nix: fix indentation of checks attribute
This commit is contained in:
Julian Stecklina
parent
85de5d52d0
commit
b37ffd19d6
74
flake.nix
74
flake.nix
|
|
@ -159,54 +159,54 @@
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# TODO: user mode: OK
|
# TODO: user mode: OK
|
||||||
# TODO: how to get in: {deployed, audited} mode ?
|
# TODO: how to get in: {deployed, audited} mode ?
|
||||||
lanzaboote-boot = mkSecureBootTest {
|
lanzaboote-boot = mkSecureBootTest {
|
||||||
name = "signed-files-boot-under-secureboot";
|
name = "signed-files-boot-under-secureboot";
|
||||||
testScript = ''
|
testScript = ''
|
||||||
machine.start()
|
machine.start()
|
||||||
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
|
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
# So, this is the responsibility of the lanzatool install
|
# So, this is the responsibility of the lanzatool install
|
||||||
# to run the append-initrd-secret script
|
# to run the append-initrd-secret script
|
||||||
# This test assert that lanzatool still do the right thing
|
# This test assert that lanzatool still do the right thing
|
||||||
# preDeviceCommands should not have any root filesystem mounted
|
# preDeviceCommands should not have any root filesystem mounted
|
||||||
# so it should not be able to find /etc/iamasecret, other than the
|
# so it should not be able to find /etc/iamasecret, other than the
|
||||||
# initrd's one.
|
# initrd's one.
|
||||||
# which should exist IF lanzatool do the right thing.
|
# which should exist IF lanzatool do the right thing.
|
||||||
lanzaboote-with-initrd-secrets = mkSecureBootTest {
|
lanzaboote-with-initrd-secrets = mkSecureBootTest {
|
||||||
name = "signed-files-boot-with-secrets-under-secureboot";
|
name = "signed-files-boot-with-secrets-under-secureboot";
|
||||||
machine = { ... }: {
|
machine = { ... }: {
|
||||||
boot.initrd.secrets = {
|
boot.initrd.secrets = {
|
||||||
"/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
|
"/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
|
||||||
};
|
};
|
||||||
|
|
||||||
boot.initrd.preDeviceCommands = ''
|
boot.initrd.preDeviceCommands = ''
|
||||||
grep "this is a very secure secret" /etc/iamasecret
|
grep "this is a very secure secret" /etc/iamasecret
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
testScript = ''
|
testScript = ''
|
||||||
machine.start()
|
machine.start()
|
||||||
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
|
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
|
||||||
'';
|
'';
|
||||||
};
|
|
||||||
is-initrd-secured = mkUnsignedTest {
|
|
||||||
name = "unsigned-initrd-do-not-boot-under-secureboot";
|
|
||||||
path = {
|
|
||||||
src = "extract_bspec_attr('initrd')";
|
|
||||||
dst = "convert_to_esp(extract_bspec_attr('initrd'))";
|
|
||||||
};
|
};
|
||||||
};
|
is-initrd-secured = mkUnsignedTest {
|
||||||
is-kernel-secured = mkUnsignedTest {
|
name = "unsigned-initrd-do-not-boot-under-secureboot";
|
||||||
name = "unsigned-kernel-do-not-boot-under-secureboot";
|
path = {
|
||||||
path = {
|
src = "extract_bspec_attr('initrd')";
|
||||||
src = "extract_bspec_attr('kernel')";
|
dst = "convert_to_esp(extract_bspec_attr('initrd'))";
|
||||||
dst = "convert_to_esp(extract_bspec_attr('kernel'))";
|
};
|
||||||
|
};
|
||||||
|
is-kernel-secured = mkUnsignedTest {
|
||||||
|
name = "unsigned-kernel-do-not-boot-under-secureboot";
|
||||||
|
path = {
|
||||||
|
src = "extract_bspec_attr('kernel')";
|
||||||
|
dst = "convert_to_esp(extract_bspec_attr('kernel'))";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue