0cf3984677
...
e754ca25fc
Author | SHA1 | Date |
---|---|---|
Lennart Poettering | e754ca25fc | |
Yu Watanabe | 7ac1ad90d0 | |
Daan De Meyer | 099b16c3e7 | |
Yu Watanabe | d265b8afb7 | |
Yu Watanabe | 1aab0a5b10 |
|
@ -1,10 +0,0 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
||||||
set -e
|
|
||||||
|
|
||||||
TEST_DESCRIPTION="Test Multi-Profile UKI Boots"
|
|
||||||
|
|
||||||
# shellcheck source=test/test-functions
|
|
||||||
. "${TEST_BASE_DIR:?}/test-functions"
|
|
||||||
|
|
||||||
do_test "$@"
|
|
|
@ -17,9 +17,9 @@ if test -f /run/systemd/stub/profile; then
|
||||||
fi
|
fi
|
||||||
echo "CURRENT MEASUREMENT:"
|
echo "CURRENT MEASUREMENT:"
|
||||||
/usr/lib/systemd/systemd-measure --current
|
/usr/lib/systemd/systemd-measure --current
|
||||||
if test -f /run/systemd/tpm2-pcr-signature.json ; then
|
if test -f /run/systemd/tpm2-pcr-signature.json; then
|
||||||
echo "CURRENT SIGNATURE:"
|
echo "CURRENT SIGNATURE:"
|
||||||
jq < /run/systemd/tpm2-pcr-signature.json
|
jq </run/systemd/tpm2-pcr-signature.json
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "CURRENT EVENT LOG + PCRS:"
|
echo "CURRENT EVENT LOG + PCRS:"
|
||||||
|
@ -45,7 +45,7 @@ TITLE="Profile Two"' --measure-base=/tmp/extended1.efi --cmdline="testprofile2=1
|
||||||
|
|
||||||
# Prepare a disk image, locked to the PCR measurements of the UKI we just generated
|
# Prepare a disk image, locked to the PCR measurements of the UKI we just generated
|
||||||
truncate -s 32M /root/encrypted.raw
|
truncate -s 32M /root/encrypted.raw
|
||||||
echo -n "geheim" > /root/encrypted.secret
|
echo -n "geheim" >/root/encrypted.secret
|
||||||
cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom /root/encrypted.raw --key-file=/root/encrypted.secret
|
cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom /root/encrypted.raw --key-file=/root/encrypted.secret
|
||||||
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --tpm2-public-key=/root/pcrsign.public.pem --unlock-key-file=/root/encrypted.secret /root/encrypted.raw
|
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --tpm2-public-key=/root/pcrsign.public.pem --unlock-key-file=/root/encrypted.secret /root/encrypted.raw
|
||||||
rm -f /root/encrypted.secret
|
rm -f /root/encrypted.secret
|
||||||
|
@ -62,12 +62,12 @@ else
|
||||||
|
|
||||||
if [ "$ID" = "profile0" ]; then
|
if [ "$ID" = "profile0" ]; then
|
||||||
grep -v testprofile /proc/cmdline
|
grep -v testprofile /proc/cmdline
|
||||||
echo "default $(basename "$CURRENT_UKI")@profile1" > "$(bootctl -p)/loader/loader.conf"
|
echo "default $(basename "$CURRENT_UKI")@profile1" >"$(bootctl -p)/loader/loader.conf"
|
||||||
reboot
|
reboot
|
||||||
exit 0
|
exit 0
|
||||||
elif [ "$ID" = "profile1" ]; then
|
elif [ "$ID" = "profile1" ]; then
|
||||||
grep testprofile1=1 /proc/cmdline
|
grep testprofile1=1 /proc/cmdline
|
||||||
echo "default $(basename "$CURRENT_UKI")@profile2" > "$(bootctl -p)/loader/loader.conf"
|
echo "default $(basename "$CURRENT_UKI")@profile2" >"$(bootctl -p)/loader/loader.conf"
|
||||||
reboot
|
reboot
|
||||||
exit 0
|
exit 0
|
||||||
elif [ "$ID" = "profile2" ]; then
|
elif [ "$ID" = "profile2" ]; then
|
||||||
|
|
|
@ -19,5 +19,5 @@ Q /var/lib/machines 0700 - - -
|
||||||
# systemd-nspawn --ephemeral places snapshots) we are more strict, to
|
# systemd-nspawn --ephemeral places snapshots) we are more strict, to
|
||||||
# avoid removing unrelated temporary files.
|
# avoid removing unrelated temporary files.
|
||||||
|
|
||||||
R!$ /var/lib/machines/.#*
|
R! /var/lib/machines/.#*
|
||||||
R!$ /.#machine.*
|
R! /.#machine.*
|
||||||
|
|
|
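Review bot: The `$` flag is dropped from `R!$ /var/lib/machines/.#*` and `R!$ /.#machine.*` in this section, and from the three `systemd-private` and `coredump` lines in the next section, but neither file's comment records why the lines' applicability changes. These are recursive-removal (`R`/`r`) lines that stay boot-only via `!`, so anyone auditing what gets deleted and when now has to reconstruct the intent from tmpfiles.d(5); if I read the flag table right, `$` ties a line to whether a purge run is in effect, but that should be confirmed against the flag reference for the systemd version this targets. I would add a comment above the first affected line in each file, e.g. `# Boot-only (!) removal of stale lock/snapshot files; deliberately not gated by the '$' flag — see <COMMIT-PLACEHOLDER> for the rationale`, so the behaviour is documented next to the lines rather than only in history.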
@ -14,10 +14,10 @@ x /var/tmp/systemd-private-%b-*
|
||||||
X /var/tmp/systemd-private-%b-*/tmp
|
X /var/tmp/systemd-private-%b-*/tmp
|
||||||
|
|
||||||
# Remove top-level private temporary directories on each boot
|
# Remove top-level private temporary directories on each boot
|
||||||
R!$ /tmp/systemd-private-*
|
R! /tmp/systemd-private-*
|
||||||
R!$ /var/tmp/systemd-private-*
|
R! /var/tmp/systemd-private-*
|
||||||
|
|
||||||
# Handle lost systemd-coredump temp files. They could be lost on old filesystems,
|
# Handle lost systemd-coredump temp files. They could be lost on old filesystems,
|
||||||
# for example, after hard reboot.
|
# for example, after hard reboot.
|
||||||
x /var/lib/systemd/coredump/.#core*.%b*
|
x /var/lib/systemd/coredump/.#core*.%b*
|
||||||
r!$ /var/lib/systemd/coredump/.#*
|
r! /var/lib/systemd/coredump/.#*
|
||||||
|
|