tests: correctly test appending secret to initrd

The way the test was implemented previously did not make it fail if no secret was appended to the initrd. Now it is implemented similary to the initrd-secrets test in Nixpkgs and works correctly.
2023-02-25 21:38:43 +01:00 · 2023-02-25 21:38:43 +01:00 · ab4e90c331
parent 195e29f935
commit ab4e90c331
1 changed files with 21 additions and 16 deletions
--- a/nix/tests/lanzaboote.nix
+++ b/nix/tests/lanzaboote.nix
@ -124,23 +124,28 @@ in
    '';
  };
-  # Test that a secret is appended to the initrd during installation.
+  # Test that a secret is appended to the initrd during installation. Smilar to
-  # 
+  # the initrd-secrets test in Nixpkgs:
-  # During the execution of `preDeviceCommands`, no filesystem should be
+  # https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/initrd-secrets.nix
-  # mounted. The only place to find `/etc/iamasecret` then, is in the initrd.
+  initrd-secrets =
-  initrd-secrets = mkSecureBootTest {
+    let
      secret = (pkgs.writeText "oh-so-secure" "uhh-ooh-uhh-security");
    in
    mkSecureBootTest {
      name = "lanzaboote-initrd-secrets";
      machine = { ... }: {
        boot.initrd.secrets = {
-        "/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
+          "/test" = secret;
        };
-
+        boot.initrd.postMountCommands = ''
-      boot.initrd.preDeviceCommands = ''
+          cp /test /mnt-root/secret-from-initramfs
        grep "this is a very secure secret" /etc/iamasecret
        '';
      };
      testScript = ''
        machine.start()
        machine.wait_for_unit("multi-user.target")
        machine.succeed("cmp ${secret} /secret-from-initramfs")
        assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
      '';
    };