author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:49:52 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:49:52 +0000 |
commit | 55944e5e40b1be2afc4855d8d2baf4b73d1876b5 (patch) | |
tree | 33f869f55a1b149e9b7c2b7e201867ca5dd52992 /test/units/testsuite-04.fss.sh | |
parent | Initial commit. (diff) | |
Adding upstream version 255.4.upstream/255.4
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'test/units/testsuite-04.fss.sh')
-rwxr-xr-x | test/units/testsuite-04.fss.sh | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/test/units/testsuite-04.fss.sh b/test/units/testsuite-04.fss.sh
new file mode 100755
index 0000000..03351b8
--- /dev/null
+++ b/test/units/testsuite-04.fss.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+# Forward Secure Sealing
+
+if ! journalctl --version | grep -qF +GCRYPT; then
+ echo "Built without gcrypt, skipping the FSS tests"
+ exit 0
+fi
+
+journalctl --force --setup-keys --interval=2 |& tee /tmp/fss
+FSS_VKEY="$(sed -rn '/([a-f0-9]{6}\-){3}[a-f0-9]{6}\/[a-f0-9]+\-[a-f0-9]+/p' /tmp/fss)"
+[[ -n "$FSS_VKEY" ]]
+
+# Generate some buzz in the journal and wait until the FSS key is changed
+# at least once
+systemd-cat cat /etc/os-release
+sleep 4
+# Seal the journal
+journalctl --rotate
+# Verification should fail without a valid FSS key
+(! journalctl --verify)
+(! journalctl --verify --verify-key="")
+(! journalctl --verify --verify-key="000000-000000-000000-000000/00000000-00000")
+# FIXME: ignore --verify result until #27532 is resolved
+journalctl --verify --verify-key="$FSS_VKEY" || :
+
+# Sealing + systemd-journal-remote
+/usr/lib/systemd/systemd-journal-remote --getter="journalctl -n 5 -o export" \
+ --split-mode=none \
+ --seal=yes \
+ --output=/tmp/sealed.journal
+(! journalctl --file=/tmp/sealed.journal --verify)
+(! journalctl --file=/tmp/sealed.journal --verify --verify-key="")
+(! journalctl --file=/tmp/sealed.journal --verify --verify-key="000000-000000-000000-000000/00000000-00000")
+# FIXME: ignore --verify result until #27532 is resolved
+journalctl --file=/tmp/sealed.journal --verify --verify-key="$FSS_VKEY" || :
+rm -f /tmp/sealed.journal
+
+# Return back to a journal without FSS
+rm -fv "/var/log/journal/$(</etc/machine-id)/fss"
+journalctl --rotate --vacuum-size=1
+# FIXME: ignore --verify result until #27532 is resolved
+journalctl --verify || :
|
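Review bot: The FSS verification key is written to a fixed path that is never removed: `journalctl --force --setup-keys --interval=2 |& tee /tmp/fss` leaves the key in `/tmp/fss`, and unlike `/tmp/sealed.journal` nothing deletes it at the end of the script. A private temp file would avoid both the predictable name and the leftover, e.g. `FSS_OUT="$(mktemp)"; trap 'rm -f "$FSS_OUT"' EXIT`, with `tee "$FSS_OUT"` and the `sed` call reading the same variable. Separately, both key-based `--verify` calls end in `|| :`, so the only enforced assertions are the negative ones, and `(! journalctl --verify)` passes on any non-zero exit, not just a missing or invalid key. A comment next to the first FIXME such as `# NOTE: until #27532 is fixed this test only proves that verification fails without a valid key` would make that limit explicit.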