1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00

Merge pull request #32842 from DaanDeMeyer/cryptsetup

test: Enable TEST-24-CRYPTSETUP for mkosi
This commit is contained in:
Daan De Meyer 2024-05-16 15:50:55 +02:00 committed by GitHub
commit 11b706178c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
14 changed files with 217 additions and 7 deletions

View File

@ -0,0 +1,15 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Partition]
Type=var
# This label is the partition's label. The filesystem inside may have its own label.
Label=varcrypt
# This UUID is the decrypted partition UUID, there are also filesystem and luks UUIDs.
# The original test finds the partition by this UUID, but it doesn't appear
# since the luks UUID, which is derived by hash of this UUID, is different
# and the luks UUID is needed before the decrypted partition UUID.
# The resulting luks UUID is 0d318174-56b0-4d6e-a324-ac1e7e7d235d.
UUID=deadbeef-dead-dead-beef-000000000000
Format=ext4
Encrypt=key-file
SizeMinBytes=1G

View File

@ -0,0 +1,20 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Unit]
Description=Add encrypted var partition to root disk
Documentation=man:systemd-repart.service(8)
ConditionVirtualization=!container
DefaultDependencies=no
Wants=modprobe@loop.service modprobe@dm_mod.service
After=modprobe@loop.service modprobe@dm_mod.service sysroot.mount
Before=initrd-root-fs.target
Conflicts=shutdown.target initrd-switch-root.target
Before=shutdown.target initrd-switch-root.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=systemd-repart --definitions /usr/lib/encrypted-var.repart.d --key-file %d/keyfile --dry-run=no /sysroot
ImportCredential=keyfile

View File

@ -54,7 +54,9 @@ Packages=
nano
nftables
nvme-cli
opensc
openssl
p11-kit
python3
qrencode
radvd

View File

@ -26,6 +26,7 @@ Packages=
fakeroot
git
gnutls
gnutls
iproute
iputils
linux
@ -44,6 +45,7 @@ Packages=
quota-tools
sbsigntools
shadow
softhsm
squashfs-tools
stress
tgt

View File

@ -33,6 +33,7 @@ Packages=
glibc-langpack-de
glibc-langpack-en
gnutls
gnutls-utils
integritysetup
iproute
iproute-tc
@ -47,7 +48,6 @@ Packages=
netcat
openssh-clients
openssh-server
p11-kit
pam
passwd
policycoreutils
@ -58,6 +58,7 @@ Packages=
rpm-build
rpmautospec
sbsigntools
softhsm
squashfs-tools
stress
tpm2-tools

View File

@ -46,6 +46,7 @@ Packages=
f2fs-tools
fdisk
git-core
gnutls-bin
iproute2
iputils-ping
isc-dhcp-server
@ -66,6 +67,7 @@ Packages=
python3-psutil
quota
sbsigntool
softhsm2
squashfs-tools
stress
tgt

View File

@ -37,6 +37,7 @@ Packages=
gawk
git-core
glibc-locale-base
gnutls
grep
group(bin)
group(daemon)
@ -66,6 +67,7 @@ Packages=
sbsigntools
sed
shadow
softhsm
squashfs
tgt
timezone

