nix: fix indentation of checks attribute

Julian Stecklina 2022-11-26 16:42:20 +01:00
parent 85de5d52d0
commit b37ffd19d6
1 changed files with 37 additions and 37 deletions


@ -159,54 +159,54 @@
'';
};
in
{
# TODO: user mode: OK
# TODO: how to get in: {deployed, audited} mode ?
lanzaboote-boot = mkSecureBootTest {
name = "signed-files-boot-under-secureboot";
testScript = ''
{
# TODO: user mode: OK
# TODO: how to get in: {deployed, audited} mode ?
lanzaboote-boot = mkSecureBootTest {
name = "signed-files-boot-under-secureboot";
testScript = ''
machine.start()
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
'';
};
# So, this is the responsibility of the lanzatool install
# to run the append-initrd-secret script
# This test assert that lanzatool still do the right thing
# preDeviceCommands should not have any root filesystem mounted
# so it should not be able to find /etc/iamasecret, other than the
# initrd's one.
# which should exist IF lanzatool do the right thing.
lanzaboote-with-initrd-secrets = mkSecureBootTest {
name = "signed-files-boot-with-secrets-under-secureboot";
machine = { ... }: {
boot.initrd.secrets = {
"/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
};
};
# So, this is the responsibility of the lanzatool install
# to run the append-initrd-secret script
# This test assert that lanzatool still do the right thing
# preDeviceCommands should not have any root filesystem mounted
# so it should not be able to find /etc/iamasecret, other than the
# initrd's one.
# which should exist IF lanzatool do the right thing.
lanzaboote-with-initrd-secrets = mkSecureBootTest {
name = "signed-files-boot-with-secrets-under-secureboot";
machine = { ... }: {
boot.initrd.secrets = {
"/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
};
boot.initrd.preDeviceCommands = ''
boot.initrd.preDeviceCommands = ''
grep "this is a very secure secret" /etc/iamasecret
'';
};
testScript = ''
};
testScript = ''
machine.start()
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
'';
};
is-initrd-secured = mkUnsignedTest {
name = "unsigned-initrd-do-not-boot-under-secureboot";
path = {
src = "extract_bspec_attr('initrd')";
dst = "convert_to_esp(extract_bspec_attr('initrd'))";
};
};
is-kernel-secured = mkUnsignedTest {
name = "unsigned-kernel-do-not-boot-under-secureboot";
path = {
src = "extract_bspec_attr('kernel')";
dst = "convert_to_esp(extract_bspec_attr('kernel'))";
is-initrd-secured = mkUnsignedTest {
name = "unsigned-initrd-do-not-boot-under-secureboot";
path = {
src = "extract_bspec_attr('initrd')";
dst = "convert_to_esp(extract_bspec_attr('initrd'))";
};
};
is-kernel-secured = mkUnsignedTest {
name = "unsigned-kernel-do-not-boot-under-secureboot";
path = {
src = "extract_bspec_attr('kernel')";
dst = "convert_to_esp(extract_bspec_attr('kernel'))";
};
};
};
};
};
};
}