From f00e68ace070fd5240a4b5874e61c26f6e909b6c Mon Sep 17 00:00:00 2001 From: Miguel Ángel Arruga Vivas Date: Mon, 21 Dec 2020 13:02:01 +0100 Subject: system: Allow separated /boot and encrypted root. * gnu/bootloader/grub.scm (grub-configuration-file): New parameter store-crypto-devices. [crypto-devices]: New helper function. [builder]: Use crypto-devices. * gnu/machine/ssh.scm (roll-back-managed-host): Use boot-parameters-store-crypto-devices to provide its contents to the bootloader configuration generation process. * gnu/tests/install.scm (%encrypted-root-not-boot-os, %encrypted-root-not-boot-os): New os declaration. (%encrypted-root-not-boot-installation-script): New script, whose contents were initially taken from %encrypted-root-installation-script. (%test-encrypted-root-not-boot-os): New test. * gnu/system.scm (define-module): Export operating-system-bootoader-crypto-devices and boot-parameters-store-crypto-devices. (): Add field store-crypto-devices. (read-boot-parameters): Parse store-crypto-devices field. [uuid-sexp->uuid]: New helper function extracted from device-sexp->device. (operating-system-bootloader-crypto-devices): New function. (operating-system-bootcfg): Use operating-system-bootloader-crypto-devices to provide its contents to the bootloader configuration generation process. (operating-system-boot-parameters): Add store-crypto-devices to the generated boot-parameters. (operating-system-boot-parameters-file): Likewise to the file with the serialized structure. * guix/scripts/system.scm (reinstall-bootloader): Use boot-parameters-store-crypto-devices to provide its contents to the bootloader configuration generation process. * tests/boot-parameters.scm (%default-store-crypto-devices): New variable. (%grub-boot-parameters, test-read-boot-parameters): Use %default-store-crypto-devices. (tests store-crypto-devices): New tests. --- gnu/tests/install.scm | 102 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 102 insertions(+) (limited to 'gnu/tests') diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm index 71caa3a493..bf94e97c2a 100644 --- a/gnu/tests/install.scm +++ b/gnu/tests/install.scm @@ -63,6 +63,7 @@ %test-separate-home-os %test-raid-root-os %test-encrypted-root-os + %test-encrypted-root-not-boot-os %test-btrfs-root-os %test-btrfs-root-on-subvolume-os %test-jfs-root-os @@ -883,6 +884,107 @@ reboot\n") (run-basic-test %lvm-separate-home-os `(,@command) "lvm-separate-home-os"))))) + +;;; +;;; LUKS-encrypted root file system and /boot in a non-encrypted partition. +;;; + +(define-os-with-source (%encrypted-root-not-boot-os + %encrypted-root-not-boot-os-source) + ;; The OS we want to install. + (use-modules (gnu) (gnu tests) (srfi srfi-1)) + + (operating-system + (host-name "bootroot") + (timezone "Europe/Madrid") + (locale "en_US.UTF-8") + + (bootloader (bootloader-configuration + (bootloader grub-bootloader) + (target "/dev/vdb"))) + + (mapped-devices (list (mapped-device + (source + (uuid "12345678-1234-1234-1234-123456789abc")) + (target "root") + (type luks-device-mapping)))) + (file-systems (cons* (file-system + (device (file-system-label "my-boot")) + (mount-point "/boot") + (type "ext4")) + (file-system + (device "/dev/mapper/root") + (mount-point "/") + (type "ext4")) + %base-file-systems)) + (users (cons (user-account + (name "alice") + (group "users") + (supplementary-groups '("wheel" "audio" "video"))) + %base-user-accounts)) + (services (cons (service marionette-service-type + (marionette-configuration + (imported-modules '((gnu services herd) + (guix combinators))))) + %base-services)))) + +(define %encrypted-root-not-boot-installation-script + ;; Shell script for an installation with boot not encrypted but root + ;; encrypted. + (format #f "\ +. /etc/profile +set -e -x +guix --version + +export GUIX_BUILD_OPTIONS=--no-grafts +ls -l /run/current-system/gc-roots +parted --script /dev/vdb mklabel gpt \\ + mkpart primary ext2 1M 3M \\ + mkpart primary ext2 3M 50M \\ + mkpart primary ext2 50M 1.6G \\ + set 1 boot on \\ + set 1 bios_grub on +echo -n \"~a\" | cryptsetup luksFormat --uuid=\"~a\" -q /dev/vdb3 - +echo -n \"~a\" | cryptsetup open --type luks --key-file - /dev/vdb3 root +mkfs.ext4 -L my-root /dev/mapper/root +mkfs.ext4 -L my-boot /dev/vdb2 +mount LABEL=my-root /mnt +mkdir /mnt/boot +mount LABEL=my-boot /mnt/boot +echo \"Checking mounts\" +mount +herd start cow-store /mnt +mkdir /mnt/etc +cp /etc/target-config.scm /mnt/etc/config.scm +guix system build /mnt/etc/config.scm +guix system init /mnt/etc/config.scm /mnt --no-substitutes +sync +echo \"Debugging info\" +blkid +cat /mnt/boot/grub/grub.cfg +reboot\n" + %luks-passphrase "12345678-1234-1234-1234-123456789abc" + %luks-passphrase)) + +(define %test-encrypted-root-not-boot-os + (system-test + (name "encrypted-root-not-boot-os") + (description + "Test the manual installation on an OS with / in an encrypted partition +but /boot on a different, non-encrypted partition. This test is expensive in +terms of CPU and storage usage since we need to build (current-guix) and then +store a couple of full system images.") + (value + (mlet* %store-monad + ((image (run-install %encrypted-root-not-boot-os + %encrypted-root-not-boot-os-source + #:script + %encrypted-root-not-boot-installation-script)) + (command (qemu-command/writable-image image))) + (run-basic-test %encrypted-root-not-boot-os command + "encrypted-root-not-boot-os" + #:initialization enter-luks-passphrase))))) + ;;; ;;; Btrfs root file system. -- cgit v1.2.3