tests: correctly test appending secret to initrd

The way the test was implemented previously did not make it fail if no
secret was appended to the initrd. Now it is implemented similarly to the
initrd-secrets test in Nixpkgs and works correctly.
nikstur 2023-02-25 21:38:43 +01:00
parent 195e29f935
commit ab4e90c331
1 changed files with 21 additions and 16 deletions


@ -124,26 +124,31 @@ in
''; '';
}; };
# Test that a secret is appended to the initrd during installation. # Test that a secret is appended to the initrd during installation. Smilar to
# # the initrd-secrets test in Nixpkgs:
# During the execution of `preDeviceCommands`, no filesystem should be # https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/initrd-secrets.nix
# mounted. The only place to find `/etc/iamasecret` then, is in the initrd. initrd-secrets =
initrd-secrets = mkSecureBootTest { let
name = "lanzaboote-initrd-secrets"; secret = (pkgs.writeText "oh-so-secure" "uhh-ooh-uhh-security");
machine = { ... }: { in
boot.initrd.secrets = { mkSecureBootTest {
"/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret"); name = "lanzaboote-initrd-secrets";
machine = { ... }: {
boot.initrd.secrets = {
"/test" = secret;
};
boot.initrd.postMountCommands = ''
cp /test /mnt-root/secret-from-initramfs
'';
}; };
testScript = ''
machine.start()
machine.wait_for_unit("multi-user.target")
boot.initrd.preDeviceCommands = '' machine.succeed("cmp ${secret} /secret-from-initramfs")
grep "this is a very secure secret" /etc/iamasecret assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
''; '';
}; };
testScript = ''
machine.start()
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
'';
};
# Test that the secrets configured to be appended to the initrd get updated # Test that the secrets configured to be appended to the initrd get updated
# when installing a new generation even if the initrd itself (i.e. its store # when installing a new generation even if the initrd itself (i.e. its store
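Review bot: The rewritten `initrd-secrets` test no longer explains why its check proves the secret came from the initrd. The removed comment said that nothing is mounted during `preDeviceCommands`, while the new one only points to Nixpkgs, with a typo ("Smilar") and a `master` URL that can drift away from the version this test mirrors. I would add above `boot.initrd.postMountCommands` something like `# /test should only exist in the initramfs root; copy it to the real root so testScript can compare it after boot.` and pin the link to a commit. A short remark next to `secret = ...` would also help: `pkgs.writeText` puts the value in the world-readable Nix store, which is fine for a fixture but not a pattern for real secrets. The attribute set holding these tests starts and ends outside this hunk.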