Add QA:Testcase_Clevis test (TPM-based automatic decryption)
This adds a test that automates https://fedoraproject.org/wiki/QA:Testcase_Clevis. It requires os-autoinst-4.6-18.20200623git5038d8c or newer, and a worker host in the 'tpm' class which is set up to have an instance of swtpm running at /tmp/mytpmX , where X is the worker instance number, for each worker. The Fedora infrastructure ansible plays have been updated to handle this via an instantiated systemd service, which other instances can also adopt. Signed-off-by: Adam Williamson <awilliam@redhat.com>
parent
9768ac5178
commit
919c88f48f
@ -1553,6 +1553,19 @@
|
||||
"ROOT_PASSWORD": "weakpassword"
|
||||
}
|
||||
},
|
||||
"iot_clevis": {
|
||||
"profiles": {
|
||||
"fedora-IoT-dvd_ostree-iso-aarch64-*-aarch64": 20,
|
||||
"fedora-IoT-dvd_ostree-iso-x86_64-*-64bit": 20
|
||||
},
|
||||
"settings": {
|
||||
"ENCRYPT_PASSWORD": "weakpassword",
|
||||
"POSTINSTALL": "iot_clevis",
|
||||
"QEMUTPM": "instance",
|
||||
"ROOT_PASSWORD": "weakpassword",
|
||||
"WORKER_CLASS": "tpm"
|
||||
}
|
||||
},
|
||||
"iot_greenboot": {
|
||||
"profiles": {
|
||||
"fedora-IoT-dvd_ostree-iso-aarch64-*-aarch64": 20,
|
||||
|
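--- a/tests/iot_clevis.pm
+++ b/tests/iot_clevis.pm
@@ -0,0 +1,31 @@
+use base "installedtest";
+use strict;
+use testapi;
+use utils;
+
+sub run {
+my $self = shift;
+# we can safely assume we're at a root console at this point
+# Verify decryption is working via TPM2
+assert_script_run "echo foo | clevis encrypt tpm2 '{}' | clevis decrypt";
+# Get the UUID of the encrypted device
+assert_script_run 'UUID=$(lsblk | grep luks | sed "s/^.*luks-//" | cut -d" " -f1)';
+assert_script_run 'DEV=$(blkid --uuid $UUID)';
+# Check encryption details of the device
+assert_script_run 'cryptsetup luksDump $DEV > /tmp/cryptsetup.log';
+upload_logs '/tmp/cryptsetup.log';
+# Setup Clevis to decrypt via TPM2 on boot
+assert_script_run 'clevis luks bind -f -k- -d $DEV tpm2 "{}" <<< ' . get_var("ENCRYPT_PASSWORD");
+# Reboot the system and see if it is booted without user intervention
+script_run "reboot", 0;
+boot_to_login_screen;
+}
+
+
+sub test_flags {
+return { fatal => 1 };
+}
+
+1;
+
+# vim: set sw=4 et: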
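Review bot: In `run`, the `clevis luks bind` line appends `get_var("ENCRYPT_PASSWORD")` to the shell command unquoted, so a passphrase containing whitespace or shell metacharacters would be split or interpreted by the shell instead of arriving intact on the here-string. Quoting the value keeps the test valid for any configured passphrase, e.g. `assert_script_run 'clevis luks bind -f -k- -d $DEV tpm2 "{}" <<< ' . "'" . get_var("ENCRYPT_PASSWORD") . "'";` (this still assumes the value contains no single quote). The empty `"{}"` pin configuration also deserves a comment above that line, such as `# "{}" seals to the TPM with no PCR policy: this checks unattended unlock, not binding to measured boot state`, so readers do not take a pass as evidence of a PCR-bound policy. Separately, the file enables `use strict;` but not `use warnings;`.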