lanzaboote/nix/tests/lanzaboote.nix

{ pkgs
, testPkgs
, lanzabooteModule
}:

let
  inherit (pkgs) lib;

  mkSecureBootTest = { name, machine ? { }, useSecureBoot ? true, testScript }: testPkgs.nixosTest {
    inherit name testScript;
    nodes.machine = { lib, ... }: {
      imports = [
        lanzabooteModule
        machine
      ];

      virtualisation = {
        useBootLoader = true;
        useEFIBoot = true;

        inherit useSecureBoot;
      };

      boot.loader.efi = {
        canTouchEfiVariables = true;
      };
      boot.lanzaboote = {
        enable = true;
        enrollKeys = lib.mkDefault true;
        pkiBundle = ./fixtures/uefi-keys;
      };
    };
  };

  # Execute a boot test that has an intentionally broken secure boot
  # chain. This test is expected to fail with Secure Boot and should
  # succeed without.
  #
  # Takes a set `path` consisting of a `src` and a `dst` attribute. The file at
  # `src` is copied to `dst` inside th VM. Optionally append some random data
  # ("crap") to the end of the file at `dst`. This is useful to easily change
  # the hash of a file and produce a hash mismatch when booting the stub.
  mkHashMismatchTest = { name, path, appendCrap ? false, useSecureBoot ? true }: mkSecureBootTest {
    inherit name;
    inherit useSecureBoot;

    testScript = ''
      import json
      import os.path
      bootspec = None

      def convert_to_esp(store_file_path):
          store_dir = os.path.basename(os.path.dirname(store_file_path))
          filename = os.path.basename(store_file_path)
          return f'/boot/EFI/nixos/{store_dir}-{filename}.efi'

      machine.start()
      bootspec = json.loads(machine.succeed("cat /run/current-system/boot.json")).get('v1')
      assert bootspec is not None, "Unsupported bootspec version!"
      src_path = ${path.src}
      dst_path = ${path.dst}
      machine.succeed(f"cp -rf {src_path} {dst_path}")
    '' + lib.optionalString appendCrap ''
      machine.succeed(f"echo Foo >> {dst_path}")
    '' +
    ''
      machine.succeed("sync")
      machine.crash()
      machine.start()
    '' + (if useSecureBoot then ''
      machine.wait_for_console_text("Hash mismatch")
    '' else ''
      # Just check that the system came up.
      print(machine.succeed("bootctl", timeout=120))
    '');
  };

  # The initrd is not directly signed. Its hash is embedded into
  # lanzaboote. To make integrity verification fail, we actually have
  # to modify the initrd. Appending crap to the end is a harmless way
  # that would make the kernel still accept it.
  mkModifiedInitrdTest = { name, useSecureBoot }: mkHashMismatchTest {
    inherit name useSecureBoot;

    path = {
      src = "bootspec.get('initrd')";
      dst = "convert_to_esp(bootspec.get('initrd'))";
    };

    appendCrap = true;
  };

  mkModifiedKernelTest = { name, useSecureBoot }: mkHashMismatchTest {
    inherit name useSecureBoot;

    path = {
      src = "bootspec.get('kernel')";
      dst = "convert_to_esp(bootspec.get('kernel'))";
    };

    appendCrap = true;
  };

in
{
  # TODO: user mode: OK
  # TODO: how to get in: {deployed, audited} mode ?
  basic = mkSecureBootTest {
    name = "lanzaboote";
    testScript = ''
      machine.start()
      assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
    '';
  };

  systemd-initrd = mkSecureBootTest {
    name = "lanzaboote-systemd-initrd";
    machine = { ... }: {
      boot.initrd.systemd.enable = true;
    };
    testScript = ''
      machine.start()
      assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
    '';
  };

  # Test that a secret is appended to the initrd during installation.
  # 
  # During the execution of `preDeviceCommands`, no filesystem should be
  # mounted. The only place to find `/etc/iamasecret` then, is in the initrd.
  initrd-secrets = mkSecureBootTest {
    name = "lanzaboote-initrd-secrets";
    machine = { ... }: {
      boot.initrd.secrets = {
        "/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
      };

      boot.initrd.preDeviceCommands = ''
        grep "this is a very secure secret" /etc/iamasecret
      '';
    };
    testScript = ''
      machine.start()
      assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
    '';
  };

  modified-initrd-doesnt-boot-with-secure-boot = mkModifiedInitrdTest {
    name = "modified-initrd-doesnt-boot-with-secure-boot";
    useSecureBoot = true;
  };

  modified-initrd-boots-without-secure-boot = mkModifiedInitrdTest {
    name = "modified-initrd-boots-without-secure-boot";
    useSecureBoot = false;
  };

  modified-kernel-doesnt-boot-with-secure-boot = mkModifiedKernelTest {
    name = "modified-kernel-doesnt-boot-with-secure-boot";
    useSecureBoot = true;
  };

  modified-kernel-boots-without-secure-boot = mkModifiedKernelTest {
    name = "modified-kernel-boots-without-secure-boot";
    useSecureBoot = false;
  };

  specialisation-works = mkSecureBootTest {
    name = "specialisation-still-boot-under-secureboot";
    machine = { pkgs, ... }: {
      specialisation.variant.configuration = {
        environment.systemPackages = [
          pkgs.efibootmgr
        ];
      };
    };
    testScript = ''
      machine.start()
      print(machine.succeed("ls -lah /boot/EFI/Linux"))
      # TODO: make it more reliable to find this filename, i.e. read it from somewhere?
      machine.succeed("bootctl set-default nixos-generation-1-specialisation-variant.efi")
      machine.succeed("sync")
      machine.fail("efibootmgr")
      machine.crash()
      machine.start()
      print(machine.succeed("bootctl"))
      # Only the specialisation contains the efibootmgr binary.
      machine.succeed("efibootmgr")
    '';
  };

  systemd-boot-loader-config = mkSecureBootTest {
    name = "lanzaboote-systemd-boot-loader-config";
    machine = {
      boot.loader.timeout = 0;
      boot.loader.systemd-boot.consoleMode = "auto";
    };
    testScript = ''
      machine.start()

      actual_loader_config = machine.succeed("cat /boot/loader/loader.conf")
      expected_loader_config = "timeout 0\nconsole-mode auto\n"
      
      assert actual_loader_config == expected_loader_config, \
        f"Actual: '{actual_loader_config}' is not equal to expected: '{expected_loader_config}'"
    '';
  };
}
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`{ pkgs`
			`, testPkgs`
			`, lanzabooteModule`
			`}:`

			`let`
			`inherit (pkgs) lib;`

tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`mkSecureBootTest = { name, machine ? { }, useSecureBoot ? true, testScript }: testPkgs.nixosTest {`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`inherit name testScript;`
			`nodes.machine = { lib, ... }: {`
			`imports = [`
			`lanzabooteModule`
			`machine`
			`];`

			`virtualisation = {`
			`useBootLoader = true;`
			`useEFIBoot = true;`
tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00
			`inherit useSecureBoot;`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`};`

			`boot.loader.efi = {`
			`canTouchEfiVariables = true;`
			`};`
			`boot.lanzaboote = {`
			`enable = true;`
			`enrollKeys = lib.mkDefault true;`
treewide: move uefi-keys into test fixtures To clean up the repository move the uefi keys (`pki/`) to `nix/tests/fixtures/uefi-keys`. 2023-01-25 18:17:18 -06:00			`pkiBundle = ./fixtures/uefi-keys;`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`};`
			`};`
			`};`

tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`# Execute a boot test that has an intentionally broken secure boot`
			`# chain. This test is expected to fail with Secure Boot and should`
			`# succeed without.`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`#`
nix.tests: clean up The test attributes and names are simplified and standardized. They now roughly follow the same structure as the systemd-boot test in Nixpkgs. Some comments are added and variable names changed to make it more clear what they actually do. 2023-01-27 18:34:15 -06:00			# Takes a set `path` consisting of a `src` and a `dst` attribute. The file at
			# `src` is copied to `dst` inside th VM. Optionally append some random data
			# ("crap") to the end of the file at `dst`. This is useful to easily change
			`# the hash of a file and produce a hash mismatch when booting the stub.`
tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`mkHashMismatchTest = { name, path, appendCrap ? false, useSecureBoot ? true }: mkSecureBootTest {`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`inherit name;`
tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`inherit useSecureBoot;`

nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`testScript = ''`
			`import json`
			`import os.path`
			`bootspec = None`

