action #152455

closed

[security][15-SP6] GRUB now passes through unlocking, test needs to be changed

Added by tjyrinki_suse 5 months ago. Updated 4 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: New test
Target version: -
Start date:
Due date:
% Done: 100%
Estimated time: 1.00 h
Difficulty:
Tags:

Description

This is not a test failure ticket, but a behavior change, since we earlier learned 15-SP6 GRUB will obtain a feature to pass through decryption to the Linux kernel for the / partition. This request contained it: https://smelt.suse.de/request/313295/

So the test likely needs to behave differently on >= 15-SP6 where this new feature is implemented.

openQA test in scenario sle-15-SP6-Online-x86_64-create_hdd_gnome_encrypt_separate_boot@64bit fails in boot_encrypt

Last good: 40.1 (or more recent)

Acceptance Criteria

  1. Change the test to now expect this new behavior on 15-SP6, and fail if the pass-through does not work
  2. Older SLE versions should behave as before

Further Information

This information I got from the developers:

Yes, it should work for SP6 if the new grub version is accepted. By the way, grub will only handle the key for the root partition being unlocked by the bootloader (grub). It will not handle the key for swap and other partitions systemd may ask to unlock from the initrd or bootsplash. If those (separate) encrypted partitions share the same key with the root partition, the /etc/crypttab has to be modified with the same key location as root so that systemd can know where to look up the key file.


Related issues 1 (0 open, 1 closed)

Related to openQA Tests - action #120459: [security] luks1_decrypt_ssh_server fails on tumbleweed; test-logic: unlock_via_ssh_server seems flawed (Resolved, pstivanin)
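
The /etc/crypttab condition in the developers' note above can be checked mechanically. The following Python sketch is an added example, not part of the ticket or of the openQA test code; the volume names, UUIDs and key path are constructed, and the caller is assumed to know the mapping name of the root volume.

```python
# Constructed sample /etc/crypttab (names, UUIDs and key path are placeholders).
SAMPLE_CRYPTTAB = """\
# <name>  <device>                                   <key file>         <options>
cr_root   UUID=11111111-1111-1111-1111-111111111111  /example/root.key  x-initrd.attach
cr_swap   UUID=22222222-2222-2222-2222-222222222222  none               swap
cr_home   UUID=33333333-3333-3333-3333-333333333333  /example/root.key
cr_data   UUID=44444444-4444-4444-4444-444444444444  /example/other.key
"""

# crypttab(5): "none" or "-" in the third field means no explicit key file.
NO_KEY = {"none", "-"}


def parse_crypttab(text):
    """Return {name: (device, key_file_or_None, [options])} for each entry."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        key = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries[fields[0]] = (fields[1], None if key in NO_KEY else key, options)
    return entries


def check_shared_key(text, root_name):
    """Classify each non-root volume by how its key field relates to root's."""
    entries = parse_crypttab(text)
    if root_name not in entries:
        raise KeyError(f"no crypttab entry named {root_name!r}")
    root_key = entries[root_name][1]
    if root_key is None:
        raise ValueError("root entry has no key file location to share")
    report = {}
    for name, (_device, key, _options) in entries.items():
        if name == root_name:
            continue
        if key is None:
            report[name] = "no-key-file"    # systemd may ask for a passphrase
        elif key == root_key:
            report[name] = "uses-root-key"  # same key location as root
        else:
            report[name] = "own-key"        # a different key file is configured
    return report


if __name__ == "__main__":
    for volume, status in check_shared_key(SAMPLE_CRYPTTAB, "cr_root").items():
        print(f"{volume}: {status}")
```

Volumes reported as `no-key-file` are the ones for which, per the note above, a separate unlock prompt can still appear after GRUB has handled the root partition.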

Actions #1

Updated by openqa_review 4 months ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: create_hdd_gnome_encrypt_separate_boot
https://openqa.suse.de/tests/13085400#step/boot_encrypt/1

To prevent further reminder comments one of the following options should be followed:

  1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
  2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
  3. The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.

Actions #2

Updated by pstivanin 4 months ago

  • Status changed from Workable to In Progress
  • Assignee set to pstivanin

Actions #3

Updated by pstivanin 4 months ago

  • Related to action #120459: [security] luks1_decrypt_ssh_server fails on tumbleweed; test-logic: unlock_via_ssh_server seems flawed added

Actions #4

Updated by pstivanin 4 months ago

  • Status changed from In Progress to Resolved
  • % Done changed from 0 to 100
  • Estimated time changed from 24.00 h to 1.00 h