Merge pull request #184770 from NickCao/kernel-keyring

This commit is contained in:
Bernardo Meurer 2022-10-14 09:46:01 -03:00 committed by GitHub
commit 71f2836fba
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 39 additions and 0 deletions

View file

@ -4,4 +4,5 @@
{
simple = import ./simple.nix { inherit system pkgs; };
encryption = import ./encryption.nix { inherit system pkgs; };
}

View file

@ -0,0 +1,33 @@
import ../make-test-python.nix ({ pkgs, ... }:
{
name = "stratis";
meta = with pkgs.lib.maintainers; {
maintainers = [ nickcao ];
};
nodes.machine = { pkgs, ... }: {
services.stratis.enable = true;
virtualisation.emptyDiskImages = [ 2048 ];
};
testScript =
let
testkey1 = pkgs.writeText "testkey1" "supersecret1";
testkey2 = pkgs.writeText "testkey2" "supersecret2";
in
''
machine.wait_for_unit("stratisd")
# test creation of encrypted pool and filesystem
machine.succeed("stratis key set testkey1 --keyfile-path ${testkey1}")
machine.succeed("stratis key set testkey2 --keyfile-path ${testkey2}")
machine.succeed("stratis pool create testpool /dev/vdb --key-desc testkey1")
machine.succeed("stratis fs create testpool testfs")
# test rebinding encrypted pool
machine.succeed("stratis pool rebind keyring testpool testkey2")
# test restarting encrypted pool
uuid = machine.succeed("stratis pool list | grep -oE '[0-9a-fA-F-]{36}'").rstrip('\n')
machine.succeed(" stratis pool stop testpool")
machine.succeed(f"stratis pool start {uuid} --unlock-method keyring")
'';
})

View file

@ -505,6 +505,11 @@ let
# Depends on MODULE_SIG and only really helps when you sign your modules
# and enforce signatures which we don't do by default.
SECURITY_LOCKDOWN_LSM = option no;
# provides a register of persistent per-UID keyrings, useful for encrypting storage pools in stratis
PERSISTENT_KEYRINGS = yes;
# enable temporary caching of the last request_key() result
KEYS_REQUEST_CACHE = whenAtLeast "5.3" yes;
} // optionalAttrs (!stdenv.hostPlatform.isAarch32) {
# Detect buffer overflows on the stack