From 8db1ad7850854beff268deaebaafe4e5867d76dc Mon Sep 17 00:00:00 2001
From: Nick Cao
Date: Tue, 2 Aug 2022 15:03:56 +0800
Subject: [PATCH 1/2] linux: enable PERSISTENT_KEYRINGS and KEYS_REQUEST_CACHE

PERSISTENT_KEYRINGS provides a register of persistent per-UID keyrings, useful for encrypting storage pools in stratis. KEYS_REQUEST_CACHE enable temporary caching of the last request_key() result.
---
 pkgs/os-specific/linux/kernel/common-config.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 97bf388d46a6..a1fd6d755277 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -504,6 +504,11 @@ let
 # Depends on MODULE_SIG and only really helps when you sign your modules
 # and enforce signatures which we don't do by default.
 SECURITY_LOCKDOWN_LSM = option no;
+
+ # provides a register of persistent per-UID keyrings, useful for encrypting storage pools in stratis
+ PERSISTENT_KEYRINGS = yes;
+ # enable temporary caching of the last request_key() result
+ KEYS_REQUEST_CACHE = whenAtLeast "5.3" yes;
 } // optionalAttrs (!stdenv.hostPlatform.isAarch32) {
 # Detect buffer overflows on the stack

From 732950b26b452cc6762df0d3a2998f010da76624 Mon Sep 17 00:00:00 2001
From: Nick Cao
Date: Fri, 16 Sep 2022 21:04:38 +0800
Subject: [PATCH 2/2] nixos/stratis: add test for encryption support

---
 nixos/tests/stratis/default.nix | 1 +
 nixos/tests/stratis/encryption.nix | 33 ++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 nixos/tests/stratis/encryption.nix

diff --git a/nixos/tests/stratis/default.nix b/nixos/tests/stratis/default.nix
index 6964852e30a0..42daadd5fcaa 100644
--- a/nixos/tests/stratis/default.nix
+++ b/nixos/tests/stratis/default.nix
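Review bot: The comment on `PERSISTENT_KEYRINGS` only names the stratis use case, but the option changes key lifetime for every user of the kernel: per the kernel keys documentation a persistent keyring survives logout and is garbage-collected only after `/proc/sys/kernel/keys/persistent_keyring_expiry` seconds of disuse (3 days by default), so key material linked into it stays resident much longer than in a session or user keyring. Suggest stating that in the comment, e.g. `# Persistent per-UID keyrings: survive logout, reaped after persistent_keyring_expiry (default 3 days). Needed by stratis for encrypted pools.`, and capitalising both new comments to match the sentence-cased comments just above them. The attribute set these options live in opens and closes outside the hunk.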
@@ -4,4 +4,5 @@ {
 simple = import ./simple.nix { inherit system pkgs; };
+ encryption = import ./encryption.nix { inherit system pkgs; };
 }
diff --git a/nixos/tests/stratis/encryption.nix b/nixos/tests/stratis/encryption.nix
new file mode 100644
index 000000000000..3faa3171843f
--- /dev/null
+++ b/nixos/tests/stratis/encryption.nix
@@ -0,0 +1,33 @@
+import ../make-test-python.nix ({ pkgs, ... }:
+ {
+ name = "stratis";
+
+ meta = with pkgs.lib.maintainers; {
+ maintainers = [ nickcao ];
+ };
+
+ nodes.machine = { pkgs, ... }: {
+ services.stratis.enable = true;
+ virtualisation.emptyDiskImages = [ 2048 ];
+ };
+
+ testScript =
+ let
+ testkey1 = pkgs.writeText "testkey1" "supersecret1";
+ testkey2 = pkgs.writeText "testkey2" "supersecret2";
+ in
+ ''
+ machine.wait_for_unit("stratisd")
+ # test creation of encrypted pool and filesystem
+ machine.succeed("stratis key set testkey1 --keyfile-path ${testkey1}")
+ machine.succeed("stratis key set testkey2 --keyfile-path ${testkey2}")
+ machine.succeed("stratis pool create testpool /dev/vdb --key-desc testkey1")
+ machine.succeed("stratis fs create testpool testfs")
+ # test rebinding encrypted pool
+ machine.succeed("stratis pool rebind keyring testpool testkey2")
+ # test restarting encrypted pool
+ uuid = machine.succeed("stratis pool list | grep -oE '[0-9a-fA-F-]{36}'").rstrip('\n')
+ machine.succeed(" stratis pool stop testpool")
+ machine.succeed(f"stratis pool start {uuid} --unlock-method keyring")
+ '';
+ })
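Review bot: The rebind step in encryption.nix is not actually verified: testkey1 and testkey2 are both still loaded when the pool is stopped and restarted, so `stratis pool start ... --unlock-method keyring` would succeed even if `pool rebind keyring testpool testkey2` had left the pool bound to testkey1. Dropping the old key before the restart, `machine.succeed("stratis key unset testkey1")` right after the rebind line, makes the unlock depend on the new binding, and `machine.succeed("stratis fs list | grep -w testfs")` after the start would confirm the filesystem survived the stop/start cycle rather than only the pool. The test's `name = "stratis"` presumably duplicates the name used by simple.nix, which the registration in default.nix calls `encryption`; `name = "stratis-encryption"` would keep the two distinguishable in test output, and the stray leading space in `" stratis pool stop testpool"` should go. The keys are materialised in the world-readable Nix store through `pkgs.writeText`, which is fine for a throwaway VM but worth a one-line comment so the pattern is not copied into real configurations.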