lanzaboote/rust/tool/systemd/tests/install.rs

use anyhow::Result;
use base32ct::{Base32Unpadded, Encoding};
use tempfile::tempdir;

mod common;

use common::{
    count_files, hash_file, remove_signature, setup_generation_link_from_toplevel, verify_signature,
};

/// Install two generations that point at the same toplevel.
/// This should install two lanzaboote images and one kernel and one initrd.
#[test]
fn do_not_install_duplicates() -> Result<()> {
    let esp = tempdir()?;
    let tmpdir = tempdir()?;
    let profiles = tempdir()?;
    let toplevel = common::setup_toplevel(tmpdir.path())?;

    let generation_link1 = setup_generation_link_from_toplevel(&toplevel, profiles.path(), 1)?;
    let generation_link2 = setup_generation_link_from_toplevel(&toplevel, profiles.path(), 2)?;
    let generation_links = vec![generation_link1, generation_link2];

    let stub_count = || count_files(&esp.path().join("EFI/Linux")).unwrap();
    let kernel_and_initrd_count = || count_files(&esp.path().join("EFI/nixos")).unwrap();

    let output1 = common::lanzaboote_install(0, esp.path(), generation_links)?;
    assert!(output1.status.success());
    assert_eq!(stub_count(), 2, "Wrong number of stubs after installation");
    assert_eq!(
        kernel_and_initrd_count(),
        2,
        "Wrong number of kernels & initrds after installation"
    );
    Ok(())
}

#[test]
fn do_not_overwrite_images() -> Result<()> {
    let esp = tempdir()?;
    let tmpdir = tempdir()?;
    let profiles = tempdir()?;
    let toplevel = common::setup_toplevel(tmpdir.path())?;

    let image1 = common::image_path(&esp, 1, &toplevel)?;
    let image2 = common::image_path(&esp, 2, &toplevel)?;

    let generation_link1 = setup_generation_link_from_toplevel(&toplevel, profiles.path(), 1)?;
    let generation_link2 = setup_generation_link_from_toplevel(&toplevel, profiles.path(), 2)?;
    let generation_links = vec![generation_link1, generation_link2];

    let output1 = common::lanzaboote_install(0, esp.path(), generation_links.clone())?;
    assert!(output1.status.success());

    remove_signature(&image1)?;
    assert!(!verify_signature(&image1)?);
    assert!(verify_signature(&image2)?);

    let output2 = common::lanzaboote_install(0, esp.path(), generation_links)?;
    assert!(output2.status.success());

    assert!(!verify_signature(&image1)?);
    assert!(verify_signature(&image2)?);

    Ok(())
}

#[test]
fn detect_generation_number_reuse() -> Result<()> {
    let esp = tempdir()?;
    let tmpdir = tempdir()?;
    let profiles = tempdir()?;
    let toplevel1 = common::setup_toplevel(tmpdir.path())?;
    let toplevel2 = common::setup_toplevel(tmpdir.path())?;

    let image1 = common::image_path(&esp, 1, &toplevel1)?;
    // this deliberately gets the same number!
    let image2 = common::image_path(&esp, 1, &toplevel2)?;

    let generation_link1 = setup_generation_link_from_toplevel(&toplevel1, profiles.path(), 1)?;
    let output1 = common::lanzaboote_install(0, esp.path(), vec![generation_link1])?;
    assert!(output1.status.success());
    assert!(image1.exists());
    assert!(!image2.exists());

    std::fs::remove_dir_all(profiles.path().join("system-1-link"))?;
    let generation_link2 = setup_generation_link_from_toplevel(&toplevel2, profiles.path(), 1)?;
    let output2 = common::lanzaboote_install(0, esp.path(), vec![generation_link2])?;
    assert!(output2.status.success());
    assert!(!image1.exists());
    assert!(image2.exists());

