Project

General

Profile

Actions

action #28507

closed

coordination #28504: [sle][functional][epic] crypt lvm for SLE 12-SP3, SLE 12-SP4 and SLE 15

[sle][functional][story][hard] Proposed partitions for "encrypted lvm" including encrypted boot partition

Added by SLindoMansilla over 6 years ago. Updated about 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Enhancement to existing tests
Start date:
2017-11-28
Due date:
2018-02-27
% Done:

0%

Estimated time:
Difficulty:

Description

User story

As a customer, when I select in the Yast installer to use encrypted LVM-based partitions, I expect /boot to also be encrypted, so initrd and kernel are better protected against malicious actions.

  • Take in mind that /boot can be a directory under the root partition or be in a separated partition, but in any case, it is expected to be encrypted.
  • Be aware that on SLE 12-SP3 /boot was in a separated partition by default. On SLE 15, /boot is no more in a separated partition by default.

Acceptance criteria

AC1: The test suite lvm-full-encrypt is adapted to have an encrypted /boot for aarch64, ppc64 and x86_64
AC2: The test suite lvm-full-encrypt still gives for SLE 12-SP3 the same results as in https://openqa.suse.de/tests/overview?distri=sle&version=12-SP3&build=0473&groupid=55.
AC3: On ppc there is a workaround for bsc#1070139
AC4: Create additional test suite where we add unencrypted /boot partition outside of lvm to get same coverage for SLE 12 on SLE 15

Tasks

1. Wait for bsc#1070139 to be resolved.

  1. Adapt test suite lvm-full-encrypt to work for SLE 12-SP3 and SLE 15.
  2. Add new test suite in OSD with setting: UNENCRYPTED_BOOT

Further information

As a result of a conversation between okurz, riafarov and slindomansilla, the coverage will be implemented in the following way:

  • The test suite cryptlvm performs for SLE 12-SP3 and SLE 15 the yast-proposed lvm installation.
    • For SLE 12-SP3, the result will be an encrypted lvm + a non-encrypted /boot partition, which affects test module boot_encrypt to enter the password.
    • For SLE 15, the result will be an full encrypted lvm, /boot included, which affects the module boot_encrypt and grub_test to enter the password. So the password is asked twice, before grub is shown, and after grub is shown.
    • Since the test suite cryptlvm is working properly, we don't need a ticket for it.
    • SLE 12-SP3 osd#1408146#step/partitioning_lvm/4
    • SLE 15 osd#1424969#step/partitioning_lvm/7
  • The test suite lvm_full_encrypt performs a full encrypted lvm installation using the expert partitioner for both SLE 12-SP3 and SLE 15.
    • To also cover the case of a non-encrypted /boot partition, another test suite may be created. The settings of this test suite differs from lvm_full_encrypt on one setting: UNENCRYPTED_BOOT
    • Those 4 cases will be covered in this ticket.

Related issues 1 (0 open1 closed)

Related to openQA Tests - action #27829: [sle][functional][medium]test fails in reboot_gnome - grub2 needs unlockResolvedokurz2017-11-172018-02-13

Actions
Actions #1

Updated by SLindoMansilla over 6 years ago

  • Description updated (diff)
Actions #2

Updated by okurz over 6 years ago

  • Subject changed from [sle][functional][story][medium] Proposed partitions for "encrypted lvm" inlcude encrypted boot partition to [sle][functional][story][medium] Proposed partitions for "encrypted lvm" including encrypted boot partition
  • Status changed from New to Feedback
  • Assignee set to SLindoMansilla
  • Target version set to Milestone 13

@SLindoMansilla because you are the reporter of the bug please track the status and tell us in this progress ticket when it's done and we have the effect in the build. Then we can schedule it for a specific sprint. If the bug is still not resolved at the end of the milestone we should revisit and discuss how to continue.

Actions #3

Updated by okurz over 6 years ago

  • Due date set to 2018-01-30
Actions #4

Updated by okurz about 6 years ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: lvm-full-encrypt
https://openqa.suse.de/tests/1396356

Actions #5

Updated by SLindoMansilla about 6 years ago

  • Description updated (diff)
  • Status changed from Feedback to Workable
Actions #6

Updated by SLindoMansilla about 6 years ago

  • Assignee deleted (SLindoMansilla)

Back to sprint backlog

Actions #7

Updated by riafarov about 6 years ago

  • Status changed from Workable to In Progress
  • Assignee set to riafarov
Actions #8

Updated by riafarov about 6 years ago

  • Description updated (diff)

Changed description according to our discussion with Olli and Sergio.

