Rework TEST-86-MULTI-PROFILE-UKI
Now that mkosi supports generating UKI profiles, let's make use of that to generate the UKI profiles required for the test instead of doing it within the test itself.
This commit is contained in:
parent
922fe8b91d
commit
977fc93603
@ -33,9 +33,8 @@ CacheDirectory=build/mkosi.cache
|
|||||||
BuildSourcesEphemeral=yes
|
BuildSourcesEphemeral=yes
|
||||||
Incremental=yes
|
Incremental=yes
|
||||||
|
|
||||||
# TODO: Remove when TEST-70-TPM doesn't fail in an image with signed PCRs anymore.
|
|
||||||
[Validation]
|
[Validation]
|
||||||
SignExpectedPcr=no
|
SignExpectedPcr=yes
|
||||||
|
|
||||||
[Content]
|
[Content]
|
||||||
ExtraTrees=
|
ExtraTrees=
|
||||||
|
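Review bot: The rationale for dropping the PCR-signing caveat is not recorded anywhere: the TODO that tied `SignExpectedPcr` to TEST-70-TPM failing in an image with signed PCRs is removed and the value appears to flip to `yes`, but neither the commit message nor the remaining config states that TEST-70-TPM now passes in such an image. A one-line comment next to `SignExpectedPcr=yes` (or a sentence in the commit message) would keep that reasoning, presumably "the multi-profile test now relies on the stub-exported PCR signing key, so expected PCRs must be signed", if that is indeed the driver.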
7
mkosi.uki-profiles/profile1.conf
Normal file
7
mkosi.uki-profiles/profile1.conf
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||||
|
|
||||||
|
[UKIProfile]
|
||||||
|
Profile=
|
||||||
|
ID=profile1
|
||||||
|
TITLE=Profile Two
|
||||||
|
Cmdline=testprofile1=1
|
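Review bot: `TITLE=Profile Two` in profile1.conf looks like a copy-paste slip: this file declares `ID=profile1`, the in-script ukify invocation it replaces used `TITLE="Profile One"`, and profile2.conf already carries `TITLE=Profile Two`. Nothing in the visible test code greps the title, so the test still passes, but the boot menu would show two entries with the same name; change the line to `TITLE=Profile One`.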
7
mkosi.uki-profiles/profile2.conf
Normal file
7
mkosi.uki-profiles/profile2.conf
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||||
|
|
||||||
|
[UKIProfile]
|
||||||
|
Profile=
|
||||||
|
ID=profile2
|
||||||
|
TITLE=Profile Two
|
||||||
|
Cmdline=testprofile2=1
|
@ -6,6 +6,5 @@ integration_tests += [
|
|||||||
'storage' : 'persistent',
|
'storage' : 'persistent',
|
||||||
'vm' : true,
|
'vm' : true,
|
||||||
'firmware' : 'auto',
|
'firmware' : 'auto',
|
||||||
'enabled' : false,
|
|
||||||
},
|
},
|
||||||
]
|
]
|
||||||
|
@ -25,57 +25,42 @@ fi
|
|||||||
echo "CURRENT EVENT LOG + PCRS:"
|
echo "CURRENT EVENT LOG + PCRS:"
|
||||||
/usr/lib/systemd/systemd-pcrlock
|
/usr/lib/systemd/systemd-pcrlock
|
||||||
|
|
||||||
if test ! -f /run/systemd/stub/profile; then
|
test -f /run/systemd/stub/profile
|
||||||
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out /root/pcrsign.private.pem
|
|
||||||
openssl rsa -pubout -in /root/pcrsign.private.pem -out /root/pcrsign.public.pem
|
|
||||||
|
|
||||||
ukify build --extend="$CURRENT_UKI" --output=/tmp/extended0.efi --profile='ID=profile0
|
# shellcheck source=/dev/null
|
||||||
TITLE="Profile Zero"' --measure-base="$CURRENT_UKI" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
|
. /run/systemd/stub/profile
|
||||||
|
|
||||||
ukify build --extend=/tmp/extended0.efi --output=/tmp/extended1.efi --profile='ID=profile1
|
if [[ "$ID" == "main" ]]; then
|
||||||
TITLE="Profile One"' --measure-base=/tmp/extended0.efi --cmdline="testprofile1=1 $(cat /proc/cmdline)" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
|
if [[ -f /root/encrypted.raw ]]; then
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
ukify build --extend=/tmp/extended1.efi --output=/tmp/extended2.efi --profile='ID=profile2
|
# Prepare a disk image, locked to the PCR measurements of the current UKI
|
||||||
TITLE="Profile Two"' --measure-base=/tmp/extended1.efi --cmdline="testprofile2=1 $(cat /proc/cmdline)" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
|
|
||||||
|
|
||||||
echo "EXTENDED UKI:"
|
|
||||||
ukify inspect /tmp/extended2.efi
|
|
||||||
rm /tmp/extended0.efi /tmp/extended1.efi
|
|
||||||
mv /tmp/extended2.efi "$CURRENT_UKI"
|
|
||||||
|
|
||||||
# Prepare a disk image, locked to the PCR measurements of the UKI we just generated
|
|
||||||
truncate -s 32M /root/encrypted.raw
|
truncate -s 32M /root/encrypted.raw
|
||||||
echo -n "geheim" >/root/encrypted.secret
|
echo -n "geheim" >/root/encrypted.secret
|
||||||
cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom /root/encrypted.raw --key-file=/root/encrypted.secret
|
cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom /root/encrypted.raw --key-file=/root/encrypted.secret
|
||||||
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --tpm2-public-key=/root/pcrsign.public.pem --unlock-key-file=/root/encrypted.secret /root/encrypted.raw
|
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --unlock-key-file=/root/encrypted.secret /root/encrypted.raw
|
||||||
rm -f /root/encrypted.secret
|
rm -f /root/encrypted.secret
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Validate that with the current profile we can fulfill the PCR 11 policy
|
||||||
|
systemd-cryptsetup attach multiprof /root/encrypted.raw - tpm2-device=auto,headless=1
|
||||||
|
systemd-cryptsetup detach multiprof
|
||||||
|
|
||||||
|
if [[ "$ID" == "main" ]]; then
|
||||||
|
bootctl set-default "$(basename "$CURRENT_UKI")@profile1"
|
||||||
reboot
|
reboot
|
||||||
exit 0
|
exit 0
|
||||||
|
elif [[ "$ID" == "profile1" ]]; then
|
||||||
|
grep testprofile1=1 /proc/cmdline
|
||||||
|
bootctl set-default "$(basename "$CURRENT_UKI")@profile2"
|
||||||
|
reboot
|
||||||
|
exit 0
|
||||||
|
elif [[ "$ID" == "profile2" ]]; then
|
||||||
|
grep testprofile2=1 /proc/cmdline
|
||||||
|
rm /root/encrypted.raw
|
||||||
else
|
else
|
||||||
# shellcheck source=/dev/null
|
exit 1
|
||||||
. /run/systemd/stub/profile
|
|
||||||
|
|
||||||
# Validate that with the current profile we can fulfill the PCR 11 policy
|
|
||||||
systemd-cryptsetup attach multiprof /root/encrypted.raw - tpm2-device=auto,headless=1
|
|
||||||
systemd-cryptsetup detach multiprof
|
|
||||||
|
|
||||||
if [ "$ID" = "profile0" ]; then
|
|
||||||
grep -v testprofile /proc/cmdline
|
|
||||||
echo "default $(basename "$CURRENT_UKI")@profile1" >"$(bootctl -p)/loader/loader.conf"
|
|
||||||
reboot
|
|
||||||
exit 0
|
|
||||||
elif [ "$ID" = "profile1" ]; then
|
|
||||||
grep testprofile1=1 /proc/cmdline
|
|
||||||
echo "default $(basename "$CURRENT_UKI")@profile2" >"$(bootctl -p)/loader/loader.conf"
|
|
||||||
reboot
|
|
||||||
exit 0
|
|
||||||
elif [ "$ID" = "profile2" ]; then
|
|
||||||
grep testprofile2=1 /proc/cmdline
|
|
||||||
rm /root/encrypted.raw
|
|
||||||
else
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
touch /testok
|
touch /testok
|
||||||
|
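Review bot: The rewritten `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --unlock-key-file=/root/encrypted.secret /root/encrypted.raw` line drops the explicit `--tpm2-public-key=`, so with an empty PCR mask the enrolment depends entirely on a signing key being auto-discovered from the stub; as far as I can tell, when no such key is present the enrolment ends up with no PCR policy at all and the later `systemd-cryptsetup attach multiprof ...` checks succeed in every profile without verifying anything. Passing `--tpm2-public-key=/run/systemd/tpm2-pcr-public-key.pem` explicitly (or asserting that file exists before enrolling) makes the test fail loudly instead of silently proving nothing. The `main` branch also no longer asserts that neither testprofile marker is on the kernel command line, which the old profile0 branch did with `grep -v testprofile /proc/cmdline`. Note that the bare `test -f /run/systemd/stub/profile` only aborts the script if errexit is enabled earlier in the file, outside this hunk.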