    Ok(())
}

#[test]
fn content_addressing_works() -> Result<()> {
    let esp = tempdir()?;
    let tmpdir = tempdir()?;
    let profiles = tempdir()?;
    let toplevel = common::setup_toplevel(tmpdir.path())?;

    let generation_link = setup_generation_link_from_toplevel(&toplevel, profiles.path(), 1)?;
    let generation_links = vec![generation_link];

    let kernel_hash_source =
        hash_file(&toplevel.join("eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-6.1.1/kernel"));

    let output0 = common::lanzaboote_install(1, esp.path(), generation_links)?;
    assert!(output0.status.success());

    let kernel_path = esp.path().join(format!(
        "EFI/nixos/kernel-6.1.1-{}.efi",
        Base32Unpadded::encode_string(&kernel_hash_source)
    ));

    // Implicitly assert that the content-addressed file actually exists.
    let kernel_hash = hash_file(&kernel_path);
    // Assert the written kernel is the source kernel.
    assert_eq!(kernel_hash_source, kernel_hash);

    Ok(())
}
tool: make kernels and initrds content-addressed Kernels and initrds on the ESP are now content-addressed. By definition, it is impossible for two different kernels or initrds to ever end up at the same place, even in the presence of changing initrd secrets or other unreproducibility. The basic advantage of this is that installing the kernel or initrd for a generation can never break another generation. In turn, this enables the following two improvements: * All generations can be installed independently. In particular, the installation can be performed in one pass, one generation at a time. As a result, the code is significantly simplified, and memory usage (due to the temporary files) does not grow with the number of generations any more. * Generations that already have their files in place on the ESP do not need to be reinstalled. This will be taken advantage of in a subsequent commit. 2023-08-12 08:23:21 -05:00			`use anyhow::Result;`
			`use base32ct::{Base32Unpadded, Encoding};`
tool: make stubs input-addressed The stubs on the ESP are now input-addressed, where the inputs are the system toplevel and the public key used for signature. This way, it is guaranteed that any stub at a given path will boot the desired system, even in the presence of one of the two edge-cases where it was not previously guaranteed: * The latest generation was deleted at one point, and its generation number was reused by a different system configuration. This is detected because the toplevel will change. * The secure boot signing key was rotated, so old stubs would not boot at all any more. This is detected because the public key will change. Avoiding these two cases will allow to skip reinstallation of stubs that are already in place at the correct path. 2023-08-13 05:02:35 -05:00			`use tempfile::tempdir;`
tool: add install tests Add a few integration tests for installing files, e.g. overwriting signed and unsigned files. 2023-02-15 16:03:12 -06:00
			`mod common;`

			`use common::{`
			`count_files, hash_file, remove_signature, setup_generation_link_from_toplevel, verify_signature,`
			`};`

			`/// Install two generations that point at the same toplevel.`
			`/// This should install two lanzaboote images and one kernel and one initrd.`
			`#[test]`
			`fn do_not_install_duplicates() -> Result<()> {`
			`let esp = tempdir()?;`
			`let tmpdir = tempdir()?;`
			`let profiles = tempdir()?;`
			`let toplevel = common::setup_toplevel(tmpdir.path())?;`

			`let generation_link1 = setup_generation_link_from_toplevel(&toplevel, profiles.path(), 1)?;`
			`let generation_link2 = setup_generation_link_from_toplevel(&toplevel, profiles.path(), 2)?;`
			`let generation_links = vec![generation_link1, generation_link2];`

			`let stub_count = \|\| count_files(&esp.path().join("EFI/Linux")).unwrap();`
			`let kernel_and_initrd_count = \|\| count_files(&esp.path().join("EFI/nixos")).unwrap();`

			`let output1 = common::lanzaboote_install(0, esp.path(), generation_links)?;`
			`assert!(output1.status.success());`
			`assert_eq!(stub_count(), 2, "Wrong number of stubs after installation");`
			`assert_eq!(`
			`kernel_and_initrd_count(),`
			`2,`
			`"Wrong number of kernels & initrds after installation"`
			`);`
			`Ok(())`
			`}`

