diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 03:50:40 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 03:50:40 +0000 |
commit | fc53809803cd2bc2434e312b19a18fa36776da12 (patch) | |
tree | b4b43bd6538f51965ce32856e9c053d0f90919c8 /test/TEST-24-CRYPTSETUP | |
parent | Adding upstream version 255.5. (diff) | |
download | systemd-fc53809803cd2bc2434e312b19a18fa36776da12.tar.xz systemd-fc53809803cd2bc2434e312b19a18fa36776da12.zip |
Adding upstream version 256.upstream/256
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'test/TEST-24-CRYPTSETUP')
-rw-r--r-- | test/TEST-24-CRYPTSETUP/keydev.repart/00-root.conf | 9 | ||||
-rw-r--r-- | test/TEST-24-CRYPTSETUP/keyfile | 1 | ||||
-rw-r--r-- | test/TEST-24-CRYPTSETUP/meson.build | 26 | ||||
-rw-r--r-- | test/TEST-24-CRYPTSETUP/template.cfg | 8 | ||||
-rwxr-xr-x | test/TEST-24-CRYPTSETUP/test.sh | 128 |
5 files changed, 171 insertions, 1 deletions
diff --git a/test/TEST-24-CRYPTSETUP/keydev.repart/00-root.conf b/test/TEST-24-CRYPTSETUP/keydev.repart/00-root.conf new file mode 100644 index 0000000..d6cdad0 --- /dev/null +++ b/test/TEST-24-CRYPTSETUP/keydev.repart/00-root.conf @@ -0,0 +1,9 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[Partition] +Type=linux-generic +UUID=0fc63daf-8483-4772-8e79-3d69d8477de4 +Label=varcrypt_keydev +SizeMinBytes=16M +Format=ext4 +CopyFiles=/keyfile:/keyfile diff --git a/test/TEST-24-CRYPTSETUP/keyfile b/test/TEST-24-CRYPTSETUP/keyfile new file mode 100644 index 0000000..9daeafb --- /dev/null +++ b/test/TEST-24-CRYPTSETUP/keyfile @@ -0,0 +1 @@ +test diff --git a/test/TEST-24-CRYPTSETUP/meson.build b/test/TEST-24-CRYPTSETUP/meson.build new file mode 100644 index 0000000..af41f16 --- /dev/null +++ b/test/TEST-24-CRYPTSETUP/meson.build @@ -0,0 +1,26 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +integration_tests += [ + integration_test_template + { + 'name' : fs.name(meson.current_source_dir()), + 'credentials' : integration_test_template['credentials'] + [ + files('keyfile'), + 'fstab.extra="/dev/mapper/test24_varcrypt /var ext4 defaults 0 1"', + ], + 'cmdline' : [ + 'rd.systemd.wants=encrypted-var.service', + 'rd.luks=1', + 'luks.name=0d318174-56b0-4d6e-a324-ac1e7e7d235d=test24_varcrypt', + 'luks.key=0d318174-56b0-4d6e-a324-ac1e7e7d235d=/keyfile:LABEL=varcrypt_keydev', + 'luks.options=0d318174-56b0-4d6e-a324-ac1e7e7d235d=x-initrd.attach', + ], + 'qemu-args' : [ + '-drive', 'id=keydev,if=none,format=raw,cache=unsafe,file=@0@'.format(project_build_root / 'mkosi.output/keydev.raw'), + '-device', 'scsi-hd,drive=keydev', + ], + 'mkosi-args' : integration_test_template['mkosi-args'] + [ + '--runtime-size=11G', + ], + 'vm' : true, + }, +] diff --git a/test/TEST-24-CRYPTSETUP/template.cfg b/test/TEST-24-CRYPTSETUP/template.cfg new file mode 100644 index 0000000..42f8b9d --- /dev/null +++ b/test/TEST-24-CRYPTSETUP/template.cfg @@ -0,0 +1,8 @@ +dn = "cn = systemd" +expiration_days = 30 + +signing_key +encryption_key + +tls_www_client +email_protection_key diff --git a/test/TEST-24-CRYPTSETUP/test.sh b/test/TEST-24-CRYPTSETUP/test.sh index 4ace177..a7e118c 100755 --- a/test/TEST-24-CRYPTSETUP/test.sh +++ b/test/TEST-24-CRYPTSETUP/test.sh @@ -18,6 +18,9 @@ KERNEL_OPTIONS=( "luks.name=$PART_UUID=$DM_NAME" "luks.key=$PART_UUID=/keyfile:LABEL=varcrypt_keydev" "luks.options=$PART_UUID=x-initrd.attach" + # Forward journal to console to make debugging easier (or possible at all) if we fail to bring the + # encrypted /var up during boot + "systemd.journald.forward_to_console=1" ) KERNEL_APPEND+=" ${KERNEL_OPTIONS[*]}" QEMU_OPTIONS+=" -drive format=raw,cache=unsafe,file=${STATEDIR:?}/keydev.img" @@ -39,6 +42,125 @@ check_result_qemu() { return $ret } +can_test_pkcs11() { + if ! command -v "softhsm2-util" >/dev/null; then + ddebug "softhsm2-util not available, skipping the PKCS#11 test" + return 1 + fi + if ! command -v "pkcs11-tool" >/dev/null; then + ddebug "pkcs11-tool not available, skipping the PKCS#11 test" + return 1 + fi + if ! command -v "certtool" >/dev/null; then + ddebug "certtool not available, skipping the PKCS#11 test" + return 1 + fi + if ! "${SYSTEMCTL:?