Rework TEST-86-MULTI-PROFILE-UKI

Now that mkosi supports generating UKI profiles, let's make use of that to generate the UKI profiles required for the test instead of doing it within the test itself.
2024-11-23 02:03:37 +08:00 · 2024-10-04 16:46:16 +02:00 · 2024-10-04 16:46:16 +02:00 · 977fc93603
commit 977fc93603
parent 922fe8b91d
5 changed files with 40 additions and 43 deletions
--- a/mkosi.conf
+++ b/mkosi.conf
@ -33,9 +33,8 @@ CacheDirectory=build/mkosi.cache
 BuildSourcesEphemeral=yes
 Incremental=yes

-# TODO: Remove when TEST-70-TPM doesn't fail in an image with signed PCRs anymore.
 [Validation]
-SignExpectedPcr=no
+SignExpectedPcr=yes

 [Content]
 ExtraTrees=
--- a/mkosi.uki-profiles/profile1.conf
+++ b/mkosi.uki-profiles/profile1.conf
@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[UKIProfile]
+Profile=
+        ID=profile1
+        TITLE=Profile Two
+Cmdline=testprofile1=1
--- a/mkosi.uki-profiles/profile2.conf
+++ b/mkosi.uki-profiles/profile2.conf
@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[UKIProfile]
+Profile=
+        ID=profile2
+        TITLE=Profile Two
+Cmdline=testprofile2=1
--- a/test/TEST-86-MULTI-PROFILE-UKI/meson.build
+++ b/test/TEST-86-MULTI-PROFILE-UKI/meson.build
@ -6,6 +6,5 @@ integration_tests += [
                'storage' : 'persistent',
                'vm' : true,
                'firmware' : 'auto',
-                'enabled' : false,
        },
 ]
--- a/test/units/TEST-86-MULTI-PROFILE-UKI.sh
+++ b/test/units/TEST-86-MULTI-PROFILE-UKI.sh
@ -25,57 +25,42 @@ fi
 echo "CURRENT EVENT LOG + PCRS:"
 /usr/lib/systemd/systemd-pcrlock

-if test ! -f /run/systemd/stub/profile; then
-    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out /root/pcrsign.private.pem
-    openssl rsa -pubout -in /root/pcrsign.private.pem -out /root/pcrsign.public.pem
+test -f /run/systemd/stub/profile

-    ukify build --extend="$CURRENT_UKI" --output=/tmp/extended0.efi --profile='ID=profile0
-TITLE="Profile Zero"' --measure-base="$CURRENT_UKI" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
+# shellcheck source=/dev/null
+. /run/systemd/stub/profile

-    ukify build --extend=/tmp/extended0.efi --output=/tmp/extended1.efi --profile='ID=profile1
-TITLE="Profile One"' --measure-base=/tmp/extended0.efi --cmdline="testprofile1=1 $(cat /proc/cmdline)" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
+if [[ "$ID" == "main" ]]; then
+    if [[ -f /root/encrypted.raw ]]; then
+        exit 1
+    fi

-    ukify build --extend=/tmp/extended1.efi --output=/tmp/extended2.efi --profile='ID=profile2
-TITLE="Profile Two"' --measure-base=/tmp/extended1.efi --cmdline="testprofile2=1 $(cat /proc/cmdline)" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
-
-    echo "EXTENDED UKI:"
-    ukify inspect /tmp/extended2.efi
-    rm /tmp/extended0.efi /tmp/extended1.efi
-    mv /tmp/extended2.efi "$CURRENT_UKI"
-
-    # Prepare a disk image, locked to the PCR measurements of the UKI we just generated
+    # Prepare a disk image, locked to the PCR measurements of the current UKI
    truncate -s 32M /root/encrypted.raw
    echo -n "geheim" >/root/encrypted.secret
    cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom /root/encrypted.raw --key-file=/root/encrypted.secret
-    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --tpm2-public-key=/root/pcrsign.public.pem --unlock-key-file=/root/encrypted.secret /root/encrypted.raw
+    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --unlock-key-file=/root/encrypted.secret /root/encrypted.raw
    rm -f /root/encrypted.secret
+fi

+# Validate that with the current profile we can fulfill the PCR 11 policy
+systemd-cryptsetup attach multiprof /root/encrypted.raw - tpm2-device=auto,headless=1
+systemd-cryptsetup detach multiprof
+
+if [[ "$ID" == "main" ]]; then
+    bootctl set-default "$(basename "$CURRENT_UKI")@profile1"
    reboot
    exit 0
+elif [[ "$ID" == "profile1" ]]; then
+    grep testprofile1=1 /proc/cmdline
+    bootctl set-default "$(basename "$CURRENT_UKI")@profile2"
+    reboot
+    exit 0
+elif [[ "$ID" == "profile2" ]]; then
+    grep testprofile2=1 /proc/cmdline
+    rm /root/encrypted.raw
 else
-    # shellcheck source=/dev/null
-    . /run/systemd/stub/profile
-
-    # Validate that with the current profile we can fulfill the PCR 11 policy
-    systemd-cryptsetup attach multiprof /root/encrypted.raw - tpm2-device=auto,headless=1
-    systemd-cryptsetup detach multiprof
-
-    if [ "$ID" = "profile0" ]; then
-        grep -v testprofile /proc/cmdline
-        echo "default $(basename "$CURRENT_UKI")@profile1" >"$(bootctl -p)/loader/loader.conf"
-        reboot
-        exit 0
-    elif [ "$ID" = "profile1" ]; then
-        grep testprofile1=1 /proc/cmdline
-        echo "default $(basename "$CURRENT_UKI")@profile2" >"$(bootctl -p)/loader/loader.conf"
-        reboot
-        exit 0
-    elif [ "$ID" = "profile2" ]; then
-        grep testprofile2=1 /proc/cmdline
-        rm /root/encrypted.raw
-    else
-        exit 1
-    fi
+    exit 1
 fi

 touch /testok