Diffstat (limited to 'debian/tests/cryptroot-legacy.d')
-rw-r--r--debian/tests/cryptroot-legacy.d/bottom9
-rw-r--r--debian/tests/cryptroot-legacy.d/config14
-rwxr-xr-xdebian/tests/cryptroot-legacy.d/mock32
-rw-r--r--debian/tests/cryptroot-legacy.d/preinst14
-rw-r--r--debian/tests/cryptroot-legacy.d/setup46
5 files changed, 115 insertions, 0 deletions
diff --git a/debian/tests/cryptroot-legacy.d/bottom b/debian/tests/cryptroot-legacy.d/bottom
new file mode 100644
index 0000000..8bf492f
--- /dev/null
+++ b/debian/tests/cryptroot-legacy.d/bottom
@@ -0,0 +1,9 @@
+umount "$ROOT/boot"
+umount "$ROOT"
+
+swapoff /dev/cryptvg/swap
+lvm vgchange -an "cryptvg"
+
+cryptsetup close "vda3_crypt"
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-legacy.d/config b/debian/tests/cryptroot-legacy.d/config
new file mode 100644
index 0000000..cff461c
--- /dev/null
+++ b/debian/tests/cryptroot-legacy.d/config
@@ -0,0 +1,14 @@
+PKGS_EXTRA+=( e2fsprogs ) # for fsck.ext4
+PKGS_EXTRA+=( lvm2 )
+PKGS_EXTRA+=( cryptsetup-initramfs )
+
+# disable AES and SHA instructions
+if [[ "$QEMU_CPU_MODEL" =~ ^(.*),\+aes(,.*)?$ ]]; then
+ QEMU_CPU_MODEL="${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
+fi
+if [[ "$QEMU_CPU_MODEL" =~ ^(.*),\+sha-ni(,.*)?$ ]]; then
+ QEMU_CPU_MODEL="${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
+fi
+QEMU_CPU_MODEL="$QEMU_CPU_MODEL,-aes,-sha-ni"
+
+# vim: set filetype=bash :
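Review bot: The two `[[ ... =~ ]]` blocks on lines 40-45 perform the same edit for two flags, so a loop would be shorter and easier to extend when more feature bits need stripping: `for flag in aes sha-ni; do [[ "$QEMU_CPU_MODEL" =~ ^(.*),\+$flag(,.*)?$ ]] && QEMU_CPU_MODEL="${BASH_REMATCH[1]}${BASH_REMATCH[2]}"; done`. Both patterns require a leading comma, so a `+aes` given as the very first element would not be removed, although the `-aes,-sha-ni` appended on line 46 should still win if QEMU applies later flags over earlier ones. If `QEMU_CPU_MODEL` can ever be empty here, line 46 produces a value starting with a comma; `QEMU_CPU_MODEL="${QEMU_CPU_MODEL:+$QEMU_CPU_MODEL,}-aes,-sha-ni"` avoids that, but whether the harness guarantees a non-empty model is not visible in this hunk.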
diff --git a/debian/tests/cryptroot-legacy.d/mock b/debian/tests/cryptroot-legacy.d/mock
new file mode 100755
index 0000000..b3b7d26
--- /dev/null
+++ b/debian/tests/cryptroot-legacy.d/mock
@@ -0,0 +1,32 @@
+#!/usr/bin/perl -T
+
+BEGIN {
+ require "./debian/tests/utils/mock.pm";
+ CryptrootTest::Mock::->import();
+}
+
+unlock_disk("topsecret");
+login("root");
+
+# make sure the root FS and swap are help by dm-crypt devices
+shell(q{cryptsetup luksOpen --test-passphrase /dev/vda3 <<<topsecret}, rv => 0);
+my $out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda3});
+die unless $out =~ m#^`-vda3_crypt\s+crypt\s*$#m;
+die unless $out =~ m#^\s{2}[`|]-cryptvg-root\s+lvm\s+/\s*$#m;
+die unless $out =~ m#^\s{2}[`|]-cryptvg-swap\s+lvm\s+\[SWAP\]\s*$#m;
+
+# assume MODULES=dep won't add too many modules
+# XXX lsinitramfs doesn't work on /initrd.img with COMPRESS=zstd, cf. #1015954
+$out = shell(q{lsinitramfs /boot/initrd.img-`uname -r` | grep -Ec "^(usr/)?lib/modules/.*\.ko(\.[a-z]+)?$"});
+die "$out == 0 or $out > 50" unless $out =~ s/\r?\n\z// and $out =~ /\A([0-9]+)\z/ and $out > 0 and $out <= 50;
+
+# check cipher and key size
+$out = shell(q{dmsetup table --target crypt --showkeys vda3_crypt});
+die unless $out =~ m#\A0\s+\d+\s+crypt\s+aes-cbc-essiv:sha256\s+[0-9a-f]{64}\s#;
+
+# make sure hardware acceleration for AES isn't available
+$out = shell(q{cat /proc/crypto});
+die unless $out =~ m#^name\s*:.*\baes\b#mi;
+die if $out =~ m#^(?:name|driver)\s*:.*\b__(?:.*\b)?aes\b#mi;
+
+QMP::quit();
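Review bot: The `die unless ...` checks on lines 68-70, 79, 83 and 84 die without a message, so a failing run reports only a line number; a short message naming the expectation would make failures diagnosable, e.g. `die "unexpected lsblk output:\n$out" unless $out =~ m#^`-vda3_crypt\s+crypt\s*$#m;`. The check on line 79 must not echo `$out` in its message, because `dmsetup table --showkeys` prints the volume key in hex; `die "unexpected cipher or key size in the dm-crypt table"` is enough there. The script also carries no `use strict; use warnings;` of its own, which is fine only if `CryptrootTest::Mock->import` enables them for the caller; otherwise they belong right after the shebang. The comment on line 65 reads "help by" and should say "held by".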
diff --git a/debian/tests/cryptroot-legacy.d/preinst b/debian/tests/cryptroot-legacy.d/preinst
new file mode 100644
index 0000000..ee76481
--- /dev/null
+++ b/debian/tests/cryptroot-legacy.d/preinst
@@ -0,0 +1,14 @@
+cat >/etc/crypttab <<-EOF
+ vda3_crypt UUID=$(blkid -s UUID -o value /dev/vda3) none luks,discard
+EOF
+
+cat >/etc/fstab <<-EOF
+ /dev/cryptvg/root / auto errors=remount-ro 0 1
+ /dev/cryptvg/swap none swap sw 0 0
+ UUID=$(blkid -s UUID -o value /dev/vda2) /boot auto defaults 0 2
+EOF
+
+# explicitely set MODULES=dep (yes it's the default, but doesn't hurt)
+echo "MODULES=dep" >/etc/initramfs-tools/conf.d/modules
+
+# vim: set filetype=sh :
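Review bot: The `$(blkid ...)` substitutions inside the heredocs on lines 94 and 100 are not checked, so if blkid fails or prints nothing, crypttab and fstab are silently written with an empty `UUID=` and the problem only surfaces at boot time; a non-zero status inside a heredoc expansion does not abort the `cat`, even under `set -e`. Capturing the value first fails early instead: `vda3_uuid="$(blkid -s UUID -o value /dev/vda3)"` followed by `[ -n "$vda3_uuid" ]`, then interpolate `$vda3_uuid` in the heredoc (same for `/dev/vda2`). Whether the harness runs these snippets with `set -e` is not visible in this hunk. The comment on line 103 spells "explicitely"; it should be "explicitly".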
diff --git a/debian/tests/cryptroot-legacy.d/setup b/debian/tests/cryptroot-legacy.d/setup
new file mode 100644
index 0000000..c7ab31f
--- /dev/null
+++ b/debian/tests/cryptroot-legacy.d/setup
@@ -0,0 +1,46 @@
+# LVM-on-LUKS2 layout from an old system: pre-2013 cryptsetup defaults,
+# no AES hardware acceleration (and MODULES=dep)
+
+sfdisk --append /dev/vda <<-EOF
+ unit: sectors
+
+ start=$((64*1024*2)), size=$((128*1024*2)), type=${GUID_TYPE_Linux_FS}
+ start=$(((64+128)*1024*2)), type=${GUID_TYPE_LUKS}
+EOF
+udevadm settle
+
+# Use pre-2013 (<1.6.0) defaults: LUKS1, aes-cbc-essiv:sha256 cipher, 256bits key
+# <1.6.0 default hash was sha1 but we use legacy hash ripemd160 here to test OpenSSL's
+# legacy.so
+echo -n "topsecret" >/rootfs.key
+cryptsetup luksFormat --batch-mode \
+ --key-file=/rootfs.key \
+ --type=luks1 \
+ --pbkdf-force-iterations=1000 \
+ --cipher="aes-cbc-essiv:sha256" \
+ --hash="ripemd160" \
+ --key-size=256 \
+ -- /dev/vda3
+cryptsetup luksOpen --key-file=/rootfs.key --allow-discards \
+ -- /dev/vda3 "vda3_crypt"
+udevadm settle
+
+lvm pvcreate /dev/mapper/vda3_crypt
+lvm vgcreate "cryptvg" /dev/mapper/vda3_crypt
+lvm lvcreate -Zn --size 64m --name "swap" "cryptvg"
+lvm lvcreate -Zn -l100%FREE --name "root" "cryptvg"
+lvm vgchange -ay "cryptvg"
+lvm vgmknodes
+udevadm settle
+
+mke2fs -Ft ext4 /dev/cryptvg/root
+mount -t ext4 /dev/cryptvg/root "$ROOT"
+
+mkdir "$ROOT/boot"
+mke2fs -Ft ext2 -m0 /dev/vda2
+mount -t ext2 /dev/vda2 "$ROOT/boot"
+
+mkswap /dev/cryptvg/swap
+swapon /dev/cryptvg/swap
+
+# vim: set filetype=sh :
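Review bot: The passphrase file written to `/rootfs.key` on line 127 is created with the default umask and is never removed after the `cryptsetup luksOpen` on lines 136-137, nor in the companion `bottom` script; since the value is the fixed test passphrase this is tidiness rather than secrecy, but `rm -f /rootfs.key` right after the luksOpen keeps the environment clean (whether `/` here ends up inside the built image is not visible from this hunk). Alternatively cryptsetup can read the key from stdin with `--key-file=-`, which avoids the file altogether. The comment block on lines 124-126 explains the cipher and hash choices well, but `--pbkdf-force-iterations=1000` on line 131 deserves a word too, e.g. `# deliberately low iteration count: this is a test key, keep unlocking fast`, so nobody later "fixes" it upward or copies it into real setup code.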