View File

@ -78,3 +78,143 @@ cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf
# Remove to make TEST-73-LOCALE pass on Ubuntu.
rm -f /etc/default/keyboard
# mkfs.ext4 on CentOS doesn't know the orphan_file feature so clear the mkfs options when we're building for
# CentOS.
if [[ "$DISTRIBUTION" == "centos" ]]; then
SYSTEMD_REPART_MKFS_OPTIONS_EXT4=""
fi
export SYSTEMD_REPART_MKFS_OPTIONS_EXT4
systemd-repart \
--empty=create \
--dry-run=no \
--size=auto \
--offline=true \
--root test/TEST-24-CRYPTSETUP \
--definitions test/TEST-24-CRYPTSETUP/keydev.repart \
"$OUTPUTDIR/keydev.raw"
can_test_pkcs11() {
if [[ "$DISTRIBUTION" == "opensuse" ]]; then
echo "softhsm is broken on opensuse (https://bugzilla.opensuse.org/show_bug.cgi?id=1224356), skipping the PKCS#11 test" >&2
return 1
fi
if ! command -v "softhsm2-util" >/dev/null; then
echo "softhsm2-util not available, skipping the PKCS#11 test" >&2
return 1
fi
if ! command -v "pkcs11-tool" >/dev/null; then
echo "pkcs11-tool not available, skipping the PKCS#11 test" >&2
return 1
fi
if ! command -v "certtool" >/dev/null; then
echo "certtool not available, skipping the PKCS#11 test" >&2
return 1
fi
if ! systemctl --version | grep -q "+P11KIT"; then
echo "Support for p11-kit is disabled, skipping the PKCS#11 test" >&2
return 1
fi
if ! systemctl --version | grep -q "+OPENSSL"; then
echo "Support for openssl is disabled, skipping the PKCS#11 test" >&2
return 1
fi
if ! systemctl --version | grep -q "+LIBCRYPTSETUP\b"; then
echo "Support for libcryptsetup is disabled, skipping the PKCS#11 test" >&2
return 1
fi
if ! systemctl --version | grep -q "+LIBCRYPTSETUP_PLUGINS"; then
echo "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test" >&2
return 1
fi
return 0
}
setup_pkcs11_token() {
echo "Setup PKCS#11 token" >&2
local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
export SOFTHSM2_CONF="/tmp/softhsm2.conf"
mkdir -p /usr/lib/softhsm/tokens/
cat >$SOFTHSM2_CONF <<EOF
directories.tokendir = /usr/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
EOF
export GNUTLS_PIN="1234"
export GNUTLS_SO_PIN="12345678"
softhsm2-util --init-token --free --label "TestToken" --pin "$GNUTLS_PIN" --so-pin "$GNUTLS_SO_PIN"
if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
fi
if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
P11_MODULE_DIR="/usr/lib/pkcs11"
fi
SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs)
if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
fi
# RSA #####################################################
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt
certtool --generate-self-signed \
--load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
--load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
--template "test/TEST-24-CRYPTSETUP/template.cfg" \
--outder --outfile "/tmp/rsa_test.crt"
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey"
rm "/tmp/rsa_test.crt"
# prime256v1 ##############################################
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive
certtool --generate-self-signed \
--load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
--load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
--template "test/TEST-24-CRYPTSETUP/template.cfg" \
--outder --outfile "/tmp/ec_test.crt"
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey"
rm "/tmp/ec_test.crt"
###########################################################
rm "$SOFTHSM2_CONF"
unset SOFTHSM2_CONF
cat >/etc/softhsm2.conf <<EOF
directories.tokendir = /usr/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
log.level = INFO
EOF
mkdir -p /etc/systemd/system/systemd-cryptsetup@.service.d
cat >/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf <<EOF
[Unit]
# Make sure we can start systemd-cryptsetup@empty_pkcs11_auto.service many times
StartLimitBurst=10
[Service]
Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
Environment="PIN=$GNUTLS_PIN"
EOF
unset GNUTLS_PIN
unset GNUTLS_SO_PIN
}
if can_test_pkcs11; then
setup_pkcs11_token
fi

View File

@ -7819,7 +7819,7 @@ static int find_root(Context *context) {
if (r == -EUCLEAN)
return btrfs_log_dev_root(LOG_ERR, r, p);
if (r != -ENODEV)
return log_error_errno(r, "Failed to determine backing device of %s: %m", p);
return log_error_errno(r, "Failed to determine backing device of %s%s: %m", strempty(arg_root), p);
} else
return 0;
}

View File

@ -0,0 +1,9 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Partition]
Type=linux-generic
UUID=0fc63daf-8483-4772-8e79-3d69d8477de4
Label=varcrypt_keydev
SizeMinBytes=16M
Format=ext4
CopyFiles=/keyfile:/keyfile

View File

@ -0,0 +1 @@
test

View File

@ -3,6 +3,22 @@
integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
'enabled' : false,
'credentials' : integration_test_template['credentials'] + [
files('keyfile'),
'fstab.extra="/dev/mapper/test24_varcrypt /var ext4 defaults 0 1"',
],
'cmdline' : [
'rd.systemd.wants=encrypted-var.service',
'rd.luks=1',
'luks.name=0d318174-56b0-4d6e-a324-ac1e7e7d235d=test24_varcrypt',
'luks.key=0d318174-56b0-4d6e-a324-ac1e7e7d235d=/keyfile:LABEL=varcrypt_keydev',
'luks.options=0d318174-56b0-4d6e-a324-ac1e7e7d235d=x-initrd.attach',
],
'qemu-args' : [
'-drive', 'format=raw,cache=unsafe,file=@0@'.format(project_build_root / 'mkosi.output/keydev.raw'),
],
'mkosi-args' : integration_test_template['mkosi-args'] + [
'--runtime-size=11G',
],
},
]

View File

@ -80,9 +80,9 @@ setup_pkcs11_token() {
local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
export SOFTHSM2_CONF="/tmp/softhsm2.conf"
mkdir -p "$initdir/var/lib/softhsm/tokens/"
mkdir -p "$initdir/usr/lib/softhsm/tokens/"
cat >${SOFTHSM2_CONF} <<EOF
directories.tokendir = $initdir/var/lib/softhsm/tokens/
directories.tokendir = $initdir/usr/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
@ -139,7 +139,7 @@ EOF
inst_simple "$P11_MODULE_CONFIGS_DIR/softhsm2.module"
cat >"$initdir/etc/softhsm2.conf" <<EOF
directories.tokendir = /var/lib/softhsm/tokens/
directories.tokendir = /usr/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL

View File

@ -228,7 +228,7 @@ mkdir -p /run/cryptsetup-keys.d
cp "$IMAGE_EMPTY_KEYFILE" /run/cryptsetup-keys.d/empty_nokey.key
cryptsetup_start_and_check empty_nokey
if [[ -r /etc/softhsm2.conf ]]; then
if [[ -d /usr/lib/softhsm/tokens ]]; then
# Test unlocking with a PKCS#11 token
export SOFTHSM2_CONF="/etc/softhsm2.conf"