action #152455

closed

[security][15-SP6] GRUB now passes through unlocking, test needs to be changed

Added by tjyrinki_suse 5 months ago. Updated 4 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: New test
Target version: -
Start date:
Due date:
% Done: 100%
Estimated time: 1.00 h
Difficulty:
Tags:

Description

This is not a test failure ticket, but a behavior change, since we learned earlier that 15-SP6 GRUB will obtain a feature to pass through decryption to the Linux kernel for the / partition. This request contained it: https://smelt.suse.de/request/313295/

So the test likely needs to behave differently on >= 15-SP6 where this new feature is implemented.

openQA test in scenario sle-15-SP6-Online-x86_64-create_hdd_gnome_encrypt_separate_boot@64bit fails in boot_encrypt

Last good: 40.1 (or more recent)

Acceptance Criteria

  1. Change the test to now expect this new behavior on 15-SP6, and fail if the pass-through does not work
  2. Older SLE versions should behave as before

Further Information

This information I got from the developers:

Yes, it should work for SP6 if the new grub version is accepted. By the way, grub will only handle the key for the root partition being unlocked by bootloader (grub). It will not handle the key for swap and other partitions systemd may ask to unlock from the initrd or bootsplash. If those (separate) encrypted partitions share the same key with the root partition, the /etc/crypttab has to be modified with the same key location as root so that systemd can know where to look up the key file.
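
The /etc/crypttab condition in the developers' note can be checked mechanically. The following is an added example, not part of the ticket or of the openQA test code: it parses crypttab text and lists the volumes whose key field does not point at the same key location as the root volume. The mapping names, UUIDs and the key path `/example/root.key` are constructed placeholders.

```python
# Added example: report crypttab entries that do not use the root volume's
# key location. Field layout per crypttab(5): name, device, key file, options.

# Constructed sample input; names, UUIDs and the key path are placeholders.
SAMPLE_CRYPTTAB = """\
# constructed sample, not taken from the ticket
cr_root  UUID=11111111-aaaa-4bbb-8ccc-000000000001  /example/root.key  x-initrd.attach
cr_swap  UUID=11111111-aaaa-4bbb-8ccc-000000000002  none               swap
cr_home  UUID=11111111-aaaa-4bbb-8ccc-000000000003  /example/root.key
cr_data  UUID=11111111-aaaa-4bbb-8ccc-000000000004
"""

# Values that mean "no key file configured" in the third field.
NO_KEY = {"none", "-"}


def parse_crypttab(text):
    """Return a list of dicts with name, device, key and options per entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: name without a device
        entries.append({
            "name": fields[0],
            "device": fields[1],
            # A missing third field is treated like "none".
            "key": fields[2] if len(fields) > 2 else "none",
            "options": fields[3].split(",") if len(fields) > 3 else [],
        })
    return entries


def volumes_not_using_root_key(text, root_name):
    """List (name, key) for entries whose key field differs from root's."""
    entries = parse_crypttab(text)
    root = next((e for e in entries if e["name"] == root_name), None)
    if root is None:
        raise ValueError(f"no crypttab entry named {root_name!r}")
    if root["key"] in NO_KEY:
        raise ValueError("root entry has no key location configured")
    return [(e["name"], e["key"]) for e in entries
            if e["name"] != root_name and e["key"] != root["key"]]


if __name__ == "__main__":
    for name, key in volumes_not_using_root_key(SAMPLE_CRYPTTAB, "cr_root"):
        print(f"{name}: key field is {key!r}, not the root key location")
```

Volumes that are meant to use a different key are reported as well, so the output is a list to review rather than a list of errors.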


Related issues 1 (0 open, 1 closed)

Related to openQA Tests - action #120459: [security] luks1_decrypt_ssh_server fails on tumbleweed; test-logic: unlock_via_ssh_server seems flawed (Resolved, pstivanin)
