-rw-r--r-- | mkosi.conf | 3 | ||||
-rw-r--r-- | mkosi.uki-profiles/profile1.conf | 7 | ||||
-rw-r--r-- | mkosi.uki-profiles/profile2.conf | 7 | ||||
-rw-r--r-- | test/TEST-86-MULTI-PROFILE-UKI/meson.build | 1 | ||||
-rwxr-xr-x | test/units/TEST-86-MULTI-PROFILE-UKI.sh | 65 |
5 files changed, 40 insertions, 43 deletions
diff --git a/mkosi.conf b/mkosi.conf index b76cefe0df..f2389b7f01 100644 --- a/mkosi.conf +++ b/mkosi.conf @@ -33,9 +33,8 @@ CacheDirectory=build/mkosi.cache BuildSourcesEphemeral=yes Incremental=yes -# TODO: Remove when TEST-70-TPM doesn't fail in an image with signed PCRs anymore. [Validation] -SignExpectedPcr=no +SignExpectedPcr=yes [Content] ExtraTrees= diff --git a/mkosi.uki-profiles/profile1.conf b/mkosi.uki-profiles/profile1.conf new file mode 100644 index 0000000000..3dc39d2534 --- /dev/null +++ b/mkosi.uki-profiles/profile1.conf @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[UKIProfile] +Profile= + ID=profile1 + TITLE=Profile Two +Cmdline=testprofile1=1 diff --git a/mkosi.uki-profiles/profile2.conf b/mkosi.uki-profiles/profile2.conf new file mode 100644 index 0000000000..d5bd4b6b6a --- /dev/null +++ b/mkosi.uki-profiles/profile2.conf @@ -0,0 +1,7 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later + +[UKIProfile] +Profile= + ID=profile2 + TITLE=Profile Two +Cmdline=testprofile2=1 diff --git a/test/TEST-86-MULTI-PROFILE-UKI/meson.build b/test/TEST-86-MULTI-PROFILE-UKI/meson.build index 10d5957d8f..53042884cc 100644 --- a/test/TEST-86-MULTI-PROFILE-UKI/meson.build +++ b/test/TEST-86-MULTI-PROFILE-UKI/meson.build @@ -6,6 +6,5 @@ integration_tests += [ 'storage' : 'persistent', 'vm' : true, 'firmware' : 'auto', - 'enabled' : false, }, ] diff --git a/test/units/TEST-86-MULTI-PROFILE-UKI.sh b/test/units/TEST-86-MULTI-PROFILE-UKI.sh index 042cc59419..1af0788d5e 100755 --- a/test/units/TEST-86-MULTI-PROFILE-UKI.sh +++ b/test/units/TEST-86-MULTI-PROFILE-UKI.sh 
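Review bot: `TITLE=Profile Two` in the new mkosi.uki-profiles/profile1.conf appears to be copied from profile2.conf; the ukify invocation this commit removes from test/units/TEST-86-MULTI-PROFILE-UKI.sh labelled the same profile `TITLE="Profile One"`. Suggest `TITLE=Profile One` so the two profiles are distinguishable in the boot menu. The test script only inspects `ID` and the `testprofile1=1`/`testprofile2=1` cmdline markers, so the wrong title would not be caught by the test itself.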
@@ -25,57 +25,42 @@ fi echo "CURRENT EVENT LOG + PCRS:" /usr/lib/systemd/systemd-pcrlock -if test ! -f /run/systemd/stub/profile; then - openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out /root/pcrsign.private.pem - openssl rsa -pubout -in /root/pcrsign.private.pem -out /root/pcrsign.public.pem +test -f /run/systemd/stub/profile - ukify build --extend="$CURRENT_UKI" --output=/tmp/extended0.efi --profile='ID=profile0 -TITLE="Profile Zero"' --measure-base="$CURRENT_UKI" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512 +# shellcheck source=/dev/null +. /run/systemd/stub/profile - ukify build --extend=/tmp/extended0.efi --output=/tmp/extended1.efi --profile='ID=profile1 -TITLE="Profile One"' --measure-base=/tmp/extended0.efi --cmdline="testprofile1=1 $(cat /proc/cmdline)" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512 - - ukify build --extend=/tmp/extended1.efi --output=/tmp/extended2.efi --profile='ID=profile2 -TITLE="Profile Two"' --measure-base=/tmp/extended1.efi --cmdline="testprofile2=1 $(cat /proc/cmdline)" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512 - - echo "EXTENDED UKI:" - ukify inspect /tmp/extended2.efi - rm /tmp/extended0.efi /tmp/extended1.efi - mv /tmp/extended2.efi "$CURRENT_UKI" +if [[ "$ID" == "main" ]]; then + if [[ -f /root/encrypted.raw ]]; then + exit 1 + fi - # Prepare a disk image, locked to the PCR measurements of the UKI we just generated + # Prepare a disk image, locked to the PCR measurements of the current UKI truncate -s 32M /root/encrypted.raw echo -n "geheim" >/root/encrypted.secret cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom /root/encrypted.raw --key-file=/root/encrypted.secret - systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= 
--tpm2-public-key=/root/pcrsign.public.pem --unlock-key-file=/root/encrypted.secret /root/encrypted.raw + systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --unlock-key-file=/root/encrypted.secret /root/encrypted.raw rm -f /root/encrypted.secret +fi + +# Validate that with the current profile we can fulfill the PCR 11 policy +systemd-cryptsetup attach multiprof /root/encrypted.raw - tpm2-device=auto,headless=1 +systemd-cryptsetup detach multiprof +if [[ "$ID" == "main" ]]; then + bootctl set-default "$(basename "$CURRENT_UKI")@profile1" reboot exit 0 +elif [[ "$ID" == "profile1" ]]; then + grep testprofile1=1 /proc/cmdline + bootctl set-default "$(basename "$CURRENT_UKI")@profile2" + reboot + exit 0 +elif [[ "$ID" == "profile2" ]]; then + grep testprofile2=1 /proc/cmdline + rm /root/encrypted.raw else - # shellcheck source=/dev/null - . /run/systemd/stub/profile - - # Validate that with the current profile we can fulfill the PCR 11 policy - systemd-cryptsetup attach multiprof /root/encrypted.raw - tpm2-device=auto,headless=1 - systemd-cryptsetup detach multiprof - - if [ "$ID" = "profile0" ]; then - grep -v testprofile /proc/cmdline - echo "default $(basename "$CURRENT_UKI")@profile1" >"$(bootctl -p)/loader/loader.conf" - reboot - exit 0 - elif [ "$ID" = "profile1" ]; then - grep testprofile1=1 /proc/cmdline - echo "default $(basename "$CURRENT_UKI")@profile2" >"$(bootctl -p)/loader/loader.conf" - reboot - exit 0 - elif [ "$ID" = "profile2" ]; then - grep testprofile2=1 /proc/cmdline - rm /root/encrypted.raw - else - exit 1 - fi + exit 1 fi touch /testok |
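Review bot: The first `if [[ "$ID" == "main" ]]` block no longer asserts that the kernel command line carries none of the profile markers, whereas the removed `profile0` branch checked this with `grep -v testprofile /proc/cmdline`; after this change only `profile1` and `profile2` verify their cmdline, so a main profile that accidentally inherited `testprofile1=1` would pass. Adding `! grep -q testprofile /proc/cmdline` inside that block restores the check. The bare `test -f /run/systemd/stub/profile` near the top of the hunk only stops the test if the script runs under `set -e`, which is not visible in this hunk; `test -f /run/systemd/stub/profile || exit 1` makes the intent explicit regardless of shell options. The script header and any `set` options lie outside the hunk.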