Rework TEST-86-MULTI-PROFILE-UKI

Now that mkosi supports generating UKI profiles, let's make use of
that to generate the UKI profiles required for the test instead of
doing it within the test itself.
This commit is contained in:
Daan De Meyer 2024-10-04 16:46:16 +02:00
parent 922fe8b91d
commit 977fc93603
5 changed files with 40 additions and 43 deletions

View File

@ -33,9 +33,8 @@ CacheDirectory=build/mkosi.cache
BuildSourcesEphemeral=yes
Incremental=yes
# TODO: Remove when TEST-70-TPM doesn't fail in an image with signed PCRs anymore.
[Validation]
SignExpectedPcr=no
SignExpectedPcr=yes
[Content]
ExtraTrees=

View File

@ -0,0 +1,7 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[UKIProfile]
Profile=
ID=profile1
TITLE=Profile Two
Cmdline=testprofile1=1

View File

@ -0,0 +1,7 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[UKIProfile]
Profile=
ID=profile2
TITLE=Profile Two
Cmdline=testprofile2=1

View File

@ -6,6 +6,5 @@ integration_tests += [
'storage' : 'persistent',
'vm' : true,
'firmware' : 'auto',
'enabled' : false,
},
]

View File

@ -25,57 +25,42 @@ fi
echo "CURRENT EVENT LOG + PCRS:"
/usr/lib/systemd/systemd-pcrlock
if test ! -f /run/systemd/stub/profile; then
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out /root/pcrsign.private.pem
openssl rsa -pubout -in /root/pcrsign.private.pem -out /root/pcrsign.public.pem
test -f /run/systemd/stub/profile
ukify build --extend="$CURRENT_UKI" --output=/tmp/extended0.efi --profile='ID=profile0
TITLE="Profile Zero"' --measure-base="$CURRENT_UKI" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
# shellcheck source=/dev/null
. /run/systemd/stub/profile
ukify build --extend=/tmp/extended0.efi --output=/tmp/extended1.efi --profile='ID=profile1
TITLE="Profile One"' --measure-base=/tmp/extended0.efi --cmdline="testprofile1=1 $(cat /proc/cmdline)" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
if [[ "$ID" == "main" ]]; then
if [[ -f /root/encrypted.raw ]]; then
exit 1
fi
ukify build --extend=/tmp/extended1.efi --output=/tmp/extended2.efi --profile='ID=profile2
TITLE="Profile Two"' --measure-base=/tmp/extended1.efi --cmdline="testprofile2=1 $(cat /proc/cmdline)" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
echo "EXTENDED UKI:"
ukify inspect /tmp/extended2.efi
rm /tmp/extended0.efi /tmp/extended1.efi
mv /tmp/extended2.efi "$CURRENT_UKI"
# Prepare a disk image, locked to the PCR measurements of the UKI we just generated
# Prepare a disk image, locked to the PCR measurements of the current UKI
truncate -s 32M /root/encrypted.raw
echo -n "geheim" >/root/encrypted.secret
cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom /root/encrypted.raw --key-file=/root/encrypted.secret
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --tpm2-public-key=/root/pcrsign.public.pem --unlock-key-file=/root/encrypted.secret /root/encrypted.raw
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --unlock-key-file=/root/encrypted.secret /root/encrypted.raw
rm -f /root/encrypted.secret
reboot
exit 0
else
# shellcheck source=/dev/null
. /run/systemd/stub/profile
fi
# Validate that with the current profile we can fulfill the PCR 11 policy
systemd-cryptsetup attach multiprof /root/encrypted.raw - tpm2-device=auto,headless=1
systemd-cryptsetup detach multiprof
if [ "$ID" = "profile0" ]; then
grep -v testprofile /proc/cmdline
echo "default $(basename "$CURRENT_UKI")@profile1" >"$(bootctl -p)/loader/loader.conf"
if [[ "$ID" == "main" ]]; then
bootctl set-default "$(basename "$CURRENT_UKI")@profile1"
reboot
exit 0
elif [ "$ID" = "profile1" ]; then
elif [[ "$ID" == "profile1" ]]; then
grep testprofile1=1 /proc/cmdline
echo "default $(basename "$CURRENT_UKI")@profile2" >"$(bootctl -p)/loader/loader.conf"
bootctl set-default "$(basename "$CURRENT_UKI")@profile2"
reboot
exit 0
elif [ "$ID" = "profile2" ]; then
elif [[ "$ID" == "profile2" ]]; then
grep testprofile2=1 /proc/cmdline
rm /root/encrypted.raw
else
exit 1
fi
fi
touch /testok