Diffstat (limited to '')
l--------- | debian/tests/cryptroot-legacy | 1 | ||||
-rw-r--r-- | debian/tests/cryptroot-legacy.d/bottom | 9 | ||||
-rw-r--r-- | debian/tests/cryptroot-legacy.d/config | 14 | ||||
-rwxr-xr-x | debian/tests/cryptroot-legacy.d/mock | 32 | ||||
-rw-r--r-- | debian/tests/cryptroot-legacy.d/preinst | 14 | ||||
-rw-r--r-- | debian/tests/cryptroot-legacy.d/setup | 46 |
6 files changed, 116 insertions, 0 deletions
diff --git a/debian/tests/cryptroot-legacy b/debian/tests/cryptroot-legacy
new file mode 120000
index 0000000..2e34c2d
--- /dev/null
+++ b/debian/tests/cryptroot-legacy
@@ -0,0 +1 @@
+utils/cryptroot-common
\ No newline at end of file
diff --git a/debian/tests/cryptroot-legacy.d/bottom b/debian/tests/cryptroot-legacy.d/bottom
new file mode 100644
index 0000000..8bf492f
--- /dev/null
+++ b/debian/tests/cryptroot-legacy.d/bottom
@@ -0,0 +1,9 @@
+umount "$ROOT/boot"
+umount "$ROOT"
+
+swapoff /dev/cryptvg/swap
+lvm vgchange -an "cryptvg"
+
+cryptsetup close "vda3_crypt"
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-legacy.d/config b/debian/tests/cryptroot-legacy.d/config
new file mode 100644
index 0000000..cff461c
--- /dev/null
+++ b/debian/tests/cryptroot-legacy.d/config
@@ -0,0 +1,14 @@
+PKGS_EXTRA+=( e2fsprogs ) # for fsck.ext4
+PKGS_EXTRA+=( lvm2 )
+PKGS_EXTRA+=( cryptsetup-initramfs )
+
+# disable AES and SHA instructions
+if [[ "$QEMU_CPU_MODEL" =~ ^(.*),\+aes(,.*)?$ ]]; then
+ QEMU_CPU_MODEL="${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
+fi
+if [[ "$QEMU_CPU_MODEL" =~ ^(.*),\+sha-ni(,.*)?$ ]]; then
+ QEMU_CPU_MODEL="${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
+fi
+QEMU_CPU_MODEL="$QEMU_CPU_MODEL,-aes,-sha-ni"
+
+# vim: set filetype=bash :
diff --git a/debian/tests/cryptroot-legacy.d/mock b/debian/tests/cryptroot-legacy.d/mock
new file mode 100755
index 0000000..b3b7d26
--- /dev/null
+++ b/debian/tests/cryptroot-legacy.d/mock
@@ -0,0 +1,32 @@
+#!/usr/bin/perl -T
+
+BEGIN {
+ require "./debian/tests/utils/mock.pm";
+ CryptrootTest::Mock::->import();
+}
+
+unlock_disk("topsecret");
+login("root");
+
+# make sure the root FS and swap are help by dm-crypt devices
+shell(q{cryptsetup luksOpen --test-passphrase /dev/vda3 <<<topsecret}, rv => 0);
+my $out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda3});
+die unless $out =~ m#^`-vda3_crypt\s+crypt\s*$#m;
+die unless $out =~ m#^\s{2}[`|]-cryptvg-root\s+lvm\s+/\s*$#m;
+die unless $out =~ m#^\s{2}[`|]-cryptvg-swap\s+lvm\s+\[SWAP\]\s*$#m;
+
+# assume MODULES=dep won't add too many modules
+# XXX lsinitramfs doesn't work on /initrd.img with COMPRESS=zstd, cf. #1015954
+$out = shell(q{lsinitramfs /boot/initrd.img-`uname -r` | grep -Ec "^(usr/)?lib/modules/.*\.ko(\.[a-z]+)?$"});
+die "$out == 0 or $out > 50" unless $out =~ s/\r?\n\z// and $out =~ /\A([0-9]+)\z/ and $out > 0 and $out <= 50;
+
+# check cipher and key size
+$out = shell(q{dmsetup table --target crypt --showkeys vda3_crypt});
+die unless $out =~ m#\A0\s+\d+\s+crypt\s+aes-cbc-essiv:sha256\s+[0-9a-f]{64}\s#;
+
+# make sure hardware acceleration for AES isn't available
+$out = shell(q{cat /proc/crypto});
+die unless $out =~ m#^name\s*:.*\baes\b#mi;
+die if $out =~ m#^(?:name|driver)\s*:.*\b__(?:.*\b)?aes\b#mi;
+
+QMP::quit();
diff --git a/debian/tests/cryptroot-legacy.d/preinst b/debian/tests/cryptroot-legacy.d/preinst
new file mode 100644
index 0000000..ee76481
--- /dev/null
+++ b/debian/tests/cryptroot-legacy.d/preinst
@@ -0,0 +1,14 @@
+cat >/etc/crypttab <<-EOF
+ vda3_crypt UUID=$(blkid -s UUID -o value /dev/vda3) none luks,discard
+EOF
+
+cat >/etc/fstab <<-EOF
+ /dev/cryptvg/root / auto errors=remount-ro 0 1
+ /dev/cryptvg/swap none swap sw 0 0
+ UUID=$(blkid -s UUID -o value /dev/vda2) /boot auto defaults 0 2
+EOF
+
+# explicitely set MODULES=dep (yes it's the default, but doesn't hurt)
+echo "MODULES=dep" >/etc/initramfs-tools/conf.d/modules
+
+# vim: set filetype=sh :
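Review bot: The bare `die unless $out =~ m#...#` checks after the lsblk, dmsetup and /proc/crypto calls fail with nothing but "Died at ... line N", so a broken run gives no hint of what the guest actually printed; each should carry the captured output, e.g. `die "unexpected lsblk output:\n$out" unless $out =~ m#^`-vda3_crypt\s+crypt\s*$#m;`, and likewise for the dmsetup and /proc/crypto checks. The config hunk strips `+sha-ni` together with `+aes`, but the final block only proves that no `__…aes` driver is registered; nothing verifies that SHA-NI is absent, which matters here because the ESSIV is keyed with sha256 — if the intent is to cover both, a parallel check on the `driver` line, presumably something like `die if $out =~ m#^driver\s*:\s*sha(?:1|256)-ni\b#m;`, would close that gap. The comment on the lsblk block reads "are help by dm-crypt devices"; it should be "held by".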
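Review bot: In the crypttab heredoc the `$(blkid -s UUID -o value /dev/vda3)` substitution is never checked, so if blkid fails or prints nothing the file is written with an empty `UUID=` and the problem only surfaces later as an unlock failure in the guest; a command substitution inside a heredoc does not trip `set -e` even if the harness enables it (the harness is not visible from here). Capture the value first, `uuid=$(blkid -s UUID -o value /dev/vda3) && [ -n "$uuid" ] || exit 1`, and interpolate `$uuid` in the heredoc; the same applies to the /dev/vda2 lookup in the fstab heredoc. The comment "explicitely set MODULES=dep" should read "explicitly".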
diff --git a/debian/tests/cryptroot-legacy.d/setup b/debian/tests/cryptroot-legacy.d/setup
new file mode 100644
index 0000000..c7ab31f
--- /dev/null
+++ b/debian/tests/cryptroot-legacy.d/setup
@@ -0,0 +1,46 @@
+# LVM-on-LUKS2 layout from an old system: pre-2013 cryptsetup defaults,
+# no AES hardware acceleration (and MODULES=dep)
+
+sfdisk --append /dev/vda <<-EOF
+ unit: sectors
+
+ start=$((64*1024*2)), size=$((128*1024*2)), type=${GUID_TYPE_Linux_FS}
+ start=$(((64+128)*1024*2)), type=${GUID_TYPE_LUKS}
+EOF
+udevadm settle
+
+# Use pre-2013 (<1.6.0) defaults: LUKS1, aes-cbc-essiv:sha256 cipher, 256bits key
+# <1.6.0 default hash was sha1 but we use legacy hash ripemd160 here to test OpenSSL's
+# legacy.so
+echo -n "topsecret" >/rootfs.key
+cryptsetup luksFormat --batch-mode \
+ --key-file=/rootfs.key \
+ --type=luks1 \
+ --pbkdf-force-iterations=1000 \
+ --cipher="aes-cbc-essiv:sha256" \
+ --hash="ripemd160" \
+ --key-size=256 \
+ -- /dev/vda3
+cryptsetup luksOpen --key-file=/rootfs.key --allow-discards \
+ -- /dev/vda3 "vda3_crypt"
+udevadm settle
+
+lvm pvcreate /dev/mapper/vda3_crypt
+lvm vgcreate "cryptvg" /dev/mapper/vda3_crypt
+lvm lvcreate -Zn --size 64m --name "swap" "cryptvg"
+lvm lvcreate -Zn -l100%FREE --name "root" "cryptvg"
+lvm vgchange -ay "cryptvg"
+lvm vgmknodes
+udevadm settle
+
+mke2fs -Ft ext4 /dev/cryptvg/root
+mount -t ext4 /dev/cryptvg/root "$ROOT"
+
+mkdir "$ROOT/boot"
+mke2fs -Ft ext2 -m0 /dev/vda2
+mount -t ext2 /dev/vda2 "$ROOT/boot"
+
+mkswap /dev/cryptvg/swap
+swapon /dev/cryptvg/swap
+
+# vim: set filetype=sh : |
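Review bot: The header comment says "LVM-on-LUKS2 layout" while the luksFormat call below passes `--type=luks1` (and the comment above it correctly names LUKS1 as the pre-1.6.0 default), so the first line should read `# LVM-on-LUKS1 layout from an old system: pre-2013 cryptsetup defaults,`. The passphrase is written to `/rootfs.key` with whatever the current umask allows and, as far as this series shows, never removed after luksOpen — `bottom` does not touch it; adding `rm -f /rootfs.key` right after the `cryptsetup luksOpen` command keeps the key file from lingering in the build environment, even though it only holds the test secret. `--pbkdf-force-iterations=1000` also deserves a why-comment, since it is far below cryptsetup's default and a reader may take it for part of the legacy profile rather than a test-speed choice; `# low iteration count only to keep the test fast` presumably captures the intent.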