From b37ffd19d67211f28561054e4eeb191c930adaf2 Mon Sep 17 00:00:00 2001
From: Julian Stecklina
Date: Sat, 26 Nov 2022 16:42:20 +0100
Subject: [PATCH] nix: fix indentation of checks attribute
---
 flake.nix | 74 +++++++++++++++++++++++++++----------------------------
 1 file changed, 37 insertions(+), 37 deletions(-)
diff --git a/flake.nix b/flake.nix
index 11f3619..f59b6ac 100644
--- a/flake.nix
+++ b/flake.nix
@@ -159,54 +159,54 @@ ''; }; in - { - # TODO: user mode: OK - # TODO: how to get in: {deployed, audited} mode ? - lanzaboote-boot = mkSecureBootTest { - name = "signed-files-boot-under-secureboot"; - testScript = '' + { + # TODO: user mode: OK + # TODO: how to get in: {deployed, audited} mode ? + lanzaboote-boot = mkSecureBootTest { + name = "signed-files-boot-under-secureboot"; + testScript = '' machine.start() assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status") ''; - }; - # So, this is the responsibility of the lanzatool install - # to run the append-initrd-secret script - # This test assert that lanzatool still do the right thing - # preDeviceCommands should not have any root filesystem mounted - # so it should not be able to find /etc/iamasecret, other than the - # initrd's one. - # which should exist IF lanzatool do the right thing. - lanzaboote-with-initrd-secrets = mkSecureBootTest { - name = "signed-files-boot-with-secrets-under-secureboot"; - machine = { ... }: { - boot.initrd.secrets = { - "/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret"); - }; + }; + # So, this is the responsibility of the lanzatool install + # to run the append-initrd-secret script + # This test assert that lanzatool still do the right thing + # preDeviceCommands should not have any root filesystem mounted + # so it should not be able to find /etc/iamasecret, other than the + # initrd's one. + # which should exist IF lanzatool do the right thing. + lanzaboote-with-initrd-secrets = mkSecureBootTest { + name = "signed-files-boot-with-secrets-under-secureboot"; + machine = { ... 
}: { + boot.initrd.secrets = { + "/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret"); + }; - boot.initrd.preDeviceCommands = '' + boot.initrd.preDeviceCommands = '' grep "this is a very secure secret" /etc/iamasecret ''; - }; - testScript = '' + }; + testScript = '' machine.start() assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status") ''; - }; - is-initrd-secured = mkUnsignedTest { - name = "unsigned-initrd-do-not-boot-under-secureboot"; - path = { - src = "extract_bspec_attr('initrd')"; - dst = "convert_to_esp(extract_bspec_attr('initrd'))"; }; - }; - is-kernel-secured = mkUnsignedTest { - name = "unsigned-kernel-do-not-boot-under-secureboot"; - path = { - src = "extract_bspec_attr('kernel')"; - dst = "convert_to_esp(extract_bspec_attr('kernel'))"; + is-initrd-secured = mkUnsignedTest { + name = "unsigned-initrd-do-not-boot-under-secureboot"; + path = { + src = "extract_bspec_attr('initrd')"; + dst = "convert_to_esp(extract_bspec_attr('initrd'))"; + }; + }; + is-kernel-secured = mkUnsignedTest { + name = "unsigned-kernel-do-not-boot-under-secureboot"; + path = { + src = "extract_bspec_attr('kernel')"; + dst = "convert_to_esp(extract_bspec_attr('kernel'))"; + }; }; - }; - }; + }; }; }