From 919c88f48ff4a5e36a239a056c4348974aaefdae Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Fri, 19 Jun 2020 14:14:57 -0700
Subject: [PATCH] Add QA:Testcase_Clevis test (TPM-based automatic decryption)

This adds a test that automates
https://fedoraproject.org/wiki/QA:Testcase_Clevis. It requires
os-autoinst-4.6-18.20200623git5038d8c or newer, and a worker
host in the 'tpm' class which is set up to have an instance of
swtpm running at /tmp/mytpmX , where X is the worker instance
number, for each worker. The Fedora infrastructure ansible
plays have been updated to handle this via an instantiated
systemd service, which other instances can also adopt.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
---
 templates.fif.json  | 13 +++++++++++++
 tests/iot_clevis.pm | 31 +++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 tests/iot_clevis.pm

diff --git a/templates.fif.json b/templates.fif.json
index 0601d507..01437f5b 100644
--- a/templates.fif.json
+++ b/templates.fif.json
@@ -1553,6 +1553,19 @@
                 "ROOT_PASSWORD": "weakpassword"
             }
         },
+        "iot_clevis": {
+            "profiles": {
+                "fedora-IoT-dvd_ostree-iso-aarch64-*-aarch64": 20,
+                "fedora-IoT-dvd_ostree-iso-x86_64-*-64bit": 20
+            },
+            "settings": {
+                "ENCRYPT_PASSWORD": "weakpassword",
+                "POSTINSTALL": "iot_clevis",
+                "QEMUTPM": "instance",
+                "ROOT_PASSWORD": "weakpassword",
+                "WORKER_CLASS": "tpm"
+            }
+        },
         "iot_greenboot": {
             "profiles": {
                 "fedora-IoT-dvd_ostree-iso-aarch64-*-aarch64": 20,
diff --git a/tests/iot_clevis.pm b/tests/iot_clevis.pm
new file mode 100644
index 00000000..24a93c6e
--- /dev/null
+++ b/tests/iot_clevis.pm
@@ -0,0 +1,31 @@
+use base "installedtest";
+use strict;
+use testapi;
+use utils;
+
+sub run {
+    my $self = shift;
+    # we can safely assume we're at a root console at this point
+    # Verify decryption is working via TPM2
+    assert_script_run "echo foo | clevis encrypt tpm2 '{}' | clevis decrypt";
+    # Get the UUID of the encrypted device
+    assert_script_run 'UUID=$(lsblk | grep luks | sed "s/^.*luks-//" | cut -d" " -f1)';
+    assert_script_run 'DEV=$(blkid --uuid $UUID)';
+    # Check encryption details of the device
+    assert_script_run 'cryptsetup luksDump $DEV > /tmp/cryptsetup.log';
+    upload_logs '/tmp/cryptsetup.log';
+    # Setup Clevis to decrypt via TPM2 on boot
+    assert_script_run 'clevis luks bind -f -k- -d $DEV tpm2 "{}" <<< ' . get_var("ENCRYPT_PASSWORD");
+    # Reboot the system and see if it is booted without user intervention
+    script_run "reboot", 0;
+    boot_to_login_screen;
+}
+
+
+sub test_flags {
+    return { fatal => 1 };
+}
+
+1;
+
+# vim: set sw=4 et: