From patchwork Thu Jan 11 17:32:13 2024
X-Patchwork-Submitter: Tomas Volf <~@wolfsden.cz>
X-Patchwork-Id: 58795
Subject: [bug#65002] [PATCH 3/6] tests: Add `encrypted-home-os-key-file' installation test.
To: 65002@debbugs.gnu.org
Cc: Tomas Volf <~@wolfsden.cz>
From: Tomas Volf <~@wolfsden.cz>
Date: Thu, 11 Jan 2024 18:32:13 +0100
X-Mailer: git-send-email 2.41.0

Based on encrypted-home-os, this test verifies unlocking via a key file.

* gnu/tests/install.scm (%encrypted-home-os-key-file),
(%encrypted-home-os-key-file-source): New variables.
(%test-encrypted-home-os-key-file): New exported variable.
(%encrypted-home-installation-script): Generate initrd with a key file for
unlocking the LUKS.

Change-Id: I04460155284bdef7e18da645f2b4b26bd8e86636
---
 gnu/tests/install.scm | 74 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 73 insertions(+), 1 deletion(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index daa4647299..6794bca145 100644 --- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm @@ -35,6 +35,7 @@ (define-module (gnu tests install) #:use-module (gnu packages admin) #:use-module (gnu packages bootloaders) #:use-module (gnu packages commencement) ;for 'guile-final' + #:use-module (gnu packages cpio) #:use-module (gnu packages cryptsetup) #:use-module (gnu packages disk) #:use-module (gnu packages emacs) @@ -67,6 +68,7 @@ (define-module (gnu tests install) %test-raid-root-os %test-encrypted-root-os %test-encrypted-home-os + %test-encrypted-home-os-key-file %test-encrypted-root-not-boot-os %test-btrfs-root-os %test-btrfs-root-on-subvolume-os 
@@ -975,6 +977,18 @@ (define %encrypted-home-installation-script mkfs.ext4 -L root-fs /dev/vdb2 mkfs.ext4 -L home-fs /dev/mapper/the-home-device mount /dev/vdb2 /mnt + +# This script is used for both encrypted-home-os and encrypted-home-os-key-file +# tests. So we also add the keyfile here. +dd if=/dev/zero of=/key-file.bin bs=4096 count=1 +( cd /mnt; + echo /key-file.bin | cpio -oH newc > key-file.cpio + chmod 0000 key-file.cpio + mv /key-file.bin . +) +echo -n " %luks-passphrase " | \\ + cryptsetup luksAddKey --key-file - -i 1 /dev/vdb3 /mnt/key-file.bin + mkdir /mnt/home mount /dev/mapper/the-home-device /mnt/home df -h /mnt /mnt/home 
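Review bot: In the key-file block of this hunk, `chmod 0000` is applied only to `key-file.cpio`, while `/key-file.bin`, which holds the very same key bytes, is moved into /mnt with whatever default mode `dd` created it with; add `chmod 0000 key-file.bin` next to the existing chmod (GRUB reads the cpio archive regardless of its mode, so both files can stay 0000). The comment above `dd if=/dev/zero of=/key-file.bin bs=4096 count=1` should also say that a zero-filled key is acceptable only because this is a throwaway test image, so nobody copies the snippet as a template for a real system. Finally, the `cpio -oH newc` invocation archives the absolute name `/key-file.bin` (the leading slash is kept in the archive); a short note that this is intentional, so the extracted file lands at `/key-file.bin` where `#:key-file` in the OS declaration expects it, would save the next reader from wondering whether a relative path was meant.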
@@ -1018,11 +1032,69 @@ (define %test-encrypted-home-os (mlet* %store-monad ((images (run-install %encrypted-home-os %encrypted-home-os-source #:script - %encrypted-home-installation-script)) + %encrypted-home-installation-script + #:packages (list cpio))) (command (qemu-command* images))) (run-basic-test %encrypted-home-os command "encrypted-home-os" #:initialization enter-luks-passphrase-for-home))))) + +;;; +;;; LUKS-encrypted /home, unencrypted root. The unlock is done using a key +;;; file. +;;; +(define-os-with-source (%encrypted-home-os-key-file + %encrypted-home-os-key-file-source) + (use-modules (gnu) (gnu tests)) + + (operating-system + (host-name "cipherhome") + (timezone "Europe/Prague") + (locale "en_US.utf8") + + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (targets (list "/dev/vdb")) + (extra-initrd "/key-file.cpio"))) + (kernel-arguments '("console=ttyS0")) + + (mapped-devices (list (mapped-device + (source (uuid "12345678-1234-1234-1234-123456789abc")) + (target "the-home-device") + (type (luks-device-mapping-with-options + #:key-file "/key-file.bin"))))) + (file-systems (cons* (file-system + (device (file-system-label "root-fs")) + (mount-point "/") + (type "ext4")) + (file-system + (device (file-system-label "home-fs")) + (mount-point "/home") + (type "ext4") + (dependencies mapped-devices)) + %base-file-systems)) + (services (cons (service marionette-service-type + (marionette-configuration + (imported-modules '((gnu services herd) + (guix combinators))))) + %base-services)))) + +(define %test-encrypted-home-os-key-file + (system-test + (name "encrypted-home-os-key-file") + (description + "Test functionality of an OS installed with a LUKS /home partition with +unlock done using a key file") + (value + (mlet* %store-monad ((images (run-install %encrypted-home-os-key-file + %encrypted-home-os-key-file-source + #:script + %encrypted-home-installation-script + #:packages (list cpio))) + (command (qemu-command* images))) + 
(run-basic-test %encrypted-home-os-key-file + command "encrypted-home-os-key-file"))))) + ;;; ;;; LUKS-encrypted root file system and /boot in a non-encrypted partition.
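Review bot: The `description` string of `%test-encrypted-home-os-key-file` ends without a terminating period ("...with unlock done using a key file"); Guix system-test descriptions are full sentences, so end it with a period. Also, this test deliberately calls `run-basic-test` without the `#:initialization enter-luks-passphrase-for-home` that `%test-encrypted-home-os` passes just above, because the absence of a passphrase prompt is exactly the property under test; a one-line comment saying so would keep a future contributor from "fixing" it by adding the initialization back, which would mask a broken key-file unlock behind the passphrase fallback.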