min
/
lanzaboote
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nix.tests: clean up 

The test attributes and names are simplified and standardized. They now
roughly follow the same structure as the systemd-boot test in Nixpkgs.
Some comments are added and variable names changed to make it more clear
what they actually do.
This commit is contained in:
nikstur 2023-01-28 01:34:15 +01:00
parent 0ca25a9bf0
commit fd2e7f7a40
1 changed files with 25 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
nix/tests/lanzaboote.nix
View File

@ -31,9 +31,13 @@ let
}; };
}; };
# Execute a boot test that is intended to fail. # Execute a SB test that is expected to fail because of a hash mismatch.
# #
mkUnsignedTest = { name, path, appendCrap ? false }: mkSecureBootTest { # Takes a set `path` consisting of a `src` and a `dst` attribute. The file at
# `src` is copied to `dst` inside th VM. Optionally append some random data
# ("crap") to the end of the file at `dst`. This is useful to easily change
# the hash of a file and produce a hash mismatch when booting the stub.
mkHashMismatchTest = { name, path, appendCrap ? false }: mkSecureBootTest {
inherit name; inherit name;
testScript = '' testScript = ''
import json import json
@ -65,16 +69,16 @@ in
{ {
# TODO: user mode: OK # TODO: user mode: OK
# TODO: how to get in: {deployed, audited} mode ? # TODO: how to get in: {deployed, audited} mode ?
lanzaboote-boot = mkSecureBootTest { basic = mkSecureBootTest {
name = "signed-files-boot-under-secureboot"; name = "lanzaboote";
testScript = '' testScript = ''
machine.start() machine.start()
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status") assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
''; '';
}; };
lanzaboote-boot-under-sd-stage1 = mkSecureBootTest { systemd-initrd = mkSecureBootTest {
name = "signed-files-boot-under-secureboot-systemd-stage-1"; name = "lanzaboote-systemd-initrd";
machine = { ... }: { machine = { ... }: {
boot.initrd.systemd.enable = true; boot.initrd.systemd.enable = true;
}; };
@ -84,15 +88,12 @@ in
''; '';
}; };
# So, this is the responsibility of the lanzatool install # Test that a secret is appended to the initrd during installation.
# to run the append-initrd-secret script #
# This test assert that lanzatool still do the right thing # During the execution of `preDeviceCommands`, no filesystem should be
# preDeviceCommands should not have any root filesystem mounted # mounted. The only place to find `/etc/iamasecret` then, is in the initrd.
# so it should not be able to find /etc/iamasecret, other than the initrd-secrets = mkSecureBootTest {
# initrd's one. name = "lanzaboote-initrd-secrets";
# which should exist IF lanzatool do the right thing.
lanzaboote-with-initrd-secrets = mkSecureBootTest {
name = "signed-files-boot-with-secrets-under-secureboot";
machine = { ... }: { machine = { ... }: {
boot.initrd.secrets = { boot.initrd.secrets = {
"/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret"); "/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
@ -109,12 +110,12 @@ in
}; };
# The initrd is not directly signed. Its hash is embedded # The initrd is not directly signed. Its hash is embedded
# into lanzaboote. To make integrity verification fail, we # into the UKI. To make integrity verification fail, we
# actually have to modify the initrd. Appending crap to the # actually have to modify the initrd. Appending crap to the
# end is a harmless way that would make the kernel still # end is a harmless way that would make the kernel still
# accept it. # accept it.
is-initrd-secured = mkUnsignedTest { secured-initrd = mkHashMismatchTest {
name = "unsigned-initrd-do-not-boot-under-secureboot"; name = "lanzaboote-secured-initrd";
path = { path = {
src = "bootspec.get('initrd')"; src = "bootspec.get('initrd')";
dst = "convert_to_esp(bootspec.get('initrd'))"; dst = "convert_to_esp(bootspec.get('initrd'))";
@ -122,15 +123,16 @@ in
appendCrap = true; appendCrap = true;
}; };
is-kernel-secured = mkUnsignedTest { secured-kernel = mkHashMismatchTest {
name = "unsigned-kernel-do-not-boot-under-secureboot"; name = "lanzaboote-secured-kernel";
path = { path = {
src = "bootspec.get('kernel')"; src = "bootspec.get('kernel')";
dst = "convert_to_esp(bootspec.get('kernel'))"; dst = "convert_to_esp(bootspec.get('kernel'))";
}; };
}; };
specialisation-works = mkSecureBootTest {
name = "specialisation-still-boot-under-secureboot"; specialisation = mkSecureBootTest {
name = "lanzaboote-specialisation";
machine = { pkgs, ... }: { machine = { pkgs, ... }: {
specialisation.variant.configuration = { specialisation.variant.configuration = {
environment.systemPackages = [ environment.systemPackages = [
@ -141,7 +143,6 @@ in
testScript = '' testScript = ''
machine.start() machine.start()
print(machine.succeed("ls -lah /boot/EFI/Linux")) print(machine.succeed("ls -lah /boot/EFI/Linux"))
print(machine.succeed("cat /run/current-system/boot.json"))
# TODO: make it more reliable to find this filename, i.e. read it from somewhere? # TODO: make it more reliable to find this filename, i.e. read it from somewhere?
machine.succeed("bootctl set-default nixos-generation-1-specialisation-variant.efi") machine.succeed("bootctl set-default nixos-generation-1-specialisation-variant.efi")
machine.succeed("sync") machine.succeed("sync")
@ -149,7 +150,7 @@ in
machine.crash() machine.crash()
machine.start() machine.start()
print(machine.succeed("bootctl")) print(machine.succeed("bootctl"))
# We have efibootmgr in this specialisation. # Only the specialisation contains the efibootmgr binary.
machine.succeed("efibootmgr") machine.succeed("efibootmgr")
''; '';
}; };