			`#[test]`
tool: stop most overwriting in the ESP Since most files (stubs, kernels and initrds) on the ESP are properly input-addressed or content-addressed now, there is no point in overwriting them any more. Hence we detect what generations are already properly installed, and don't reinstall them any more. This approach leads to two distinct improvements: * Rollbacks are more reliable, because initrd secrets and stubs do not change any more for existing generations (with the necessary exception of stubs in case of signature key rotation). In particular, the risk of a newer stub breaking (for example, because of bad interactions with certain firmware) old and previously working generations is avoided. * Kernels and initrds that are not going to be (re)installed anyway are not read and hashed any more. This significantly reduces the I/O and CPU time required for the installation process, particularly when there is a large number of generations. The following drawbacks are noted: * The first time installation is performed after these changes, most of the ESP is re-written at a different path; as a result, the disk usage increases to roughly the double until the GC is performed. * If multiple generations share a bare initrd, but have different secrets scripts, the final initrds will now be separated, leading to increased disk usage. However, this situation should be rare, and the previous behavior was arguably incorrect anyway. * If the files on the ESP are corrupted, running the installation again will not overwrite them with the correct versions. Since the files are written atomically, this situation should not happen except in case of file system corruption, and it is questionable whether overwriting really fixes the problem in this case. 2023-08-13 11:29:40 -05:00			`fn do_not_overwrite_images() -> Result<()> {`
tool: add install tests Add a few integration tests for installing files, e.g. overwriting signed and unsigned files. 2023-02-15 16:03:12 -06:00			`let esp = tempdir()?;`
			`let tmpdir = tempdir()?;`
			`let profiles = tempdir()?;`
tool: make stubs input-addressed The stubs on the ESP are now input-addressed, where the inputs are the system toplevel and the public key used for signature. This way, it is guaranteed that any stub at a given path will boot the desired system, even in the presence of one of the two edge-cases where it was not previously guaranteed: * The latest generation was deleted at one point, and its generation number was reused by a different system configuration. This is detected because the toplevel will change. * The secure boot signing key was rotated, so old stubs would not boot at all any more. This is detected because the public key will change. Avoiding these two cases will allow to skip reinstallation of stubs that are already in place at the correct path. 2023-08-13 05:02:35 -05:00			`let toplevel = common::setup_toplevel(tmpdir.path())?;`
tool: add install tests Add a few integration tests for installing files, e.g. overwriting signed and unsigned files. 2023-02-15 16:03:12 -06:00
tool: make stubs input-addressed The stubs on the ESP are now input-addressed, where the inputs are the system toplevel and the public key used for signature. This way, it is guaranteed that any stub at a given path will boot the desired system, even in the presence of one of the two edge-cases where it was not previously guaranteed: * The latest generation was deleted at one point, and its generation number was reused by a different system configuration. This is detected because the toplevel will change. * The secure boot signing key was rotated, so old stubs would not boot at all any more. This is detected because the public key will change. Avoiding these two cases will allow to skip reinstallation of stubs that are already in place at the correct path. 2023-08-13 05:02:35 -05:00			`let image1 = common::image_path(&esp, 1, &toplevel)?;`
			`let image2 = common::image_path(&esp, 2, &toplevel)?;`
tool: add install tests Add a few integration tests for installing files, e.g. overwriting signed and unsigned files. 2023-02-15 16:03:12 -06:00
tool: make stubs input-addressed The stubs on the ESP are now input-addressed, where the inputs are the system toplevel and the public key used for signature. This way, it is guaranteed that any stub at a given path will boot the desired system, even in the presence of one of the two edge-cases where it was not previously guaranteed: * The latest generation was deleted at one point, and its generation number was reused by a different system configuration. This is detected because the toplevel will change. * The secure boot signing key was rotated, so old stubs would not boot at all any more. This is detected because the public key will change. Avoiding these two cases will allow to skip reinstallation of stubs that are already in place at the correct path. 2023-08-13 05:02:35 -05:00			`let generation_link1 = setup_generation_link_from_toplevel(&toplevel, profiles.path(), 1)?;`
			`let generation_link2 = setup_generation_link_from_toplevel(&toplevel, profiles.path(), 2)?;`
tool: add install tests Add a few integration tests for installing files, e.g. overwriting signed and unsigned files. 2023-02-15 16:03:12 -06:00			`let generation_links = vec![generation_link1, generation_link2];`

			`let output1 = common::lanzaboote_install(0, esp.path(), generation_links.clone())?;`
			`assert!(output1.status.success());`

