mirrors/systemd
0
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-23 02:03:37 +08:00
Code Issues Packages Projects Releases Wiki Activity

Rework TEST-86-MULTI-PROFILE-UKI

Browse Source 
Now that mkosi supports generating UKI profiles, let's make use of
that to generate the UKI profiles required for the test instead of
doing it within the test itself.
This commit is contained in:
Daan De Meyer 2024-10-04 16:46:16 +02:00
parent 922fe8b91d
commit 977fc93603
5 changed files with 40 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
mkosi.conf
View File

@ -33,9 +33,8 @@ CacheDirectory=build/mkosi.cache
BuildSourcesEphemeral=yes BuildSourcesEphemeral=yes
Incremental=yes Incremental=yes
# TODO: Remove when TEST-70-TPM doesn't fail in an image with signed PCRs anymore.
[Validation] [Validation]
SignExpectedPcr=no SignExpectedPcr=yes
[Content] [Content]
ExtraTrees= ExtraTrees=

7
mkosi.uki-profiles/profile1.conf Normal file
View File

@ -0,0 +1,7 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[UKIProfile]
Profile=
ID=profile1
TITLE=Profile Two
Cmdline=testprofile1=1

7
mkosi.uki-profiles/profile2.conf Normal file
View File

@ -0,0 +1,7 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[UKIProfile]
Profile=
ID=profile2
TITLE=Profile Two
Cmdline=testprofile2=1

1
test/TEST-86-MULTI-PROFILE-UKI/meson.build
View File

@ -6,6 +6,5 @@ integration_tests += [
'storage' : 'persistent', 'storage' : 'persistent',
'vm' : true, 'vm' : true,
'firmware' : 'auto', 'firmware' : 'auto',
'enabled' : false,
}, },
] ]

65
test/units/TEST-86-MULTI-PROFILE-UKI.sh
View File

@ -25,57 +25,42 @@ fi
echo "CURRENT EVENT LOG + PCRS:" echo "CURRENT EVENT LOG + PCRS:"
/usr/lib/systemd/systemd-pcrlock /usr/lib/systemd/systemd-pcrlock
if test ! -f /run/systemd/stub/profile; then test -f /run/systemd/stub/profile
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out /root/pcrsign.private.pem
openssl rsa -pubout -in /root/pcrsign.private.pem -out /root/pcrsign.public.pem
ukify build --extend="$CURRENT_UKI" --output=/tmp/extended0.efi --profile='ID=profile0 # shellcheck source=/dev/null
TITLE="Profile Zero"' --measure-base="$CURRENT_UKI" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512 . /run/systemd/stub/profile
ukify build --extend=/tmp/extended0.efi --output=/tmp/extended1.efi --profile='ID=profile1 if [[ "$ID" == "main" ]]; then
TITLE="Profile One"' --measure-base=/tmp/extended0.efi --cmdline="testprofile1=1 $(cat /proc/cmdline)" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512 if [[ -f /root/encrypted.raw ]]; then
exit 1
fi
ukify build --extend=/tmp/extended1.efi --output=/tmp/extended2.efi --profile='ID=profile2 # Prepare a disk image, locked to the PCR measurements of the current UKI
TITLE="Profile Two"' --measure-base=/tmp/extended1.efi --cmdline="testprofile2=1 $(cat /proc/cmdline)" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
echo "EXTENDED UKI:"
ukify inspect /tmp/extended2.efi
rm /tmp/extended0.efi /tmp/extended1.efi
mv /tmp/extended2.efi "$CURRENT_UKI"
# Prepare a disk image, locked to the PCR measurements of the UKI we just generated
truncate -s 32M /root/encrypted.raw truncate -s 32M /root/encrypted.raw
echo -n "geheim" >/root/encrypted.secret echo -n "geheim" >/root/encrypted.secret
cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom /root/encrypted.raw --key-file=/root/encrypted.secret cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom /root/encrypted.raw --key-file=/root/encrypted.secret
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --tpm2-public-key=/root/pcrsign.public.pem --unlock-key-file=/root/encrypted.secret /root/encrypted.raw systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --unlock-key-file=/root/encrypted.secret /root/encrypted.raw
rm -f /root/encrypted.secret rm -f /root/encrypted.secret
fi
# Validate that with the current profile we can fulfill the PCR 11 policy
systemd-cryptsetup attach multiprof /root/encrypted.raw - tpm2-device=auto,headless=1
systemd-cryptsetup detach multiprof
if [[ "$ID" == "main" ]]; then
bootctl set-default "$(basename "$CURRENT_UKI")@profile1"
reboot reboot
exit 0 exit 0
elif [[ "$ID" == "profile1" ]]; then
grep testprofile1=1 /proc/cmdline
bootctl set-default "$(basename "$CURRENT_UKI")@profile2"
reboot
exit 0
elif [[ "$ID" == "profile2" ]]; then
grep testprofile2=1 /proc/cmdline
rm /root/encrypted.raw
else else
# shellcheck source=/dev/null exit 1
. /run/systemd/stub/profile
# Validate that with the current profile we can fulfill the PCR 11 policy
systemd-cryptsetup attach multiprof /root/encrypted.raw - tpm2-device=auto,headless=1
systemd-cryptsetup detach multiprof
if [ "$ID" = "profile0" ]; then
grep -v testprofile /proc/cmdline
echo "default $(basename "$CURRENT_UKI")@profile1" >"$(bootctl -p)/loader/loader.conf"
reboot
exit 0
elif [ "$ID" = "profile1" ]; then
grep testprofile1=1 /proc/cmdline
echo "default $(basename "$CURRENT_UKI")@profile2" >"$(bootctl -p)/loader/loader.conf"
reboot
exit 0
elif [ "$ID" = "profile2" ]; then
grep testprofile2=1 /proc/cmdline
rm /root/encrypted.raw
else
exit 1
fi
fi fi
touch /testok touch /testok