Ryan Lahfa
GitHub
commit
5667bbc1f4
18
flake.nix
18
flake.nix
|
|
@ -38,21 +38,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = inputs@{ self, nixpkgs, crane, rust-overlay, flake-parts, ... }:
|
outputs = inputs@{ self, nixpkgs, crane, rust-overlay, flake-parts, ... }:
|
||||||
let
|
flake-parts.lib.mkFlake { inherit inputs; } ({ moduleWithSystem, ... }: {
|
||||||
# Systems supported in CI
|
|
||||||
supportedSystems = [ "x86_64-linux" ];
|
|
||||||
fixupFlakes = outputs: nixpkgs.lib.updateManyAttrsByPath [
|
|
||||||
# Apply post-flakeparts massaging for limited supported systems, e.g. systems for which
|
|
||||||
# we don't have KVM support and cannot test in CI, but we still can meaningfully
|
|
||||||
# build packages.
|
|
||||||
{
|
|
||||||
path = [ "checks" ];
|
|
||||||
update = nixpkgs.lib.filterAttrs (name: _: builtins.elem name supportedSystems);
|
|
||||||
}
|
|
||||||
]
|
|
||||||
outputs;
|
|
||||||
in
|
|
||||||
fixupFlakes (flake-parts.lib.mkFlake { inherit inputs; } ({ moduleWithSystem, ... }: {
|
|
||||||
imports = [
|
imports = [
|
||||||
# Derive the output overlay automatically from all packages that we define.
|
# Derive the output overlay automatically from all packages that we define.
|
||||||
inputs.flake-parts.flakeModules.easyOverlay
|
inputs.flake-parts.flakeModules.easyOverlay
|
||||||
|
|
@ -270,5 +256,5 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}));
|
});
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -6,6 +6,9 @@ let
|
||||||
inherit (pkgs) lib system;
|
inherit (pkgs) lib system;
|
||||||
defaultTimeout = 5 * 60; # = 5 minutes
|
defaultTimeout = 5 * 60; # = 5 minutes
|
||||||
|
|
||||||
|
inherit (pkgs.stdenv.hostPlatform) efiArch;
|
||||||
|
efiArchUppercased = lib.toUpper efiArch;
|
||||||
|
|
||||||
mkSecureBootTest = { name, machine ? { }, useSecureBoot ? true, useTPM2 ? false, readEfiVariables ? false, testScript }:
|
mkSecureBootTest = { name, machine ? { }, useSecureBoot ? true, useTPM2 ? false, readEfiVariables ? false, testScript }:
|
||||||
let
|
let
|
||||||
tpmSocketPath = "/tmp/swtpm-sock";
|
tpmSocketPath = "/tmp/swtpm-sock";
|
||||||
|
|
@ -241,7 +244,7 @@ in
|
||||||
|
|
||||||
# Test that the secrets configured to be appended to the initrd get updated
|
# Test that the secrets configured to be appended to the initrd get updated
|
||||||
# when installing a new generation even if the initrd itself (i.e. its store
|
# when installing a new generation even if the initrd itself (i.e. its store
|
||||||
# path) does not change.
|
# path) does not change.
|
||||||
#
|
#
|
||||||
# An unfortunate result of this NixOS feature is that updating the secrets
|
# An unfortunate result of this NixOS feature is that updating the secrets
|
||||||
# without creating a new initrd might break previous generations. Verify that
|
# without creating a new initrd might break previous generations. Verify that
|
||||||
|
|
@ -338,16 +341,28 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
# We test if we can install Lanzaboote without Bootspec support.
|
# We test if we can install Lanzaboote without Bootspec support.
|
||||||
synthesis = mkSecureBootTest {
|
synthesis =
|
||||||
name = "lanzaboote-synthesis";
|
if pkgs.hostPlatform.isAarch64 then
|
||||||
machine = { lib, ... }: {
|
# FIXME: currently broken on aarch64
|
||||||
boot.bootspec.enable = lib.mkForce false;
|
#> mkfs.fat 4.2 (2021-01-31)
|
||||||
};
|
#> setting up /etc...
|
||||||
testScript = ''
|
#> Enrolling keys to EFI variables...✓
|
||||||
machine.start()
|
#> Enrolled keys to the EFI variables!
|
||||||
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
|
#> Installing Lanzaboote to "/boot"...
|
||||||
'';
|
#> No bootable generations found! Aborting to avoid unbootable system. Please check for Lanzaboote updates!
