From f716a7ec3221d3954395a0bc9b8124f4532bebb9 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Fri, 1 Mar 2019 23:01:21 +0100
Subject: [PATCH 1/2] cryptsetup: 2.0.6 -> 2.1.0
Bump to the latest stable version. Be aware that cryptsetup changed the default LUKS header format with this version. When porting this to a stable distribution you should supply the configure flag `--with-default-luks-format=LUKS1` to preserve the user experience there. The full changelog can be seen at [0]. [0] https://gitlab.com/cryptsetup/cryptsetup/blob/master/docs/v2.1.0-ReleaseNotes
---
 pkgs/os-specific/linux/cryptsetup/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkgs/os-specific/linux/cryptsetup/default.nix b/pkgs/os-specific/linux/cryptsetup/default.nix
index f4c83a58823c..fac62597013c 100644
--- a/pkgs/os-specific/linux/cryptsetup/default.nix
+++ b/pkgs/os-specific/linux/cryptsetup/default.nix
@@ -5,13 +5,13 @@ assert enablePython -> python2 != null;
 stdenv.mkDerivation rec {
- name = "cryptsetup-2.0.6";
+ name = "cryptsetup-2.1.0";
 outputs = [ "out" "dev" "man" ];
 src = fetchurl {
- url = "mirror://kernel/linux/utils/cryptsetup/v2.0/${name}.tar.xz";
- sha256 = "0c1x125s7p4ps13spsqrcsd9dclz01vsrchmypq9msp7y3hgllbw";
+ url = "mirror://kernel/linux/utils/cryptsetup/v2.1/${name}.tar.xz";
+ sha256 = "15y8n547garz0x5kqv09gscdsrz0c0y1y6c5cp8pccwg3xsb5vm3";
 };
 # Disable 4 test cases that fail in a sandbox
From 839a37fdd24d66b04fc8bd634ffab17598ec485c Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Fri, 1 Mar 2019 23:47:19 +0100
Subject: [PATCH 2/2] nixos/tests/installer: add cryptsetup tests for LUKS format 2 & default format
---
 nixos/tests/installer.nix | 70 ++++++++++++++++++++++-----------------
 1 file changed, 39 insertions(+), 31 deletions(-)
diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix
index 2553a0d116ae..5e363f5d09e9 100644
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@@ -273,6 +273,37 @@ let
 };
 };
+ makeLuksRootTest = name: luksFormatOpts: makeInstallerTest "luksroot-format2"
+ { createPartitions = ''
+ $machine->succeed(
+ "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
+ . " mkpart primary ext2 1M 50MB" # /boot
+ . " mkpart primary linux-swap 50M 1024M"
+ . " mkpart primary 1024M -1s", # LUKS
+ "udevadm settle",
+ "mkswap /dev/vda2 -L swap",
+ "swapon -L swap",
+ "modprobe dm_mod dm_crypt",
+ "echo -n supersecret | cryptsetup luksFormat ${luksFormatOpts} -q /dev/vda3 -",
+ "echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vda3 cryptroot",
+ "mkfs.ext3 -L nixos /dev/mapper/cryptroot",
+ "mount LABEL=nixos /mnt",
+ "mkfs.ext3 -L boot /dev/vda1",
+ "mkdir -p /mnt/boot",
+ "mount LABEL=boot /mnt/boot",
+ );
+ '';
+ extraConfig = ''
+ boot.kernelParams = lib.mkAfter [ "console=tty0" ];
+ '';
+ enableOCR = true;
+ preBootCommands = ''
+ $machine->start;
+ $machine->waitForText(qr/Passphrase for/);
+ $machine->sendChars("supersecret\n");
+ '';
+ };
+
 in {
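Review bot: The `name` argument of `makeLuksRootTest` is never used: the first added line passes the literal `"luksroot-format2"` to `makeInstallerTest`, so every test built from this helper gets that same string whatever the caller supplies. The line should read `makeLuksRootTest = name: luksFormatOpts: makeInstallerTest name`. Separately, `${luksFormatOpts}` is interpolated into the `cryptsetup luksFormat` command but nothing afterwards checks which header version was actually written, so a variant would still pass if the option were ignored or the build default changed. A `cryptsetup luksDump /dev/vda3` check right after formatting, with the expected version supplied by the caller, would pin the header format each test is meant to cover.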
@@ -446,37 +477,14 @@ in {
 '';
 };
- # Boot off an encrypted root partition
- luksroot = makeInstallerTest "luksroot"
- { createPartitions = ''
- $machine->succeed(
- "flock /dev/vda parted --script /dev/vda -- mklabel msdos"
- . " mkpart primary ext2 1M 50MB" # /boot
- . " mkpart primary linux-swap 50M 1024M"
- . " mkpart primary 1024M -1s", # LUKS
- "udevadm settle",
- "mkswap /dev/vda2 -L swap",
- "swapon -L swap",
- "modprobe dm_mod dm_crypt",
- "echo -n supersecret | cryptsetup luksFormat -q /dev/vda3 -",
- "echo -n supersecret | cryptsetup luksOpen --key-file - /dev/vda3 cryptroot",
- "mkfs.ext3 -L nixos /dev/mapper/cryptroot",
- "mount LABEL=nixos /mnt",
- "mkfs.ext3 -L boot /dev/vda1",
- "mkdir -p /mnt/boot",
- "mount LABEL=boot /mnt/boot",
- );
- '';
- extraConfig = ''
- boot.kernelParams = lib.mkAfter [ "console=tty0" ];
- '';
- enableOCR = true;
- preBootCommands = ''
- $machine->start;
- $machine->waitForText(qr/Passphrase for/);
- $machine->sendChars("supersecret\n");
- '';
- };
+ # Boot off an encrypted root partition with the default LUKS header format
+ luksroot = makeLuksRootTest "luksroot-format1" "";
+
+ # Boot off an encrypted root partition with LUKS1 format
+ luksroot-format1 = makeLuksRootTest "luksroot-format1" "--type=LUKS1";
+
+ # Boot off an encrypted root partition with LUKS2 format
+ luksroot-format2 = makeLuksRootTest "luksroot-format2" "--type=LUKS2";
 # Test whether opening encrypted filesystem with keyfile
 # Checks for regression of missing cryptsetup, when no luks device without
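Review bot: The default-format attribute `luksroot` is given the name `"luksroot-format1"`, the same string as the `luksroot-format1` attribute below it, which looks like a copy-paste slip. It has no visible effect here only because the `makeLuksRootTest` helper added in the earlier installer.nix hunk ignores its `name` argument; if the helper is changed to honour it, two tests would share one name. Suggested line: `luksroot = makeLuksRootTest "luksroot" "";`. The comment above it could also state that the default is whatever cryptsetup was configured with (LUKS2 as of 2.1.0 unless built with `--with-default-luks-format=LUKS1`, per the commit message of patch 1/2), since that decides whether this test duplicates `luksroot-format2`.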