mirror of
https://github.com/systemd/systemd.git
synced 2024-11-23 02:03:37 +08:00
Rework TEST-86-MULTI-PROFILE-UKI
Now that mkosi supports generating UKI profiles, let's make use of that to generate the UKI profiles required for the test instead of doing it within the test itself.
This commit is contained in:
parent
922fe8b91d
commit
977fc93603
@ -33,9 +33,8 @@ CacheDirectory=build/mkosi.cache
|
||||
BuildSourcesEphemeral=yes
|
||||
Incremental=yes
|
||||
|
||||
# TODO: Remove when TEST-70-TPM doesn't fail in an image with signed PCRs anymore.
|
||||
[Validation]
|
||||
SignExpectedPcr=no
|
||||
SignExpectedPcr=yes
|
||||
|
||||
[Content]
|
||||
ExtraTrees=
|
||||
|
7
mkosi.uki-profiles/profile1.conf
Normal file
7
mkosi.uki-profiles/profile1.conf
Normal file
@ -0,0 +1,7 @@
|
||||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
|
||||
[UKIProfile]
|
||||
Profile=
|
||||
ID=profile1
|
||||
TITLE=Profile Two
|
||||
Cmdline=testprofile1=1
|
7
mkosi.uki-profiles/profile2.conf
Normal file
7
mkosi.uki-profiles/profile2.conf
Normal file
@ -0,0 +1,7 @@
|
||||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
|
||||
[UKIProfile]
|
||||
Profile=
|
||||
ID=profile2
|
||||
TITLE=Profile Two
|
||||
Cmdline=testprofile2=1
|
@ -6,6 +6,5 @@ integration_tests += [
|
||||
'storage' : 'persistent',
|
||||
'vm' : true,
|
||||
'firmware' : 'auto',
|
||||
'enabled' : false,
|
||||
},
|
||||
]
|
||||
|
@ -25,57 +25,42 @@ fi
|
||||
echo "CURRENT EVENT LOG + PCRS:"
|
||||
/usr/lib/systemd/systemd-pcrlock
|
||||
|
||||
if test ! -f /run/systemd/stub/profile; then
|
||||
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out /root/pcrsign.private.pem
|
||||
openssl rsa -pubout -in /root/pcrsign.private.pem -out /root/pcrsign.public.pem
|
||||
test -f /run/systemd/stub/profile
|
||||
|
||||
ukify build --extend="$CURRENT_UKI" --output=/tmp/extended0.efi --profile='ID=profile0
|
||||
TITLE="Profile Zero"' --measure-base="$CURRENT_UKI" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
|
||||
# shellcheck source=/dev/null
|
||||
. /run/systemd/stub/profile
|
||||
|
||||
ukify build --extend=/tmp/extended0.efi --output=/tmp/extended1.efi --profile='ID=profile1
|
||||
TITLE="Profile One"' --measure-base=/tmp/extended0.efi --cmdline="testprofile1=1 $(cat /proc/cmdline)" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
|
||||
if [[ "$ID" == "main" ]]; then
|
||||
if [[ -f /root/encrypted.raw ]]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
ukify build --extend=/tmp/extended1.efi --output=/tmp/extended2.efi --profile='ID=profile2
|
||||
TITLE="Profile Two"' --measure-base=/tmp/extended1.efi --cmdline="testprofile2=1 $(cat /proc/cmdline)" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
|
||||
|
||||
echo "EXTENDED UKI:"
|
||||
ukify inspect /tmp/extended2.efi
|
||||
rm /tmp/extended0.efi /tmp/extended1.efi
|
||||
mv /tmp/extended2.efi "$CURRENT_UKI"
|
||||
|
||||
# Prepare a disk image, locked to the PCR measurements of the UKI we just generated
|
||||
# Prepare a disk image, locked to the PCR measurements of the current UKI
|
||||
truncate -s 32M /root/encrypted.raw
|
||||
echo -n "geheim" >/root/encrypted.secret
|
||||
cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom /root/encrypted.raw --key-file=/root/encrypted.secret
|
||||
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --tpm2-public-key=/root/pcrsign.public.pem --unlock-key-file=/root/encrypted.secret /root/encrypted.raw
|
||||
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --unlock-key-file=/root/encrypted.secret /root/encrypted.raw
|
||||
rm -f /root/encrypted.secret
|
||||
|
||||
reboot
|
||||
exit 0
|
||||
else
|
||||
# shellcheck source=/dev/null
|
||||
. /run/systemd/stub/profile
|
||||
fi
|
||||
|
||||
# Validate that with the current profile we can fulfill the PCR 11 policy
|
||||
systemd-cryptsetup attach multiprof /root/encrypted.raw - tpm2-device=auto,headless=1
|
||||
systemd-cryptsetup detach multiprof
|
||||
|
||||
if [ "$ID" = "profile0" ]; then
|
||||
grep -v testprofile /proc/cmdline
|
||||
echo "default $(basename "$CURRENT_UKI")@profile1" >"$(bootctl -p)/loader/loader.conf"
|
||||
if [[ "$ID" == "main" ]]; then
|
||||
bootctl set-default "$(basename "$CURRENT_UKI")@profile1"
|
||||
reboot
|
||||
exit 0
|
||||
elif [ "$ID" = "profile1" ]; then
|
||||
elif [[ "$ID" == "profile1" ]]; then
|
||||
grep testprofile1=1 /proc/cmdline
|
||||
echo "default $(basename "$CURRENT_UKI")@profile2" >"$(bootctl -p)/loader/loader.conf"
|
||||
bootctl set-default "$(basename "$CURRENT_UKI")@profile2"
|
||||
reboot
|
||||
exit 0
|
||||
elif [ "$ID" = "profile2" ]; then
|
||||
elif [[ "$ID" == "profile2" ]]; then
|
||||
grep testprofile2=1 /proc/cmdline
|
||||
rm /root/encrypted.raw
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
touch /testok
|
||||
|
Loading…
Reference in New Issue
Block a user