
Commit 0c1f2f3

committed
feat: add comprehensive TPM2 unlock test suite
1 parent 4b9a1b8 commit 0c1f2f3

15 files changed

+564
-0
lines changed
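--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,163 @@
+{
+disko.devices = {
+disk = {
+vdb = {
+device = "/dev/vdb";
+type = "disk";
+content = {
+type = "gpt";
+partitions = {
+vdb1 = {
+type = "EF00";
+size = "100M";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+mountOptions = [ "umask=0077" ];
+};
+};
+
+vdb2 = {
+size = "25%";
+content = {
+type = "bcachefs";
+filesystem = "empty_test";
+label = "edge-empty.vdb2";
+};
+};
+
+vdb3 = {
+size = "25%";
+content = {
+type = "bcachefs";
+filesystem = "corrupted_test";
+label = "edge-corrupted.vdb3";
+};
+};
+
+vdb4 = {
+size = "25%";
+content = {
+type = "bcachefs";
+filesystem = "missing_test";
+label = "edge-missing.vdb4";
+};
+};
+
+vdb5 = {
+size = "25%";
+content = {
+type = "bcachefs";
+filesystem = "multi_test";
+label = "edge-multi.vdb5";
+};
+};
+};
+};
+};
+
+vdc = {
+device = "/dev/vdc";
+type = "disk";
+content = {
+type = "gpt";
+partitions = {
+vdc1 = {
+size = "100%";
+content = {
+type = "bcachefs";
+filesystem = "malformed_test";
+label = "edge-malformed.vdc1";
+};
+};
+};
+};
+};
+
+vdd = {
+device = "/dev/vdd";
+type = "disk";
+content = {
+type = "gpt";
+partitions = {
+vdd1 = {
+size = "100%";
+content = {
+type = "bcachefs";
+filesystem = "single_device_test";
+label = "edge-single.vdd1";
+};
+};
+};
+};
+};
+};
+
+bcachefs_filesystems = {
+# Test 1: Empty configuration (unlock enabled but no secret files)
+empty_test = {
+type = "bcachefs_filesystem";
+passwordFile = "/tmp/secret.key";
+unlock = {
+enable = true;
+secretFiles = [];
+};
+};
+
+# Test 2: Corrupted JWE file
+corrupted_test = {
+type = "bcachefs_filesystem";
+passwordFile = "/tmp/secret.key";
+unlock = {
+enable = true;
+secretFiles = [ ./secrets/corrupted.jwe ];
+};
+};
+
+# Test 3: Missing secret files directory (unlock disabled)
+missing_test = {
+type = "bcachefs_filesystem";
+passwordFile = "/tmp/secret.key";
+unlock = {
+enable = false;
+};
+};
+
+# Test 4: Multiple valid keys
+multi_test = {
+type = "bcachefs_filesystem";
+passwordFile = "/tmp/secret.key";
+unlock = {
+enable = true;
+secretFiles = [
+./secrets/tpm.jwe
+./secrets/fido.jwe
+./secrets/tang.jwe
+];
+extraPackages = [ ];
+};
+};
+
+# Test 5: Malformed JWE files
+malformed_test = {
+type = "bcachefs_filesystem";
+passwordFile = "/tmp/secret.key";
+unlock = {
+enable = true;
+secretFiles = [ ./secrets/invalid.jwe ];
+};
+};
+
+# Test 6: Single device configuration
+single_device_test = {
+type = "bcachefs_filesystem";
+passwordFile = "/tmp/secret.key";
+unlock = {
+enable = true;
+secretFiles = [ ./secrets/tpm.jwe ];
+};
+};
+};
+};
+}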
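Review bot: The comment `# Test 3: Missing secret files directory (unlock disabled)` describes a scenario the fixture below it does not express: `missing_test` only sets `enable = false;` and lists no `secretFiles`, so nothing in it references a directory that could be missing. Either reword it to `# Test 3: Unlock disabled (no secretFiles configured)` or, if the missing-directory case is the intent, the fixture still needs the reference that is expected to be absent. Two smaller points in the same block: `secretFiles = [];` (Test 1) and `extraPackages = [ ];` (Test 4) use different empty-list spacing, and `extraPackages` appears only in Test 4, so the fixtures leave it unclear whether the attribute is optional. The four `size = "25%";` partitions on vdb follow a 100M boot partition; if disko resolves percentages against the whole disk rather than the remaining space, the layout oversubscribes the device, which is worth confirming against the test harness.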

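--- /dev/null
+++ b/example/bcachefs-tpm2-fallback.nix
@@ -0,0 +1,92 @@
+{
+disko.devices = {
+disk = {
+vdb = {
+device = "/dev/vdb";
+type = "disk";
+content = {
+type = "gpt";
+partitions = {
+vdb1 = {
+type = "EF00";
+size = "100M";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+mountOptions = [ "umask=0077" ];
+};
+};
+
+vdb2 = {
+size = "100%";
+content = {
+type = "bcachefs";
+filesystem = "mounted_subvolumes_in_multi";
+label = "fallback-test.vdb2";
+extraFormatArgs = [
+"--discard"
+];
+};
+};
+};
+};
+};
+
+vdc = {
+device = "/dev/vdc";
+type = "disk";
+content = {
+type = "gpt";
+partitions = {
+vdc1 = {
+size = "100%";
+content = {
+type = "bcachefs";
+filesystem = "mounted_subvolumes_in_multi";
+label = "fallback-test.vdc1";
+extraFormatArgs = [
+"--discard"
+];
+};
+};
+};
+};
+};
+};
+
+bcachefs_filesystems = {
+mounted_subvolumes_in_multi = {
+type = "bcachefs_filesystem";
+passwordFile = "/tmp/fallback-secret.key";
+extraFormatArgs = [
+"--compression=lz4"
+"--background_compression=lz4"
+];
+
+# TPM2 unlocking configuration (will fail due to missing TPM2 device)
+unlock = {
+enable = true;
+secretFiles = [
+./secrets/tpm.jwe
+./secrets/fido.jwe
+];
+extraPackages = [ ];
+};
+
+subvolumes = {
+"subvolumes/root" = {
+mountpoint = "/";
+mountOptions = [ "verbose" ];
+};
+"subvolumes/home" = {
+mountpoint = "/home";
+};
+"subvolumes/nix" = {
+mountpoint = "/nix";
+};
+};
+};
+};
+};
+}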
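Review bot: The comment `# TPM2 unlocking configuration (will fail due to missing TPM2 device)` says what fails but not what the fixture expects to happen next, which is the point of a file named bcachefs-tpm2-fallback.nix. Presumably the unlock step is meant to fall back to `passwordFile = "/tmp/fallback-secret.key";` or to the second `./secrets/fido.jwe` entry, but the file should state it; something like `# No TPM2 device in the test VM: TPM2 unlock is expected to fail and the test asserts the fallback path` once the intended fallback is confirmed. Both `vdb2` and `vdc1` declare `filesystem = "mounted_subvolumes_in_multi";`, so this is a two-device bcachefs; a one-line comment above `bcachefs_filesystems` saying so would spare a reader who only looks at the filesystem block from having to trace the partition entries.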
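--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,73 @@
+{
+disko.devices = {
+disk = {
+vdb = {
+device = "/dev/vdb";
+type = "disk";
+content = {
+type = "gpt";
+partitions = {
+vdb1 = {
+type = "EF00";
+size = "100M";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+mountOptions = [ "umask=0077" ];
+};
+};
+
+vdb2 = {
+size = "100%";
+content = {
+type = "bcachefs";
+filesystem = "perf_test";
+label = "performance-test";
+extraFormatArgs = [
+"--discard"
+"--compression=lz4"
+];
+};
+};
+};
+};
+};
+};
+
+bcachefs_filesystems = {
+perf_test = {
+type = "bcachefs_filesystem";
+passwordFile = "/tmp/perf-secret.key";
+extraFormatArgs = [
+"--compression=lz4"
+"--background_compression=lz4"
+];
+
+# Performance test configuration with multiple keys
+unlock = {
+enable = true;
+secretFiles = [
+./secrets/tpm.jwe
+./secrets/fido.jwe
+./secrets/tang.jwe
+];
+extraPackages = [ ];
+};
+
+subvolumes = {
+"subvolumes/root" = {
+mountpoint = "/";
+mountOptions = [ "verbose" ];
+};
+"subvolumes/home" = {
+mountpoint = "/home";
+};
+"subvolumes/nix" = {
+mountpoint = "/nix";
+};
+};
+};
+};
+};
+}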
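Review bot: `"--compression=lz4"` is given twice, once in the `vdb2` partition's `extraFormatArgs` next to `"--discard"` and again in `perf_test`'s filesystem-level `extraFormatArgs` next to `"--background_compression=lz4"`. If disko concatenates both lists into the format command line the flag is passed twice; that is probably harmless if the last occurrence wins, but it invites drift when someone later edits one copy and not the other, so keep the compression options in one place. The comment `# Performance test configuration with multiple keys` also names nothing measurable: the fixture sets no sizes, iteration counts or timing threshold, so either say what the surrounding test measures or drop "Performance" from the description. The fallback fixture in this commit splits `extraFormatArgs` across the same two levels but without the duplicated flag, so this file is the odd one out.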
