lanzaboote/nix/tests/lanzaboote.nix

{ pkgs
, testPkgs
, lanzabooteModule
}:

let
  inherit (pkgs) lib;

  mkSecureBootTest = { name, machine ? { }, useSecureBoot ? true, testScript }: testPkgs.nixosTest {
    inherit name testScript;
    nodes.machine = { lib, ... }: {
      imports = [
        lanzabooteModule
        machine
      ];

      virtualisation = {
        useBootLoader = true;
        useEFIBoot = true;

        inherit useSecureBoot;
      };

      boot.loader.efi = {
        canTouchEfiVariables = true;
      };
      boot.lanzaboote = {
        enable = true;
        enrollKeys = lib.mkDefault true;
        pkiBundle = ./fixtures/uefi-keys;
      };
    };
  };

  # Execute a boot test that has an intentionally broken secure boot
  # chain. This test is expected to fail with Secure Boot and should
  # succeed without.
  #
  # Takes a set `path` consisting of a `src` and a `dst` attribute. The file at
  # `src` is copied to `dst` inside th VM. Optionally append some random data
  # ("crap") to the end of the file at `dst`. This is useful to easily change
  # the hash of a file and produce a hash mismatch when booting the stub.
  mkHashMismatchTest = { name, path, appendCrap ? false, useSecureBoot ? true }: mkSecureBootTest {
    inherit name;
    inherit useSecureBoot;

    testScript = ''
      import json
      import os.path
      bootspec = None

      def convert_to_esp(store_file_path):
          store_dir = os.path.basename(os.path.dirname(store_file_path))
          filename = os.path.basename(store_file_path)
          return f'/boot/EFI/nixos/{store_dir}-{filename}.efi'

      machine.start()
      bootspec = json.loads(machine.succeed("cat /run/current-system/boot.json")).get('v1')
      assert bootspec is not None, "Unsupported bootspec version!"
      src_path = ${path.src}
      dst_path = ${path.dst}
      machine.succeed(f"cp -rf {src_path} {dst_path}")
    '' + lib.optionalString appendCrap ''
      machine.succeed(f"echo Foo >> {dst_path}")
    '' +
    ''
      machine.succeed("sync")
      machine.crash()
      machine.start()
    '' + (if useSecureBoot then ''
      machine.wait_for_console_text("Hash mismatch")
    '' else ''
      # Just check that the system came up.
      print(machine.succeed("bootctl", timeout=120))
    '');
  };

  # The initrd is not directly signed. Its hash is embedded into
  # lanzaboote. To make integrity verification fail, we actually have
  # to modify the initrd. Appending crap to the end is a harmless way
  # that would make the kernel still accept it.
  mkModifiedInitrdTest = { name, useSecureBoot }: mkHashMismatchTest {
    inherit name useSecureBoot;

    path = {
      src = "bootspec.get('initrd')";
      dst = "convert_to_esp(bootspec.get('initrd'))";
    };

    appendCrap = true;
  };

  mkModifiedKernelTest = { name, useSecureBoot }: mkHashMismatchTest {
    inherit name useSecureBoot;

    path = {
      src = "bootspec.get('kernel')";
      dst = "convert_to_esp(bootspec.get('kernel'))";
    };

    appendCrap = true;
  };

in
{
  # TODO: user mode: OK
  # TODO: how to get in: {deployed, audited} mode ?
  basic = mkSecureBootTest {
    name = "lanzaboote";
    testScript = ''
      machine.start()
      assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
    '';
  };

  systemd-initrd = mkSecureBootTest {
    name = "lanzaboote-systemd-initrd";
    machine = { ... }: {
      boot.initrd.systemd.enable = true;
    };
    testScript = ''
      machine.start()
      assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
    '';
  };

  # Test that a secret is appended to the initrd during installation. Smilar to
  # the initrd-secrets test in Nixpkgs:
  # https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/initrd-secrets.nix
  initrd-secrets =
    let
      secret = (pkgs.writeText "oh-so-secure" "uhh-ooh-uhh-security");
    in
    mkSecureBootTest {
      name = "lanzaboote-initrd-secrets";
      machine = { ... }: {
        boot.initrd.secrets = {
          "/test" = secret;
        };
        boot.initrd.postMountCommands = ''
          cp /test /mnt-root/secret-from-initramfs
        '';
      };
      testScript = ''
        machine.start()
        machine.wait_for_unit("multi-user.target")

        machine.succeed("cmp ${secret} /secret-from-initramfs")
        assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
      '';
    };