			`remove_signature(&image1)?;`
			`assert!(!verify_signature(&image1)?);`
			`assert!(verify_signature(&image2)?);`

			`let output2 = common::lanzaboote_install(0, esp.path(), generation_links)?;`
			`assert!(output2.status.success());`

tool: stop most overwriting in the ESP Since most files (stubs, kernels and initrds) on the ESP are properly input-addressed or content-addressed now, there is no point in overwriting them any more. Hence we detect what generations are already properly installed, and don't reinstall them any more. This approach leads to two distinct improvements: * Rollbacks are more reliable, because initrd secrets and stubs do not change any more for existing generations (with the necessary exception of stubs in case of signature key rotation). In particular, the risk of a newer stub breaking (for example, because of bad interactions with certain firmware) old and previously working generations is avoided. * Kernels and initrds that are not going to be (re)installed anyway are not read and hashed any more. This significantly reduces the I/O and CPU time required for the installation process, particularly when there is a large number of generations. The following drawbacks are noted: * The first time installation is performed after these changes, most of the ESP is re-written at a different path; as a result, the disk usage increases to roughly the double until the GC is performed. * If multiple generations share a bare initrd, but have different secrets scripts, the final initrds will now be separated, leading to increased disk usage. However, this situation should be rare, and the previous behavior was arguably incorrect anyway. * If the files on the ESP are corrupted, running the installation again will not overwrite them with the correct versions. Since the files are written atomically, this situation should not happen except in case of file system corruption, and it is questionable whether overwriting really fixes the problem in this case. 2023-08-13 11:29:40 -05:00			`assert!(!verify_signature(&image1)?);`
tool: add install tests Add a few integration tests for installing files, e.g. overwriting signed and unsigned files. 2023-02-15 16:03:12 -06:00			`assert!(verify_signature(&image2)?);`

			`Ok(())`
			`}`

tool: make stubs input-addressed The stubs on the ESP are now input-addressed, where the inputs are the system toplevel and the public key used for signature. This way, it is guaranteed that any stub at a given path will boot the desired system, even in the presence of one of the two edge-cases where it was not previously guaranteed: * The latest generation was deleted at one point, and its generation number was reused by a different system configuration. This is detected because the toplevel will change. * The secure boot signing key was rotated, so old stubs would not boot at all any more. This is detected because the public key will change. Avoiding these two cases will allow to skip reinstallation of stubs that are already in place at the correct path. 2023-08-13 05:02:35 -05:00			`#[test]`
			`fn detect_generation_number_reuse() -> Result<()> {`
			`let esp = tempdir()?;`
			`let tmpdir = tempdir()?;`
			`let profiles = tempdir()?;`
			`let toplevel1 = common::setup_toplevel(tmpdir.path())?;`
			`let toplevel2 = common::setup_toplevel(tmpdir.path())?;`

			`let image1 = common::image_path(&esp, 1, &toplevel1)?;`
			`// this deliberately gets the same number!`
			`let image2 = common::image_path(&esp, 1, &toplevel2)?;`

			`let generation_link1 = setup_generation_link_from_toplevel(&toplevel1, profiles.path(), 1)?;`
			`let output1 = common::lanzaboote_install(0, esp.path(), vec![generation_link1])?;`
			`assert!(output1.status.success());`
			`assert!(image1.exists());`
			`assert!(!image2.exists());`

			`std::fs::remove_dir_all(profiles.path().join("system-1-link"))?;`
			`let generation_link2 = setup_generation_link_from_toplevel(&toplevel2, profiles.path(), 1)?;`
			`let output2 = common::lanzaboote_install(0, esp.path(), vec![generation_link2])?;`
			`assert!(output2.status.success());`
			`assert!(!image1.exists());`
			`assert!(image2.exists());`

