nix: fix initrd integration test

Julian Stecklina 2022-11-28 11:27:31 +01:00
parent 85b111aa17
commit d35ca2d7d3
1 changed files with 17 additions and 2 deletions


@ -139,7 +139,10 @@
}; };
}; };
}; };
mkUnsignedTest = { name, path }: mkSecureBootTest {
# Execute a boot test that is intended to fail.
#
mkUnsignedTest = { name, path, appendCrap ? false }: mkSecureBootTest {
inherit name; inherit name;
testScript = '' testScript = ''
import json import json
@ -156,10 +159,14 @@
src_path = ${path.src} src_path = ${path.src}
dst_path = ${path.dst} dst_path = ${path.dst}
machine.succeed(f"cp -rf {src_path} {dst_path}") machine.succeed(f"cp -rf {src_path} {dst_path}")
'' + lib.optionalString appendCrap ''
machine.succeed(f"echo Foo >> {dst_path}")
'' +
''
machine.succeed("sync") machine.succeed("sync")
machine.crash() machine.crash()
machine.start() machine.start()
machine.wait_for_console_text("panicked") machine.wait_for_console_text("Hash mismatch")
''; '';
}; };
in in
@ -211,13 +218,21 @@
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status") assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
''; '';
}; };
# The initrd is not directly signed. Its hash is embedded
# into lanzaboote. To make integrity verification fail, we
# actually have to modify the initrd. Appending crap to the
# end is a harmless way that would make the kernel still
# accept it.
is-initrd-secured = mkUnsignedTest { is-initrd-secured = mkUnsignedTest {
name = "unsigned-initrd-do-not-boot-under-secureboot"; name = "unsigned-initrd-do-not-boot-under-secureboot";
path = { path = {
src = "bootspec.get('initrd')"; src = "bootspec.get('initrd')";
dst = "convert_to_esp(bootspec.get('initrd'))"; dst = "convert_to_esp(bootspec.get('initrd'))";
}; };
appendCrap = true;
}; };
is-kernel-secured = mkUnsignedTest { is-kernel-secured = mkUnsignedTest {
name = "unsigned-kernel-do-not-boot-under-secureboot"; name = "unsigned-kernel-do-not-boot-under-secureboot";
path = { path = {
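Review bot: The expected console text in `mkUnsignedTest` is now `"Hash mismatch"` for every caller, but `is-kernel-secured` does not set `appendCrap` and only copies the unsigned kernel over the ESP copy; if that case is rejected by a different check than the embedded-hash comparison (not visible here), the kernel test would run into the timeout instead of passing. Consider making the message a parameter, e.g. `mkUnsignedTest = { name, path, appendCrap ? false, expectedText ? "Hash mismatch" }:` with `machine.wait_for_console_text("${expectedText}")`. Matching the log line also only shows that the mismatch was reported, not that boot actually stopped, so a follow-up assertion that the machine never reaches a booted state would make this negative Secure Boot test stronger. The new header comment ends in a dangling `#`; it could continue with `# appendCrap: append bytes to the copied file so its hash changes while the file stays loadable.` The `is-kernel-secured` definition continues outside the visible lines.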