			`def convert_to_esp(store_file_path):`
			`store_dir = os.path.basename(os.path.dirname(store_file_path))`
			`filename = os.path.basename(store_file_path)`
			`return f'/boot/EFI/nixos/{store_dir}-{filename}.efi'`

			`machine.start()`
			`bootspec = json.loads(machine.succeed("cat /run/current-system/boot.json")).get('v1')`
			`assert bootspec is not None, "Unsupported bootspec version!"`
			`src_path = ${path.src}`
			`dst_path = ${path.dst}`
			`machine.succeed(f"cp -rf {src_path} {dst_path}")`
			`'' + lib.optionalString appendCrap ''`
			`machine.succeed(f"echo Foo >> {dst_path}")`
			`'' +`
			`''`
			`machine.succeed("sync")`
			`machine.crash()`
			`machine.start()`
tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`'' + (if useSecureBoot then ''`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`machine.wait_for_console_text("Hash mismatch")`
tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`'' else ''`
			`# Just check that the system came up.`
			`print(machine.succeed("bootctl", timeout=120))`
			`'');`
			`};`

			`# The initrd is not directly signed. Its hash is embedded into`
			`# lanzaboote. To make integrity verification fail, we actually have`
			`# to modify the initrd. Appending crap to the end is a harmless way`
			`# that would make the kernel still accept it.`
			`mkModifiedInitrdTest = { name, useSecureBoot }: mkHashMismatchTest {`
			`inherit name useSecureBoot;`

			`path = {`
			`src = "bootspec.get('initrd')";`
			`dst = "convert_to_esp(bootspec.get('initrd'))";`
			`};`

			`appendCrap = true;`
			`};`

			`mkModifiedKernelTest = { name, useSecureBoot }: mkHashMismatchTest {`
			`inherit name useSecureBoot;`

			`path = {`
			`src = "bootspec.get('kernel')";`
			`dst = "convert_to_esp(bootspec.get('kernel'))";`
			`};`

			`appendCrap = true;`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`};`
tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`in`
			`{`
			`# TODO: user mode: OK`
			`# TODO: how to get in: {deployed, audited} mode ?`
nix.tests: clean up The test attributes and names are simplified and standardized. They now roughly follow the same structure as the systemd-boot test in Nixpkgs. Some comments are added and variable names changed to make it more clear what they actually do. 2023-01-27 18:34:15 -06:00			`basic = mkSecureBootTest {`
			`name = "lanzaboote";`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`testScript = ''`
			`machine.start()`
			`assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")`
			`'';`
			`};`

nix.tests: clean up The test attributes and names are simplified and standardized. They now roughly follow the same structure as the systemd-boot test in Nixpkgs. Some comments are added and variable names changed to make it more clear what they actually do. 2023-01-27 18:34:15 -06:00			`systemd-initrd = mkSecureBootTest {`
			`name = "lanzaboote-systemd-initrd";`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`machine = { ... }: {`
			`boot.initrd.systemd.enable = true;`
			`};`
			`testScript = ''`
			`machine.start()`
			`assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")`
			`'';`
			`};`

nix.tests: clean up The test attributes and names are simplified and standardized. They now roughly follow the same structure as the systemd-boot test in Nixpkgs. Some comments are added and variable names changed to make it more clear what they actually do. 2023-01-27 18:34:15 -06:00			`# Test that a secret is appended to the initrd during installation.`
			`#`
			# During the execution of `preDeviceCommands`, no filesystem should be
			# mounted. The only place to find `/etc/iamasecret` then, is in the initrd.
			`initrd-secrets = mkSecureBootTest {`
			`name = "lanzaboote-initrd-secrets";`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`machine = { ... }: {`
			`boot.initrd.secrets = {`
			`"/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");`
			`};`

