action #156616

closed

Add test module to input password for encrypt boot instead of boot_encrypt

Added by leli 2 months ago. Updated 19 days ago.

Status: Rejected
Priority: Normal
Assignee: -
Target version: -
Start date: 2024-03-05
Due date:
% Done: 0%
Estimated time:
Description

Motivation

lvm-full-encrypt
The test needs to input the password for encrypt boot, but the condition is hard to match:

    my $need_unlock_after_bootloader = is_leap('<15.6') || is_sle('<15-sp6') || is_leap_micro || is_sle_micro || is_alp || (!get_var('LVM', '0') && !get_var('FULL_LVM_ENCRYPT', '0'));

So it is better for us to add test modules to deal with 'input password for encrypt boot' instead of boot_encrypt in the yaml file.

Acceptance criteria

AC1: Add test module to input password for encrypt boot instead of boot_encrypt

Actions #1

Updated by JERiveraMoya about 2 months ago · Edited

What does "hard to match" mean? Could you set up those openQA variables so the error disappears?
This is a recent change done by Richard (or related, you can check history) that was needed. You might lose track of that knowledge if you branch the code; that is why I'm not a big fan of doing new modules for booting/rebooting and other general things that everyone else uses.
If you can fix the test by setting the proper variables, please reject this ticket, or elaborate more on why it is needed (a simple fragment of code is not enough to get the context; we should paste a link to the source code, for example, or complete blocks if it makes sense).

Actions #2

Updated by leli about 2 months ago · Edited

    sub need_unlock_after_bootloader {
        my $need_unlock_after_bootloader = is_leap('<15.6') || is_sle('<15-sp6') || is_leap_micro || is_sle_micro || is_alp || (!get_var('LVM', '0') && !get_var('FULL_LVM_ENCRYPT', '0'));
        return 0 if is_boot_encrypted && !$need_unlock_after_bootloader;
        # MicroOS with sdboot supports automatic TPM based unlocking.
        return 0 if is_microos && is_bootloader_sdboot && get_var('QEMUTPM');
        return 1;
    }

To input the password for security boot on grub2, two conditions need to match:

  1. my $need_unlock_after_bootloader = is_leap('<15.6') || is_sle('<15-sp6') || is_leap_micro || is_sle_micro || is_alp || (!get_var('LVM', '0') && !get_var('FULL_LVM_ENCRYPT', '0'));
     But this test has FULL_LVM_ENCRYPT=1, so need_unlock_after_bootloader is 0;
  2. sub is_boot_encrypted {
         return 0 if get_var('UNENCRYPTED_BOOT');
         return 0 if !get_var('ENCRYPT') && !get_var('FULL_LVM_ENCRYPT');
         # for Leap 42.3 and SLE 12 codestream the boot partition is not encrypted
         # Only aarch64 needs separate handling, it has unencrypted boot for fresh
         # installations, but has encrypted boot if cancel activation of existing
         # encrypted partitions
         # ppc64le on pre-storage-ng boot was part of encrypted LVM
         return 0 if !get_var('FULL_LVM_ENCRYPT') && !is_storage_ng && !is_ppc64le()
           && !(get_var('ENCRYPT_CANCEL_EXISTING') && get_var('ENCRYPT') && is_aarch64());
         # SLES 15: we don't have scenarios for cryptlvm in which the boot partition is unencrypted.
         return 0 if is_sle('15+') && !get_var('ENCRYPT');
         # If the encrypted disk is "just activated" it does not mean that the
         # installer would propose an encrypted installation again
         return 0 if get_var('ENCRYPT_ACTIVATE_EXISTING') && !get_var('ENCRYPT_FORCE_RECOMPUTE');

         return 1;
     }

No condition matched, so `is_boot_encrypted` will return 0, which then makes need_unlock_after_bootloader return 0, so the password won't be input. I guess the previous PR hasn't considered this situation, so either we change the condition that judges whether the password needs to be input in grub2 (this will need much verification), or, as I suggested in the ticket, we create a new module to input the password that does not depend on these conditions.
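
An added example, not part of the ticket or of the openQA test code: a stand-alone Perl model of the two subs quoted in comment #2, printing what each returns for a few constructed setting combinations. The `%env` hash, the `flag` helper and the scenarios are assumptions; `flag('old_or_micro')` stands in for the is_leap/is_sle/is_leap_micro/is_sle_micro/is_alp version checks and `flag('sle15plus')` for is_sle('15+').

```perl
#!/usr/bin/perl
# Added example: offline model of the two subs quoted in comment #2.
# get_var and flag() are stubs over a constructed %env, not the openQA helpers.
use strict;
use warnings;

our %env;
sub get_var { my ($k, $default) = @_; return $env{$k} // $default }
sub flag { my ($n) = @_; return $env{"_$n"} ? 1 : 0 }    # product/arch predicate stub

sub is_boot_encrypted {
    return 0 if get_var('UNENCRYPTED_BOOT');
    return 0 if !get_var('ENCRYPT') && !get_var('FULL_LVM_ENCRYPT');
    return 0 if !get_var('FULL_LVM_ENCRYPT') && !flag('storage_ng') && !flag('ppc64le')
      && !(get_var('ENCRYPT_CANCEL_EXISTING') && get_var('ENCRYPT') && flag('aarch64'));
    return 0 if flag('sle15plus') && !get_var('ENCRYPT');
    return 0 if get_var('ENCRYPT_ACTIVATE_EXISTING') && !get_var('ENCRYPT_FORCE_RECOMPUTE');
    return 1;
}

sub need_unlock_after_bootloader {
    # flag('old_or_micro') replaces the is_leap/is_sle/*_micro/is_alp version checks
    my $need = flag('old_or_micro')
      || (!get_var('LVM', '0') && !get_var('FULL_LVM_ENCRYPT', '0'));
    return 0 if is_boot_encrypted() && !$need;
    return 0 if flag('microos') && flag('sdboot') && get_var('QEMUTPM');
    return 1;
}

# Constructed scenarios: keys starting with "_" feed flag(), the rest feed get_var.
my @scenarios = (
    ['SLE 15-SP6+, ENCRYPT=1, FULL_LVM_ENCRYPT=1',
        {_sle15plus => 1, _storage_ng => 1, ENCRYPT => 1, FULL_LVM_ENCRYPT => 1}],
    ['SLE 15-SP6+, FULL_LVM_ENCRYPT=1 only',
        {_sle15plus => 1, _storage_ng => 1, FULL_LVM_ENCRYPT => 1}],
    ['SLE < 15-SP6, ENCRYPT=1, FULL_LVM_ENCRYPT=1',
        {_old_or_micro => 1, _sle15plus => 1, _storage_ng => 1, ENCRYPT => 1, FULL_LVM_ENCRYPT => 1}],
    ['MicroOS sdboot with QEMUTPM, ENCRYPT=1',
        {_microos => 1, _sdboot => 1, _storage_ng => 1, ENCRYPT => 1, QEMUTPM => 1}],
);

for my $s (@scenarios) {
    local %env = %{$s->[1]};
    printf "%-45s is_boot_encrypted=%d need_unlock_after_bootloader=%d\n",
      $s->[0], is_boot_encrypted(), need_unlock_after_bootloader();
}
```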

Actions #3

Updated by JERiveraMoya about 2 months ago · Edited

Could you please format the text above? It is hard to follow.
The option to create our own modules for booting, rebooting, etc. is a really bad idea (like a last option, I would say). Can you create a PR/MR with correct settings to work around this problem? Is it possible or not?

Actions #4

Updated by leli about 2 months ago

  • Description updated (diff)

Actions #5

Updated by JERiveraMoya 19 days ago

  • Status changed from New to Rejected