Merge pull request #32842 from DaanDeMeyer/cryptsetup
test: Enable TEST-24-CRYPTSETUP for mkosi
commit
11b706178c
@ -0,0 +1,15 @@
|
||||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
|
||||
[Partition]
|
||||
Type=var
|
||||
# This label is the partition's label. The filesystem inside may have its own label.
|
||||
Label=varcrypt
|
||||
# This UUID is the decrypted partition UUID, there are also filesystem and luks UUIDs.
|
||||
# The original test finds the partition by this UUID, but it doesn't appear
|
||||
# since the luks UUID, which is derived by hash of this UUID, is different
|
||||
# and the luks UUID is needed before the decrypted partition UUID.
|
||||
# The resulting luks UUID is 0d318174-56b0-4d6e-a324-ac1e7e7d235d.
|
||||
UUID=deadbeef-dead-dead-beef-000000000000
|
||||
Format=ext4
|
||||
Encrypt=key-file
|
||||
SizeMinBytes=1G
|
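Review bot: The derived LUKS UUID quoted in the comment, `0d318174-56b0-4d6e-a324-ac1e7e7d235d`, is also hard-coded three times in the test's meson.build cmdline (`luks.name=`, `luks.key=`, `luks.options=`), yet nothing here says so; changing `UUID=deadbeef-…` would silently break the boot cmdline. I'd add to the comment block: `# Keep in sync with the luks.* entries in the test's meson.build cmdline, which match on the derived luks UUID.` The sentence "the luks UUID is needed before the decrypted partition UUID" is hard to follow; something like `# luks.name=/luks.key= on the kernel cmdline match on the luks UUID, which is the only one visible before the volume is unlocked.` states the actual reason.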
@ -0,0 +1,20 @@
|
||||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
|
||||
[Unit]
|
||||
Description=Add encrypted var partition to root disk
|
||||
Documentation=man:systemd-repart.service(8)
|
||||
|
||||
ConditionVirtualization=!container
|
||||
|
||||
DefaultDependencies=no
|
||||
Wants=modprobe@loop.service modprobe@dm_mod.service
|
||||
After=modprobe@loop.service modprobe@dm_mod.service sysroot.mount
|
||||
Before=initrd-root-fs.target
|
||||
Conflicts=shutdown.target initrd-switch-root.target
|
||||
Before=shutdown.target initrd-switch-root.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=systemd-repart --definitions /usr/lib/encrypted-var.repart.d --key-file %d/keyfile --dry-run=no /sysroot
|
||||
ImportCredential=keyfile
|
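Review bot: `ExecStart=` reads the key from `%d/keyfile`, but the unit is not skipped when that credential was not passed: `ImportCredential=keyfile` is best-effort, so on such a boot systemd-repart fails and, being pulled in via `rd.systemd.wants=encrypted-var.service`, the failure lands in the initrd instead of a clean skip. `ConditionCredential=keyfile` next to `ConditionVirtualization=!container` makes that explicit. The unit also runs `--dry-run=no` against `/sysroot` on every boot; a short comment noting that repart matches the existing partition and only creates it when absent would save the next reader a trip to the manual.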
@ -54,7 +54,9 @@ Packages=
|
||||
nano
|
||||
nftables
|
||||
nvme-cli
|
||||
opensc
|
||||
openssl
|
||||
p11-kit
|
||||
python3
|
||||
qrencode
|
||||
radvd
|
||||
|
@ -26,6 +26,7 @@ Packages=
|
||||
fakeroot
|
||||
git
|
||||
gnutls
|
||||
gnutls
|
||||
iproute
|
||||
iputils
|
||||
linux
|
||||
@ -44,6 +45,7 @@ Packages=
|
||||
quota-tools
|
||||
sbsigntools
|
||||
shadow
|
||||
softhsm
|
||||
squashfs-tools
|
||||
stress
|
||||
tgt
|
||||
|
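Review bot: `gnutls` appears twice in the `@ -26,6 +26,7 @@` hunk; with a single line added in that hunk, one entry is pre-existing and the other is the new one, so the addition is a duplicate unless the page dropped a distinguishing suffix. The other distro configs in this commit add a separate `gnutls-utils`/`gnutls-bin` next to an existing `gnutls`, which suggests the intended line here was something other than a second `gnutls`; removing the duplicate or correcting it to the intended package keeps `Packages=` deduplicated.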
@ -33,6 +33,7 @@ Packages=
|
||||
glibc-langpack-de
|
||||
glibc-langpack-en
|
||||
gnutls
|
||||
gnutls-utils
|
||||
integritysetup
|
||||
iproute
|
||||
iproute-tc
|
||||
@ -47,7 +48,6 @@ Packages=
|
||||
netcat
|
||||
openssh-clients
|
||||
openssh-server
|
||||
p11-kit
|
||||
pam
|
||||
passwd
|
||||
policycoreutils
|
||||
@ -58,6 +58,7 @@ Packages=
|
||||
rpm-build
|
||||
rpmautospec
|
||||
sbsigntools
|
||||
softhsm
|
||||
squashfs-tools
|
||||
stress
|
||||
tpm2-tools
|
||||
|
@ -46,6 +46,7 @@ Packages=
|
||||
f2fs-tools
|
||||
fdisk
|
||||
git-core
|
||||
gnutls-bin
|
||||
iproute2
|
||||
iputils-ping
|
||||
isc-dhcp-server
|
||||
@ -66,6 +67,7 @@ Packages=
|
||||
python3-psutil
|
||||
quota
|
||||
sbsigntool
|
||||
softhsm2
|
||||
squashfs-tools
|
||||
stress
|
||||
tgt
|
||||
|
@ -37,6 +37,7 @@ Packages=
|
||||
gawk
|
||||
git-core
|
||||
glibc-locale-base
|
||||
gnutls
|
||||
grep
|
||||
group(bin)
|
||||
group(daemon)
|
||||
@ -66,6 +67,7 @@ Packages=
|
||||
sbsigntools
|
||||
sed
|
||||
shadow
|
||||
softhsm
|
||||
squashfs
|
||||
tgt
|
||||
timezone
|
||||
|
@ -78,3 +78,143 @@ cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf
|
||||
|
||||
# Remove to make TEST-73-LOCALE pass on Ubuntu.
|
||||
rm -f /etc/default/keyboard
|
||||
|
||||
# mkfs.ext4 on CentOS doesn't know the orphan_file feature so clear the mkfs options when we're building for
|
||||
# CentOS.
|
||||
if [[ "$DISTRIBUTION" == "centos" ]]; then
|
||||
SYSTEMD_REPART_MKFS_OPTIONS_EXT4=""
|
||||
fi
|
||||
|
||||
export SYSTEMD_REPART_MKFS_OPTIONS_EXT4
|
||||
|
||||
systemd-repart \
|
||||
--empty=create \
|
||||
--dry-run=no \
|
||||
--size=auto \
|
||||
--offline=true \
|
||||
--root test/TEST-24-CRYPTSETUP \
|
||||
--definitions test/TEST-24-CRYPTSETUP/keydev.repart \
|
||||
"$OUTPUTDIR/keydev.raw"
|
||||
|
||||
can_test_pkcs11() {
|
||||
if [[ "$DISTRIBUTION" == "opensuse" ]]; then
|
||||
echo "softhsm is broken on opensuse (https://bugzilla.opensuse.org/show_bug.cgi?id=1224356), skipping the PKCS#11 test" >&2
|
||||
return 1
|
||||
fi
|
||||
if ! command -v "softhsm2-util" >/dev/null; then
|
||||
echo "softhsm2-util not available, skipping the PKCS#11 test" >&2
|
||||
return 1
|
||||
fi
|
||||
if ! command -v "pkcs11-tool" >/dev/null; then
|
||||
echo "pkcs11-tool not available, skipping the PKCS#11 test" >&2
|
||||
return 1
|
||||
fi
|
||||
if ! command -v "certtool" >/dev/null; then
|
||||
echo "certtool not available, skipping the PKCS#11 test" >&2
|
||||
return 1
|
||||
fi
|
||||
if ! systemctl --version | grep -q "+P11KIT"; then
|
||||
echo "Support for p11-kit is disabled, skipping the PKCS#11 test" >&2
|
||||
return 1
|
||||
fi
|
||||
if ! systemctl --version | grep -q "+OPENSSL"; then
|
||||
echo "Support for openssl is disabled, skipping the PKCS#11 test" >&2
|
||||
return 1
|
||||
fi
|
||||
if ! systemctl --version | grep -q "+LIBCRYPTSETUP\b"; then
|
||||
echo "Support for libcryptsetup is disabled, skipping the PKCS#11 test" >&2
|
||||
return 1
|
||||
fi
|
||||
if ! systemctl --version | grep -q "+LIBCRYPTSETUP_PLUGINS"; then
|
||||
echo "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test" >&2
|
||||
return 1
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
setup_pkcs11_token() {
|
||||
echo "Setup PKCS#11 token" >&2
|
||||
local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
|
||||
|
||||
export SOFTHSM2_CONF="/tmp/softhsm2.conf"
|
||||
mkdir -p /usr/lib/softhsm/tokens/
|
||||
cat >$SOFTHSM2_CONF <<EOF
|
||||
directories.tokendir = /usr/lib/softhsm/tokens/
|
||||
objectstore.backend = file
|
||||
slots.removable = false
|
||||
slots.mechanisms = ALL
|
||||
EOF
|
||||
export GNUTLS_PIN="1234"
|
||||
export GNUTLS_SO_PIN="12345678"
|
||||
softhsm2-util --init-token --free --label "TestToken" --pin "$GNUTLS_PIN" --so-pin "$GNUTLS_SO_PIN"
|
||||
|
||||
if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
|
||||
echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
|
||||
P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
|
||||
fi
|
||||
|
||||
if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
|
||||
echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
|
||||
P11_MODULE_DIR="/usr/lib/pkcs11"
|
||||
fi
|
||||
|
||||
SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs)
|
||||
if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
|
||||
SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
|
||||
fi
|
||||
|
||||
# RSA #####################################################
|
||||
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt
|
||||
|
||||
certtool --generate-self-signed \
|
||||
--load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
|
||||
--load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
|
||||
--template "test/TEST-24-CRYPTSETUP/template.cfg" \
|
||||
--outder --outfile "/tmp/rsa_test.crt"
|
||||
|
||||
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey"
|
||||
rm "/tmp/rsa_test.crt"
|
||||
|
||||
# prime256v1 ##############################################
|
||||
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive
|
||||
|
||||
certtool --generate-self-signed \
|
||||
--load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
|
||||
--load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
|
||||
--template "test/TEST-24-CRYPTSETUP/template.cfg" \
|
||||
--outder --outfile "/tmp/ec_test.crt"
|
||||
|
||||
pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey"
|
||||
rm "/tmp/ec_test.crt"
|
||||
|
||||
###########################################################
|
||||
rm "$SOFTHSM2_CONF"
|
||||
unset SOFTHSM2_CONF
|
||||
|
||||
cat >/etc/softhsm2.conf <<EOF
|
||||
directories.tokendir = /usr/lib/softhsm/tokens/
|
||||
objectstore.backend = file
|
||||
slots.removable = false
|
||||
slots.mechanisms = ALL
|
||||
log.level = INFO
|
||||
EOF
|
||||
|
||||
mkdir -p /etc/systemd/system/systemd-cryptsetup@.service.d
|
||||
cat >/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf <<EOF
|
||||
[Unit]
|
||||
# Make sure we can start systemd-cryptsetup@empty_pkcs11_auto.service many times
|
||||
StartLimitBurst=10
|
||||
|
||||
[Service]
|
||||
Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
|
||||
Environment="PIN=$GNUTLS_PIN"
|
||||
EOF
|
||||
|
||||
unset GNUTLS_PIN
|
||||
unset GNUTLS_SO_PIN
|
||||
}
|
||||
|
||||
if can_test_pkcs11; then
|
||||
setup_pkcs11_token
|
||||
fi
|
||||
|
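Review bot: `SOFTHSM_MODULE` is never validated after the `grep -F 'module:' … | cut … | xargs` pipeline; if `softhsm2.module` is missing or has no `module:` key the variable is empty, the `=~ ^[^/]` branch is skipped, and the failure only surfaces later as `pkcs11-tool --module ""`. A guard right after the assignment gives a clear message: `[[ -n "$SOFTHSM_MODULE" ]] || { echo "No module: entry in $P11_MODULE_CONFIGS_DIR/softhsm2.module, skipping the PKCS#11 token setup" >&2; return 1; }`. `cut -d ':' -f 2` also truncates a module path that contains a colon; `sed -n 's/^module:[[:space:]]*//p' -- "$P11_MODULE_CONFIGS_DIR/softhsm2.module"` keeps the whole value and replaces the three-stage pipeline. Minor: `cat >$SOFTHSM2_CONF <<EOF` should quote the expansion, and softhsm2-util receives the PINs on argv while pkcs11-tool gets them via `env:` — harmless for fixed test PINs but worth making consistent.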
@ -7819,7 +7819,7 @@ static int find_root(Context *context) {
|
||||
if (r == -EUCLEAN)
|
||||
return btrfs_log_dev_root(LOG_ERR, r, p);
|
||||
if (r != -ENODEV)
|
||||
return log_error_errno(r, "Failed to determine backing device of %s: %m", p);
|
||||
return log_error_errno(r, "Failed to determine backing device of %s%s: %m", strempty(arg_root), p);
|
||||
} else
|
||||
return 0;
|
||||
}
|
||||
|
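--- /dev/null
+++ b/test/TEST-24-CRYPTSETUP/keydev.repart/00-root.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=linux-generic
+UUID=0fc63daf-8483-4772-8e79-3d69d8477de4
+Label=varcrypt_keydev
+SizeMinBytes=16M
+Format=ext4
+CopyFiles=/keyfile:/keyfile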
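Review bot: `UUID=0fc63daf-8483-4772-8e79-3d69d8477de4` sets the partition's own UUID to the value that is otherwise the well-known Linux generic partition *type* GUID (what `Type=linux-generic` resolves to); repart only needs a fixed value here for reproducibility, but the next reader will read it as a copy-paste mistake. A comment such as `# Fixed partition UUID for reproducible images; the value coincides with the linux-generic type GUID, which is harmless here.` settles that, or any other fixed UUID avoids the question entirely. `CopyFiles=/keyfile:/keyfile` deliberately places the LUKS key on a plain ext4 partition so the initrd can use `luks.key=…:LABEL=varcrypt_keydev`; a one-line comment saying so documents that this is test intent rather than an oversight.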
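--- /dev/null
+++ b/test/TEST-24-CRYPTSETUP/keyfile
@@ -0,0 +1 @@
+test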
@ -3,6 +3,22 @@
|
||||
integration_tests += [
|
||||
integration_test_template + {
|
||||
'name' : fs.name(meson.current_source_dir()),
|
||||
'enabled' : false,
|
||||
'credentials' : integration_test_template['credentials'] + [
|
||||
files('keyfile'),
|
||||
'fstab.extra="/dev/mapper/test24_varcrypt /var ext4 defaults 0 1"',
|
||||
],
|
||||
'cmdline' : [
|
||||
'rd.systemd.wants=encrypted-var.service',
|
||||
'rd.luks=1',
|
||||
'luks.name=0d318174-56b0-4d6e-a324-ac1e7e7d235d=test24_varcrypt',
|
||||
'luks.key=0d318174-56b0-4d6e-a324-ac1e7e7d235d=/keyfile:LABEL=varcrypt_keydev',
|
||||
'luks.options=0d318174-56b0-4d6e-a324-ac1e7e7d235d=x-initrd.attach',
|
||||
],
|
||||
'qemu-args' : [
|
||||
'-drive', 'format=raw,cache=unsafe,file=@0@'.format(project_build_root / 'mkosi.output/keydev.raw'),
|
||||
],
|
||||
'mkosi-args' : integration_test_template['mkosi-args'] + [
|
||||
'--runtime-size=11G',
|
||||
],
|
||||
},
|
||||
]
|
||||
|
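Review bot: The derived LUKS UUID `0d318174-56b0-4d6e-a324-ac1e7e7d235d` is repeated verbatim in all three `luks.*` cmdline entries and is only explained by a comment in the repart definition that produces it; pulling it into a local and formatting the strings keeps the coupling in one place and documents where the value comes from. Presumably the removed line is `'enabled' : false`, which matches the PR title. Proposed rewrite of the cmdline block (the list's closing lines are unchanged):
```meson
# Derived LUKS UUID of the encrypted var partition; see the UUID= comment in the repart definition.
varcrypt_uuid = '0d318174-56b0-4d6e-a324-ac1e7e7d235d'
# … unchanged: integration_tests += [ … 'name' / 'credentials' …
        'cmdline' : [
            'rd.systemd.wants=encrypted-var.service',
            'rd.luks=1',
            'luks.name=@0@=test24_varcrypt'.format(varcrypt_uuid),
            'luks.key=@0@=/keyfile:LABEL=varcrypt_keydev'.format(varcrypt_uuid),
            'luks.options=@0@=x-initrd.attach'.format(varcrypt_uuid),
        ],
# … unchanged: 'qemu-args' / 'mkosi-args' …
```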
@ -80,9 +80,9 @@ setup_pkcs11_token() {
|
||||
local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
|
||||
|
||||
export SOFTHSM2_CONF="/tmp/softhsm2.conf"
|
||||
mkdir -p "$initdir/var/lib/softhsm/tokens/"
|
||||
mkdir -p "$initdir/usr/lib/softhsm/tokens/"
|
||||
cat >${SOFTHSM2_CONF} <<EOF
|
||||
directories.tokendir = $initdir/var/lib/softhsm/tokens/
|
||||
directories.tokendir = $initdir/usr/lib/softhsm/tokens/
|
||||
objectstore.backend = file
|
||||
slots.removable = false
|
||||
slots.mechanisms = ALL
|
||||
@ -139,7 +139,7 @@ EOF
|
||||
inst_simple "$P11_MODULE_CONFIGS_DIR/softhsm2.module"
|
||||
|
||||
cat >"$initdir/etc/softhsm2.conf" <<EOF
|
||||
directories.tokendir = /var/lib/softhsm/tokens/
|
||||
directories.tokendir = /usr/lib/softhsm/tokens/
|
||||
objectstore.backend = file
|
||||
slots.removable = false
|
||||
slots.mechanisms = ALL
|
||||
|
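Review bot: Moving the SoftHSM token store from `/var/lib/softhsm/tokens/` to `/usr/lib/softhsm/tokens/` (both hunks) puts a file-backed object store under /usr; as far as I know SoftHSM may need to write to the token directory at runtime (lock files, object updates), so if a test image mounts /usr read-only the PKCS#11 unlock could fail at boot even though the build-time setup succeeded. If the move is intentional so that the tokens end up in the image's /usr tree, a comment above the `mkdir -p` line stating that, and that /usr must stay writable for this test, prevents it from being reverted as a mistake. Minor: `cat >${SOFTHSM2_CONF} <<EOF` should quote the expansion. setup_pkcs11_token continues outside both hunks.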
@ -228,7 +228,7 @@ mkdir -p /run/cryptsetup-keys.d
|
||||
cp "$IMAGE_EMPTY_KEYFILE" /run/cryptsetup-keys.d/empty_nokey.key
|
||||
cryptsetup_start_and_check empty_nokey
|
||||
|
||||
if [[ -r /etc/softhsm2.conf ]]; then
|
||||
if [[ -d /usr/lib/softhsm/tokens ]]; then
|
||||
# Test unlocking with a PKCS#11 token
|
||||
export SOFTHSM2_CONF="/etc/softhsm2.conf"
|
||||
|
||||
|
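Review bot: The gate now tests only `-d /usr/lib/softhsm/tokens` (assuming that is the new side), but the next line exports `SOFTHSM2_CONF="/etc/softhsm2.conf"` without checking that the file exists, so an image with a token directory and no config enters the PKCS#11 branch and fails inside it instead of being skipped. Checking both keeps the skip semantics the old `-r /etc/softhsm2.conf` test provided: `if [[ -d /usr/lib/softhsm/tokens && -r /etc/softhsm2.conf ]]; then`. The enclosing block continues past the hunk.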