			`boot.initrd.preDeviceCommands = ''`
			`grep "this is a very secure secret" /etc/iamasecret`
			`'';`
			`};`
			`testScript = ''`
			`machine.start()`
			`assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")`
			`'';`
			`};`

tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`modified-initrd-doesnt-boot-with-secure-boot = mkModifiedInitrdTest {`
			`name = "modified-initrd-doesnt-boot-with-secure-boot";`
			`useSecureBoot = true;`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`};`

tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`modified-initrd-boots-without-secure-boot = mkModifiedInitrdTest {`
			`name = "modified-initrd-boots-without-secure-boot";`
			`useSecureBoot = false;`
			`};`

			`modified-kernel-doesnt-boot-with-secure-boot = mkModifiedKernelTest {`
			`name = "modified-kernel-doesnt-boot-with-secure-boot";`
			`useSecureBoot = true;`
			`};`

			`modified-kernel-boots-without-secure-boot = mkModifiedKernelTest {`
			`name = "modified-kernel-boots-without-secure-boot";`
			`useSecureBoot = false;`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`};`
nix.tests: clean up The test attributes and names are simplified and standardized. They now roughly follow the same structure as the systemd-boot test in Nixpkgs. Some comments are added and variable names changed to make it more clear what they actually do. 2023-01-27 18:34:15 -06:00
tests: check whether disabled secure boot relaxes hash checks 2023-02-02 07:38:34 -06:00			`specialisation-works = mkSecureBootTest {`
			`name = "specialisation-still-boot-under-secureboot";`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`machine = { pkgs, ... }: {`
			`specialisation.variant.configuration = {`
			`environment.systemPackages = [`
			`pkgs.efibootmgr`
			`];`
			`};`
			`};`
			`testScript = ''`
			`machine.start()`
			`print(machine.succeed("ls -lah /boot/EFI/Linux"))`
			`# TODO: make it more reliable to find this filename, i.e. read it from somewhere?`
			`machine.succeed("bootctl set-default nixos-generation-1-specialisation-variant.efi")`
			`machine.succeed("sync")`
			`machine.fail("efibootmgr")`
			`machine.crash()`
			`machine.start()`
			`print(machine.succeed("bootctl"))`
nix.tests: clean up The test attributes and names are simplified and standardized. They now roughly follow the same structure as the systemd-boot test in Nixpkgs. Some comments are added and variable names changed to make it more clear what they actually do. 2023-01-27 18:34:15 -06:00			`# Only the specialisation contains the efibootmgr binary.`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`machine.succeed("efibootmgr")`
			`'';`
			`};`
tool: write systemd-boot loader.conf To minimize the number of arguments passed to `lzbt`, the loader config is assembled outside `lzbt` and passed as a single argument. Instead of reimplementing `consoleMode` under the `lanzaboote` namespace, `config.loader.systemd-boot.consoleMode` is reused as is. 2023-01-26 17:37:05 -06:00
			`systemd-boot-loader-config = mkSecureBootTest {`
			`name = "lanzaboote-systemd-boot-loader-config";`
			`machine = {`
			`boot.loader.timeout = 0;`
			`boot.loader.systemd-boot.consoleMode = "auto";`
			`};`
			`testScript = ''`
			`machine.start()`

			`actual_loader_config = machine.succeed("cat /boot/loader/loader.conf")`
			`expected_loader_config = "timeout 0\nconsole-mode auto\n"`

			`assert actual_loader_config == expected_loader_config, \`
			`f"Actual: '{actual_loader_config}' is not equal to expected: '{expected_loader_config}'"`
			`'';`
			`};`
nix.tests: move from flake 2022-12-25 09:18:53 -06:00			`}`