Merge pull request #139864 from ymatsiuk/systemdtpm2
systemd: add missing TPM2 build dependencies
commit
643f23ffe5
|
@ -429,6 +429,7 @@ in
|
||||||
systemd-binfmt = handleTestOn ["x86_64-linux"] ./systemd-binfmt.nix {};
|
systemd-binfmt = handleTestOn ["x86_64-linux"] ./systemd-binfmt.nix {};
|
||||||
systemd-boot = handleTest ./systemd-boot.nix {};
|
systemd-boot = handleTest ./systemd-boot.nix {};
|
||||||
systemd-confinement = handleTest ./systemd-confinement.nix {};
|
systemd-confinement = handleTest ./systemd-confinement.nix {};
|
||||||
|
systemd-cryptenroll = handleTest ./systemd-cryptenroll.nix {};
|
||||||
systemd-journal = handleTest ./systemd-journal.nix {};
|
systemd-journal = handleTest ./systemd-journal.nix {};
|
||||||
systemd-networkd = handleTest ./systemd-networkd.nix {};
|
systemd-networkd = handleTest ./systemd-networkd.nix {};
|
||||||
systemd-networkd-dhcpserver = handleTest ./systemd-networkd-dhcpserver.nix {};
|
systemd-networkd-dhcpserver = handleTest ./systemd-networkd-dhcpserver.nix {};
|
||||||
|
|
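--- /dev/null
+++ b/nixos/tests/systemd-cryptenroll.nix
@@ -0,0 +1,55 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+name = "systemd-cryptenroll";
+meta = with pkgs.lib.maintainers; {
+maintainers = [ ymatsiuk ];
+};
+
+machine = { pkgs, lib, ... }: {
+environment.systemPackages = [ pkgs.cryptsetup ];
+virtualisation = {
+emptyDiskImages = [ 512 ];
+memorySize = 1024;
+qemu.options = [
+"-chardev socket,id=chrtpm,path=/tmp/swtpm-sock"
+"-tpmdev emulator,id=tpm0,chardev=chrtpm"
+"-device tpm-tis,tpmdev=tpm0"
+];
+};
+};
+
+testScript = ''
+import subprocess
+import tempfile
+
+def start_swtpm(tpmstate):
+subprocess.Popen(["${pkgs.swtpm}/bin/swtpm", "socket", "--tpmstate", "dir="+tpmstate, "--ctrl", "type=unixio,path=/tmp/swtpm-sock", "--log", "level=0", "--tpm2"])
+
+with tempfile.TemporaryDirectory() as tpmstate:
+start_swtpm(tpmstate)
+machine.start()
+
+# Verify the TPM device is available and accessible by systemd-cryptenroll
+machine.succeed("test -e /dev/tpm0")
+machine.succeed("test -e /dev/tpmrm0")
+machine.succeed("systemd-cryptenroll --tpm2-device=list")
+
+# Create LUKS partition
+machine.succeed("echo -n lukspass | cryptsetup luksFormat -q /dev/vdb -")
+# Enroll new LUKS key and bind it to Secure Boot state
+# For more details on PASSWORD variable, check the following issue:
+# https://github.com/systemd/systemd/issues/20955
+machine.succeed("PASSWORD=lukspass systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/vdb")
+# Add LUKS partition to /etc/crypttab to test auto unlock
+machine.succeed("echo 'luks /dev/vdb - tpm2-device=auto' >> /etc/crypttab")
+machine.shutdown()
+
+start_swtpm(tpmstate)
+machine.start()
+
+# Test LUKS partition automatic unlock on boot
+machine.wait_for_unit("systemd-cryptsetup@luks.service")
+# Wipe TPM2 slot
+machine.succeed("systemd-cryptenroll --wipe-slot=tpm2 /dev/vdb")
+'';
+})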
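Review bot: The test only exercises the positive path, so a regression that leaves the volume unlockable without the sealed key, or that leaves the TPM2 token in place after `--wipe-slot=tpm2`, would still pass; after the final `machine.succeed(...)` add `machine.fail("cryptsetup luksDump /dev/vdb | grep -q systemd-tpm2")`, and consider a third boot against a fresh `tempfile.TemporaryDirectory()` (empty TPM state) asserting that `systemd-cryptsetup@luks.service` does not come up on its own. Nothing in this VM measures into PCR 7 (no UEFI Secure Boot is configured), so `--tpm2-pcrs=7` seals against the reset value and the test proves the TPM2 plumbing rather than any boot-state policy; the comment "bind it to Secure Boot state" should say so, e.g. `# PCR 7 is unmeasured in this VM: this checks TPM2 sealing/unsealing, not a Secure Boot policy`. The `subprocess.Popen` handle in `start_swtpm` is discarded, so the first swtpm is never explicitly stopped before the second one is launched on the same `/tmp/swtpm-sock`; unless swtpm exits by itself when QEMU closes the control channel, pass `--terminate` on the ctrl option or keep the handle and call `.terminate()` before restarting.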
|
@ -251,6 +251,7 @@ stdenv.mkDerivation {
|
||||||
{ name = "libtss2-esys.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
|
{ name = "libtss2-esys.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
|
||||||
{ name = "libtss2-rc.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
|
{ name = "libtss2-rc.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
|
||||||
{ name = "libtss2-mu.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
|
{ name = "libtss2-mu.so.0"; pkg = opt withTpm2Tss tpm2-tss; }
|
||||||
|
{ name = "libtss2-tcti-"; pkg = opt withTpm2Tss tpm2-tss; }
|
||||||
{ name = "libfido2.so.1"; pkg = opt withFido2 libfido2; }
|
{ name = "libfido2.so.1"; pkg = opt withFido2 libfido2; }
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -267,8 +268,12 @@ stdenv.mkDerivation {
|
||||||
'' else ''
|
'' else ''
|
||||||
# ensure that the library we provide actually exists
|
# ensure that the library we provide actually exists
|
||||||
if ! [ -e ${library} ]; then
|
if ! [ -e ${library} ]; then
|
||||||
echo 'The shared library `${library}` does not exist but was given as subtitute for `${dl.name}`'
|
# exceptional case, details:
|
||||||
exit 1
|
# https://github.com/systemd/systemd-stable/blob/v249-stable/src/shared/tpm2-util.c#L157
|
||||||
|
if ! [[ "${library}" =~ .*libtss2-tcti-$ ]]; then
|
||||||
|
echo 'The shared library `${library}` does not exist but was given as subtitute for `${dl.name}`'
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
# make the path to the dependency explicit
|
# make the path to the dependency explicit
|
||||||
for file in $(grep -lr '"${dl.name}"' src); do
|
for file in $(grep -lr '"${dl.name}"' src); do
|
||||||
|
@ -353,6 +358,7 @@ stdenv.mkDerivation {
|
||||||
++ lib.optionals withHomed [ p11-kit ]
|
++ lib.optionals withHomed [ p11-kit ]
|
||||||
++ lib.optionals (withHomed || withCryptsetup) [ libfido2 ]
|
++ lib.optionals (withHomed || withCryptsetup) [ libfido2 ]
|
||||||
++ lib.optionals withLibBPF [ libbpf ]
|
++ lib.optionals withLibBPF [ libbpf ]
|
||||||
|
++ lib.optional withTpm2Tss tpm2-tss
|
||||||
;
|
;
|
||||||
|
|
||||||
#dontAddPrefix = true;
|
#dontAddPrefix = true;
|
||||||
|
@ -452,7 +458,7 @@ stdenv.mkDerivation {
|
||||||
"-Dnss-systemd=false"
|
"-Dnss-systemd=false"
|
||||||
] ++ lib.optionals withLibBPF [
|
] ++ lib.optionals withLibBPF [
|
||||||
"-Dbpf-framework=true"
|
"-Dbpf-framework=true"
|
||||||
];
|
] ++ lib.optional withTpm2Tss "-Dtpm2=true";
|
||||||
|
|
||||||
preConfigure = ''
|
preConfigure = ''
|
||||||
mesonFlagsArray+=(-Dntp-servers="0.nixos.pool.ntp.org 1.nixos.pool.ntp.org 2.nixos.pool.ntp.org 3.nixos.pool.ntp.org")
|
mesonFlagsArray+=(-Dntp-servers="0.nixos.pool.ntp.org 1.nixos.pool.ntp.org 2.nixos.pool.ntp.org 3.nixos.pool.ntp.org")
|
||||||
|
|
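Review bot: The new `libtss2-tcti-` branch in the existence check skips verification entirely for that entry, so a tpm2-tss build that ships no TCTI modules would pass the build and only fail at runtime when systemd dlopens `${tpm2-tss}/lib/libtss2-tcti-<driver>.so.0`; instead of bypassing the check, require at least one module to exist, e.g. `if ! [[ "${library}" =~ .*libtss2-tcti-$ ]] || ! compgen -G "${library}*.so.0" > /dev/null; then`. The prefix is written into the source by the `for file in $(grep -lr ...)` loop whose body lies outside the hunk, so I cannot confirm here that the absolute prefix still concatenates correctly with the driver name systemd appends (per the linked tpm2-util.c line); a comment on the exceptional branch such as `# prefix only: systemd appends "<driver>.so.0" at runtime, so no single file to check` would make the intent explicit. Making the prefix absolute is the right outcome, since the dlopen no longer walks the default library search path for a name partly chosen by the `tpm2-device=` setting. The echo on the added line repeats the existing typo `subtitute` (should be `substitute`).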