  # Test that the secrets configured to be appended to the initrd get updated
  # when installing a new generation even if the initrd itself (i.e. its store
  # path) does not change. 
  #
  # An unfortunate result of this NixOS feature is that updating the secrets
  # without creating a new initrd might break previous generations. Lanzaboote
  # has no control over that.
  #
  # This tests uses a specialisation to imitate a newer generation. This works
  # because `lzbt` installs the specialisation of a generation AFTER installing
  # the generation itself (thus making the specialisation "newer").
  initrd-secrets-update =
    let
      originalSecret = (pkgs.writeText "oh-so-secure" "uhh-ooh-uhh-security");
      newSecret = (pkgs.writeText "newly-secure" "so-much-better-now");
    in
    mkSecureBootTest {
      name = "lanzaboote-initrd-secrets-update";
      machine = { pkgs, lib, ... }: {
        boot.initrd.secrets = {
          "/test" = lib.mkDefault originalSecret;
        };
        boot.initrd.postMountCommands = ''
          cp /test /mnt-root/secret-from-initramfs
        '';

        specialisation.variant.configuration = {
          boot.initrd.secrets = {
            "/test" = newSecret;
          };
        };
      };
      testScript = ''
        machine.start()
        machine.wait_for_unit("multi-user.target")

        # Assert that only two boot files exists (a single kernel and a single
        # initrd). If there are two initrds, the test would not be able to test
        # updating the secret of an already existing initrd.
        assert int(machine.succeed("ls -1 /boot/EFI/nixos | wc -l")) == 2

        # It is expected that the initrd contains the new secret.
        machine.succeed("cmp ${newSecret} /secret-from-initramfs")
      '';
    };

  modified-initrd-doesnt-boot-with-secure-boot = mkModifiedInitrdTest {
    name = "modified-initrd-doesnt-boot-with-secure-boot";
    useSecureBoot = true;
  };

  modified-initrd-boots-without-secure-boot = mkModifiedInitrdTest {
    name = "modified-initrd-boots-without-secure-boot";
    useSecureBoot = false;
  };

  modified-kernel-doesnt-boot-with-secure-boot = mkModifiedKernelTest {
    name = "modified-kernel-doesnt-boot-with-secure-boot";
    useSecureBoot = true;
  };

  modified-kernel-boots-without-secure-boot = mkModifiedKernelTest {
    name = "modified-kernel-boots-without-secure-boot";
    useSecureBoot = false;
  };

  specialisation-works = mkSecureBootTest {
    name = "specialisation-still-boot-under-secureboot";
    machine = { pkgs, ... }: {
      specialisation.variant.configuration = {
        environment.systemPackages = [
          pkgs.efibootmgr
        ];
      };
    };
    testScript = ''
      machine.start()
      print(machine.succeed("ls -lah /boot/EFI/Linux"))
      # TODO: make it more reliable to find this filename, i.e. read it from somewhere?
      machine.succeed("bootctl set-default nixos-generation-1-specialisation-variant.efi")
      machine.succeed("sync")
      machine.fail("efibootmgr")
      machine.crash()
      machine.start()
      print(machine.succeed("bootctl"))
      # Only the specialisation contains the efibootmgr binary.
      machine.succeed("efibootmgr")
    '';
  };

  systemd-boot-loader-config = mkSecureBootTest {
    name = "lanzaboote-systemd-boot-loader-config";
    machine = {
      boot.loader.timeout = 0;
      boot.loader.systemd-boot.consoleMode = "auto";
    };
    testScript = ''
      machine.start()

      actual_loader_config = machine.succeed("cat /boot/loader/loader.conf").split("\n")
      expected_loader_config = ["timeout 0", "console-mode auto"]
      
      assert all(cfg in actual_loader_config for cfg in expected_loader_config), \
        f"Expected: {expected_loader_config} is not included in actual config: '{actual_loader_config}'"
    '';
  };
}
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`{ pkgs`
			`, testPkgs`
			`, lanzabooteModule`
			`}:`

			`let`
			`inherit (pkgs) lib;`

tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`mkSecureBootTest = { name, machine ? { }, useSecureBoot ? true, testScript }: testPkgs.nixosTest {`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`inherit name testScript;`
			`nodes.machine = { lib, ... }: {`
			`imports = [`
			`lanzabooteModule`
			`machine`
			`];`

