfig = cfg.wrapperConfig; - nmhConfig = { - enableBrowserpass = nmh.browserpass; - enableBukubrow = nmh.bukubrow; - enableTridactylNative = nmh.tridactyl; - enableUgetIntegrator = nmh.ugetIntegrator; - enableFXCastBridge = nmh.fxCast; - }; - in oldCfg // nixpkgsConfig // optionConfig // nmhConfig; + extraPrefsFiles = old.extraPrefsFiles or [] ++ [(pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig)]; + nativeMessagingHosts = old.nativeMessagingHosts or [] ++ cfg.nativeMessagingHosts.packages; + cfg = (old.cfg or {}) // cfg.wrapperConfig; })) ]; diff --git a/nixos/modules/services/desktops/gnome/gnome-browser-connector.nix b/nixos/modules/services/desktops/gnome/gnome-browser-connector.nix index d18e303891e47..4f680eabbe15c 100644 --- a/nixos/modules/services/desktops/gnome/gnome-browser-connector.nix +++ b/nixos/modules/services/desktops/gnome/gnome-browser-connector.nix @@ -42,6 +42,6 @@ in services.dbus.packages = [ pkgs.gnome-browser-connector ]; - programs.firefox.wrapperConfig.enableGnomeExtensions = true; + programs.firefox.nativeMessagingHosts.packages = [ pkgs.gnome-browser-connector ]; }; } diff --git a/nixos/modules/services/matrix/synapse.nix b/nixos/modules/services/matrix/synapse.nix index b38b35361cf02..12e27ef26ff3e 100644 --- a/nixos/modules/services/matrix/synapse.nix +++ b/nixos/modules/services/matrix/synapse.nix @@ -60,7 +60,6 @@ let ++ lib.optional (cfg.settings ? oidc_providers) "oidc" ++ lib.optional (cfg.settings ? jwt_config) "jwt" ++ lib.optional (cfg.settings ? saml2_config) "saml2" - ++ lib.optional (cfg.settings ? opentracing) "opentracing" ++ lib.optional (cfg.settings ? redis) "redis" ++ lib.optional (cfg.settings ? sentry) "sentry" ++ lib.optional (cfg.settings ? user_directory) "user-search" @@ -334,7 +333,6 @@ in { [ "cache-memory" # Provide statistics about caching memory consumption "jwt" # JSON Web Token authentication - "opentracing" # End-to-end tracing support using Jaeger "oidc" # OpenID Connect authentication "postgres" # PostgreSQL database backend "redis" # Redis support for the replication stream between worker processes diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix index c82f02ecefecd..9db4c8e23025b 100644 --- a/nixos/modules/services/web-servers/nginx/vhost-options.nix +++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix @@ -35,7 +35,10 @@ with lib; }; port = mkOption { type = types.nullOr port; - description = lib.mdDoc "Port number."; + description = lib.mdDoc '' + Port number to listen on. + If unset and the listen address is not a socket then nginx defaults to 80. + ''; default = null; }; ssl = mkOption { diff --git a/nixos/modules/services/x11/desktop-managers/plasma5.nix b/nixos/modules/services/x11/desktop-managers/plasma5.nix index 285d0a1819317..fc32870457101 100644 --- a/nixos/modules/services/x11/desktop-managers/plasma5.nix +++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix @@ -379,7 +379,7 @@ in # Update the start menu for each user that is currently logged in system.userActivationScripts.plasmaSetup = activationScript; - programs.firefox.wrapperConfig.enablePlasmaBrowserIntegration = true; + programs.firefox.nativeMessagingHosts.packages = [ pkgs.plasma5Packages.plasma-browser-integration ]; }) (mkIf (cfg.kwinrc != {}) { diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix index 64c8ab74bba6a..6f0a62d0ea899 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix @@ -49,7 +49,7 @@ let ''; }; - checkedSystemdBootBuilder = pkgs.runCommandLocal "systemd-boot" { + checkedSystemdBootBuilder = pkgs.runCommand "systemd-boot" { nativeBuildInputs = [ pkgs.mypy ]; } '' install -m755 ${systemdBootBuilder} $out diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 737a935711ae6..55d23b6fb8b5d 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -198,6 +198,39 @@ let fi ''} + ${lib.optionalString cfg.tpm.enable '' + NIX_SWTPM_DIR=$(readlink -f "''${NIX_SWTPM_DIR:-${config.system.name}-swtpm}") + mkdir -p "$NIX_SWTPM_DIR" + ${lib.getExe cfg.tpm.package} \ + socket \ + --tpmstate dir="$NIX_SWTPM_DIR" \ + --ctrl type=unixio,path="$NIX_SWTPM_DIR"/socket,terminate \ + --pid file="$NIX_SWTPM_DIR"/pid --daemon \ + --tpm2 \ + --log file="$NIX_SWTPM_DIR"/stdout,level=6 + + # Enable `fdflags` builtin in Bash + # We will need it to perform surgical modification of the file descriptor + # passed in the coprocess to remove `FD_CLOEXEC`, i.e. close the file descriptor + # on exec. + # If let alone, it will trigger the coprocess to read EOF when QEMU is `exec` + # at the end of this script. To work around that, we will just clear + # the `FD_CLOEXEC` bits as a first step. + enable -f ${hostPkgs.bash}/lib/bash/fdflags fdflags + # leave a dangling subprocess because the swtpm ctrl socket has + # "terminate" when the last connection disconnects, it stops swtpm. + # When qemu stops, or if the main shell process ends, the coproc will + # get signaled by virtue of the pipe between main and coproc ending. + # Which in turns triggers a socat connect-disconnect to swtpm which + # will stop it. + coproc waitingswtpm { + read || : + echo "" | ${lib.getExe hostPkgs.socat} STDIO UNIX-CONNECT:"$NIX_SWTPM_DIR"/socket + } + # Clear `FD_CLOEXEC` on the coprocess' file descriptor stdin. + fdflags -s-cloexec ''${waitingswtpm[1]} + ''} + cd "$TMPDIR" ${lib.optionalString (cfg.emptyDiskImages != []) "idx=0"} @@ -863,6 +896,32 @@ in }; }; + virtualisation.tpm = { + enable = mkEnableOption "a TPM device in the virtual machine with a driver, using swtpm."; + + package = mkPackageOptionMD cfg.host.pkgs "swtpm" { }; + + deviceModel = mkOption { + type = types.str; + default = ({ + "i686-linux" = "tpm-tis"; + "x86_64-linux" = "tpm-tis"; + "ppc64-linux" = "tpm-spapr"; + "armv7-linux" = "tpm-tis-device"; + "aarch64-linux" = "tpm-tis-device"; + }.${pkgs.hostPlatform.system} or (throw "Unsupported system for TPM2 emulation in QEMU")); + defaultText = '' + Based on the guest platform Linux system: + + - `tpm-tis` for (i686, x86_64) + - `tpm-spapr` for ppc64 + - `tpm-tis-device` for (armv7, aarch64) + ''; + example = "tpm-tis-device"; + description = lib.mdDoc "QEMU device model for the TPM, uses the appropriate default based on th guest platform system and the package passed."; + }; + }; + virtualisation.useDefaultFilesystems = mkOption { type = types.bool; @@ -1028,7 +1087,8 @@ in boot.initrd.availableKernelModules = optional cfg.writableStore "overlay" - ++ optional (cfg.qemu.diskInterface == "scsi") "sym53c8xx"; + ++ optional (cfg.qemu.diskInterface == "scsi") "sym53c8xx" + ++ optional (cfg.tpm.enable) "tpm_tis"; virtualisation.additionalPaths = [ config.system.build.toplevel ]; @@ -1099,6 +1159,11 @@ in (mkIf (!cfg.graphics) [ "-nographic" ]) + (mkIf (cfg.tpm.enable) [ + "-chardev socket,id=chrtpm,path=\"$NIX_SWTPM_DIR\"/socket" + "-tpmdev emulator,id=tpm_dev_0,chardev=chrtpm" + "-device ${cfg.tpm.deviceModel},tpmdev=tpm_dev_0" + ]) ]; virtualisation.qemu.drives = mkMerge [ diff --git a/nixos/tests/firefox.nix b/nixos/tests/firefox.nix index 3f9cea6662fbe..fbea95dc75235 100644 --- a/nixos/tests/firefox.nix +++ b/nixos/tests/firefox.nix @@ -1,14 +1,7 @@ import ./make-test-python.nix ({ pkgs, firefoxPackage, ... }: -let firefoxPackage' = firefoxPackage.override (args: { - extraPrefsFiles = (args.extraPrefsFiles or []) ++ [ - # make sure that autoplay is enabled by default for the audio test - (builtins.toString (builtins.toFile "autoplay-pref.js" ''defaultPref("media.autoplay.default",0);'')) - ]; - }); - -in { - name = firefoxPackage'.unwrapped.pname; + name = firefoxPackage.pname; + meta = with pkgs.lib.maintainers; { maintainers = [ eelco shlevy ]; }; @@ -17,10 +10,13 @@ in { pkgs, ... }: { imports = [ ./common/x11.nix ]; - environment.systemPackages = [ - firefoxPackage' - pkgs.xdotool - ]; + environment.systemPackages = [ pkgs.xdotool ]; + + programs.firefox = { + enable = true; + preferences."media.autoplay.default" = 0; + package = firefoxPackage; + }; # Create a virtual sound device, with mixing # and all, for recording audio. @@ -58,7 +54,9 @@ in }; - testScript = '' + testScript = let + exe = firefoxPackage.unwrapped.binaryName; + in '' from contextlib import contextmanager @@ -97,7 +95,7 @@ in with subtest("Wait until Firefox has finished loading the Valgrind docs page"): machine.execute( - "xterm -e '${firefoxPackage'.unwrapped.binaryName} file://${pkgs.valgrind.doc}/share/doc/valgrind/html/index.html' >&2 &" + "xterm -e '${exe} file://${pkgs.valgrind.doc}/share/doc/valgrind/html/index.html' >&2 &" ) machine.wait_for_window("Valgrind") machine.sleep(40) @@ -105,7 +103,7 @@ in with subtest("Check whether Firefox can play sound"): with record_audio(machine): machine.succeed( - "${firefoxPackage'.unwrapped.binaryName} file://${pkgs.sound-theme-freedesktop}/share/sounds/freedesktop/stereo/phone-incoming-call.oga >&2 &" + "${exe} file://${pkgs.sound-theme-freedesktop}/share/sounds/freedesktop/stereo/phone-incoming-call.oga >&2 &" ) wait_for_sound(machine) machine.copy_from_vm("/tmp/record.wav") diff --git a/nixos/tests/systemd-credentials-tpm2.nix b/nixos/tests/systemd-credentials-tpm2.nix index d2dc1fd7b615b..bf74183122368 100644 --- a/nixos/tests/systemd-credentials-tpm2.nix +++ b/nixos/tests/systemd-credentials-tpm2.nix @@ -1,13 +1,4 @@ -import ./make-test-python.nix ({ lib, pkgs, system, ... }: - -let - tpmSocketPath = "/tmp/swtpm-sock"; - tpmDeviceModels = { - x86_64-linux = "tpm-tis"; - aarch64-linux = "tpm-tis-device"; - }; -in - +import ./make-test-python.nix ({ lib, pkgs, ... }: { name = "systemd-credentials-tpm2"; @@ -16,51 +7,11 @@ in }; nodes.machine = { pkgs, ... }: { - virtualisation = { - qemu.options = [ - "-chardev socket,id=chrtpm,path=${tpmSocketPath}" - "-tpmdev emulator,id=tpm_dev_0,chardev=chrtpm" - "-device ${tpmDeviceModels.${system}},tpmdev=tpm_dev_0" - ]; - }; - - boot.initrd.availableKernelModules = [ "tpm_tis" ]; - + virtualisation.tpm.enable = true; environment.systemPackages = with pkgs; [ diffutils ]; }; testScript = '' - import subprocess - from tempfile import TemporaryDirectory - - # From systemd-initrd-luks-tpm2.nix - class Tpm: - def __init__(self): - self.state_dir = TemporaryDirectory() - self.start() - - def start(self): - self.proc = subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", - "socket", - "--tpmstate", f"dir={self.state_dir.name}", - "--ctrl", "type=unixio,path=${tpmSocketPath}", - "--tpm2", - ]) - - # Check whether starting swtpm failed - try: - exit_code = self.proc.wait(timeout=0.2) - if exit_code is not None and exit_code != 0: - raise Exception("failed to start swtpm") - except subprocess.TimeoutExpired: - pass - - """Check whether the swtpm process exited due to an error""" - def check(self): - exit_code = self.proc.poll() - if exit_code is not None and exit_code != 0: - raise Exception("swtpm process died") - CRED_NAME = "testkey" CRED_RAW_FILE = f"/root/{CRED_NAME}" CRED_FILE = f"/root/{CRED_NAME}.cred" @@ -85,12 +36,6 @@ in machine.log("systemd-run finished successfully") - tpm = Tpm() - - @polling_condition - def swtpm_running(): - tpm.check() - machine.wait_for_unit("multi-user.target") with subtest("Check whether TPM device exists"): diff --git a/nixos/tests/systemd-cryptenroll.nix b/nixos/tests/systemd-cryptenroll.nix index 055ae7d1681f2..034aae1d5e955 100644 --- a/nixos/tests/systemd-cryptenroll.nix +++ b/nixos/tests/systemd-cryptenroll.nix @@ -8,47 +8,34 @@ import ./make-test-python.nix ({ pkgs, ... }: { environment.systemPackages = [ pkgs.cryptsetup ]; virtualisation = { emptyDiskImages = [ 512 ]; - qemu.options = [ - "-chardev socket,id=chrtpm,path=/tmp/swtpm-sock" - "-tpmdev emulator,id=tpm0,chardev=chrtpm" - "-device