			`Ok(())`
			`}`

tool: add install tests Add a few integration tests for installing files, e.g. overwriting signed and unsigned files. 2023-02-15 16:03:12 -06:00			`#[test]`
tool: make kernels and initrds content-addressed Kernels and initrds on the ESP are now content-addressed. By definition, it is impossible for two different kernels or initrds to ever end up at the same place, even in the presence of changing initrd secrets or other unreproducibility. The basic advantage of this is that installing the kernel or initrd for a generation can never break another generation. In turn, this enables the following two improvements: * All generations can be installed independently. In particular, the installation can be performed in one pass, one generation at a time. As a result, the code is significantly simplified, and memory usage (due to the temporary files) does not grow with the number of generations any more. * Generations that already have their files in place on the ESP do not need to be reinstalled. This will be taken advantage of in a subsequent commit. 2023-08-12 08:23:21 -05:00			`fn content_addressing_works() -> Result<()> {`
tool: add install tests Add a few integration tests for installing files, e.g. overwriting signed and unsigned files. 2023-02-15 16:03:12 -06:00			`let esp = tempdir()?;`
			`let tmpdir = tempdir()?;`
			`let profiles = tempdir()?;`
			`let toplevel = common::setup_toplevel(tmpdir.path())?;`

			`let generation_link = setup_generation_link_from_toplevel(&toplevel, profiles.path(), 1)?;`
			`let generation_links = vec![generation_link];`

tool: make kernels and initrds content-addressed Kernels and initrds on the ESP are now content-addressed. By definition, it is impossible for two different kernels or initrds to ever end up at the same place, even in the presence of changing initrd secrets or other unreproducibility. The basic advantage of this is that installing the kernel or initrd for a generation can never break another generation. In turn, this enables the following two improvements: * All generations can be installed independently. In particular, the installation can be performed in one pass, one generation at a time. As a result, the code is significantly simplified, and memory usage (due to the temporary files) does not grow with the number of generations any more. * Generations that already have their files in place on the ESP do not need to be reinstalled. This will be taken advantage of in a subsequent commit. 2023-08-12 08:23:21 -05:00			`let kernel_hash_source =`
			`hash_file(&toplevel.join("eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-6.1.1/kernel"));`
tool: add install tests Add a few integration tests for installing files, e.g. overwriting signed and unsigned files. 2023-02-15 16:03:12 -06:00
			`let output0 = common::lanzaboote_install(1, esp.path(), generation_links)?;`
			`assert!(output0.status.success());`

tool: make kernels and initrds content-addressed Kernels and initrds on the ESP are now content-addressed. By definition, it is impossible for two different kernels or initrds to ever end up at the same place, even in the presence of changing initrd secrets or other unreproducibility. The basic advantage of this is that installing the kernel or initrd for a generation can never break another generation. In turn, this enables the following two improvements: * All generations can be installed independently. In particular, the installation can be performed in one pass, one generation at a time. As a result, the code is significantly simplified, and memory usage (due to the temporary files) does not grow with the number of generations any more. * Generations that already have their files in place on the ESP do not need to be reinstalled. This will be taken advantage of in a subsequent commit. 2023-08-12 08:23:21 -05:00			`let kernel_path = esp.path().join(format!(`
			`"EFI/nixos/kernel-6.1.1-{}.efi",`
			`Base32Unpadded::encode_string(&kernel_hash_source)`
			`));`
tool: add install tests Add a few integration tests for installing files, e.g. overwriting signed and unsigned files. 2023-02-15 16:03:12 -06:00
tool: make kernels and initrds content-addressed Kernels and initrds on the ESP are now content-addressed. By definition, it is impossible for two different kernels or initrds to ever end up at the same place, even in the presence of changing initrd secrets or other unreproducibility. The basic advantage of this is that installing the kernel or initrd for a generation can never break another generation. In turn, this enables the following two improvements: * All generations can be installed independently. In particular, the installation can be performed in one pass, one generation at a time. As a result, the code is significantly simplified, and memory usage (due to the temporary files) does not grow with the number of generations any more. * Generations that already have their files in place on the ESP do not need to be reinstalled. This will be taken advantage of in a subsequent commit. 2023-08-12 08:23:21 -05:00			`// Implicitly assert that the content-addressed file actually exists.`
			`let kernel_hash = hash_file(&kernel_path);`
			`// Assert the written kernel is the source kernel.`
			`assert_eq!(kernel_hash_source, kernel_hash);`
tool: add install tests Add a few integration tests for installing files, e.g. overwriting signed and unsigned files. 2023-02-15 16:03:12 -06:00
			`Ok(())`
			`}`