tests: correctly test appending secret to initrd
The way the test was implemented previously did not make it fail if no secret was appended to the initrd. Now it is implemented similarly to the initrd-secrets test in Nixpkgs and works correctly.
parent
195e29f935
commit
ab4e90c331
|
@ -124,23 +124,28 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
# Test that a secret is appended to the initrd during installation.
|
# Test that a secret is appended to the initrd during installation. Smilar to
|
||||||
#
|
# the initrd-secrets test in Nixpkgs:
|
||||||
# During the execution of `preDeviceCommands`, no filesystem should be
|
# https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/initrd-secrets.nix
|
||||||
# mounted. The only place to find `/etc/iamasecret` then, is in the initrd.
|
initrd-secrets =
|
||||||
initrd-secrets = mkSecureBootTest {
|
let
|
||||||
|
secret = (pkgs.writeText "oh-so-secure" "uhh-ooh-uhh-security");
|
||||||
|
in
|
||||||
|
mkSecureBootTest {
|
||||||
name = "lanzaboote-initrd-secrets";
|
name = "lanzaboote-initrd-secrets";
|
||||||
machine = { ... }: {
|
machine = { ... }: {
|
||||||
boot.initrd.secrets = {
|
boot.initrd.secrets = {
|
||||||
"/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
|
"/test" = secret;
|
||||||
};
|
};
|
||||||
|
boot.initrd.postMountCommands = ''
|
||||||
boot.initrd.preDeviceCommands = ''
|
cp /test /mnt-root/secret-from-initramfs
|
||||||
grep "this is a very secure secret" /etc/iamasecret
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
testScript = ''
|
testScript = ''
|
||||||
machine.start()
|
machine.start()
|
||||||
|
machine.wait_for_unit("multi-user.target")
|
||||||
|
|
||||||
|
machine.succeed("cmp ${secret} /secret-from-initramfs")
|
||||||
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
|
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
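Review bot: The rewritten comment above `initrd-secrets` misspells "Similar" as `Smilar` and no longer explains why the test fails when the secret is missing, which is the property this commit is meant to restore. I would add something like `# /test exists only inside the initrd; if it was not appended, the cp in postMountCommands` / `# creates nothing and the cmp in testScript fails.` This assumes a failing `cp` in stage 1 does not abort the boot, which is worth confirming. The Nixpkgs link points at `master`, so it can drift or break; a permalink to a specific commit would keep the reference stable. It may also be worth noting in the comment that `pkgs.writeText` puts the fixture in the world-readable Nix store and the copy lands on the root filesystem, so this is a test-only pattern and not a way to provision real initrd secrets.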