			`virtualisation = {`
			`useBootLoader = true;`
			`useEFIBoot = true;`
tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00
			`inherit useSecureBoot;`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`};`

			`boot.loader.efi = {`
			`canTouchEfiVariables = true;`
			`};`
			`boot.lanzaboote = {`
			`enable = true;`
			`enrollKeys = lib.mkDefault true;`
treewide: move uefi-keys into test fixtures To clean up the repository move the uefi keys (`pki/`) to `nix/tests/fixtures/uefi-keys`. 2023-01-25 18:17:18 -06:00			`pkiBundle = ./fixtures/uefi-keys;`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`};`
			`};`
			`};`

tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`# Execute a boot test that has an intentionally broken secure boot`
			`# chain. This test is expected to fail with Secure Boot and should`
			`# succeed without.`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`#`
nix.tests: clean up The test attributes and names are simplified and standardized. They now roughly follow the same structure as the systemd-boot test in Nixpkgs. Some comments are added and variable names changed to make it more clear what they actually do. 2023-01-27 18:34:15 -06:00			# Takes a set `path` consisting of a `src` and a `dst` attribute. The file at
			# `src` is copied to `dst` inside th VM. Optionally append some random data
			# ("crap") to the end of the file at `dst`. This is useful to easily change
			`# the hash of a file and produce a hash mismatch when booting the stub.`
tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`mkHashMismatchTest = { name, path, appendCrap ? false, useSecureBoot ? true }: mkSecureBootTest {`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`inherit name;`
tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`inherit useSecureBoot;`

nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`testScript = ''`
			`import json`
			`import os.path`
			`bootspec = None`

			`def convert_to_esp(store_file_path):`
			`store_dir = os.path.basename(os.path.dirname(store_file_path))`
			`filename = os.path.basename(store_file_path)`
			`return f'/boot/EFI/nixos/{store_dir}-{filename}.efi'`

			`machine.start()`
			`bootspec = json.loads(machine.succeed("cat /run/current-system/boot.json")).get('v1')`
			`assert bootspec is not None, "Unsupported bootspec version!"`
			`src_path = ${path.src}`
			`dst_path = ${path.dst}`
			`machine.succeed(f"cp -rf {src_path} {dst_path}")`
			`'' + lib.optionalString appendCrap ''`
			`machine.succeed(f"echo Foo >> {dst_path}")`
			`'' +`
			`''`
			`machine.succeed("sync")`
			`machine.crash()`
			`machine.start()`
tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`'' + (if useSecureBoot then ''`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`machine.wait_for_console_text("Hash mismatch")`
tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`'' else ''`
			`# Just check that the system came up.`
			`print(machine.succeed("bootctl", timeout=120))`
			`'');`
			`};`

			`# The initrd is not directly signed. Its hash is embedded into`
			`# lanzaboote. To make integrity verification fail, we actually have`
			`# to modify the initrd. Appending crap to the end is a harmless way`
			`# that would make the kernel still accept it.`
			`mkModifiedInitrdTest = { name, useSecureBoot }: mkHashMismatchTest {`
			`inherit name useSecureBoot;`

			`path = {`
			`src = "bootspec.get('initrd')";`
			`dst = "convert_to_esp(bootspec.get('initrd'))";`
			`};`

			`appendCrap = true;`
			`};`

			`mkModifiedKernelTest = { name, useSecureBoot }: mkHashMismatchTest {`
			`inherit name useSecureBoot;`

			`path = {`
			`src = "bootspec.get('kernel')";`
			`dst = "convert_to_esp(bootspec.get('kernel'))";`
			`};`

			`appendCrap = true;`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`};`
tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`in`
			`{`
			`# TODO: user mode: OK`
			`# TODO: how to get in: {deployed, audited} mode ?`
nix.tests: clean up The test attributes and names are simplified and standardized. They now roughly follow the same structure as the systemd-boot test in Nixpkgs. Some comments are added and variable names changed to make it more clear what they actually do. 2023-01-27 18:34:15 -06:00			`basic = mkSecureBootTest {`
			`name = "lanzaboote";`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`testScript = ''`
			`machine.start()`
			`assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")`
			`'';`
			`};`

nix.tests: clean up The test attributes and names are simplified and standardized. They now roughly follow the same structure as the systemd-boot test in Nixpkgs. Some comments are added and variable names changed to make it more clear what they actually do. 2023-01-27 18:34:15 -06:00			`systemd-initrd = mkSecureBootTest {`
			`name = "lanzaboote-systemd-initrd";`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`machine = { ... }: {`
			`boot.initrd.systemd.enable = true;`
			`};`
			`testScript = ''`
			`machine.start()`
			`assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")`
			`'';`
			`};`

