1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
summary: Run a smoke test on UC20 with encryption enabled
details: |
This test checks basic snapd commands on UC20 with secure boot and encryption enabled
systems: [ubuntu-2*.04-64, ubuntu-2*.04-arm-64]
execute: |
#shellcheck source=tests/lib/nested.sh
. "$TESTSLIB/nested.sh"
echo "Wait for the system to be seeded first"
remote.exec "sudo snap wait system seed.loaded"
echo "Wait for device initialisation to be done"
remote.exec "retry --wait 5 -n 10 sh -c 'snap changes | MATCH \"Done.*Initialize device\"'"
echo "Ensure 'snap install' works"
# The install command could cause a ssh break, so || true is used
# and then we check the installation was completed successfully
remote.exec "sudo snap install test-snapd-sh" || true
echo "Ensure 'snap list' works and test-snapd-sh snap is installed"
remote.exec "snap list" | MATCH test-snapd-sh
echo "Ensure 'snap find' works"
remote.exec "snap find test-snapd-sh" | MATCH ^test-snapd-sh
echo "Ensure 'snap info' works"
remote.exec "snap info test-snapd-sh" | MATCH '^name:\ +test-snapd-sh'
echo "Ensure 'snap remove' works"
# The install command could cause a ssh break, so || true is used
# and then we check the removal was completed successfully
remote.exec "sudo snap remove test-snapd-sh" || true
echo "Ensure 'snap list' works and test-snapd-sh snap is removed"
remote.exec "! snap list test-snapd-sh"
echo "Ensure that recovery keys are not present in fresh install"
remote.exec "test ! -f /var/lib/snapd/device/fde/recovery.key"
remote.exec "test ! -f /var/lib/snapd/device/fde/reinstall.key"
if os.query is-arm; then
exit 0
fi
# single key for ubuntu-data and ubuntu-save
# TODO:FDEM:FIX:: for now save partition has 2 keys, one which is sealed in
# tpm, one that is data partition plain.
test "$(remote.exec "sudo cryptsetup luksDump /dev/vda4 |grep Key:" | wc -l)" = "2"
# TODO:FDEM:FIX:: for now data partition has 2 keys, default, and
# default-fallback. Both are sealed in tpm.
test "$(remote.exec "sudo cryptsetup luksDump /dev/vda5 |grep Key:" | wc -l)" = "2"
echo "Ensure 'snap debug show-keys' works as root"
remote.exec "sudo snap recovery --show-keys" > show-keys.out
MATCH 'recovery:\s+[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{5}-[0-9]{5}' < show-keys.out
# reinstall key is not generated anymore
# show-keys should be idempotent, so let's call it multiple times
remote.exec "sudo snap recovery --show-keys" > show-keys-again.out
# outputs are identical
diff -u show-keys.out show-keys-again.out
# key files are present
remote.exec "test -f /var/lib/snapd/device/fde/recovery.key"
remote.exec "test ! -f /var/lib/snapd/device/fde/reinstall.key"
# and each partition has 2 keys now
echo "luksDump for /dev/vda4"
remote.exec "sudo cryptsetup luksDump /dev/vda4"
echo "luksDump for /dev/vda5"
remote.exec "sudo cryptsetup luksDump /dev/vda5"
# TODO:FDEM:FIX:: for now save partition has 3 keys, one which is sealed in
# tpm, one that is data partition plain. Then one recovery key.
test "$(remote.exec "sudo cryptsetup luksDump /dev/vda4 |grep Key:" | wc -l)" = "3"
# TODO:FDEM:FIX:: for now data partition has 3 keys, default, and
# default-fallback. Both are sealed in tpm. Then one that is recovery.
test "$(remote.exec "sudo cryptsetup luksDump /dev/vda5 |grep Key:" | wc -l)" = "3"
echo "But not as user (normal file permissions prevent this)"
if remote.exec "snap recovery --show-keys"; then
echo "snap recovery --show-keys should not work as a user"
exit 1
fi
# the remove API isn't exposed by snap recovery yet
remote.exec "echo '{\"action\":\"remove\"}' | sudo snap debug api -X POST -H 'Content-Type: application/json' /v2/system-recovery-keys"
# keys were removed
remote.exec "test ! -f /var/lib/snapd/device/fde/recovery.key"
remote.exec "test ! -f /var/lib/snapd/device/fde/reinstall.key"
# back to having just one key
test "$(remote.exec "sudo cryptsetup luksDump /dev/vda4 |grep Key:" | wc -l)" = "2"
test "$(remote.exec "sudo cryptsetup luksDump /dev/vda5 |grep Key:" | wc -l)" = "2"
echo "Check that the serial backed up to save is as expected"
model_p="$(nested_get_model)"
model=$(grep "^model:" "$model_p" | cut -d ' ' -f2)
remote.exec 'cat /var/lib/snapd/save/device/asserts-v0/serial/'"$(tests.nested get model-authority)"'/'"$model"'/*/active' >serial.saved
remote.exec snap model --serial --assertion >serial
cmp serial serial.saved
echo "Check that we get the install log after the transition to run mode"
remote.exec "test -e /var/log/install-mode.log.gz"
echo "Transparently verify that the format is gzip"
remote.exec "zcat /var/log/install-mode.log.gz" | MATCH 'installing a new system'
echo "Check that we go the timings after the transition to run mode"
remote.exec "test -e /var/log/install-timings.txt.gz"
remote.exec "zcat /var/log/install-timings.txt.gz" > install-timings.txt
MATCH "Install the system" < install-timings.txt
MATCH "^seed" < install-timings.txt
MATCH "Mark system seeded" < install-timings.txt
MATCH "Setup system for run mode" < install-timings.txt
MATCH "ensure=install-system" < install-timings.txt
echo "Check seeding info"
remote.exec "snap debug seeding" | MATCH "^seeded: +true"
remote.exec "snap debug seeding" | MATCH "^preseeded: +false"
|
