tests: add initrd-secrets-update

Add a test for updating the secrets on an existing initrd.
This commit is contained in:
nikstur 2023-02-20 00:25:29 +01:00
parent 75a19cd818
commit f4f8c41005
1 changed files with 46 additions and 0 deletions

View File

@ -145,6 +145,52 @@ in
'';
};
# Test that the secrets configured to be appended to the initrd get updated
# when installing a new generation even if the initrd itself (i.e. its store
# path) does not change.
#
# An unfortunate result of this NixOS feature is that updating the secrets
# without creating a new initrd might break previous generations. Lanzaboote
# has no control over that.
#
# This tests uses a specialisation to imitate a newer generation. This works
# because `lzbt` installs the specialisation of a generation AFTER installing
# the generation itself (thus making the specialisation "newer").
initrd-secrets-update =
let
originalSecret = (pkgs.writeText "oh-so-secure" "uhh-ooh-uhh-security");
newSecret = (pkgs.writeText "newly-secure" "so-much-better-now");
in
mkSecureBootTest {
name = "lanzaboote-initrd-secrets-update";
machine = { pkgs, lib, ... }: {
boot.initrd.secrets = {
"/test" = lib.mkDefault originalSecret;
};
boot.initrd.postMountCommands = ''
cp /test /mnt-root/secret-from-initramfs
'';
specialisation.variant.configuration = {
boot.initrd.secrets = {
"/test" = newSecret;
};
};
};
testScript = ''
machine.start()
machine.wait_for_unit("multi-user.target")
# Assert that only two boot files exists (a single kernel and a single
# initrd). If there are two initrds, the test would not be able to test
# updating the secret of an already existing initrd.
assert int(machine.succeed("ls -1 /boot/EFI/nixos | wc -l")) == 2
# It is expected that the initrd contains the new secret.
machine.succeed("cmp ${newSecret} /secret-from-initramfs")
'';
};
modified-initrd-doesnt-boot-with-secure-boot = mkModifiedInitrdTest {
name = "modified-initrd-doesnt-boot-with-secure-boot";
useSecureBoot = true;