Diffstat (limited to 'debian/tests/cryptroot-sysvinit.d')
-rw-r--r--debian/tests/cryptroot-sysvinit.d/bottom9
-rw-r--r--debian/tests/cryptroot-sysvinit.d/config5
-rwxr-xr-xdebian/tests/cryptroot-sysvinit.d/mock31
-rw-r--r--debian/tests/cryptroot-sysvinit.d/postinst15
-rw-r--r--debian/tests/cryptroot-sysvinit.d/preinst16
-rw-r--r--debian/tests/cryptroot-sysvinit.d/setup43
6 files changed, 119 insertions, 0 deletions
diff --git a/debian/tests/cryptroot-sysvinit.d/bottom b/debian/tests/cryptroot-sysvinit.d/bottom
new file mode 100644
index 0000000..13d5190
--- /dev/null
+++ b/debian/tests/cryptroot-sysvinit.d/bottom
@@ -0,0 +1,9 @@
+umount "$ROOT/boot"
+umount "$ROOT"
+
+swapoff /dev/mapper/vda4_crypt
+
+cryptsetup close "vda4_crypt"
+cryptsetup close "vda5_crypt"
+
+# vim: set filetype=sh :
diff --git a/debian/tests/cryptroot-sysvinit.d/config b/debian/tests/cryptroot-sysvinit.d/config
new file mode 100644
index 0000000..f6b7392
--- /dev/null
+++ b/debian/tests/cryptroot-sysvinit.d/config
@@ -0,0 +1,5 @@
+PKGS_EXTRA+=( e2fsprogs ) # for fsck.ext4
+PKGS_EXTRA+=( cryptsetup-initramfs cryptsetup )
+PKG_INIT="sysvinit-core"
+
+# vim: set filetype=bash :
diff --git a/debian/tests/cryptroot-sysvinit.d/mock b/debian/tests/cryptroot-sysvinit.d/mock
new file mode 100755
index 0000000..b729022
--- /dev/null
+++ b/debian/tests/cryptroot-sysvinit.d/mock
@@ -0,0 +1,31 @@
+#!/usr/bin/perl -T
+
+BEGIN {
+ require "./debian/tests/utils/mock.pm";
+ CryptrootTest::Mock::->import();
+}
+
+unlock_disk("topsecret");
+login("root");
+
+# make sure the root FS, swap, and /home are help by dm-crypt devices
+shell(q{cryptsetup luksOpen --test-passphrase /dev/vda5 <<<topsecret}, rv => 0);
+my $out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda3});
+die unless $out =~ m#\Avda3\s.*\r?\n^`-vda3_crypt\s+crypt\s+/home\s*\r?\n\z#m;
+
+$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda4});
+die unless $out =~ m#\Avda4\s.*\r?\n^`-vda4_crypt\s+crypt\s+\[SWAP\]\s*\r?\n\z#m;
+
+$out = shell(q{lsblk -in -oNAME,TYPE,MOUNTPOINT /dev/vda5});
+die unless $out =~ m#\Avda5\s.*\r?\n^`-vda5_crypt\s+crypt\s+/\s*\r?\n\z#m;
+
+# make sure only vda5 is processed at initramfs stage
+# XXX unmkinitramfs doesn't work on /initrd.img with COMPRESS=zstd, cf. #1015954
+shell(q{unmkinitramfs /boot/initrd.img-`uname -r` /tmp/initramfs});
+shell(q{grep -E '^vd\S+_crypt\s' </tmp/initramfs/cryptroot/crypttab >/tmp/out});
+shell(q{grep -E '^vda5_crypt\s' </tmp/out}, rv => 0);
+shell(q{grep -Ev '^vda5_crypt\s' </tmp/out}, rv => 1);
+
+# don't use QMP::quit() here since we want to run our init scripts in
+# shutdown phase
+poweroff();
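Review bot: The initramfs check at the end of the script only greps `cryptroot/crypttab`, so it would still pass if the key file for vda3 (/etc/homefs.key) were copied into the image, and in this layout /boot sits on the unencrypted vda2. An extra assertion that the extracted /tmp/initramfs tree contains no key material would cover that; the hook's destination path is not visible in this diff, so the exact test has to be written against it. Separately, the `unmkinitramfs` call and the first `grep -E` pass no `rv => 0`, so if shell() does not check the exit status by default, an extraction failure like the one in the XXX comment only surfaces indirectly at the next grep. The three bare `die unless` lines would be easier to triage as `die "unexpected lsblk output: $out" unless $out =~ ...;`, and the first comment has a typo ("help by" for "held by").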
diff --git a/debian/tests/cryptroot-sysvinit.d/postinst b/debian/tests/cryptroot-sysvinit.d/postinst
new file mode 100644
index 0000000..d65e21d
--- /dev/null
+++ b/debian/tests/cryptroot-sysvinit.d/postinst
@@ -0,0 +1,15 @@
+install -m0600 /dev/null /etc/homefs.key
+head -c512 /dev/urandom >/etc/homefs.key
+cryptsetup luksFormat --batch-mode \
+ --key-file=/etc/homefs.key \
+ --type=luks2 \
+ --pbkdf=argon2id \
+ --pbkdf-force-iterations=4 \
+ --pbkdf-memory=32 \
+ -- /dev/vda3
+cryptsetup luksOpen --key-file=/etc/homefs.key --allow-discards \
+ -- /dev/vda3 "vda3_crypt"
+mke2fs -Ft ext4 /dev/mapper/vda3_crypt
+cryptsetup close "vda3_crypt"
+
+# vim: set filetype=sh :
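Review bot: The `--pbkdf-force-iterations=4` and `--pbkdf-memory=32` options pin Argon2id to a very low cost, and nothing in the file says this is done only to keep the test fast. Here the key is 512 random bytes, so the cost matters little, but the same options appear in the `setup` hunk, where the key is the short passphrase written to /rootfs.key. A comment above both luksFormat calls would stop the values being copied into real provisioning scripts, for example `# minimal Argon2id cost to keep the test fast; not suitable for real volumes`.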
diff --git a/debian/tests/cryptroot-sysvinit.d/preinst b/debian/tests/cryptroot-sysvinit.d/preinst
new file mode 100644
index 0000000..05157ca
--- /dev/null
+++ b/debian/tests/cryptroot-sysvinit.d/preinst
@@ -0,0 +1,16 @@
+cat >/etc/crypttab <<-EOF
+ vda3_crypt /dev/vda3 /etc/homefs.key luks,discard
+ vda4_crypt /dev/vda4 /dev/urandom plain,cipher=aes-xts-plain64,size=256,discard,swap
+ vda5_crypt UUID=$(blkid -s UUID -o value /dev/vda5) none luks,discard
+EOF
+
+cat >/etc/fstab <<-EOF
+ /dev/mapper/vda3_crypt /home auto defaults 0 2
+ /dev/mapper/vda4_crypt none swap sw 0 0
+ /dev/mapper/vda5_crypt / auto errors=remount-ro 0 1
+ UUID=$(blkid -s UUID -o value /dev/vda2) /boot auto defaults 0 2
+EOF
+
+echo "RESUME=none" >/etc/initramfs-tools/conf.d/resume
+
+# vim: set filetype=sh :
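Review bot: Both `$(blkid -s UUID -o value ...)` substitutions are expanded inside the here-documents, where an empty or failing blkid goes unnoticed, so crypttab or fstab would be written with a bare `UUID=` and the error would only show up later as a boot failure. Resolving the values first makes the failure immediate, e.g. `root_uuid=$(blkid -s UUID -o value /dev/vda5)` followed by `[ -n "$root_uuid" ] || exit 1`, and the same for /dev/vda2. Whether `exit` or `return` is appropriate depends on how the harness runs this fragment, which the hunk does not show.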
diff --git a/debian/tests/cryptroot-sysvinit.d/setup b/debian/tests/cryptroot-sysvinit.d/setup
new file mode 100644
index 0000000..f8598a6
--- /dev/null
+++ b/debian/tests/cryptroot-sysvinit.d/setup
@@ -0,0 +1,43 @@
+# Separate encrypted root FS and /home partitions, and transient swap --
+# the latter two are not unlocked at initramfs stage but later in the
+# boot process. This environment also uses sysvinit as PID1 so we can
+# test our init scripts.
+
+sfdisk --append /dev/vda <<-EOF
+ unit: sectors
+
+ start=$((64*1024*2)), size=$((128*1024*2)), type=${GUID_TYPE_Linux_FS}
+ start=$(((64+128)*1024*2)), size=$((64*1024*2)), type=${GUID_TYPE_LUKS}
+ start=$(((64+128+64)*1024*2)), size=$((64*1024*2)), type=${GUID_TYPE_DMCRYPT}
+ start=$(((64+128+64+64)*1024*2)), type=${GUID_TYPE_LUKS}
+EOF
+udevadm settle
+
+# initialize a new LUKS partition and open it
+echo -n "topsecret" >/rootfs.key
+cryptsetup luksFormat --batch-mode \
+ --key-file=/rootfs.key \
+ --type=luks2 \
+ --pbkdf=argon2id \
+ --pbkdf-force-iterations=4 \
+ --pbkdf-memory=32 \
+ -- /dev/vda5
+cryptsetup luksOpen --key-file=/rootfs.key --allow-discards \
+ -- /dev/vda5 "vda5_crypt"
+udevadm settle
+
+cryptsetup open --type=plain --key-file=/dev/urandom --allow-discards \
+ -- /dev/vda4 "vda4_crypt"
+udevadm settle
+
+mke2fs -Ft ext4 /dev/mapper/vda5_crypt
+mount -t ext4 /dev/mapper/vda5_crypt "$ROOT"
+
+mkdir "$ROOT/boot"
+mke2fs -Ft ext2 -m0 /dev/vda2
+mount -t ext2 /dev/vda2 "$ROOT/boot"
+
+mkswap /dev/mapper/vda4_crypt
+swapon /dev/mapper/vda4_crypt
+
+# vim: set filetype=sh :
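Review bot: The passphrase file /rootfs.key is created by `echo -n "topsecret" >/rootfs.key` under whatever umask is in effect, and neither this hunk nor `bottom` removes it, whereas `postinst` pre-creates its key file with `install -m0600 /dev/null`. For consistency, create it the same way with `install -m0600 /dev/null /rootfs.key` before writing, and add `rm -f /rootfs.key` once luksOpen has succeeded. `printf %s topsecret` is also more portable than `echo -n` in a file marked `filetype=sh`. The fixed passphrase is fine for a throwaway test image, but a one-line comment saying so would help.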