From Fedora Project Wiki
Latest revision as of 19:57, 8 April 2020

Description

A simple validation test case for Clevis on Fedora IoT Edition. This test requires hardware with a Trusted Platform Module (TPM) or a virtual machine with an emulated TPM (you will need to install swtpm and swtpm-tools).

Setup

Install a system with an encrypted root filesystem. See the QA:Testcase_partitioning_guided_encrypted test case for further details.

If using a virtual machine you will need to install swtpm and swtpm-tools on the host.

sudo dnf install swtpm swtpm-tools 

Using virt-manager, add the TPM to the virtual machine, selecting the default TPMv2. If the host system offers a hardware TPM you can also use that, but it is not required for this test case.

How to test

Verify decryption is working via TPM2

echo foo | clevis encrypt tpm2 '{}' | clevis decrypt

Get the UUID of the encrypted device and resolve it to the underlying block device (this assumes a single LUKS volume; with several, pick the root volume's UUID explicitly)

UUID=$(lsblk | grep luks | sed 's/^.*luks-//' | cut -d ' ' -f1)
DEV=$(blkid --uuid "$UUID")

Check encryption details of the device

cryptsetup luksDump $DEV

Verify the passphrase before binding it with Clevis

cryptsetup luksOpen --test-passphrase --key-slot 0 $DEV && echo correct

Set up Clevis to decrypt via TPM2 on boot

clevis luks bind -f -k- -d "$DEV" tpm2 '{}' <<< "$YOUR_PASSPHRASE"

Reboot the system and verify that it boots without user intervention.
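Before rebooting, it is worth confirming from the LUKS2 header itself that the bind step added a Clevis token and which keyslot it unlocks, and that the original passphrase keyslot (slot 0) is still present as a fallback. The following script is an added example, not part of the original wiki page or of the Clevis project; it parses the output of the page's `cryptsetup luksDump $DEV` command (LUKS2 headers only) and reports Clevis-bound versus passphrase keyslots. The dump embedded at the bottom is constructed for illustration. Note that the page's `'{}'` configuration seals the key to the TPM without a PCR policy; this script reports the binding but does not inspect the token's policy.

```python
"""Check a Clevis TPM2 binding from `cryptsetup luksDump` output.

Usage on a real system (after the bind step on the page):
    cryptsetup luksDump "$DEV" | python3 check_clevis_binding.py
"""
import re
import sys

# Section headers in a LUKS2 dump: "Keyslots:", "Tokens:", "Digests:", "Data segments:"
SECTION_RE = re.compile(r"^(Keyslots|Tokens|Digests|Data segments):\s*$")
# Entry lines inside a section, e.g. "  0: luks2" or "  0: clevis"
ENTRY_RE = re.compile(r"^\s{2}(\d+): (\S+)\s*$")
# Indented "Name: value" fields under an entry, e.g. "\tKeyslot:    1"
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+):\s+(.*)$")


def parse_luks_dump(text):
    """Return the header version, the keyslot ids and the tokens with their fields."""
    info = {"version": None, "keyslots": {}, "tokens": {}}
    section = None
    current = None  # token dict currently being filled
    for line in text.splitlines():
        m = re.match(r"^Version:\s+(\d+)", line)
        if m:
            info["version"] = m.group(1)
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current = m.group(1), None
            continue
        m = ENTRY_RE.match(line)
        if m and section in ("Keyslots", "Tokens"):
            ident, kind = int(m.group(1)), m.group(2)
            if section == "Keyslots":
                info["keyslots"][ident] = kind
            else:
                current = info["tokens"].setdefault(ident, {"type": kind})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return info


def clevis_bound_slots(info):
    """Keyslot ids that a Clevis token can unlock."""
    slots = set()
    for tok in info["tokens"].values():
        if tok.get("type") == "clevis" and "Keyslot" in tok:
            slots.add(int(tok["Keyslot"]))
    return slots


def report(text):
    """Summarise the binding state; 'ok' is True when at least one Clevis token exists."""
    info = parse_luks_dump(text)
    if info["version"] != "2":
        raise ValueError("LUKS2 header expected (Clevis tokens need LUKS2)")
    bound = clevis_bound_slots(info)
    return {
        "version": info["version"],
        "clevis_slots": sorted(bound),
        "passphrase_slots": sorted(set(info["keyslots"]) - bound),
        "ok": bool(bound),
    }


# Constructed sample: one passphrase keyslot (0) plus a Clevis-bound keyslot (1).
SAMPLE_DUMP = """\
LUKS header information
Version:       \t2
Epoch:         \t5
UUID:          \t00000000-0000-0000-0000-000000000000

Data segments:
  0: crypt
\toffset: 16777216 [bytes]
\tlength: (whole device)
\tcipher: aes-xts-plain64

Keyslots:
  0: luks2
\tKey:        512 bits
\tPriority:   normal
  1: luks2
\tKey:        512 bits
\tPriority:   normal
Tokens:
  0: clevis
\tKeyslot:    1
Digests:
  0: pbkdf2
\tHash:       sha256
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    result = report(text)
    print("Clevis-bound keyslots:", result["clevis_slots"])
    print("Passphrase keyslots:  ", result["passphrase_slots"])
    print("binding present" if result["ok"] else "NO Clevis token found")
```

If the report shows no Clevis-bound keyslot, the bind step did not complete and the reboot test will still prompt for the passphrase; keeping slot 0 means the passphrase still works if the TPM binding ever fails.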

Results

  1. The installed system should boot to log in without needing the passphrase for the encrypted filesystem.