}" --version | grep -q "+P11KIT"; then + ddebug "Support for p11-kit is disabled, skipping the PKCS#11 test" + return 1 + fi + if ! "${SYSTEMCTL:?}" --version | grep -q "+OPENSSL"; then + ddebug "Support for openssl is disabled, skipping the PKCS#11 test" + return 1 + fi + if ! "${SYSTEMCTL:?}" --version | grep -q "+LIBCRYPTSETUP\b"; then + ddebug "Support for libcryptsetup is disabled, skipping the PKCS#11 test" + return 1 + fi + if ! "${SYSTEMCTL:?}" --version | grep -q "+LIBCRYPTSETUP_PLUGINS"; then + ddebug "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test" + return 1 + fi + + return 0 +} + +setup_pkcs11_token() { + dinfo "Setup PKCS#11 token" + local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE + + export SOFTHSM2_CONF="/tmp/softhsm2.conf" + mkdir -p "$initdir/usr/lib/softhsm/tokens/" + cat >${SOFTHSM2_CONF} <<EOF +directories.tokendir = $initdir/usr/lib/softhsm/tokens/ +objectstore.backend = file +slots.removable = false +slots.mechanisms = ALL +EOF + export GNUTLS_PIN="1234" + export GNUTLS_SO_PIN="12345678" + softhsm2-util --init-token --free --label "TestToken" --pin ${GNUTLS_PIN} --so-pin ${GNUTLS_SO_PIN} + + if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then + echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2 + P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules" + fi + + if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then + echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2 + P11_MODULE_DIR="/usr/lib/pkcs11" + fi + + SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs) + if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then + SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE" + fi + + # RSA ##################################################### + pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt + + certtool --generate-self-signed \ + --load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \ + --load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \ + --template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \ + --outder --outfile "/tmp/rsa_test.crt" + + pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey" + rm "/tmp/rsa_test.crt" + + # prime256v1 ############################################## + pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive + + certtool --generate-self-signed \ + --load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \ + --load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \ + --template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \ + --outder --outfile "/tmp/ec_test.crt" + + pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey" + rm "/tmp/ec_test.crt" + + ########################################################### + rm ${SOFTHSM2_CONF} + unset SOFTHSM2_CONF + + inst_libs "$SOFTHSM_MODULE" + inst_library "$SOFTHSM_MODULE" + inst_simple "$P11_MODULE_CONFIGS_DIR/softhsm2.module" + + cat >"$initdir/etc/softhsm2.conf" <<EOF +directories.tokendir = /usr/lib/softhsm/tokens/ +objectstore.backend = file +slots.removable = false +slots.mechanisms = ALL +log.level = INFO +EOF + + mkdir -p "$initdir/etc/systemd/system/systemd-cryptsetup@.service.d" + cat >"$initdir/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf" <<EOF +[Unit] +# Make sure we can start systemd-cryptsetup@empty_pkcs11_auto.service many times +StartLimitBurst=10 + +[Service] +Environment="SOFTHSM2_CONF=/etc/softhsm2.conf" +Environment="PIN=$GNUTLS_PIN" +EOF + + unset GNUTLS_PIN + unset GNUTLS_SO_PIN +} + test_create_image() { create_empty_image_rootdir @@ -57,6 +179,10 @@ test_create_image() { install_dmevent generate_module_dependencies + if can_test_pkcs11; then + setup_pkcs11_token + fi + # Create a keydev dd if=/dev/zero of="${STATEDIR:?}/keydev.img" bs=1M count=16 mkfs.ext4 -L varcrypt_keydev "$STATEDIR/keydev.img" @@ -84,7 +210,7 @@ EOF if command -v dracut >/dev/null; then dracut --force --verbose --add crypt "$INITRD" elif command -v mkinitcpio >/dev/null; then - mkinitcpio --addhooks sd-encrypt --generate "$INITRD" + mkinitcpio -S autodetect --addhooks sd-encrypt --generate "$INITRD" elif command -v mkinitramfs >/dev/null; then # The cryptroot hook is provided by the cryptsetup-initramfs package if ! dpkg-query -s cryptsetup-initramfs; then |