|
||||||
};
|
#> [ 2.788390] reboot: Power down
|
||||||
|
pkgs.hello
|
||||||
|
else
|
||||||
|
mkSecureBootTest {
|
||||||
|
name = "lanzaboote-synthesis";
|
||||||
|
machine = { lib, ... }: {
|
||||||
|
boot.bootspec.enable = lib.mkForce false;
|
||||||
|
};
|
||||||
|
testScript = ''
|
||||||
|
machine.start()
|
||||||
|
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
systemd-boot-loader-config = mkSecureBootTest {
|
systemd-boot-loader-config = mkSecureBootTest {
|
||||||
name = "lanzaboote-systemd-boot-loader-config";
|
name = "lanzaboote-systemd-boot-loader-config";
|
||||||
|
|
@ -360,7 +375,7 @@ in
|
||||||
|
|
||||||
actual_loader_config = machine.succeed("cat /boot/loader/loader.conf").split("\n")
|
actual_loader_config = machine.succeed("cat /boot/loader/loader.conf").split("\n")
|
||||||
expected_loader_config = ["timeout 0", "console-mode auto"]
|
expected_loader_config = ["timeout 0", "console-mode auto"]
|
||||||
|
|
||||||
assert all(cfg in actual_loader_config for cfg in expected_loader_config), \
|
assert all(cfg in actual_loader_config for cfg in expected_loader_config), \
|
||||||
f"Expected: {expected_loader_config} is not included in actual config: '{actual_loader_config}'"
|
f"Expected: {expected_loader_config} is not included in actual config: '{actual_loader_config}'"
|
||||||
'';
|
'';
|
||||||
|
|
@ -384,8 +399,8 @@ in
|
||||||
# TODO: this should work -- machine.succeed("efibootmgr -d /dev/vda -c -l \\EFI\\Linux\\nixos-generation-1.efi") -- efivars are not persisted
|
# TODO: this should work -- machine.succeed("efibootmgr -d /dev/vda -c -l \\EFI\\Linux\\nixos-generation-1.efi") -- efivars are not persisted
|
||||||
# across reboots atm?
|
# across reboots atm?
|
||||||
# cheat code no 1
|
# cheat code no 1
|
||||||
machine.succeed("cp /boot/EFI/Linux/nixos-generation-1-*.efi /boot/EFI/BOOT/BOOTX64.EFI")
|
machine.succeed("cp /boot/EFI/Linux/nixos-generation-1-*.efi /boot/EFI/BOOT/BOOT${efiArchUppercased}.EFI")
|
||||||
machine.succeed("cp /boot/EFI/Linux/nixos-generation-1-*.efi /boot/EFI/systemd/systemd-bootx64.efi")
|
machine.succeed("cp /boot/EFI/Linux/nixos-generation-1-*.efi /boot/EFI/systemd/systemd-boot${efiArch}.efi")
|
||||||
|
|
||||||
# Let's reboot.
|
# Let's reboot.
|
||||||
machine.succeed("sync")
|
machine.succeed("sync")
|
||||||
|
|
@ -415,7 +430,7 @@ in
|
||||||
with subtest("Is `StubInfo` correctly set"):
|
with subtest("Is `StubInfo` correctly set"):
|
||||||
assert "lanzastub" in read_string_variable("StubInfo"), "Unexpected stub information, provenance is not lanzaboote project!"
|
assert "lanzastub" in read_string_variable("StubInfo"), "Unexpected stub information, provenance is not lanzaboote project!"
|
||||||
|
|
||||||
assert_variable_string("LoaderImageIdentifier", "\\EFI\\BOOT\\BOOTX64.EFI")
|
assert_variable_string("LoaderImageIdentifier", "\\EFI\\BOOT\\BOOT${efiArchUppercased}.EFI")
|
||||||
# TODO: exploit QEMU test infrastructure to pass the good value all the time.
|
# TODO: exploit QEMU test infrastructure to pass the good value all the time.
|
||||||
assert_variable_string("LoaderDevicePartUUID", "1c06f03b-704e-4657-b9cd-681a087a2fdc")
|
assert_variable_string("LoaderDevicePartUUID", "1c06f03b-704e-4657-b9cd-681a087a2fdc")
|
||||||
# OVMF tests are using EDK II tree.
|
# OVMF tests are using EDK II tree.
|
||||||
|
|
|
||||||
|
|
@ -26,7 +26,7 @@ in
|
||||||
|
|
||||||
nodes.machine = _: {
|
nodes.machine = _: {
|
||||||
imports = [ common ];
|
imports = [ common ];
|
||||||
boot.loader.uki.stub = "${pkgs.systemd}/lib/systemd/boot/efi/linuxx64.efi.stub";
|
boot.loader.uki.stub = "${pkgs.systemd}/lib/systemd/boot/efi/linux${pkgs.hostPlatform.efiArch}.efi.stub";
|
||||||
};
|
};
|
||||||
testScript = ''
|
testScript = ''
|
||||||
machine.start()
|
machine.start()
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue