Unverified Commit 928181b5 authored by rnhmjoj

nixos/tests/installer: add full disk encryption test

This tests a common full disk encryption setup:
https://gist.github.com/ladinu/bfebdd90a5afd45dec811296016b2a3f
parent 9fc47e6d
+50 −2
@@ -150,8 +150,7 @@ let
          )

      with subtest("Shutdown system after installation"):
          machine.succeed("umount /mnt/boot || true")
          machine.succeed("umount /mnt")
          machine.succeed("umount -R /mnt")
          machine.succeed("sync")
          machine.shutdown()

@@ -672,6 +671,55 @@ in {
    '';
  };

  # Full disk encryption (root, kernel and initrd encrypted) using GRUB, GPT/UEFI,
  # LVM-on-LUKS and a keyfile in initrd.secrets to enter the passphrase once
  fullDiskEncryption = makeInstallerTest "fullDiskEncryption" {
    createPartitions = ''
      machine.succeed(
          "flock /dev/vda parted --script /dev/vda -- mklabel gpt"
          + " mkpart ESP fat32 1M 100MiB"  # /boot/efi
          + " set 1 boot on"
          + " mkpart primary ext2 1024MiB -1MiB",  # LUKS
          "udevadm settle",
          "modprobe dm_mod dm_crypt",
          "dd if=/dev/random of=luks.key bs=256 count=1",
          "echo -n supersecret | cryptsetup luksFormat -q --pbkdf-force-iterations 1000 --type luks1 /dev/vda2 -",
          "echo -n supersecret | cryptsetup luksAddKey -q --pbkdf-force-iterations 1000 --key-file - /dev/vda2 luks.key",
          "echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vda2 crypt",
          "pvcreate /dev/mapper/crypt",
          "vgcreate crypt /dev/mapper/crypt",
          "lvcreate -L 100M -n swap crypt",
          "lvcreate -l '100%FREE' -n nixos crypt",
          "mkfs.vfat -n efi /dev/vda1",
          "mkfs.ext4 -L nixos /dev/crypt/nixos",
          "mkswap -L swap /dev/crypt/swap",
          "mount LABEL=nixos /mnt",
          "mkdir -p /mnt/{etc/nixos,boot/efi}",
          "mount LABEL=efi /mnt/boot/efi",
          "swapon -L swap",
          "mv luks.key /mnt/etc/nixos/"
      )
    '';
    bootLoader = "grub";
    grubUseEfi = true;
    extraConfig = ''
      boot.loader.grub.enableCryptodisk = true;
      boot.loader.efi.efiSysMountPoint = "/boot/efi";

      boot.initrd.secrets."/luks.key" = ./luks.key;
      boot.initrd.luks.devices.crypt =
        { device  = "/dev/vda2";
          keyFile = "/luks.key";
        };
    '';
    enableOCR = true;
    preBootCommands = ''
      machine.start()
      machine.wait_for_text("Enter passphrase for")
      machine.send_chars("supersecret\n")
    '';
  };

  swraid = makeInstallerTest "swraid" {
    createPartitions = ''
      machine.succeed(
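Review bot: The keyfile handling in `createPartitions` of `fullDiskEncryption` should be tightened, since installer tests tend to be copied as reference setups. `dd if=/dev/random of=luks.key bs=256 count=1` has no `iflag=fullblock`, so a short read would silently yield a key shorter than 256 bytes, and on kernels where `/dev/random` blocks a low-entropy VM could stall; `"dd if=/dev/urandom of=luks.key bs=256 count=1 iflag=fullblock",` avoids both. The file is also created under the default umask and moved to `/mnt/etc/nixos/` with no mode change, so it is presumably readable by every local user of the installed system; adding `"chmod 0400 /mnt/etc/nixos/luks.key"` after the `mv` would restrict it to root. A comment such as `# luks1 and --pbkdf-force-iterations 1000 are test-only settings; do not reuse them on a real system` would flag the weak KDF parameters, which presumably exist for test speed and GRUB's LUKS support.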