Latest revision as of 19:57, 8 April 2020
Description
A simple validation test case for Clevis on Fedora IoT Edition. This test requires hardware with a Trusted Platform Module (TPM) or a virtual machine with an emulated TPM (you will need to install swtpm and swtpm-tools).
Setup
Install a system with an encrypted root filesystem. See this testcase for further details.
If using a virtual machine you will need to install swtpm and swtpm-tools on the host.
sudo dnf install swtpm swtpm-tools
Using virt-manager, add the TPM to the virtual machine, selecting the default TPMv2. If the host system offers a hardware TPM you can also use that, but it is not required for this test case.
How to test
Verify decryption is working via TPM2
echo foo | clevis encrypt tpm2 '{}' | clevis decrypt
Get the UUID of the encrypted device
UUID=$(lsblk | grep luks | sed 's/^.*luks-//' | cut -d ' ' -f1)
DEV=$(blkid --uuid $UUID)
Check encryption details of the device
cryptsetup luksDump $DEV
Verify the passphrase before setting
cryptsetup luksOpen --test-passphrase --key-slot 0 $DEV && echo correct
Setup Clevis to decrypt via TPM2 on boot
clevis luks bind -f -k- -d $DEV tpm2 '{}' <<< $YOUR_PASSPHRASE
Reboot the system and verify that it boots without user intervention.
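The steps above, collected into one script as an added example (this is not part of the wiki test case and not Clevis project code). The text-parsing helpers take their input on stdin so they can be checked offline; the device operations only run when the script is invoked with the argument run and YOUR_PASSPHRASE set in the environment. The CLEVIS_PCR_IDS variable, the helper names, and the assumed "slot: pin 'config'" line format of clevis luks list are this example's own conventions. The pin config builder also shows the step the test case does not take: with '{}' the key is sealed to the TPM but to no boot measurements, so adding pcr_ids (for example 7, the Secure Boot policy PCR) makes the slot unlock only when the measured boot state matches.

```shell
#!/bin/sh
# Added example for the Clevis/TPM2 test case (not from the wiki page).
# Run the real procedure with:  YOUR_PASSPHRASE=... sh clevis-tpm2-check.sh run
set -eu

# Same pipeline the test case uses, reading lsblk output from stdin so the
# UUID extraction can be exercised against a constructed sample.
extract_luks_uuid() {
    grep luks | sed 's/^.*luks-//' | cut -d ' ' -f1
}

# Build the tpm2 pin configuration. An empty PCR list gives '{}' (what the
# test case uses): sealed to this TPM, no PCR policy. A non-empty list such
# as "7" additionally binds the key to those PCRs in the sha256 bank.
tpm2_pin_config() {
    if [ -z "$1" ]; then
        printf '{}'
    else
        printf '{"pcr_bank":"sha256","pcr_ids":"%s"}' "$1"
    fi
}

# Return 0 if "clevis luks list" output on stdin shows a tpm2 binding.
# Assumed line format: "<slot>: <pin> '<config>'" (one line per bound slot).
has_tpm2_binding() {
    grep -q '^[0-9][0-9]*: tpm2 '
}

fail() {
    echo "FAIL: $1" >&2
    return 1
}

main() {
    pass=${YOUR_PASSPHRASE:?set YOUR_PASSPHRASE to the current LUKS passphrase}
    cfg=$(tpm2_pin_config "${CLEVIS_PCR_IDS:-}")

    # 1. The TPM2 pin must round-trip a plaintext before we touch the disk.
    [ "$(echo foo | clevis encrypt tpm2 "$cfg" | clevis decrypt)" = foo ] \
        || fail "tpm2 encrypt/decrypt round trip"

    # 2. Locate the LUKS device behind the luks-<UUID> mapper name.
    uuid=$(lsblk | extract_luks_uuid | head -n 1)
    [ -n "$uuid" ] || fail "no luks-<UUID> device found in lsblk output"
    dev=$(blkid --uuid "$uuid")
    cryptsetup isLuks "$dev" || fail "$dev does not carry a LUKS header"
    cryptsetup luksDump "$dev"

    # 3. Prove the passphrase opens key slot 0 before handing it to clevis.
    printf '%s' "$pass" | cryptsetup luksOpen --test-passphrase \
        --key-slot 0 --key-file - "$dev" || fail "passphrase rejected for slot 0"

    # 4. Bind: -k- reads the existing passphrase from stdin; clevis adds a new
    #    key slot whose key is sealed to the TPM with the chosen policy.
    printf '%s' "$pass" | clevis luks bind -f -k- -d "$dev" tpm2 "$cfg"

    # 5. Confirm the binding is recorded in the LUKS header.
    clevis luks list -d "$dev" | has_tpm2_binding \
        || fail "no tpm2 binding listed on $dev"
    echo "OK: $dev bound to tpm2 with $cfg; reboot to test unattended unlock"
}

if [ "${1:-}" = run ]; then
    main
fi
```

Before rebooting, clevis luks list -d $DEV is the cheap check that the bind actually landed in a key slot; if it is empty, the reboot will simply prompt for the passphrase again and nothing in the log will say why.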
Results
- The installed system should boot to log in without needing the passphrase for the encrypted filesystem.