nixos/tests/initrd-secrets-changing.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58

{ system ? builtins.currentSystem
, config ? {}
, pkgs ? import ../.. { inherit system config; }
, lib ? pkgs.lib
, testing ? import ../lib/testing-python.nix { inherit system pkgs; }
}:

let
  secret1InStore = pkgs.writeText "topsecret" "iamasecret1";
  secret2InStore = pkgs.writeText "topsecret" "iamasecret2";
in

testing.makeTest {
  name = "initrd-secrets-changing";

  nodes.machine = { ... }: {
    virtualisation.useBootLoader = true;
    virtualisation.persistBootDevice = true;

    boot.loader.grub.device = "/dev/vda";

    boot.initrd.secrets = {
      "/test" = secret1InStore;
      "/run/keys/test" = secret1InStore;
    };
    boot.initrd.postMountCommands = "cp /test /mnt-root/secret-from-initramfs";

    specialisation.secrets2System.configuration = {
      boot.initrd.secrets = lib.mkForce {
        "/test" = secret2InStore;
        "/run/keys/test" = secret2InStore;
      };
    };
  };

  testScript = ''
    start_all()

    machine.wait_for_unit("multi-user.target")
    print(machine.succeed("cat /run/keys/test"))
    machine.succeed(
        "cmp ${secret1InStore} /secret-from-initramfs",
        "cmp ${secret1InStore} /run/keys/test",
    )
    # Select the second boot entry corresponding to the specialisation secrets2System.
    machine.succeed("grub-reboot 1")
    machine.shutdown()

    with subtest("Check that the specialisation's secrets are distinct despite identical kernels"):
        machine.wait_for_unit("multi-user.target")
        print(machine.succeed("cat /run/keys/test"))
        machine.succeed(
            "cmp ${secret2InStore} /secret-from-initramfs",
            "cmp ${secret2InStore} /run/keys/test",
        )
        machine.shutdown()
  '';
}