1 import ./make-test-python.nix ({ lib, pkgs, ... }: {
2   name = "systemd-initrd-luks-tpm2";
4   nodes.machine = { pkgs, ... }: {
5     # Use systemd-boot
6     virtualisation = {
7       emptyDiskImages = [ 512 ];
8       useBootLoader = true;
9       useEFIBoot = true;
10       qemu.options = ["-chardev socket,id=chrtpm,path=/tmp/mytpm1/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0"];
11     };
12     boot.loader.systemd-boot.enable = true;
14     boot.initrd.availableKernelModules = [ "tpm_tis" ];
16     environment.systemPackages = with pkgs; [ cryptsetup ];
17     boot.initrd.systemd = {
18       enable = true;
19     };
21     specialisation.boot-luks.configuration = {
22       boot.initrd.luks.devices = lib.mkVMOverride {
23         cryptroot = {
24           device = "/dev/vdc";
25           crypttabExtraOpts = [ "tpm2-device=auto" ];
26         };
27       };
28       virtualisation.bootDevice = "/dev/mapper/cryptroot";
29     };
30   };
32   testScript = ''
33     import subprocess
34     import os
35     import time
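    class Tpm:
        """Software TPM (swtpm) backing the VM's emulated TPM device.

        swtpm runs on the test-driver side and listens on a control socket
        under /tmp/mytpm1; the qemu options in the node configuration point
        at that same path.  Its state is kept in the same directory and the
        directory is never cleared, so a restarted swtpm still holds what
        was sealed into it earlier.
        """

        def __init__(self):
            # A run must start from empty TPM state: os.mkdir fails with
            # FileExistsError rather than silently reusing a stale directory.
            os.mkdir("/tmp/mytpm1")
            self.start()

        def start(self):
            """Launch swtpm in TPM 2.0 mode; the Popen handle is ``self.proc``."""
            self.proc = subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir=/tmp/mytpm1", "--ctrl", "type=unixio,path=/tmp/mytpm1/swtpm-sock", "--log", "level=20", "--tpm2"])

        def wait_for_death_then_restart(self, timeout=None):
            """Block until the running swtpm exits cleanly, then start a new one.

            swtpm is expected to go away once the VM it serves is torn down
            (the test body calls this right after ``machine.crash()``); a
            fresh instance must be listening before the VM boots again.

            Args:
                timeout: seconds to wait for the exit, or ``None`` to wait
                    indefinitely.  A blocking ``Popen.wait`` replaces the
                    former 1 Hz poll/sleep loop, which had no upper bound.

            Raises:
                TimeoutError: swtpm was still running after ``timeout`` seconds.
                AssertionError: swtpm exited with a non-zero status.
            """
            print("waiting for tpm to die")
            try:
                self.proc.wait(timeout=timeout)
            except subprocess.TimeoutExpired:
                raise TimeoutError(f"swtpm did not exit within {timeout}s") from None
            assert self.proc.returncode == 0, f"swtpm exited with status {self.proc.returncode}"
            self.start()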
    # swtpm has to be listening on /tmp/mytpm1/swtpm-sock before the VM comes
    # up: the node's qemu options attach the guest TPM to that socket.
    tpm = Tpm()


    # Create encrypted volume
    # Format the spare disk as LUKS with a fixed passphrase.  --iter-time=1
    # keeps the key derivation cheap for test speed only; it is not a
    # setting to copy into a real configuration.
    machine.wait_for_unit("multi-user.target")
    machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdc -")
    # Enroll a TPM2 key slot.  The empty --tpm2-pcrs= binds the slot to no
    # PCRs, so unsealing does not depend on the measured boot state; that is
    # what allows the unattended unlock below, and it also means the slot
    # gives no protection against altered boot components.
    # NOTE(review): the output is piped into systemd-cat, so the status
    # machine.succeed() checks is systemd-cat's rather than
    # systemd-cryptenroll's (unless the driver's shell enables pipefail); a
    # failed enrollment would only surface at the final mount assertion.
    machine.succeed("PASSWORD=supersecret SYSTEMD_LOG_LEVEL=debug systemd-cryptenroll --tpm2-pcrs= --tpm2-device=auto /dev/vdc |& systemd-cat")

    # Boot from the encrypted disk
    # Make the boot-luks specialisation the default entry, flush it to disk
    # and stop the VM hard.
    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
    machine.succeed("sync")
    machine.crash()

    # swtpm is expected to exit once the VM is gone; bring it back on the
    # same state directory so the enrolled key is still present next boot.
    tpm.wait_for_death_then_restart()

    # Boot and decrypt the disk
    # The driver presumably starts the VM again on this call.  No passphrase
    # is supplied anywhere, so a root mounted from /dev/mapper/cryptroot
    # shows the initrd unlocked the volume through the TPM.
    machine.wait_for_unit("multi-user.target")
    assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
71   '';