tests: correctly test appending secret to initrd The way the test was implemented previously did not make it fail if no secret was appended to the initrd. Now it is implemented similary to the initrd-secrets test in Nixpkgs and works correctly. 2023-02-25 14:38:43 -06:00			`# Test that a secret is appended to the initrd during installation. Smilar to`
			`# the initrd-secrets test in Nixpkgs:`
			`# https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/initrd-secrets.nix`
			`initrd-secrets =`
			`let`
			`secret = (pkgs.writeText "oh-so-secure" "uhh-ooh-uhh-security");`
			`in`
			`mkSecureBootTest {`
			`name = "lanzaboote-initrd-secrets";`
			`machine = { ... }: {`
			`boot.initrd.secrets = {`
			`"/test" = secret;`
			`};`
			`boot.initrd.postMountCommands = ''`
			`cp /test /mnt-root/secret-from-initramfs`
			`'';`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`};`
tests: correctly test appending secret to initrd The way the test was implemented previously did not make it fail if no secret was appended to the initrd. Now it is implemented similary to the initrd-secrets test in Nixpkgs and works correctly. 2023-02-25 14:38:43 -06:00			`testScript = ''`
			`machine.start()`
			`machine.wait_for_unit("multi-user.target")`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00
tests: correctly test appending secret to initrd The way the test was implemented previously did not make it fail if no secret was appended to the initrd. Now it is implemented similary to the initrd-secrets test in Nixpkgs and works correctly. 2023-02-25 14:38:43 -06:00			`machine.succeed("cmp ${secret} /secret-from-initramfs")`
			`assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`'';`
			`};`

tests: add initrd-secrets-update Add a test for updating the secrets on an existing initrd. 2023-02-19 17:25:29 -06:00			`# Test that the secrets configured to be appended to the initrd get updated`
			`# when installing a new generation even if the initrd itself (i.e. its store`
			`# path) does not change.`
			`#`
			`# An unfortunate result of this NixOS feature is that updating the secrets`
			`# without creating a new initrd might break previous generations. Lanzaboote`
			`# has no control over that.`
			`#`
			`# This tests uses a specialisation to imitate a newer generation. This works`
			# because `lzbt` installs the specialisation of a generation AFTER installing
			`# the generation itself (thus making the specialisation "newer").`
			`initrd-secrets-update =`
			`let`
			`originalSecret = (pkgs.writeText "oh-so-secure" "uhh-ooh-uhh-security");`
			`newSecret = (pkgs.writeText "newly-secure" "so-much-better-now");`
			`in`
			`mkSecureBootTest {`
			`name = "lanzaboote-initrd-secrets-update";`
			`machine = { pkgs, lib, ... }: {`
			`boot.initrd.secrets = {`
			`"/test" = lib.mkDefault originalSecret;`
			`};`
			`boot.initrd.postMountCommands = ''`
			`cp /test /mnt-root/secret-from-initramfs`
			`'';`

			`specialisation.variant.configuration = {`
			`boot.initrd.secrets = {`
			`"/test" = newSecret;`
			`};`
			`};`
			`};`
			`testScript = ''`
			`machine.start()`
			`machine.wait_for_unit("multi-user.target")`

			`# Assert that only two boot files exists (a single kernel and a single`
			`# initrd). If there are two initrds, the test would not be able to test`
			`# updating the secret of an already existing initrd.`
			`assert int(machine.succeed("ls -1 /boot/EFI/nixos \| wc -l")) == 2`

			`# It is expected that the initrd contains the new secret.`
			`machine.succeed("cmp ${newSecret} /secret-from-initramfs")`
			`'';`
			`};`

tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`modified-initrd-doesnt-boot-with-secure-boot = mkModifiedInitrdTest {`
			`name = "modified-initrd-doesnt-boot-with-secure-boot";`
			`useSecureBoot = true;`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`};`

tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`modified-initrd-boots-without-secure-boot = mkModifiedInitrdTest {`
			`name = "modified-initrd-boots-without-secure-boot";`
			`useSecureBoot = false;`
			`};`

			`modified-kernel-doesnt-boot-with-secure-boot = mkModifiedKernelTest {`
			`name = "modified-kernel-doesnt-boot-with-secure-boot";`
			`useSecureBoot = true;`
			`};`

