From: Frantisek Sumsal Date: Tue, 9 May 2023 20:47:42 +0000 (+0200) Subject: test: slightly extend systemd-cryptenroll coverage X-Git-Tag: v254-rc1~524^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F27597%2Fhead;p=thirdparty%2Fsystemd.git test: slightly extend systemd-cryptenroll coverage
---
diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh
index 78b21818f8e..c86a9ab2db9 100755
--- a/test/units/testsuite-70.sh
+++ b/test/units/testsuite-70.sh
@@ -229,11 +229,46 @@ systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted:
 systemd-run -p PrivateDevices=yes -p SetCredentialEncrypted=testdata.encrypted:"$(cat /tmp/testdata.encrypted)" --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata
 rm -f /tmp/testdata
+cryptenroll_wipe_and_check() {(
+ set +o pipefail
+
+ : >/tmp/cryptenroll.out
+ systemd-cryptenroll "$@" |& tee /tmp/cryptenroll.out
+ grep -qE "Wiped slot [[:digit:]]+" /tmp/cryptenroll.out
+)}
+
 img="/tmp/cryptenroll.img"
 truncate -s 20M "$img"
 echo -n password >/tmp/password
 cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$img" /tmp/password
+# Enroll additional tokens, keys, and passwords to exercise the list and wipe stuff
+systemd-cryptenroll --unlock-key-file=/tmp/password --tpm2-device=auto "$img"
+NEWPASSWORD="" systemd-cryptenroll --unlock-key-file=/tmp/password --password "$img"
+NEWPASSWORD=foo systemd-cryptenroll --unlock-key-file=/tmp/password --password "$img"
+for _ in {0..9}; do
+ systemd-cryptenroll --unlock-key-file=/tmp/password --recovery-key "$img"
+done
+PASSWORD="" NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true "$img"
+# Do some basic checks before we start wiping stuff
+systemd-cryptenroll "$img"
+systemd-cryptenroll "$img" | grep password
+systemd-cryptenroll "$img" | grep recovery
+# Let's start wiping
+cryptenroll_wipe_and_check "$img" --wipe=empty
+(! cryptenroll_wipe_and_check "$img" --wipe=empty)
+cryptenroll_wipe_and_check "$img" --wipe=empty,0
+cryptenroll_wipe_and_check "$img" --wipe=0,0,empty,0,pkcs11,fido2,000,recovery
+systemd-cryptenroll "$img" | grep password
+(! systemd-cryptenroll "$img" | grep recovery)
+# We shouldn't be able to wipe all keyslots without enrolling a new key first
+(! systemd-cryptenroll "$img" --wipe=all)
+PASSWORD=foo NEWPASSWORD=foo cryptenroll_wipe_and_check "$img" --password --wipe=all
+# Check if the newly (and only) enrolled password works
+(! systemd-cryptenroll --unlock-key-file=/tmp/password --recovery-key "$img")
+(! PASSWORD="" systemd-cryptenroll --recovery-key "$img")
+PASSWORD=foo systemd-cryptenroll --recovery-key "$img"
+
 systemd-cryptenroll --fido2-with-client-pin=false "$img"
 systemd-cryptenroll --fido2-with-user-presence=false "$img"
 systemd-cryptenroll --fido2-with-user-verification=false "$img"
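Review bot: `cryptenroll_wipe_and_check` decides success solely on the grep for `Wiped slot N`; with pipefail switched off and systemd-cryptenroll piped into tee, the tool's own exit status is discarded, so a run that wipes one slot and then exits non-zero (for instance partway through a list such as `--wipe=0,0,empty,0,pkcs11,fido2,000,recovery`) still passes the check. Capturing the first pipeline stage's status closes that gap without re-enabling pipefail: keep `systemd-cryptenroll "$@" |& tee /tmp/cryptenroll.out` and follow it with `[[ ${PIPESTATUS[0]} -eq 0 ]] || return 1` before the grep; the negated `(! cryptenroll_wipe_and_check …)` cases keep working since a failed run still fails. A one-line comment on why pipefail is disabled in the subshell would help the next reader, e.g. `# pipefail off: the grep below is the assertion, not the pipeline status` — that reading is inferred, so confirm it matches the intent. The scratch file `/tmp/cryptenroll.out` is never removed, unlike `/tmp/testdata` earlier in the hunk; a `rm -f /tmp/cryptenroll.out` once the wipe checks are done would keep the test tidy.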