# NixOS VM test: a swap partition with `randomEncryption` enabled.
#
# The machine is built on a custom disk layout (root on /dev/vda1, swap on
# /dev/vda2, see the initrd partitioning below) and the test script then checks
# that the encrypted swap is active and that the cipher, key size and sector
# size requested in `randomEncryption` are what the mapped device actually
# reports (via `lsblk` and `cryptsetup status`).
import ./make-test-python.nix (
  { lib, pkgs, ... }:
  {
    name = "swap-random-encryption";

    nodes.machine =
      {
        config,
        pkgs,
        lib,
        ...
      }:
      {
        # `cryptsetup` is needed on the guest so the test script can inspect
        # the dm-crypt mapping with `cryptsetup status`.
        environment.systemPackages = [ pkgs.cryptsetup ];

        # Opt out of the test framework's default disk setup: the root
        # filesystem and the swap partition are created by hand in the initrd
        # (postDeviceCommands below) so that a real second partition exists.
        virtualisation.useDefaultFilesystems = false;
        virtualisation.rootDevice = "/dev/vda1";

        boot.initrd.postDeviceCommands = ''
          if ! test -b /dev/vda1; then
            ${pkgs.parted}/bin/parted --script /dev/vda -- mklabel msdos
            ${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary 1MiB -250MiB
            ${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary -250MiB 100%
            sync
          fi

          FSTYPE=$(blkid -o value -s TYPE /dev/vda1 || true)
          if test -z "$FSTYPE"; then
            ${pkgs.e2fsprogs}/bin/mke2fs -t ext4 -L root /dev/vda1
          fi
        '';
        # Partitioning runs only when /dev/vda1 does not exist yet, and the root
        # filesystem is only created when blkid reports no filesystem type, so
        # the commands are safe to re-run on a disk that was already prepared.
        # `|| true` keeps a failing blkid (e.g. unformatted partition) from
        # aborting the initrd script.  The swap partition is the last 250MiB
        # of the disk; the "Swap is active" subtest's size regex relies on that.

        # The label "root" set by mke2fs above is what this mount refers to.
        virtualisation.fileSystems = {
          "/" = {
            device = "/dev/disk/by-label/root";
            fsType = "ext4";
          };
        };

        swapDevices = [
          {
            device = "/dev/vda2";
            # NOTE(review): going by the option name, the swap key is generated
            # fresh on every boot rather than stored anywhere, so swap contents
            # are unrecoverable after a reboot (and resume-from-hibernation is
            # not possible on this device) — confirm against the module.
            randomEncryption = {
              enable = true;
              # XTS consumes two keys, so 512 bits here means AES-256 for each
              # half.  The test script checks both values below against what
              # `cryptsetup status` reports for the mapping.
              cipher = "aes-xts-plain64";
              keySize = 512;
              # Verified by the lsblk subtest (PHY-SEC and LOG-SEC must both
              # be 4096).
              sectorSize = 4096;
            };
          }
        ];
      };

    # Test script (Python, run by the NixOS test driver).  Three subtests:
    #   1. "Swap is active": `free -h` must show a swap total in the 240–259Mi
    #      range, i.e. the ~250MiB partition created above (the comment in the
    #      script explains the tolerance).
    #   2. "Swap device has 4k sector size": `lsblk -J` on the mapped device
    #      must report exactly one block device with phy-sec/log-sec == 4096.
    #   3. "Swap encrypt has assigned cipher and keysize": `cryptsetup status`
    #      must contain a "cipher: aes-xts-plain64" line and a
    #      "keysize: 512 bits" line.
    # The mapping name `dev-vda2` is presumably derived from the device path
    # "/dev/vda2" by the swap module — verify there if the device changes.
    # NOTE(review): `cryptsetup status` also prints a `type:` line; the test
    # does not assert that the mapping is a plain (headerless) one, which is
    # what a random per-boot key implies — consider adding that check.
    testScript = ''
      machine.wait_for_unit("multi-user.target")

      with subtest("Swap is active"):
        # Doesn't matter if the numbers reported by `free` are slightly off due to unit conversions.
        machine.succeed("free -h | grep -E 'Swap:\s+2[45][0-9]Mi'")

      with subtest("Swap device has 4k sector size"):
        import json
        result = json.loads(machine.succeed("lsblk -Jo PHY-SEC,LOG-SEC /dev/mapper/dev-vda2"))
        block_devices = result["blockdevices"]
        if len(block_devices) != 1:
          raise Exception ("lsblk output did not report exactly one block device")

        swapDevice = block_devices[0];
        if not (swapDevice["phy-sec"] == 4096 and swapDevice["log-sec"] == 4096):
          raise Exception ("swap device does not have the sector size specified in the configuration")

      with subtest("Swap encrypt has assigned cipher and keysize"):
        import re

        results = machine.succeed("cryptsetup status dev-vda2").splitlines()

        cipher_pattern = re.compile(r"\s*cipher:\s+aes-xts-plain64\s*")
        if not any(cipher_pattern.fullmatch(line) for line in results):
          raise Exception ("swap device encryption does not use the cipher specified in the configuration")

        key_size_pattern = re.compile(r"\s*keysize:\s+512\s+bits\s*")
        if not any(key_size_pattern.fullmatch(line) for line in results):
          raise Exception ("swap device encryption does not use the key size specified in the configuration")
    '';
  }
)