nix: fix indentation of checks attribute

Julian Stecklina 2022-11-26 16:42:20 +01:00
parent 85de5d52d0
commit b37ffd19d6
1 changed files with 37 additions and 37 deletions


@ -159,54 +159,54 @@
''; '';
}; };
in in
{ {
# TODO: user mode: OK # TODO: user mode: OK
# TODO: how to get in: {deployed, audited} mode ? # TODO: how to get in: {deployed, audited} mode ?
lanzaboote-boot = mkSecureBootTest { lanzaboote-boot = mkSecureBootTest {
name = "signed-files-boot-under-secureboot"; name = "signed-files-boot-under-secureboot";
testScript = '' testScript = ''
machine.start() machine.start()
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status") assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
''; '';
}; };
# So, this is the responsibility of the lanzatool install # So, this is the responsibility of the lanzatool install
# to run the append-initrd-secret script # to run the append-initrd-secret script
# This test assert that lanzatool still do the right thing # This test assert that lanzatool still do the right thing
# preDeviceCommands should not have any root filesystem mounted # preDeviceCommands should not have any root filesystem mounted
# so it should not be able to find /etc/iamasecret, other than the # so it should not be able to find /etc/iamasecret, other than the
# initrd's one. # initrd's one.
# which should exist IF lanzatool do the right thing. # which should exist IF lanzatool do the right thing.
lanzaboote-with-initrd-secrets = mkSecureBootTest { lanzaboote-with-initrd-secrets = mkSecureBootTest {
name = "signed-files-boot-with-secrets-under-secureboot"; name = "signed-files-boot-with-secrets-under-secureboot";
machine = { ... }: { machine = { ... }: {
boot.initrd.secrets = { boot.initrd.secrets = {
"/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret"); "/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
}; };
boot.initrd.preDeviceCommands = '' boot.initrd.preDeviceCommands = ''
grep "this is a very secure secret" /etc/iamasecret grep "this is a very secure secret" /etc/iamasecret
''; '';
}; };
testScript = '' testScript = ''
machine.start() machine.start()
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status") assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
''; '';
};
is-initrd-secured = mkUnsignedTest {
name = "unsigned-initrd-do-not-boot-under-secureboot";
path = {
src = "extract_bspec_attr('initrd')";
dst = "convert_to_esp(extract_bspec_attr('initrd'))";
}; };
}; is-initrd-secured = mkUnsignedTest {
is-kernel-secured = mkUnsignedTest { name = "unsigned-initrd-do-not-boot-under-secureboot";
name = "unsigned-kernel-do-not-boot-under-secureboot"; path = {
path = { src = "extract_bspec_attr('initrd')";
src = "extract_bspec_attr('kernel')"; dst = "convert_to_esp(extract_bspec_attr('initrd'))";
dst = "convert_to_esp(extract_bspec_attr('kernel'))"; };
};
is-kernel-secured = mkUnsignedTest {
name = "unsigned-kernel-do-not-boot-under-secureboot";
path = {
src = "extract_bspec_attr('kernel')";
dst = "convert_to_esp(extract_bspec_attr('kernel'))";
};
}; };
};
}; };
}; };
} }