diff options
author | Frantisek Sumsal <frantisek@sumsal.cz> | 2023-05-09 22:47:42 +0200 |
---|---|---|
committer | Frantisek Sumsal <frantisek@sumsal.cz> | 2023-05-09 22:47:42 +0200 |
commit | a9fe7f66e8c07728204d0dd3414723b24f219f36 (patch) | |
tree | 0232511d988035034ed7fc5f8940eaf636b95ee9 /test | |
parent | 0e43ab6d245a77aab35c7963ec636f37e6103984 (diff) | |
download | systemd-a9fe7f66e8c07728204d0dd3414723b24f219f36.tar.gz |
test: slightly extend systemd-cryptenroll coverage
Diffstat (limited to 'test')
-rwxr-xr-x | test/units/testsuite-70.sh | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh index 78b21818f8..c86a9ab2db 100755 --- a/test/units/testsuite-70.sh +++ b/test/units/testsuite-70.sh @@ -229,11 +229,46 @@ systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted: systemd-run -p PrivateDevices=yes -p SetCredentialEncrypted=testdata.encrypted:"$(cat /tmp/testdata.encrypted)" --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata rm -f /tmp/testdata +cryptenroll_wipe_and_check() {( + set +o pipefail + + : >/tmp/cryptenroll.out + systemd-cryptenroll "$@" |& tee /tmp/cryptenroll.out + grep -qE "Wiped slot [[:digit:]]+" /tmp/cryptenroll.out +)} + img="/tmp/cryptenroll.img" truncate -s 20M "$img" echo -n password >/tmp/password cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$img" /tmp/password +# Enroll additional tokens, keys, and passwords to exercise the list and wipe stuff +systemd-cryptenroll --unlock-key-file=/tmp/password --tpm2-device=auto "$img" +NEWPASSWORD="" systemd-cryptenroll --unlock-key-file=/tmp/password --password "$img" +NEWPASSWORD=foo systemd-cryptenroll --unlock-key-file=/tmp/password --password "$img" +for _ in {0..9}; do + systemd-cryptenroll --unlock-key-file=/tmp/password --recovery-key "$img" +done +PASSWORD="" NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true "$img" +# Do some basic checks before we start wiping stuff +systemd-cryptenroll "$img" +systemd-cryptenroll "$img" | grep password +systemd-cryptenroll "$img" | grep recovery +# Let's start wiping +cryptenroll_wipe_and_check "$img" --wipe=empty +(! cryptenroll_wipe_and_check "$img" --wipe=empty) +cryptenroll_wipe_and_check "$img" --wipe=empty,0 +cryptenroll_wipe_and_check "$img" --wipe=0,0,empty,0,pkcs11,fido2,000,recovery +systemd-cryptenroll "$img" | grep password +(! systemd-cryptenroll "$img" | grep recovery) +# We shouldn't be able to wipe all keyslots without enrolling a new key first +(! systemd-cryptenroll "$img" --wipe=all) +PASSWORD=foo NEWPASSWORD=foo cryptenroll_wipe_and_check "$img" --password --wipe=all +# Check if the newly (and only) enrolled password works +(! systemd-cryptenroll --unlock-key-file=/tmp/password --recovery-key "$img") +(! PASSWORD="" systemd-cryptenroll --recovery-key "$img") +PASSWORD=foo systemd-cryptenroll --recovery-key "$img" + systemd-cryptenroll --fido2-with-client-pin=false "$img" systemd-cryptenroll --fido2-with-user-presence=false "$img" systemd-cryptenroll --fido2-with-user-verification=false "$img" |