Actions #9

Updated by riafarov about 6 years ago

https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/4286
Need to add new test suite based on lvm-full-encrypt and file bugs for SLE15

Actions #10

Updated by SLindoMansilla about 6 years ago

  • Description updated (diff)
Actions #11

Updated by SLindoMansilla about 6 years ago

Verification runs on OSD

Missing needle for SLE 12-SP3 on OSD. You only pushed one needle with tag ENV-15ORLATER-1, probably you overwrote the other one because of same filename:

For SLE 15, I think the workers shows different failures that look like worker performance issue.

Actions #12

Updated by riafarov about 6 years ago

(edited comment)

https://openqa.suse.de/tests/1428328#step/partitioning_full_lvm/17 this one will be fixed to have same behavior as in SLE12. Difference is that MB is not same as MiB 1000kb vs 1024kib, and what we type there is actually less than minimal size.
Created new needle for SLE12 SP4 as per Sergio's comment.

Runs:
SLE 15:
https://openqa.suse.de/tests/1431302#step/partitioning_full_lvm/54 (bug)
https://openqa.suse.de/tests/1431299#step/partitioning_full_lvm/54 (bug)
SLE 12SP4:
https://openqa.suse.de/tests/1431287#
https://openqa.suse.de/tests/1431315

Need runs for all architectures. Both test suites were enabled on arm, which was not the case before.

Actions #13

Updated by SLindoMansilla about 6 years ago

Are you sure?

I think it is this part:

lib/partition_setup.pm#L166

        send_key 'alt-c';    # custom size
        assert_screen 'partition-custom-size-selected';
        send_key 'alt-s' if is_storage_ng;

Look the tag of this needle: https://openqa.suse.de/tests/1428321#step/partitioning_full_lvm/28
partition-lv-size

Actions #14

Updated by SLindoMansilla about 6 years ago

Verified on SLE 12-SP3

Actions #15

Updated by riafarov about 6 years ago

  • Due date changed from 2018-01-30 to 2018-02-13
  • Target version changed from Milestone 13 to Milestone 14
Actions #16

Updated by riafarov about 6 years ago

  • Subject changed from [sle][functional][story][medium] Proposed partitions for "encrypted lvm" including encrypted boot partition to [sle][functional][story][hard] Proposed partitions for "encrypted lvm" including encrypted boot partition
  • Status changed from In Progress to Feedback

https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/4310

Disabled lvm-full-encrypt on s390x as same as lvm-full-encrypt-separate-boot for SLE15 and SLE12.
For SLE15 disabled lvm-full-encrypt on ppc64le, as same as lvm-full-encrypt-separate-boot as ppc64le requires /boot and prep boor partitions: https://github.com/yast/yast-storage-ng/blob/master/doc/boot-requirements.md#

Actions #17

Updated by okurz about 6 years ago

  • Status changed from Feedback to In Progress

PR has been merged. https://openqa.suse.de/tests/1440989#step/boot_encrypt/6 seems like a related problem. boot_encrypt is looking for a password prompt but to my understanding there should not be one when the boot is separate, right?

Actions #20

Updated by SLindoMansilla about 6 years ago

okurz, boot_encrypt should always ask for the password when using encrypted partition.

The difference about encrypting /boot or not is:

  • encrypted /boot: Password is asked before GRUB.stage2 can be loaded too, so the test module grub_test may handle the password. ...Or waiting for your proposal of a separate module for poo#27829... (password asked twice)
  • non-encrypted /boot: The password is only asked after GRUB.stage2 to mount the partitions. (password asked once)
Actions #21

Updated by SLindoMansilla about 6 years ago

  • Related to action #27829: [sle][functional][medium]test fails in reboot_gnome - grub2 needs unlock added
Actions #22

Updated by riafarov about 6 years ago

Correct, and we can see that correct needle is trying to match, this fancy plymouth password prompt. I will label it with https://bugzilla.suse.com/show_bug.cgi?id=1077750

Actions #23

Updated by riafarov about 6 years ago

  • Due date changed from 2018-02-13 to 2018-02-27
Actions #24

Updated by SLindoMansilla about 6 years ago

Is that still in feedback?

Actions #25

Updated by riafarov about 6 years ago

  • Status changed from Feedback to Resolved

I guess we can resolve it, on SP4 it failed with a bug on ppc64le. And on x86 it fails due to changes Oli did recently.

Actions

Also available in: Atom PDF