tpm-tis,tpmdev=tpm0" - ]; + tpm.enable = true; }; }; testScript = '' - import subprocess - import tempfile - - def start_swtpm(tpmstate): - subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir="+tpmstate, "--ctrl", "type=unixio,path=/tmp/swtpm-sock", "--log", "level=0", "--tpm2"]) - - with tempfile.TemporaryDirectory() as tpmstate: - start_swtpm(tpmstate) - machine.start() - - # Verify the TPM device is available and accessible by systemd-cryptenroll - machine.succeed("test -e /dev/tpm0") - machine.succeed("test -e /dev/tpmrm0") - machine.succeed("systemd-cryptenroll --tpm2-device=list") - - # Create LUKS partition - machine.succeed("echo -n lukspass | cryptsetup luksFormat -q /dev/vdb -") - # Enroll new LUKS key and bind it to Secure Boot state - # For more details on PASSWORD variable, check the following issue: - # https://github.com/systemd/systemd/issues/20955 - machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb") - # Add LUKS partition to /etc/crypttab to test auto unlock - machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab") - machine.shutdown() - - start_swtpm(tpmstate) - machine.start() - - # Test LUKS partition automatic unlock on boot - machine.wait_for_unit("systemd-cryptsetup@luks.service") - # Wipe TPM2 slot - machine.succeed("systemd-cryptenroll --wipe-slot=tpm2 /dev/vdb") + machine.start() + + # Verify the TPM device is available and accessible by systemd-cryptenroll + machine.succeed("test -e /dev/tpm0") + machine.succeed("test -e /dev/tpmrm0") + machine.succeed("systemd-cryptenroll --tpm2-device=list") + + # Create LUKS partition + machine.succeed("echo -n lukspass | cryptsetup luksFormat -q /dev/vdb -") + # Enroll new LUKS key and bind it to Secure Boot state + # For more details on PASSWORD variable, check the following issue: + # https://github.com/systemd/systemd/issues/20955 + machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb") + # Add LUKS partition to /etc/crypttab to test auto unlock + machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab") + + machine.shutdown() + machine.start() + + # Test LUKS partition automatic unlock on boot + machine.wait_for_unit("systemd-cryptsetup@luks.service") + # Wipe TPM2 slot + machine.succeed("systemd-cryptenroll --wipe-slot=tpm2 /dev/vdb") ''; }) diff --git a/nixos/tests/systemd-initrd-luks-tpm2.nix b/nixos/tests/systemd-initrd-luks-tpm2.nix index d9dd9118a3a24..e292acfd1c5f9 100644 --- a/nixos/tests/systemd-initrd-luks-tpm2.nix +++ b/nixos/tests/systemd-initrd-luks-tpm2.nix @@ -9,7 +9,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { # Booting off the TPM2-encrypted device requires an available init script mountHostNixStore = true; useEFIBoot = true; - qemu.options = ["-chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"]; + tpm.enable = true; }; boot.loader.systemd-boot.enable = true; @@ -33,29 +33,6 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { }; testScript = '' - import subprocess - import os - import time - - - class Tpm: - def __init__(self): - os.mkdir("/tmp/mytpm1") - self.start() - - def start(self): - self.proc = subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir=/tmp/mytpm1", "--ctrl", "type=unixio,path=/tmp/mytpm1/swtpm-sock", "--log", "level=20", "--tpm2"]) - - def wait_for_death_then_restart(self): - while self.proc.poll() is None: - print("waiting for tpm to die") - time.sleep(1) - assert self.proc.returncode == 0 - self.start() - - tpm = Tpm() - - # Create encrypted volume machine.wait_for_unit("multi-user.target") machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -") @@ -66,8 +43,6 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: { machine.succeed("sync") machine.crash() - tpm.wait_for_death_then_restart() - # Boot and decrypt the disk machine.wait_for_unit("multi-user.target") assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount") |