diff --git a/tests/negative/luks/creation.go b/tests/negative/luks/creation.go
new file mode 100644
index 0000000000..5cc20112cd
--- /dev/null
+++ b/tests/negative/luks/creation.go
@@ -0,0 +1,58 @@
+// Copyright 2023 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package luks
+
+import (
+ "github.com/coreos/ignition/v2/tests/register"
+ "github.com/coreos/ignition/v2/tests/types"
+)
+
+func init() {
+ register.Register(register.NegativeTest, LuksOnNonExtDevice())
+}
+
+func LuksOnNonExtDevice() types.Test {
+ name := "tang.filesystem.luks.encrypt"
+ in := types.GetBaseDisk()
+ out := types.GetBaseDisk()
+ mntDevices := []types.MntDevice{
+ {
+ Label: "EFI-SYSTEM",
+ Substitution: "$DEVICE",
+ },
+ }
+ config := `{
+ "ignition": { "version": "$version" },
+ "storage": {
+ "luks": [
+ {
+ "device": "$DEVICE",
+ "name": "luks-$UUID",
+ "wipe_volume": true
+ }
+ ]
+ }
+ }`
+ configMinVersion := "3.2.0"
+
+ return types.Test{
+ Name: name,
+ In: in,
+ Out: out,
+ MntDevices: mntDevices,
+ Config: config,
+ ConfigMinVersion: configMinVersion,
+ }
+}
diff --git a/tests/positive/luks/creation.go b/tests/positive/luks/creation.go
new file mode 100644
index 0000000000..0c3d1c3a77
--- /dev/null
+++ b/tests/positive/luks/creation.go
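Review bot: LuksOnNonExtDevice never states which failure it expects, and its `name := "tang.filesystem.luks.encrypt"` is the same string LuksWithOfflineTang uses in tests/positive/luks/creation.go, although this config contains no Tang binding. A negative test passes on any error, so without a stated expectation it can keep passing after the LUKS-specific rejection has regressed; a distinct name plus a doc comment such as `// LuksOnNonExtDevice expects Ignition to fail because <expected reason>.` would pin the intent. The config also spells the key `"wipe_volume"`, while the camelCase keys elsewhere in this diff (`keyFile`, `sizeMiB`) suggest the spec form is `wipeVolume`. If so, the key is presumably not applied as intended, and the same holds for `wipe_volume` and `wipe_table` in the three configs of the positive file.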
@@ -0,0 +1,187 @@
+// Copyright 2023 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package luks
+
+import (
+ "github.com/coreos/ignition/v2/tests/register"
+ "github.com/coreos/ignition/v2/tests/types"
+)
+
+func init() {
+ register.Register(register.PositiveTest, LuksWithStaticKey())
+ // register.Register(register.PositiveTest, LuksWithOfflineTang())
+ // register.Register(register.PositiveTest, LuksWithTPM())
+
+}
+
+func LuksWithStaticKey() types.Test {
+ name := "static.filesystem.luks.encrypt"
+ in := types.GetBaseDisk()
+ out := types.GetBaseDisk()
+ mntDevices := []types.MntDevice{
+ {
+ Label: "OEM",
+ Substitution: "$DEVICE",
+ },
+ }
+ config := `{
+ "ignition": { "version": "$version" },
+ "storage": {
+ "disks": [
+ {
+ "device": "$DEVICE",
+ "partitions": [
+ {
+ "label": "luks-device",
+ "sizeMiB": 0,
+ "startMiB": 0
+ }
+ ],
+ "wipe_table": true
+ }
+ ],
+ "luks": [
+ {
+ "device": "$DEVICE",
+ "name": "luks-$UUID",
+ "keyFile": {
+ "compression": "",
+ "source": "data:,REPLACE-THIS-WITH-YOUR-KEY-MATERIAL"
+ },
+ "wipe_volume": true
+ }
+ ]
+ }
+ }`
+ configMinVersion := "3.2.0"
+ in[0].Partitions.GetPartition("OEM").FilesystemType = "ext4"
+ out[0].Partitions.GetPartition("OEM").FilesystemType = "crypto_LUKS"
+
+ return types.Test{
+ Name: name,
+ In: in,
+ Out: out,
+ MntDevices: mntDevices,
+ Config: config,
+ ConfigMinVersion: configMinVersion,
+ }
+}
+
+func LuksWithTPM() types.Test {
+ name := "tpm.filesystem.luks.encrypt"
+ in := types.GetBaseDisk()
+ out := types.GetBaseDisk()
+ mntDevices := []types.MntDevice{
+ {
+ Label: "OEM",
+ Substitution: "$DEVICE",
+ },
+ }
+ config := `{
+ "ignition": { "version": "$version" },
+ "storage": {
+ "disks": [
+ {
+ "device": "$DEVICE",
+ "partitions": [
+ {
+ "label": "luks-device",
+ "sizeMiB": 0,
+ "startMiB": 0
+ }
+ ],
+ "wipe_table": true
+ }
+ ],
+ "luks": [
+ {
+ "clevis": {
+ "tpm2": true
+ },
+ "device": "$DEVICE",
+ "name": "luks-$UUID",
+ "wipe_volume": true
+ }
+ ]
+ }
+ }`
+ configMinVersion := "3.2.0"
+ in[0].Partitions.GetPartition("OEM").FilesystemType = "ext4"
+ out[0].Partitions.GetPartition("OEM").FilesystemType = "crypto_LUKS"
+
+ return types.Test{
+ Name: name,
+ In: in,
+ Out: out,
+ MntDevices: mntDevices,
+ Config: config,
+ ConfigMinVersion: configMinVersion,
+ }
+}
+
+func LuksWithOfflineTang() types.Test {
+ name := "tang.filesystem.luks.encrypt"
+ in := types.GetBaseDisk()
+ out := types.GetBaseDisk()
+ mntDevices := []types.MntDevice{
+ {
+ Label: "OEM",
+ Substitution: "$DEVICE",
+ },
+ }
+ config := `{
+ "ignition": { "version": "$version" },
+ "storage": {
+ "disks": [
+ {
+ "device": "$DEVICE",
+ "partitions": [
+ {
+ "label": "luks-device",
+ "sizeMiB": 0,
+ "startMiB": 0
+ }
+ ],
+ "wipe_table": false
+ }
+ ],
+ "luks": [{
+ "clevis": {
+ "tang": [{
+ "thumbprint": "REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT",
+ "url": "https://tang.example.com",
+ "advertisement": "{\"payload\": \"...\",\"protected\":\"...\",\"signature\":\"...\"}"
+ }]
+ },
+ "device": "$DEVICE",
+ "name": "luks-$UUID",
+ "wipe_volume": true
+
+ }]
+ }
+ }`
+ configMinVersion := "3.4.0"
+ in[0].Partitions.GetPartition("OEM").FilesystemType = "ext4"
+ out[0].Partitions.GetPartition("OEM").FilesystemType = "crypto_LUKS"
+
+ return types.Test{
+ Name: name,
+ In: in,
+ Out: out,
+ MntDevices: mntDevices,
+ Config: config,
+ ConfigMinVersion: configMinVersion,
+ }
+}
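Review bot: Only `LuksWithStaticKey` is registered in `init()`; the `LuksWithTPM` and `LuksWithOfflineTang` registrations are commented out with no reason given, so both clevis paths land as exported but unexercised code. As written, the Tang config could not bind even if enabled, since `thumbprint` is `REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT` and `advertisement` holds `...` placeholders. I would put a comment above the disabled lines along the lines of `// TODO(<issue>): disabled until <actual blocker, e.g. harness lacks a TPM2 device / real Tang advertisement>`, and mark `data:,REPLACE-THIS-WITH-YOUR-KEY-MATERIAL` as a test-only fixture so it is not copied as a template. From the visible lines, the only expected-state change is that the OEM partition's `FilesystemType` goes from `ext4` to `crypto_LUKS`; whether the volume actually unlocks with the supplied key is not asserted here.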
diff --git a/tests/registry/registry.go b/tests/registry/registry.go
index 917106b1ef..c100a97a43 100644
--- a/tests/registry/registry.go
+++ b/tests/registry/registry.go
@@ -27,6 +27,7 @@ import (
 _ "github.com/coreos/ignition/v2/tests/positive/files"
 _ "github.com/coreos/ignition/v2/tests/positive/filesystems"
 _ "github.com/coreos/ignition/v2/tests/positive/general"
+ _ "github.com/coreos/ignition/v2/tests/positive/luks"
 _ "github.com/coreos/ignition/v2/tests/positive/partitions"
 _ "github.com/coreos/ignition/v2/tests/positive/passwd"
 _ "github.com/coreos/ignition/v2/tests/positive/proxy"