Merge pull request #82 from nix-community/clean-up-nixos-tests
nix.tests: clean up
This commit is contained in:
commit
41c7a14a80
|
@ -31,9 +31,13 @@ let
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Execute a boot test that is intended to fail.
|
# Execute a SB test that is expected to fail because of a hash mismatch.
|
||||||
#
|
#
|
||||||
mkUnsignedTest = { name, path, appendCrap ? false }: mkSecureBootTest {
|
# Takes a set `path` consisting of a `src` and a `dst` attribute. The file at
|
||||||
|
# `src` is copied to `dst` inside th VM. Optionally append some random data
|
||||||
|
# ("crap") to the end of the file at `dst`. This is useful to easily change
|
||||||
|
# the hash of a file and produce a hash mismatch when booting the stub.
|
||||||
|
mkHashMismatchTest = { name, path, appendCrap ? false }: mkSecureBootTest {
|
||||||
inherit name;
|
inherit name;
|
||||||
testScript = ''
|
testScript = ''
|
||||||
import json
|
import json
|
||||||
|
@ -65,16 +69,16 @@ in
|
||||||
{
|
{
|
||||||
# TODO: user mode: OK
|
# TODO: user mode: OK
|
||||||
# TODO: how to get in: {deployed, audited} mode ?
|
# TODO: how to get in: {deployed, audited} mode ?
|
||||||
lanzaboote-boot = mkSecureBootTest {
|
basic = mkSecureBootTest {
|
||||||
name = "signed-files-boot-under-secureboot";
|
name = "lanzaboote";
|
||||||
testScript = ''
|
testScript = ''
|
||||||
machine.start()
|
machine.start()
|
||||||
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
|
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
lanzaboote-boot-under-sd-stage1 = mkSecureBootTest {
|
systemd-initrd = mkSecureBootTest {
|
||||||
name = "signed-files-boot-under-secureboot-systemd-stage-1";
|
name = "lanzaboote-systemd-initrd";
|
||||||
machine = { ... }: {
|
machine = { ... }: {
|
||||||
boot.initrd.systemd.enable = true;
|
boot.initrd.systemd.enable = true;
|
||||||
};
|
};
|
||||||
|
@ -84,15 +88,12 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
# So, this is the responsibility of the lanzatool install
|
# Test that a secret is appended to the initrd during installation.
|
||||||
# to run the append-initrd-secret script
|
#
|
||||||
# This test assert that lanzatool still do the right thing
|
# During the execution of `preDeviceCommands`, no filesystem should be
|
||||||
# preDeviceCommands should not have any root filesystem mounted
|
# mounted. The only place to find `/etc/iamasecret` then, is in the initrd.
|
||||||
# so it should not be able to find /etc/iamasecret, other than the
|
initrd-secrets = mkSecureBootTest {
|
||||||
# initrd's one.
|
name = "lanzaboote-initrd-secrets";
|
||||||
# which should exist IF lanzatool do the right thing.
|
|
||||||
lanzaboote-with-initrd-secrets = mkSecureBootTest {
|
|
||||||
name = "signed-files-boot-with-secrets-under-secureboot";
|
|
||||||
machine = { ... }: {
|
machine = { ... }: {
|
||||||
boot.initrd.secrets = {
|
boot.initrd.secrets = {
|
||||||
"/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
|
"/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
|
||||||
|
@ -109,12 +110,12 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
# The initrd is not directly signed. Its hash is embedded
|
# The initrd is not directly signed. Its hash is embedded
|
||||||
# into lanzaboote. To make integrity verification fail, we
|
# into the UKI. To make integrity verification fail, we
|
||||||
# actually have to modify the initrd. Appending crap to the
|
# actually have to modify the initrd. Appending crap to the
|
||||||
# end is a harmless way that would make the kernel still
|
# end is a harmless way that would make the kernel still
|
||||||
# accept it.
|
# accept it.
|
||||||
is-initrd-secured = mkUnsignedTest {
|
secured-initrd = mkHashMismatchTest {
|
||||||
name = "unsigned-initrd-do-not-boot-under-secureboot";
|
name = "lanzaboote-secured-initrd";
|
||||||
path = {
|
path = {
|
||||||
src = "bootspec.get('initrd')";
|
src = "bootspec.get('initrd')";
|
||||||
dst = "convert_to_esp(bootspec.get('initrd'))";
|
dst = "convert_to_esp(bootspec.get('initrd'))";
|
||||||
|
@ -122,15 +123,16 @@ in
|
||||||
appendCrap = true;
|
appendCrap = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
is-kernel-secured = mkUnsignedTest {
|
secured-kernel = mkHashMismatchTest {
|
||||||
name = "unsigned-kernel-do-not-boot-under-secureboot";
|
name = "lanzaboote-secured-kernel";
|
||||||
path = {
|
path = {
|
||||||
src = "bootspec.get('kernel')";
|
src = "bootspec.get('kernel')";
|
||||||
dst = "convert_to_esp(bootspec.get('kernel'))";
|
dst = "convert_to_esp(bootspec.get('kernel'))";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
specialisation-works = mkSecureBootTest {
|
|
||||||
name = "specialisation-still-boot-under-secureboot";
|
specialisation = mkSecureBootTest {
|
||||||
|
name = "lanzaboote-specialisation";
|
||||||
machine = { pkgs, ... }: {
|
machine = { pkgs, ... }: {
|
||||||
specialisation.variant.configuration = {
|
specialisation.variant.configuration = {
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
|
@ -141,7 +143,6 @@ in
|
||||||
testScript = ''
|
testScript = ''
|
||||||
machine.start()
|
machine.start()
|
||||||
print(machine.succeed("ls -lah /boot/EFI/Linux"))
|
print(machine.succeed("ls -lah /boot/EFI/Linux"))
|
||||||
print(machine.succeed("cat /run/current-system/boot.json"))
|
|
||||||
# TODO: make it more reliable to find this filename, i.e. read it from somewhere?
|
# TODO: make it more reliable to find this filename, i.e. read it from somewhere?
|
||||||
machine.succeed("bootctl set-default nixos-generation-1-specialisation-variant.efi")
|
machine.succeed("bootctl set-default nixos-generation-1-specialisation-variant.efi")
|
||||||
machine.succeed("sync")
|
machine.succeed("sync")
|
||||||
|
@ -149,7 +150,7 @@ in
|
||||||
machine.crash()
|
machine.crash()
|
||||||
machine.start()
|
machine.start()
|
||||||
print(machine.succeed("bootctl"))
|
print(machine.succeed("bootctl"))
|
||||||
# We have efibootmgr in this specialisation.
|
# Only the specialisation contains the efibootmgr binary.
|
||||||
machine.succeed("efibootmgr")
|
machine.succeed("efibootmgr")
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in New Issue