add clevis tests

nix-community · Feb 27, 2024 · 208654b · 208654b
1 parent 19aec79
commit 208654b
Show file tree

Hide file tree

Showing 7 changed files with 124 additions and 18 deletions.
diff --git a/example/luks-clevis-tpm-interactive.nix b/example/luks-clevis-tpm-interactive.nix
@@ -0,0 +1,39 @@
+{
+  disko.devices = {
+    disk = {
+      vdb = {
+        type = "disk";
+        device = "/dev/vdb";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "crypted";
+                passwordFile = "/tmp/secret.key";
+                clevisPin = "tpm2";
+                settings.allowDiscards = true;
+                content = {
+                  type = "filesystem";
+                  format = "ext4";
+                  mountpoint = "/";
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/example/luks-clevis-tpm-only.nix b/example/luks-clevis-tpm-only.nix
@@ -0,0 +1,38 @@
+{
+  disko.devices = {
+    disk = {
+      vdb = {
+        type = "disk";
+        device = "/dev/vdb";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                type = "luks";
+                name = "crypted";
+                clevisPin = "tpm2";
+                settings.allowDiscards = true;
+                content = {
+                  type = "filesystem";
+                  format = "ext4";
+                  mountpoint = "/";
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -4,7 +4,8 @@
   # FIXME: in future we don't want lock here to give precedence to a USB live-installer's registry,
   # but garnix currently does not allow this.
   #inputs.nixpkgs.url = "nixpkgs";
-  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+  #inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+  inputs.nixpkgs.url = "github:zolfariot/nixpkgs/zolfa/initrd_clevis_luks";
 
   outputs = { self, nixpkgs, ... }:
     let

diff --git a/lib/tests.nix b/lib/tests.nix
@@ -86,7 +86,7 @@ let
         tsp-config = tsp-generator.config testConfigBooted;
         num-disks = builtins.length (lib.attrNames testConfigBooted.disko.devices.disk);
 
-        installed-system = { ... }: {
+        installed-system = { config, ... }: {
           imports = [
             (lib.optionalAttrs (testMode == "direct") tsp-config)
             (lib.optionalAttrs (testMode == "module") {
@@ -101,9 +101,10 @@ let
           # config for tests to make them run faster or work at all
           documentation.enable = false;
           hardware.enableAllFirmware = lib.mkForce false;
-          boot.initrd.preDeviceCommands = ''
+          boot.initrd.preDeviceCommands = lib.mkIf (!config.boot.initrd.systemd.enable) ''
             echo -n 'secretsecret' > /tmp/secret.key
           '';
+          boot.initrd.systemd.contents."/tmp/secret.key".text = lib.mkIf (config.boot.initrd.systemd.enable) "secretsecret";
           boot.consoleLogLevel = lib.mkForce 100;
           boot.loader.systemd-boot.enable = lib.mkDefault efi;
         };

diff --git a/lib/types/luks.nix b/lib/types/luks.nix
@@ -15,8 +15,11 @@ let
           + "Use passwordFile instead if you want to use interactive login or settings.keyFile if you want to use key file login")
         config.keyFile
     else if config.clevisPin != null
-    # use a temporary provisioning passphrase if clevis is the only unlocking method
-    then ''<(echo -n "clevisTempPassphrase")''
+    then
+      lib.warn
+        ("You are using clevisPin only without any passphrase or keyFile."
+          + "If you loose access to your pins the data on your disk will be lost")
+        ''<(echo -n "clevis-temp-passphrase")''
     else null;
   keyFileArgs = ''
     ${lib.optionalString (keyFile != null) "--key-file ${keyFile}"} \
@@ -61,7 +64,7 @@ in
     };
     askPassword = lib.mkOption {
       type = lib.types.bool;
-      default = config.keyFile == null && config.passwordFile == null && (! config.settings ? "keyFile");
+      default = config.keyFile == null && config.passwordFile == null && (! config.settings ? "keyFile") && (config.clevisPin == null);
       description = "Whether to ask for a password for initial encryption";
     };
     clevisPin = lib.mkOption {
@@ -108,7 +111,7 @@ in
     extraOpenArgs = lib.mkOption {
       type = lib.types.listOf lib.types.str;
       default = [ ];
-      description = "Extra arguments to pass to `cryptsetup luksOpen` when opening";
+      description = "Extra arguments to pass to `cryptsetup open` when opening";
       example = [ "--timeout 10" ];
     };
     content = diskoLib.deviceType { parent = config; device = "/dev/mapper/${config.name}"; };
@@ -128,7 +131,7 @@ in
       inherit config options;
       default = ''
         ${lib.optionalString config.askPassword ''
-          set +x
+          set -x
           askPassword() {
             echo "Enter password for ${config.device}: "
             IFS= read -r -s password
@@ -147,12 +150,13 @@ in
         ${toString (lib.forEach config.additionalKeyFiles (keyFile: ''
           cryptsetup luksAddKey ${config.device} ${keyFile} ${keyFileArgs}
         ''))}
+        ${lib.optionalString (config.clevisPin != null && keyFile != ''<(echo "clevis-temp-passphrase")'') ''
+          cryptsetup luksAddKey ${config.device} <(echo "clevis-temp-passphrase") ${keyFileArgs}
+        ''}
         ${lib.optionalString (config.clevisPin != null) ''
-          clevis luks bind -d ${config.device} ${config.clevisPin} '${config.clevisPinConfig}'
+          clevis luks bind -y -k - -d ${config.device} ${config.clevisPin} '${config.clevisPinConfig}' <<< clevis-temp-passphrase
+          cryptsetup luksRemoveKey ${config.device} <(echo "clevis-temp-passphrase")
         ''}
-        ${lib.optionalString (config.clevisPin != null && (! config.settings ? "keyFile") && (! config.askPassword) && (config.passwordFile == null) && (config.keyFile == null))
-        # Remove temporary provisioning passphrase if clevis is the only unlocking method
-        ''cryptsetup luksRemoveKey ${config.device} ${keyFile}''}
         ${lib.optionalString (config.content != null) config.content._create}
       '';
     };

diff --git a/tests/luks-clevis-tpm-interactive.nix b/tests/luks-clevis-tpm-interactive.nix
@@ -0,0 +1,23 @@
+{ pkgs ? import <nixpkgs> { }
+, diskoLib ? pkgs.callPackage ../lib { }
+}:
+diskoLib.testLib.makeDiskoTest {
+  inherit pkgs;
+  name = "luks-clevis-tpm-interactive";
+  disko-config = ../example/luks-clevis-tpm-interactive.nix;
+  extraInstallerConfig = {
+    # Currently luks-clevis only works with systemd in initrd
+    virtualisation.tpm.enable = true;
+  };
+  extraSystemConfig = {
+    boot.initrd.systemd.enable = true;
+  };
+  extraTestScript = ''
+    machine.succeed("cryptsetup isLuks /dev/vda2");
+  '';
+  bootCommands = ''
+    machine.wait_for_console_text("")
+    machine.wait_for_console_text("vda")
+    machine.send_console("secretsecret\n")
+  '';
+}