From 919c88f48ff4a5e36a239a056c4348974aaefdae Mon Sep 17 00:00:00 2001
From: Adam Williamson
Date: Fri, 19 Jun 2020 14:14:57 -0700
Subject: [PATCH] Add QA:Testcase_Clevis test (TPM-based automatic decryption)

This adds a test that automates https://fedoraproject.org/wiki/QA:Testcase_Clevis. It requires os-autoinst-4.6-18.20200623git5038d8c or newer, and a worker host in the 'tpm' class which is set up to have an instance of swtpm running at /tmp/mytpmX , where X is the worker instance number, for each worker. The Fedora infrastructure ansible plays have been updated to handle this via an instantiated systemd service, which other instances can also adopt.

Signed-off-by: Adam Williamson
---
 templates.fif.json | 13 +++++++++++++
 tests/iot_clevis.pm | 31 +++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 tests/iot_clevis.pm

diff --git a/templates.fif.json b/templates.fif.json
index 0601d507..01437f5b 100644
--- a/templates.fif.json
+++ b/templates.fif.json
@@ -1553,6 +1553,19 @@
 "ROOT_PASSWORD": "weakpassword"
 }
 },
+ "iot_clevis": {
+ "profiles": {
+ "fedora-IoT-dvd_ostree-iso-aarch64-*-aarch64": 20,
+ "fedora-IoT-dvd_ostree-iso-x86_64-*-64bit": 20
+ },
+ "settings": {
+ "ENCRYPT_PASSWORD": "weakpassword",
+ "POSTINSTALL": "iot_clevis",
+ "QEMUTPM": "instance",
+ "ROOT_PASSWORD": "weakpassword",
+ "WORKER_CLASS": "tpm"
+ }
+ },
 "iot_greenboot": {
 "profiles": {
 "fedora-IoT-dvd_ostree-iso-aarch64-*-aarch64": 20,
diff --git a/tests/iot_clevis.pm b/tests/iot_clevis.pm
new file mode 100644
index 00000000..24a93c6e
--- /dev/null
+++ b/tests/iot_clevis.pm
@@ -0,0 +1,31 @@
+use base "installedtest";
+use strict;
+use testapi;
+use utils;
+
+sub run {
+ my $self = shift;
+ # we can safely assume we're at a root console at this point
+ # Verify decryption is working via TPM2
+ assert_script_run "echo foo | clevis encrypt tpm2 '{}' | clevis decrypt";
+ # Get the UUID of the encrypted device
+ assert_script_run 'UUID=$(lsblk | grep luks | sed "s/^.*luks-//" | cut -d" " -f1)';
+ assert_script_run 'DEV=$(blkid --uuid $UUID)';
+ # Check encryption details of the device
+ assert_script_run 'cryptsetup luksDump $DEV > /tmp/cryptsetup.log';
+ upload_logs '/tmp/cryptsetup.log';
+ # Setup Clevis to decrypt via TPM2 on boot
+ assert_script_run 'clevis luks bind -f -k- -d $DEV tpm2 "{}" <<< ' . get_var("ENCRYPT_PASSWORD");
+ # Reboot the system and see if it is booted without user intervention
+ script_run "reboot", 0;
+ boot_to_login_screen;
+}
+
+
+sub test_flags {
+ return { fatal => 1 };
+}
+
+1;
+
+# vim: set sw=4 et:
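Review bot: The `clevis luks bind` step in `run` is never verified before the reboot, so if the binding does not actually land in a keyslot the failure only shows up as `boot_to_login_screen` timing out, which cannot be told apart from an unrelated boot problem. A one-line check right after the bind, `assert_script_run 'clevis luks list -d $DEV | grep tpm2';` (assuming the clevis build under test ships the `luks list` subcommand), would pin a failure to the binding step. The `"{}"` policy seals the key with no PCR constraints, the simplest configuration; a comment such as `# empty tpm2 policy: no PCR binding, so unlock does not depend on measured boot state` would make explicit that the test does not exercise measured-boot binding. The UUID extraction assumes exactly one `luks-*` entry in `lsblk` output; with more than one, `$UUID` holds several words and `blkid --uuid $UUID` receives unintended extra arguments.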