Rework TEST-86-MULTI-PROFILE-UKI

Now that mkosi supports generating UKI profiles, let's make use of
that to generate the UKI profiles required for the test instead of
doing it within the test itself.

diff --git a/mkosi.conf b/mkosi.conf
index b76cefe0dfd52acebdd17693900e46d77b8fcf1d..f2389b7f012e553d6531d8701b8095e7f6bc8ceb 100644 (file)
--- a/mkosi.conf
+++ b/mkosi.conf
@@ -33,9 +33,8 @@ CacheDirectory=build/mkosi.cache
 BuildSourcesEphemeral=yes
 Incremental=yes
 
-# TODO: Remove when TEST-70-TPM doesn't fail in an image with signed PCRs anymore.
 [Validation]
-SignExpectedPcr=no
+SignExpectedPcr=yes
 
 [Content]
 ExtraTrees=

diff --git a/mkosi.uki-profiles/profile1.conf b/mkosi.uki-profiles/profile1.conf
new file mode 100644 (file)
index 0000000..3dc39d2
--- /dev/null
+++ b/mkosi.uki-profiles/profile1.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[UKIProfile]
+Profile=
+        ID=profile1
+        TITLE=Profile Two
+Cmdline=testprofile1=1

diff --git a/mkosi.uki-profiles/profile2.conf b/mkosi.uki-profiles/profile2.conf
new file mode 100644 (file)
index 0000000..d5bd4b6
--- /dev/null
+++ b/mkosi.uki-profiles/profile2.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+[UKIProfile]
+Profile=
+        ID=profile2
+        TITLE=Profile Two
+Cmdline=testprofile2=1

diff --git a/test/TEST-86-MULTI-PROFILE-UKI/meson.build b/test/TEST-86-MULTI-PROFILE-UKI/meson.build
index 10d5957d8f801eab2b4283c049bd16f356fca979..53042884cc75d90d83df08197d0088fb26b53ee9 100644 (file)
--- a/test/TEST-86-MULTI-PROFILE-UKI/meson.build
+++ b/test/TEST-86-MULTI-PROFILE-UKI/meson.build
@@ -6,6 +6,5 @@ integration_tests += [
                 'storage' : 'persistent',
                 'vm' : true,
                 'firmware' : 'auto',
-                'enabled' : false,
         },
 ]

diff --git a/test/units/TEST-86-MULTI-PROFILE-UKI.sh b/test/units/TEST-86-MULTI-PROFILE-UKI.sh
index 042cc59419e58f346f867017f5a73ed91757f87d..1af0788d5e23212ebf0c9b81051bced50cfb34c6 100755 (executable)
--- a/test/units/TEST-86-MULTI-PROFILE-UKI.sh
+++ b/test/units/TEST-86-MULTI-PROFILE-UKI.sh
@@ -25,57 +25,42 @@ fi
 echo "CURRENT EVENT LOG + PCRS:"
 /usr/lib/systemd/systemd-pcrlock
 
-if test ! -f /run/systemd/stub/profile; then
-    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out /root/pcrsign.private.pem
-    openssl rsa -pubout -in /root/pcrsign.private.pem -out /root/pcrsign.public.pem
+test -f /run/systemd/stub/profile
 
-    ukify build --extend="$CURRENT_UKI" --output=/tmp/extended0.efi --profile='ID=profile0
-TITLE="Profile Zero"' --measure-base="$CURRENT_UKI" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
+# shellcheck source=/dev/null
+. /run/systemd/stub/profile
 
-    ukify build --extend=/tmp/extended0.efi --output=/tmp/extended1.efi --profile='ID=profile1
-TITLE="Profile One"' --measure-base=/tmp/extended0.efi --cmdline="testprofile1=1 $(cat /proc/cmdline)" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
-
-    ukify build --extend=/tmp/extended1.efi --output=/tmp/extended2.efi --profile='ID=profile2
-TITLE="Profile Two"' --measure-base=/tmp/extended1.efi --cmdline="testprofile2=1 $(cat /proc/cmdline)" --pcr-private-key=/root/pcrsign.private.pem --pcr-public-key=/root/pcrsign.public.pem --pcr-banks=sha256,sha384,sha512
-
-    echo "EXTENDED UKI:"
-    ukify inspect /tmp/extended2.efi
-    rm /tmp/extended0.efi /tmp/extended1.efi
-    mv /tmp/extended2.efi "$CURRENT_UKI"
+if [[ "$ID" == "main" ]]; then
+    if [[ -f /root/encrypted.raw ]]; then
+        exit 1
+    fi
 
-    # Prepare a disk image, locked to the PCR measurements of the UKI we just generated
+    # Prepare a disk image, locked to the PCR measurements of the current UKI
     truncate -s 32M /root/encrypted.raw
     echo -n "geheim" >/root/encrypted.secret
     cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom /root/encrypted.raw --key-file=/root/encrypted.secret
-    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --tpm2-public-key=/root/pcrsign.public.pem --unlock-key-file=/root/encrypted.secret /root/encrypted.raw
+    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs= --unlock-key-file=/root/encrypted.secret /root/encrypted.raw
     rm -f /root/encrypted.secret
+fi
+
+# Validate that with the current profile we can fulfill the PCR 11 policy
+systemd-cryptsetup attach multiprof /root/encrypted.raw - tpm2-device=auto,headless=1
+systemd-cryptsetup detach multiprof
 
+if [[ "$ID" == "main" ]]; then
+    bootctl set-default "$(basename "$CURRENT_UKI")@profile1"
     reboot
     exit 0
+elif [[ "$ID" == "profile1" ]]; then
+    grep testprofile1=1 /proc/cmdline
+    bootctl set-default "$(basename "$CURRENT_UKI")@profile2"
+    reboot
+    exit 0
+elif [[ "$ID" == "profile2" ]]; then
+    grep testprofile2=1 /proc/cmdline
+    rm /root/encrypted.raw
 else
-    # shellcheck source=/dev/null
-    . /run/systemd/stub/profile
-
-    # Validate that with the current profile we can fulfill the PCR 11 policy
-    systemd-cryptsetup attach multiprof /root/encrypted.raw - tpm2-device=auto,headless=1
-    systemd-cryptsetup detach multiprof
-
-    if [ "$ID" = "profile0" ]; then
-        grep -v testprofile /proc/cmdline
-        echo "default $(basename "$CURRENT_UKI")@profile1" >"$(bootctl -p)/loader/loader.conf"
-        reboot
-        exit 0
-    elif [ "$ID" = "profile1" ]; then
-        grep testprofile1=1 /proc/cmdline
-        echo "default $(basename "$CURRENT_UKI")@profile2" >"$(bootctl -p)/loader/loader.conf"
-        reboot
-        exit 0
-    elif [ "$ID" = "profile2" ]; then
-        grep testprofile2=1 /proc/cmdline
-        rm /root/encrypted.raw
-    else
-        exit 1
-    fi
+    exit 1
 fi
 
 touch /testok