Merge pull request #999 from sarthurdev/T7628

tpm: T7628: Extend test for non-TPM backed encryption
2025-10-01 20:28:40 +02:00 · 2025-07-29 15:54:15 +01:00 · 2025-07-29 15:54:15 +01:00 · 3e02e42e76
commit 3e02e42e76
parent dbf36b928f df9312fc72
1 changed files with 82 additions and 0 deletions
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@ -754,6 +754,88 @@ try:

        verify_config()

+        # Shutdown VM
+        shutdownVM(c, log, 'Shutdown VM for non-TPM backed test')
+
+        # Clear swtpm
+        from glob import glob
+        for f in glob(f'{tpm_folder}/*'):
+            os.remove(f)
+
+        # Shutdown kills swtpm
+        tpm_process.join()
+        tpm_process.close()
+        tpm_process = None
+
+        # Booting back into VM
+        log.info('Booting system without TPM')
+        cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, tpm=False, vnc_enabled=args.vnc)
+        log.debug(f'Executing command: {cmd}')
+        c = pexpect.spawn(cmd, logfile=stl)
+
+        try:
+            c.expect('The highlighted entry will be executed automatically in', timeout=10)
+            c.sendline('')
+        except pexpect.TIMEOUT:
+            log.warning('Did not find GRUB countdown window, ignoring')
+
+        loginVM(c, log)
+
+        # New recovery key
+        test_recovery_key = ''.join(choices(string.ascii_uppercase + string.digits, k=32))
+
+        log.info('Encrypting config')
+        c.sendline('encryption enable')
+        c.expect('Are you sure you want to proceed\?.*')
+        c.sendline('y')
+        c.expect('Enter key: ')
+        c.sendline(test_recovery_key)
+        c.expect('Enter size of encrypted config partition.*', timeout=30)
+        c.sendline('32')
+        c.expect('Encrypted config volume has been enabled', timeout=tpm_timeout)
+        c.expect('Backup the key in a safe place!')
+        c.expect(f'Key: {test_recovery_key}')
+        c.expect(op_mode_prompt)
+
+        verify_mount()
+
+        shutdownVM(c, log, 'Shutdown VM for non-TPM config load')
+
+        # Booting back into VM
+        log.info('Booting system without TPM')
+        cmd = get_qemu_cmd(qemu_name, args.uefi, args.disk, raid=diskname_raid, tpm=False, vnc_enabled=args.vnc)
+        log.debug(f'Executing command: {cmd}')
+        c = pexpect.spawn(cmd, logfile=stl)
+
+        try:
+            c.expect('The highlighted entry will be executed automatically in', timeout=10)
+            c.sendline('')
+        except pexpect.TIMEOUT:
+            log.warning('Did not find GRUB countdown window, ignoring')
+
+        c.expect('.*Encrypted config volume has not been mounted', timeout=120)
+
+        loginVM(c, log)
+
+        # Test loading config with recovery key
+        c.sendline('encryption load')
+        c.expect('Enter key: ')
+        c.sendline(test_recovery_key)
+        c.expect('Encrypted config volume has been mounted', timeout=120)
+        c.expect(op_mode_prompt)
+
+        verify_mount()
+
+        log.info('Loading encrypted config.boot')
+        c.sendline('configure')
+        c.expect(cfg_mode_prompt)
+        c.sendline('load /config/config.boot')
+        c.expect(cfg_mode_prompt)
+        c.sendline('commit')
+        c.expect(cfg_mode_prompt)
+        c.sendline('exit')
+        c.expect(op_mode_prompt)
+
    elif args.raid:
        # Verify RAID subsystem - by deleting a disk and re-create the array
        # from scratch