tests: add initrd-secrets-update

Add a test for updating the secrets on an existing initrd.
nix-community · Feb 24, 2023 · f4f8c41 · f4f8c41
1 parent 75a19cd
commit f4f8c41
Showing 1 changed file with 46 additions and 0 deletions.
diff --git a/nix/tests/lanzaboote.nix b/nix/tests/lanzaboote.nix
@@ -145,6 +145,52 @@ in
     '';
   };
 
+  # Test that the secrets configured to be appended to the initrd get updated
+  # when installing a new generation even if the initrd itself (i.e. its store
+  # path) does not change. 
+  #
+  # An unfortunate result of this NixOS feature is that updating the secrets
+  # without creating a new initrd might break previous generations. Lanzaboote
+  # has no control over that.
+  #
+  # This tests uses a specialisation to imitate a newer generation. This works
+  # because `lzbt` installs the specialisation of a generation AFTER installing
+  # the generation itself (thus making the specialisation "newer").
+  initrd-secrets-update =
+    let
+      originalSecret = (pkgs.writeText "oh-so-secure" "uhh-ooh-uhh-security");
+      newSecret = (pkgs.writeText "newly-secure" "so-much-better-now");
+    in
+    mkSecureBootTest {
+      name = "lanzaboote-initrd-secrets-update";
+      machine = { pkgs, lib, ... }: {
+        boot.initrd.secrets = {
+          "/test" = lib.mkDefault originalSecret;
+        };
+        boot.initrd.postMountCommands = ''
+          cp /test /mnt-root/secret-from-initramfs
+        '';
+
+        specialisation.variant.configuration = {
+          boot.initrd.secrets = {
+            "/test" = newSecret;
+          };
+        };
+      };
+      testScript = ''
+        machine.start()
+        machine.wait_for_unit("multi-user.target")
+
+        # Assert that only two boot files exists (a single kernel and a single
+        # initrd). If there are two initrds, the test would not be able to test
+        # updating the secret of an already existing initrd.
+        assert int(machine.succeed("ls -1 /boot/EFI/nixos | wc -l")) == 2
+
+        # It is expected that the initrd contains the new secret.
+        machine.succeed("cmp ${newSecret} /secret-from-initramfs")
+      '';
+    };
+
   modified-initrd-doesnt-boot-with-secure-boot = mkModifiedInitrdTest {
     name = "modified-initrd-doesnt-boot-with-secure-boot";
     useSecureBoot = true;