action #109163

closed

[sle][security][backlog][FIPS]Implement & Integrate LUKS test case into openQA

Added by bchou about 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: New test
Target version: -
Start date: 2022-03-29
Due date:
% Done: 100%
Estimated time: 40.00 h
Difficulty:
Description

Test Case 1769936: FIPS: Full disk encryption with LUKS (including /boot)
https://bugzilla.suse.com/tr_show_case.cgi?case_id=1769936

Test Case 1769937: FIPS: Full disk encryption with LUKS (separate unencrypted /boot)
https://bugzilla.suse.com/tr_show_case.cgi?case_id=1769937

Hello Shawn,
I think you could take this ticket, as you have some LUKS test experience. These 2 test cases can be implemented at the same time, as they are in a similar testing area.

You could still need to investigate it and try this on TW first, as you are currently unable to access OSD. Also, I think the configuration/UI style would be somewhat different between SLE and TW.

Thank you.


Related issues 1 (0 open, 1 closed)

Copied to openQA Tests - action #113162: [security][FIPS][15-SP4][15-SP5] Implement & Integrate LUKS test case into openQA (Resolved, emiler, 2022-03-29)

Actions #1

Updated by llzhao about 2 years ago

  • Subject changed from [sle][security][sle15sp4][FIPS] Implement & Integrate LUKS test case into openQA to [sle][security][FIPS][backlog] Implement & Integrate LUKS test case into openQA
Actions #2

Updated by llzhao about 2 years ago

  • Subject changed from [sle][security][FIPS][backlog] Implement & Integrate LUKS test case into openQA to [sle][security][backlog][FIPS]Implement & Integrate LUKS test case into openQA
Actions #3

Updated by shawnhao about 2 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 90

Need to move to official group from dev on osd

Actions #4

Updated by shawnhao almost 2 years ago

  • Assignee changed from shawnhao to rfan1
Actions #5

Updated by rfan1 almost 2 years ago

  • % Done changed from 90 to 30

https://bugzilla.suse.com/show_bug.cgi?id=1198190

Based on this bug, we should add some workaround to boot up the system with a separate /boot partition.

Actions #6

Updated by rfan1 almost 2 years ago

Sample cases can be used to add FIPS installation mode:

https://openqa.suse.de/tests/8751720
https://openqa.suse.de/tests/8751715

Actions #7

Updated by rfan1 almost 2 years ago

Added some workaround to define boot dev in grub:

+    if (get_var('FIPS_INSTALLATION') && get_var('ENCRYPT') && get_var('UNENCRYPTED_BOOT')) {
+        my $stor_inst = "/var/log/YaST2/storage-inst/*committed.yml";
+        my $boot_hd = script_output("cat $stor_inst | grep -B4 'mount_point: \"/boot\"' | grep name | awk -F \\\" '{print \$2}'");
+        assert_script_run("mount $boot_hd /mnt");
+        assert_script_run("sed -i -e \"s#fips=1#boot=$boot_hd fips=1#g\" /mnt/grub2/grub.cfg");
+        assert_script_run('umount /mnt');
+    }
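
Review bot: `$boot_hd` from the `script_output` line is passed to `mount` and interpolated into the `sed` expression without any check. The glob `*committed.yml` can match more than one file, and the `grep -B4 ... | grep name | awk` pipeline can return nothing or several lines, in which case `mount $boot_hd /mnt` fails with an unrelated error or the `sed` writes a malformed `boot=` value into grub.cfg. Suggest asserting a single device path before mounting, for example `die "no /boot device found in $stor_inst" unless $boot_hd =~ m{^/dev/\S+$};`.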

Actions #8

Updated by rfan1 almost 2 years ago

rfan1 wrote:

Added some workaround to define boot dev in grub:

+    if (get_var('FIPS_INSTALLATION') && get_var('ENCRYPT') && get_var('UNENCRYPTED_BOOT')) {
+        my $stor_inst = "/var/log/YaST2/storage-inst/*committed.yml";
+        my $boot_hd = script_output("cat $stor_inst | grep -B4 'mount_point: \"/boot\"' | grep name | awk -F \\\" '{print \$2}'");
+        assert_script_run("mount $boot_hd /mnt");
+        assert_script_run("sed -i -e \"s#fips=1#boot=$boot_hd fips=1#g\" /mnt/grub2/grub.cfg");
+        assert_script_run('umount /mnt');
+    }
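
Review bot: the `sed` line patches the generated `/mnt/grub2/grub.cfg` in place, so the `boot=` parameter is lost as soon as grub.cfg is regenerated on the installed system, and the bare `fips=1` pattern with the `g` flag is not idempotent (a second run yields `boot=... boot=... fips=1`). Suggest also writing the parameter to `GRUB_CMDLINE_LINUX_DEFAULT` in /etc/default/grub on the target, using a stable identifier such as `boot=UUID=...` rather than the device name read from the YaST log, and adding a code comment that references bsc#1198190 so the workaround can be removed once the bug is fixed.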

https://openqa.suse.de/tests/8906171

Actions #9

Updated by rfan1 almost 2 years ago

http://openqa.suse.de/tests/8906497# [full disk encryption]

Actions #11

Updated by rfan1 almost 2 years ago

https://openqa.suse.de/tests/8921605# [x86_uefi_full]

#openqa-clone-job  --from http://openqa.suse.de --host http://openqa.suse.de 8751720 --skip-download --skip-chained-deps CASEDIR=https://github.com/rfan1/os-autoinst-distri-opensuse.git#fips_encrypt FIPS_INSTALLATION=1  _GROUP=0 MACHINE=uefi UEFI=1 YAML_TEST_DATA=test_data/yast/encryption/full_lvm_enc_uefi.yaml UEFI_PFLASH_CODE=/usr/share/qemu/ovmf-x86_64-ms-code.bin UEFI_PFLASH_VARS=/usr/share/qemu/ovmf-x86_64-ms-vars.bin
Actions #12

Updated by rfan1 almost 2 years ago

https://openqa.suse.de/tests/8921612# [x86_uefi with separate boot]

#openqa-clone-job  --from http://openqa.suse.de --host http://openqa.suse.de 8751715 --skip-download --skip-chained-deps CASEDIR=https://github.com/rfan1/os-autoinst-distri-opensuse.git#fips_encrypt FIPS_INSTALLATION=1  _GROUP=0 MACHINE=uefi UEFI=1 YAML_TEST_DATA=test_data/yast/encryption/lvm_encrypt_separate_boot_uefi.yaml UEFI_PFLASH_CODE=/usr/share/qemu/ovmf-x86_64-ms-code.bin UEFI_PFLASH_VARS=/usr/share/qemu/ovmf-x86_64-ms-vars.bin
Created job #8921612: sle-15-SP4-Online-x86_64-Build151.1-lvm-encrypt-separate-boot@64bit -> http://openqa.suse.de/t8921612
Actions #13

Updated by rfan1 almost 2 years ago

  • % Done changed from 50 to 80
Actions #14

Updated by rfan1 almost 2 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 80 to 90
Actions #15

Updated by rfan1 almost 2 years ago

  • Copied to action #113162: [security][FIPS][15-SP4][15-SP5] Implement & Integrate LUKS test case into openQA added
Actions #16

Updated by rfan1 almost 2 years ago

  • Status changed from Feedback to Resolved
  • % Done changed from 90 to 100