blob: 9e919db65dde8bb461a799ed051450e4f2eca44a (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
|
import ./make-test-python.nix ({ lib, pkgs, ... }:
{
name = "swap-random-encryption";
nodes.machine =
{ config, pkgs, lib, ... }:
{
environment.systemPackages = [ pkgs.cryptsetup ];
virtualisation.useDefaultFilesystems = false;
virtualisation.rootDevice = "/dev/vda1";
boot.initrd.postDeviceCommands = ''
if ! test -b /dev/vda1; then
${pkgs.parted}/bin/parted --script /dev/vda -- mklabel msdos
${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary 1MiB -250MiB
${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary -250MiB 100%
sync
fi
FSTYPE=$(blkid -o value -s TYPE /dev/vda1 || true)
if test -z "$FSTYPE"; then
${pkgs.e2fsprogs}/bin/mke2fs -t ext4 -L root /dev/vda1
fi
'';
virtualisation.fileSystems = {
"/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
};
swapDevices = [
{
device = "/dev/vda2";
randomEncryption = {
enable = true;
cipher = "aes-xts-plain64";
keySize = 512;
sectorSize = 4096;
};
}
];
};
testScript = ''
machine.wait_for_unit("multi-user.target")
with subtest("Swap is active"):
# Doesn't matter if the numbers reported by `free` are slightly off due to unit conversions.
machine.succeed("free -h | grep -E 'Swap:\s+2[45][0-9]Mi'")
with subtest("Swap device has 4k sector size"):
import json
result = json.loads(machine.succeed("lsblk -Jo PHY-SEC,LOG-SEC /dev/mapper/dev-vda2"))
block_devices = result["blockdevices"]
if len(block_devices) != 1:
raise Exception ("lsblk output did not report exactly one block device")
swapDevice = block_devices[0];
if not (swapDevice["phy-sec"] == 4096 and swapDevice["log-sec"] == 4096):
raise Exception ("swap device does not have the sector size specified in the configuration")
with subtest("Swap encrypt has assigned cipher and keysize"):
import re
results = machine.succeed("cryptsetup status dev-vda2").splitlines()
cipher_pattern = re.compile(r"\s*cipher:\s+aes-xts-plain64\s*")
if not any(cipher_pattern.fullmatch(line) for line in results):
raise Exception ("swap device encryption does not use the cipher specified in the configuration")
key_size_pattern = re.compile(r"\s*keysize:\s+512\s+bits\s*")
if not any(key_size_pattern.fullmatch(line) for line in results):
raise Exception ("swap device encryption does not use the key size specified in the configuration")
'';
})
|