Project

General

Profile

action #109163

[sle][security][backlog][FIPS]Implement & Integrate LUKS test case into openQA

Added by bchou 4 months ago. Updated about 1 month ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
New test
Target version:
-
Start date:
2022-03-29
Due date:
% Done:

100%

Estimated time:
40.00 h
Difficulty:

Description

Test Case 1769936: FIPS: Full disk encryption with LUKS (including /boot)
https://bugzilla.suse.com/tr_show_case.cgi?case_id=1769936

Test Case 1769937: FIPS: Full disk encryption with LUKS (separate unencrypted /boot)
https://bugzilla.suse.com/tr_show_case.cgi?case_id=1769937

Hello Shawn,
I think you could take this ticket as you have some LUKS test experience. And these 2 cases can be test cases an be implemented in the same time as they are the similar testing area.

You could still need to investigate it and try this on TW first as you are unable to access OSD currently. And also I think the configure/UI style would be some different between SLE and TW.

Thank you.


Related issues

Copied to openQA Tests - action #113162: [sle][security][backlog][FIPS]Implement & Integrate LUKS test case into openQA - make sure test can pass in new official buildNew2022-03-29

History

#1 Updated by llzhao 3 months ago

  • Subject changed from [sle][security][sle15sp4][FIPS] Implement & Integrate LUKS test case into openQA to [sle][security][FIPS][backlog] Implement & Integrate LUKS test case into openQA

#2 Updated by llzhao 3 months ago

  • Subject changed from [sle][security][FIPS][backlog] Implement & Integrate LUKS test case into openQA to [sle][security][backlog][FIPS]Implement & Integrate LUKS test case into openQA

#3 Updated by shawnhao 3 months ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 90

Need to move to official group from dev on osd

#4 Updated by shawnhao 2 months ago

  • Assignee changed from shawnhao to rfan1

#5 Updated by rfan1 2 months ago

  • % Done changed from 90 to 30

https://bugzilla.suse.com/show_bug.cgi?id=1198190

Based on this bug, we should add some workaround to boot up the system with separate /boot partition.

#6 Updated by rfan1 2 months ago

Sample cases can be used to add FIPS installation mode:

https://openqa.suse.de/tests/8751720
https://openqa.suse.de/tests/8751715

#7 Updated by rfan1 2 months ago

Added some workaround to define boot dev in grub:

+    if (get_var('FIPS_INSTALLATION') && get_var('ENCRYPT') && get_var('UNENCRYPTED_BOOT')) {
+        my $stor_inst = "/var/log/YaST2/storage-inst/*committed.yml";
+        my $boot_hd = script_output("cat $stor_inst | grep -B4 'mount_point: \"/boot\"' | grep name | awk -F \\\" '{print \$2}'");
+        assert_script_run("mount $boot_hd /mnt");
+        assert_script_run("sed -i -e \"s#fips=1#boot=$boot_hd fips=1#g\" /mnt/grub2/grub.cfg");
+        assert_script_run('umount /mnt');
+    }

#8 Updated by rfan1 2 months ago

rfan1 wrote:

Added some workaround to define boot dev in grub:

+    if (get_var('FIPS_INSTALLATION') && get_var('ENCRYPT') && get_var('UNENCRYPTED_BOOT')) {
+        my $stor_inst = "/var/log/YaST2/storage-inst/*committed.yml";
+        my $boot_hd = script_output("cat $stor_inst | grep -B4 'mount_point: \"/boot\"' | grep name | awk -F \\\" '{print \$2}'");
+        assert_script_run("mount $boot_hd /mnt");
+        assert_script_run("sed -i -e \"s#fips=1#boot=$boot_hd fips=1#g\" /mnt/grub2/grub.cfg");
+        assert_script_run('umount /mnt');
+    }

https://openqa.suse.de/tests/8906171

#9 Updated by rfan1 2 months ago

http://openqa.suse.de/tests/8906497# [full disk encryption]

#11 Updated by rfan1 2 months ago

https://openqa.suse.de/tests/8921605# [x86_uefi_full]

#openqa-clone-job  --from http://openqa.suse.de --host http://openqa.suse.de 8751720 --skip-download --skip-chained-deps CASEDIR=https://github.com/rfan1/os-autoinst-distri-opensuse.git#fips_encrypt FIPS_INSTALLATION=1  _GROUP=0 MACHINE=uefi UEFI=1 YAML_TEST_DATA=test_data/yast/encryption/full_lvm_enc_uefi.yaml UEFI_PFLASH_CODE=/usr/share/qemu/ovmf-x86_64-ms-code.bin UEFI_PFLASH_VARS=/usr/share/qemu/ovmf-x86_64-ms-vars.bin

#12 Updated by rfan1 2 months ago

https://openqa.suse.de/tests/8921612#[x86_uefi with separate boot]

#openqa-clone-job  --from http://openqa.suse.de --host http://openqa.suse.de 8751715 --skip-download --skip-chained-deps CASEDIR=https://github.com/rfan1/os-autoinst-distri-opensuse.git#fips_encrypt FIPS_INSTALLATION=1  _GROUP=0 MACHINE=uefi UEFI=1 YAML_TEST_DATA=test_data/yast/encryption/lvm_encrypt_separate_boot_uefi.yaml UEFI_PFLASH_CODE=/usr/share/qemu/ovmf-x86_64-ms-code.bin UEFI_PFLASH_VARS=/usr/share/qemu/ovmf-x86_64-ms-vars.bin
Created job #8921612: sle-15-SP4-Online-x86_64-Build151.1-lvm-encrypt-separate-boot@64bit -> http://openqa.suse.de/t8921612

#13 Updated by rfan1 2 months ago

  • % Done changed from 50 to 80

#14 Updated by rfan1 about 2 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 80 to 90

#15 Updated by rfan1 about 1 month ago

  • Copied to action #113162: [sle][security][backlog][FIPS]Implement & Integrate LUKS test case into openQA - make sure test can pass in new official build added

#16 Updated by rfan1 about 1 month ago

  • Status changed from Feedback to Resolved
  • % Done changed from 90 to 100

Also available in: Atom PDF