coreos / ignition

First boot installer and configuration tool
https://coreos.github.io/ignition/
Apache License 2.0

Luks Blackbox Testing add tpm validation support. #1877

Open prestist opened 1 month ago

prestist commented 1 month ago

Feature Request

When testing LUKS and using a non-static Clevis binding as a developer, I would like to know not only that the device gets encrypted, but also to verify that the binding I used is what is reported after Ignition runs.

Add support for ClevisBinding verification in the blackbox tests.

As an example,

package luks // package name assumed; the LUKS blackbox tests live under tests/positive

import "github.com/coreos/ignition/v2/tests/types"

func LuksWithTPM() types.Test {
    name := "tpm.filesystem.luks.encrypt"
    in := types.GetBaseDisk()
    out := types.GetBaseDisk()
    mntDevices := []types.MntDevice{
        {
            Label:        "OEM",
            Substitution: "$DEVICE",
        },
    }
    // Ignition spec 3.x keys are camelCase (wipeTable, wipeVolume).
    config := `{
        "ignition": { "version": "$version" },
        "storage": {
          "disks": [
            {
              "device": "$DEVICE",
              "partitions": [
                {
                  "label": "luks-device",
                  "sizeMiB": 0,
                  "startMiB": 0
                }
              ],
              "wipeTable": true
            }
          ],
          "luks": [
            {
              "clevis": {
                "tpm2": true
              },
              "device": "$DEVICE",
              "name": "$UUID",
              "wipeVolume": true
            }
          ]
        }
    }`
    configMinVersion := "3.2.0" // luks/clevis first appear in spec 3.2.0

    return types.Test{
        Name:             name,
        In:               in,
        Out:              out,
        MntDevices:       mntDevices,
        Config:           config,
        ConfigMinVersion: configMinVersion,
    }
}

Would be verified by

in[0].Partitions.GetPartition("OEM").ClevisBinding = ""
out[0].Partitions.GetPartition("OEM").ClevisBinding = "tpm2"
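One way the requested check could read the binding back from a device, as an added example written for this issue rather than code from the poster or from Ignition: it parses the LUKS2 token list that `cryptsetup luksDump --dump-json-metadata <device>` prints and decodes the Clevis pin from the JWE protected header, the same data `clevis luks list` reports. The type and function names and the constructed sample header are assumptions; a blackbox test would run cryptsetup against the device and compare the returned pin with the expected `ClevisBinding`.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// luksHeader models the LUKS2 "tokens" map of `cryptsetup luksDump --dump-json-metadata`;
// Clevis writes a token of type "clevis" whose JWE protected header names the pin.
type luksHeader struct {
	Tokens map[string]struct {
		Type string `json:"type"`
		JWE  struct {
			Protected string `json:"protected"`
		} `json:"jwe"`
	} `json:"tokens"`
}

// ClevisBinding returns the Clevis pin ("tpm2", "tang" or "sss") recorded in a
// LUKS2 header JSON, "" if no clevis token exists; a malformed clevis token is an error.
func ClevisBinding(headerJSON []byte) (string, error) {
	var hdr luksHeader
	if err := json.Unmarshal(headerJSON, &hdr); err != nil {
		return "", err
	}
	for id, tok := range hdr.Tokens {
		if tok.Type != "clevis" {
			continue
		}
		// JWE protected headers are base64url without padding (RFC 7516).
		raw, err := base64.RawURLEncoding.DecodeString(tok.JWE.Protected)
		if err != nil {
			return "", fmt.Errorf("token %s: %w", id, err)
		}
		var prot struct{ Clevis struct{ Pin string } } // encoding/json matches keys case-insensitively
		if err := json.Unmarshal(raw, &prot); err != nil || prot.Clevis.Pin == "" {
			return "", fmt.Errorf("token %s: no clevis.pin in protected header", id)
		}
		return prot.Clevis.Pin, nil
	}
	return "", nil
}

// SampleHeader builds a constructed header with one Clevis token for pin
// (sample data, not captured from a real device).
func SampleHeader(pin string) []byte {
	prot := base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf(`{"alg":"dir","enc":"A256GCM","clevis":{"pin":%q}}`, pin)))
	return []byte(fmt.Sprintf(`{"tokens":{"0":{"type":"clevis","jwe":{"protected":%q}}}}`, prot))
}
```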