Diffstat (limited to 'test/TEST-24-CRYPTSETUP')
-rw-r--r--test/TEST-24-CRYPTSETUP/keydev.repart/00-root.conf9
-rw-r--r--test/TEST-24-CRYPTSETUP/keyfile1
-rw-r--r--test/TEST-24-CRYPTSETUP/meson.build26
-rw-r--r--test/TEST-24-CRYPTSETUP/template.cfg8
-rwxr-xr-xtest/TEST-24-CRYPTSETUP/test.sh128
5 files changed, 171 insertions, 1 deletions
diff --git a/test/TEST-24-CRYPTSETUP/keydev.repart/00-root.conf b/test/TEST-24-CRYPTSETUP/keydev.repart/00-root.conf
new file mode 100644
index 0000000..d6cdad0
--- /dev/null
+++ b/test/TEST-24-CRYPTSETUP/keydev.repart/00-root.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[Partition]
+Type=linux-generic
+UUID=0fc63daf-8483-4772-8e79-3d69d8477de4
+Label=varcrypt_keydev
+SizeMinBytes=16M
+Format=ext4
+CopyFiles=/keyfile:/keyfile
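Review bot: The value on the `UUID=` line is the well-known GPT "Linux filesystem data" type GUID (0fc63daf-8483-4772-8e79-3d69d8477de4), which is what `Type=linux-generic` already selects; in a repart definition `UUID=` sets the partition's own identifier, so this pins the partition UUID to a value that is not unique to this device. The test locates the key device by `LABEL=varcrypt_keydev`, so this is presumably harmless, but if a stable partition UUID was intended it should be a freshly generated one, and if not the line can simply be dropped. A one-line comment such as `# Located by LABEL= at boot; the UUID only needs to be stable, not meaningful` would make the intent clear either way.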
diff --git a/test/TEST-24-CRYPTSETUP/keyfile b/test/TEST-24-CRYPTSETUP/keyfile
new file mode 100644
index 0000000..9daeafb
--- /dev/null
+++ b/test/TEST-24-CRYPTSETUP/keyfile
@@ -0,0 +1 @@
+test
diff --git a/test/TEST-24-CRYPTSETUP/meson.build b/test/TEST-24-CRYPTSETUP/meson.build
new file mode 100644
index 0000000..af41f16
--- /dev/null
+++ b/test/TEST-24-CRYPTSETUP/meson.build
@@ -0,0 +1,26 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+integration_tests += [
+ integration_test_template + {
+ 'name' : fs.name(meson.current_source_dir()),
+ 'credentials' : integration_test_template['credentials'] + [
+ files('keyfile'),
+ 'fstab.extra="/dev/mapper/test24_varcrypt /var ext4 defaults 0 1"',
+ ],
+ 'cmdline' : [
+ 'rd.systemd.wants=encrypted-var.service',
+ 'rd.luks=1',
+ 'luks.name=0d318174-56b0-4d6e-a324-ac1e7e7d235d=test24_varcrypt',
+ 'luks.key=0d318174-56b0-4d6e-a324-ac1e7e7d235d=/keyfile:LABEL=varcrypt_keydev',
+ 'luks.options=0d318174-56b0-4d6e-a324-ac1e7e7d235d=x-initrd.attach',
+ ],
+ 'qemu-args' : [
+ '-drive', 'id=keydev,if=none,format=raw,cache=unsafe,file=@0@'.format(project_build_root / 'mkosi.output/keydev.raw'),
+ '-device', 'scsi-hd,drive=keydev',
+ ],
+ 'mkosi-args' : integration_test_template['mkosi-args'] + [
+ '--runtime-size=11G',
+ ],
+ 'vm' : true,
+ },
+]
diff --git a/test/TEST-24-CRYPTSETUP/template.cfg b/test/TEST-24-CRYPTSETUP/template.cfg
new file mode 100644
index 0000000..42f8b9d
--- /dev/null
+++ b/test/TEST-24-CRYPTSETUP/template.cfg
@@ -0,0 +1,8 @@
+dn = "cn = systemd"
+expiration_days = 30
+
+signing_key
+encryption_key
+
+tls_www_client
+email_protection_key
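Review bot: `expiration_days = 30` means the self-signed certificates written into the SoftHSM token expire 30 days after the image is built, so a cached or pre-built test image older than a month carries expired certificates. Whether systemd-cryptsetup's PKCS#11 path checks certificate validity when it only needs the public key is not visible here, so this may be harmless, but it is a latent source of "works locally, fails on an old CI image" flakiness. Consider a generous value for a throwaway test token, e.g. `expiration_days = 3650`, with a comment `# Test-only token; long validity so cached images do not go stale`.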
diff --git a/test/TEST-24-CRYPTSETUP/test.sh b/test/TEST-24-CRYPTSETUP/test.sh
index 4ace177..a7e118c 100755
--- a/test/TEST-24-CRYPTSETUP/test.sh
+++ b/test/TEST-24-CRYPTSETUP/test.sh
@@ -18,6 +18,9 @@ KERNEL_OPTIONS=(
"luks.name=$PART_UUID=$DM_NAME"
"luks.key=$PART_UUID=/keyfile:LABEL=varcrypt_keydev"
"luks.options=$PART_UUID=x-initrd.attach"
+ # Forward journal to console to make debugging easier (or possible at all) if we fail to bring the
+ # encrypted /var up during boot
+ "systemd.journald.forward_to_console=1"
)
KERNEL_APPEND+=" ${KERNEL_OPTIONS[*]}"
QEMU_OPTIONS+=" -drive format=raw,cache=unsafe,file=${STATEDIR:?}/keydev.img"
@@ -39,6 +42,125 @@ check_result_qemu() {
return $ret
}
+can_test_pkcs11() {
+ if ! command -v "softhsm2-util" >/dev/null; then
+ ddebug "softhsm2-util not available, skipping the PKCS#11 test"
+ return 1
+ fi
+ if ! command -v "pkcs11-tool" >/dev/null; then
+ ddebug "pkcs11-tool not available, skipping the PKCS#11 test"
+ return 1
+ fi
+ if ! command -v "certtool" >/dev/null; then
+ ddebug "certtool not available, skipping the PKCS#11 test"
+ return 1
+ fi
+ if ! "${SYSTEMCTL:?}" --version | grep -q "+P11KIT"; then
+ ddebug "Support for p11-kit is disabled, skipping the PKCS#11 test"
+ return 1
+ fi
+ if ! "${SYSTEMCTL:?}" --version | grep -q "+OPENSSL"; then
+ ddebug "Support for openssl is disabled, skipping the PKCS#11 test"
+ return 1
+ fi
+ if ! "${SYSTEMCTL:?}" --version | grep -q "+LIBCRYPTSETUP\b"; then
+ ddebug "Support for libcryptsetup is disabled, skipping the PKCS#11 test"
+ return 1
+ fi
+ if ! "${SYSTEMCTL:?}" --version | grep -q "+LIBCRYPTSETUP_PLUGINS"; then
+ ddebug "Support for libcryptsetup plugins is disabled, skipping the PKCS#11 test"
+ return 1
+ fi
+
+ return 0
+}
+
+setup_pkcs11_token() {
+ dinfo "Setup PKCS#11 token"
+ local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE
+
+ export SOFTHSM2_CONF="/tmp/softhsm2.conf"
+ mkdir -p "$initdir/usr/lib/softhsm/tokens/"
+ cat >${SOFTHSM2_CONF} <<EOF
+directories.tokendir = $initdir/usr/lib/softhsm/tokens/
+objectstore.backend = file
+slots.removable = false
+slots.mechanisms = ALL
+EOF
+ export GNUTLS_PIN="1234"
+ export GNUTLS_SO_PIN="12345678"
+ softhsm2-util --init-token --free --label "TestToken" --pin ${GNUTLS_PIN} --so-pin ${GNUTLS_SO_PIN}
+
+ if ! P11_MODULE_CONFIGS_DIR=$(pkg-config --variable=p11_module_configs p11-kit-1); then
+ echo "WARNING! Cannot get p11_module_configs from p11-kit-1.pc, assuming /usr/share/p11-kit/modules" >&2
+ P11_MODULE_CONFIGS_DIR="/usr/share/p11-kit/modules"
+ fi
+
+ if ! P11_MODULE_DIR=$(pkg-config --variable=p11_module_path p11-kit-1); then
+ echo "WARNING! Cannot get p11_module_path from p11-kit-1.pc, assuming /usr/lib/pkcs11" >&2
+ P11_MODULE_DIR="/usr/lib/pkcs11"
+ fi
+
+ SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs)
+ if [[ "$SOFTHSM_MODULE" =~ ^[^/] ]]; then
+ SOFTHSM_MODULE="$P11_MODULE_DIR/$SOFTHSM_MODULE"
+ fi
+
+ # RSA #####################################################
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "RSA:2048" --label "RSATestKey" --usage-decrypt
+
+ certtool --generate-self-signed \
+ --load-privkey="pkcs11:token=TestToken;object=RSATestKey;type=private" \
+ --load-pubkey="pkcs11:token=TestToken;object=RSATestKey;type=public" \
+ --template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \
+ --outder --outfile "/tmp/rsa_test.crt"
+
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/rsa_test.crt" --type cert --label "RSATestKey"
+ rm "/tmp/rsa_test.crt"
+
+ # prime256v1 ##############################################
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --keypairgen --key-type "EC:prime256v1" --label "ECTestKey" --usage-derive
+
+ certtool --generate-self-signed \
+ --load-privkey="pkcs11:token=TestToken;object=ECTestKey;type=private" \
+ --load-pubkey="pkcs11:token=TestToken;object=ECTestKey;type=public" \
+ --template "$TEST_BASE_DIR/$TESTNAME/template.cfg" \
+ --outder --outfile "/tmp/ec_test.crt"
+
+ pkcs11-tool --module "$SOFTHSM_MODULE" --token-label "TestToken" --pin "env:GNUTLS_PIN" --so-pin "env:GNUTLS_SO_PIN" --write-object "/tmp/ec_test.crt" --type cert --label "ECTestKey"
+ rm "/tmp/ec_test.crt"
+
+ ###########################################################
+ rm ${SOFTHSM2_CONF}
+ unset SOFTHSM2_CONF
+
+ inst_libs "$SOFTHSM_MODULE"
+ inst_library "$SOFTHSM_MODULE"
+ inst_simple "$P11_MODULE_CONFIGS_DIR/softhsm2.module"
+
+ cat >"$initdir/etc/softhsm2.conf" <<EOF
+directories.tokendir = /usr/lib/softhsm/tokens/
+objectstore.backend = file
+slots.removable = false
+slots.mechanisms = ALL
+log.level = INFO
+EOF
+
+ mkdir -p "$initdir/etc/systemd/system/systemd-cryptsetup@.service.d"
+ cat >"$initdir/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf" <<EOF
+[Unit]
+# Make sure we can start systemd-cryptsetup@empty_pkcs11_auto.service many times
+StartLimitBurst=10
+
+[Service]
+Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
+Environment="PIN=$GNUTLS_PIN"
+EOF
+
+ unset GNUTLS_PIN
+ unset GNUTLS_SO_PIN
+}
+
test_create_image() {
create_empty_image_rootdir
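Review bot: `setup_pkcs11_token` writes to fixed, predictable paths under `/tmp` with plain `>` redirection (`/tmp/softhsm2.conf`, `/tmp/rsa_test.crt`, `/tmp/ec_test.crt`), which both collides between concurrent test runs on the same host and follows a pre-planted symlink on a shared machine; a `mktemp -d` work directory avoids both, and the variables should be quoted (`cat >${SOFTHSM2_CONF}` / `rm ${SOFTHSM2_CONF}` are unquoted). Separately, `can_test_pkcs11` probes the tools but not `$P11_MODULE_CONFIGS_DIR/softhsm2.module`; if that file is missing, `SOFTHSM_MODULE` ends up empty and the first `pkcs11-tool` call fails with an unrelated-looking error, so a `[[ -s "$file" ]] || return 1`-style check would fail earlier and clearer. The SO/user PINs and the on-disk `Environment="PIN=…"` drop-in are fine for a throwaway test token, but a comment saying so would stop the next reader from treating them as a leak. Whether the enclosing script runs under `set -e` is not visible from this hunk; if it does not, the certtool/pkcs11-tool steps should carry explicit `|| return 1` handling as well.
```shell
setup_pkcs11_token() {
    dinfo "Setup PKCS#11 token"
    local P11_MODULE_CONFIGS_DIR P11_MODULE_DIR SOFTHSM_MODULE WORKDIR

    # Private scratch dir: no fixed /tmp names, no clashes between parallel runs.
    WORKDIR="$(mktemp -d)" || return 1
    export SOFTHSM2_CONF="$WORKDIR/softhsm2.conf"
    mkdir -p "$initdir/usr/lib/softhsm/tokens/"
    cat >"$SOFTHSM2_CONF" <<EOF
directories.tokendir = $initdir/usr/lib/softhsm/tokens/
objectstore.backend = file
slots.removable = false
slots.mechanisms = ALL
EOF
    # Test-only PINs; they are baked into the image on purpose (see the drop-in below).
    export GNUTLS_PIN="1234"
    export GNUTLS_SO_PIN="12345678"
    # … unchanged: softhsm2-util --init-token, pkg-config lookups …

    if [[ ! -s "$P11_MODULE_CONFIGS_DIR/softhsm2.module" ]]; then
        echo "ERROR! $P11_MODULE_CONFIGS_DIR/softhsm2.module not found" >&2
        return 1
    fi
    SOFTHSM_MODULE=$(grep -F 'module:' "$P11_MODULE_CONFIGS_DIR/softhsm2.module"| cut -d ':' -f 2| xargs)
    # … unchanged: relative-path fixup …

    # RSA / EC key generation as before, but certificates land in $WORKDIR:
    #   --outder --outfile "$WORKDIR/rsa_test.crt"   /   "$WORKDIR/ec_test.crt"
    # … unchanged: keypairgen, certtool, --write-object steps …

    rm -rf -- "${WORKDIR:?}"
    unset SOFTHSM2_CONF
    # … unchanged: inst_libs/inst_library/inst_simple, image-side softhsm2.conf, drop-in, unset PINs …
}
```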
@@ -57,6 +179,10 @@ test_create_image() {
install_dmevent
generate_module_dependencies
+ if can_test_pkcs11; then
+ setup_pkcs11_token
+ fi
+
# Create a keydev
dd if=/dev/zero of="${STATEDIR:?}/keydev.img" bs=1M count=16
mkfs.ext4 -L varcrypt_keydev "$STATEDIR/keydev.img"
@@ -84,7 +210,7 @@ EOF
if command -v dracut >/dev/null; then
dracut --force --verbose --add crypt "$INITRD"
elif command -v mkinitcpio >/dev/null; then
- mkinitcpio --addhooks sd-encrypt --generate "$INITRD"
+ mkinitcpio -S autodetect --addhooks sd-encrypt --generate "$INITRD"
elif command -v mkinitramfs >/dev/null; then
# The cryptroot hook is provided by the cryptsetup-initramfs package
if ! dpkg-query -s cryptsetup-initramfs; then