tests: correctly test appending secret to initrd

The way the test was implemented previously did not make it fail if no
secret was appended to the initrd. Now it is implemented similary to the
initrd-secrets test in Nixpkgs and works correctly.
This commit is contained in:
nikstur 2023-02-25 21:38:43 +01:00
parent 195e29f935
commit ab4e90c331
1 changed files with 21 additions and 16 deletions

View File

@ -124,26 +124,31 @@ in
'';
};
# Test that a secret is appended to the initrd during installation.
#
# During the execution of `preDeviceCommands`, no filesystem should be
# mounted. The only place to find `/etc/iamasecret` then, is in the initrd.
initrd-secrets = mkSecureBootTest {
name = "lanzaboote-initrd-secrets";
machine = { ... }: {
boot.initrd.secrets = {
"/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
# Test that a secret is appended to the initrd during installation. Smilar to
# the initrd-secrets test in Nixpkgs:
# https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/initrd-secrets.nix
initrd-secrets =
let
secret = (pkgs.writeText "oh-so-secure" "uhh-ooh-uhh-security");
in
mkSecureBootTest {
name = "lanzaboote-initrd-secrets";
machine = { ... }: {
boot.initrd.secrets = {
"/test" = secret;
};
boot.initrd.postMountCommands = ''
cp /test /mnt-root/secret-from-initramfs
'';
};
testScript = ''
machine.start()
machine.wait_for_unit("multi-user.target")
boot.initrd.preDeviceCommands = ''
grep "this is a very secure secret" /etc/iamasecret
machine.succeed("cmp ${secret} /secret-from-initramfs")
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
'';
};
testScript = ''
machine.start()
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
'';
};
# Test that the secrets configured to be appended to the initrd get updated
# when installing a new generation even if the initrd itself (i.e. its store