			`modified-kernel-boots-without-secure-boot = mkModifiedKernelTest {`
			`name = "modified-kernel-boots-without-secure-boot";`
			`useSecureBoot = false;`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`};`
nix.tests: clean up The test attributes and names are simplified and standardized. They now roughly follow the same structure as the systemd-boot test in Nixpkgs. Some comments are added and variable names changed to make it more clear what they actually do. 2023-01-27 18:34:15 -06:00
tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`specialisation-works = mkSecureBootTest {`
			`name = "specialisation-still-boot-under-secureboot";`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`machine = { pkgs, ... }: {`
			`specialisation.variant.configuration = {`
			`environment.systemPackages = [`
			`pkgs.efibootmgr`
			`];`
			`};`
			`};`
			`testScript = ''`
			`machine.start()`
			`print(machine.succeed("ls -lah /boot/EFI/Linux"))`
			`# TODO: make it more reliable to find this filename, i.e. read it from somewhere?`
			`machine.succeed("bootctl set-default nixos-generation-1-specialisation-variant.efi")`
			`machine.succeed("sync")`
			`machine.fail("efibootmgr")`
			`machine.crash()`
			`machine.start()`
			`print(machine.succeed("bootctl"))`
nix.tests: clean up The test attributes and names are simplified and standardized. They now roughly follow the same structure as the systemd-boot test in Nixpkgs. Some comments are added and variable names changed to make it more clear what they actually do. 2023-01-27 18:34:15 -06:00			`# Only the specialisation contains the efibootmgr binary.`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`machine.succeed("efibootmgr")`
			`'';`
			`};`
tool: write systemd-boot loader.conf To minimize the number of arguments passed to `lzbt`, the loader config is assembled outside `lzbt` and passed as a single argument. Instead of reimplementing `consoleMode` under the `lanzaboote` namespace, `config.loader.systemd-boot.consoleMode` is reused as is. 2023-01-26 17:37:05 -06:00
			`systemd-boot-loader-config = mkSecureBootTest {`
			`name = "lanzaboote-systemd-boot-loader-config";`
			`machine = {`
			`boot.loader.timeout = 0;`
			`boot.loader.systemd-boot.consoleMode = "auto";`
			`};`
			`testScript = ''`
			`machine.start()`

nixos-module: add settings key for the loader.conf This commit adds settings key for configuring systemd-boot to the lanzaboot nixos module. The are couple of the default values that are set from the usual nixos boot.loader.systemd-boot options, they are merged with the user defined configuration. This commit modifies default loader.conf to boot into the latest nixos generation by default, for when you have other operating systems installed. Primary reason behind this PR is to allow extensible loader configuration. Co-authored-by: Raito Bezarius <masterancpp@gmail.com> 2023-03-17 14:36:12 -05:00			`actual_loader_config = machine.succeed("cat /boot/loader/loader.conf").split("\n")`
			`expected_loader_config = ["timeout 0", "console-mode auto"]`
tool: write systemd-boot loader.conf To minimize the number of arguments passed to `lzbt`, the loader config is assembled outside `lzbt` and passed as a single argument. Instead of reimplementing `consoleMode` under the `lanzaboote` namespace, `config.loader.systemd-boot.consoleMode` is reused as is. 2023-01-26 17:37:05 -06:00
nixos-module: add settings key for the loader.conf This commit adds settings key for configuring systemd-boot to the lanzaboot nixos module. The are couple of the default values that are set from the usual nixos boot.loader.systemd-boot options, they are merged with the user defined configuration. This commit modifies default loader.conf to boot into the latest nixos generation by default, for when you have other operating systems installed. Primary reason behind this PR is to allow extensible loader configuration. Co-authored-by: Raito Bezarius <masterancpp@gmail.com> 2023-03-17 14:36:12 -05:00			`assert all(cfg in actual_loader_config for cfg in expected_loader_config), \`
			`f"Expected: {expected_loader_config} is not included in actual config: '{actual_loader_config}'"`
tool: write systemd-boot loader.conf To minimize the number of arguments passed to `lzbt`, the loader config is assembled outside `lzbt` and passed as a single argument. Instead of reimplementing `consoleMode` under the `lanzaboote` namespace, `config.loader.systemd-boot.consoleMode` is reused as is. 2023-01-26 17:37:05 -06:00			`'';`
			`};`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`}`