action #28507
closedcoordination #28504: [sle][functional][epic] crypt lvm for SLE 12-SP3, SLE 12-SP4 and SLE 15
[sle][functional][story][hard] Proposed partitions for "encrypted lvm" including encrypted boot partition
0%
Description
User story¶
As a customer, when I select in the Yast installer to use encrypted LVM-based partitions, I expect /boot to also be encrypted, so initrd and kernel are better protected against malicious actions.
- Take in mind that /boot can be a directory under the root partition or be in a separated partition, but in any case, it is expected to be encrypted.
- Be aware that on SLE 12-SP3 /boot was in a separated partition by default. On SLE 15, /boot is no more in a separated partition by default.
Acceptance criteria¶
AC1: The test suite lvm-full-encrypt is adapted to have an encrypted /boot for aarch64, ppc64 and x86_64
AC2: The test suite lvm-full-encrypt still gives for SLE 12-SP3 the same results as in https://openqa.suse.de/tests/overview?distri=sle&version=12-SP3&build=0473&groupid=55.
AC3: On ppc there is a workaround for bsc#1070139
AC4: Create additional test suite where we add unencrypted /boot partition outside of lvm to get same coverage for SLE 12 on SLE 15
Tasks¶
1. Wait for bsc#1070139 to be resolved.
- Adapt test suite lvm-full-encrypt to work for SLE 12-SP3 and SLE 15.
- Add new test suite in OSD with setting: UNENCRYPTED_BOOT
Further information¶
As a result of a conversation between okurz, riafarov and slindomansilla, the coverage will be implemented in the following way:
- The test suite cryptlvm performs for SLE 12-SP3 and SLE 15 the yast-proposed lvm installation.
- For SLE 12-SP3, the result will be an encrypted lvm + a non-encrypted /boot partition, which affects test module boot_encrypt to enter the password.
- For SLE 15, the result will be an full encrypted lvm, /boot included, which affects the module boot_encrypt and grub_test to enter the password. So the password is asked twice, before grub is shown, and after grub is shown.
- Since the test suite cryptlvm is working properly, we don't need a ticket for it.
- SLE 12-SP3 osd#1408146#step/partitioning_lvm/4
- SLE 15 osd#1424969#step/partitioning_lvm/7
- The test suite lvm_full_encrypt performs a full encrypted lvm installation using the expert partitioner for both SLE 12-SP3 and SLE 15.
- To also cover the case of a non-encrypted /boot partition, another test suite may be created. The settings of this test suite differs from lvm_full_encrypt on one setting: UNENCRYPTED_BOOT
- Those 4 cases will be covered in this ticket.
Updated by okurz about 7 years ago
- Subject changed from [sle][functional][story][medium] Proposed partitions for "encrypted lvm" inlcude encrypted boot partition to [sle][functional][story][medium] Proposed partitions for "encrypted lvm" including encrypted boot partition
- Status changed from New to Feedback
- Assignee set to SLindoMansilla
- Target version set to Milestone 13
@SLindoMansilla because you are the reporter of the bug please track the status and tell us in this progress ticket when it's done and we have the effect in the build. Then we can schedule it for a specific sprint. If the bug is still not resolved at the end of the milestone we should revisit and discuss how to continue.
Updated by okurz almost 7 years ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: lvm-full-encrypt
https://openqa.suse.de/tests/1396356
Updated by SLindoMansilla almost 7 years ago
- Description updated (diff)
- Status changed from Feedback to Workable
Updated by SLindoMansilla almost 7 years ago
- Assignee deleted (
SLindoMansilla)
Back to sprint backlog
Updated by riafarov almost 7 years ago
- Status changed from Workable to In Progress
- Assignee set to riafarov
Updated by riafarov almost 7 years ago
- Description updated (diff)
Changed description according to our discussion with Olli and Sergio.
Updated by riafarov almost 7 years ago
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/4286
Need to add new test suite based on lvm-full-encrypt and file bugs for SLE15
Updated by SLindoMansilla almost 7 years ago
Verification runs on OSD¶
Missing needle for SLE 12-SP3 on OSD. You only pushed one needle with tag ENV-15ORLATER-1, probably you overwrote the other one because of same filename:
- SLE 12-SP3 osd#1428321#step/partitioning_full_lvm/30
- SLE 12-SP3 unencrypted /boot osd#1428322#step/partitioning_full_lvm/37
For SLE 15, I think the workers shows different failures that look like worker performance issue.
- I remember you encountered this: SLE 15 osd#1428328#step/partitioning_full_lvm/17
- bsc#1077708 SLE 15 unencrypted /boot osd#1428489#step/partitioning_full_lvm/53
Updated by riafarov almost 7 years ago
(edited comment)
https://openqa.suse.de/tests/1428328#step/partitioning_full_lvm/17 this one will be fixed to have same behavior as in SLE12. Difference is that MB is not same as MiB 1000kb vs 1024kib, and what we type there is actually less than minimal size.
Created new needle for SLE12 SP4 as per Sergio's comment.
Runs:
SLE 15:
https://openqa.suse.de/tests/1431302#step/partitioning_full_lvm/54 (bug)
https://openqa.suse.de/tests/1431299#step/partitioning_full_lvm/54 (bug)
SLE 12SP4:
https://openqa.suse.de/tests/1431287#
https://openqa.suse.de/tests/1431315
Need runs for all architectures. Both test suites were enabled on arm, which was not the case before.
Updated by SLindoMansilla almost 7 years ago
Are you sure?
I think it is this part:
send_key 'alt-c'; # custom size
assert_screen 'partition-custom-size-selected';
send_key 'alt-s' if is_storage_ng;
Look the tag of this needle: https://openqa.suse.de/tests/1428321#step/partitioning_full_lvm/28
partition-lv-size
Updated by SLindoMansilla almost 7 years ago
Verified on SLE 12-SP3
- SLE 12-SP3 osd#1431313#step/partitioning_full_lvm/39
- SLE 12-SP3 unencrypted /boot osd#1431314#step/partitioning_full_lvm/46
Updated by riafarov almost 7 years ago
- Due date changed from 2018-01-30 to 2018-02-13
- Target version changed from Milestone 13 to Milestone 14
Updated by riafarov almost 7 years ago
- Subject changed from [sle][functional][story][medium] Proposed partitions for "encrypted lvm" including encrypted boot partition to [sle][functional][story][hard] Proposed partitions for "encrypted lvm" including encrypted boot partition
- Status changed from In Progress to Feedback
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/4310
Disabled lvm-full-encrypt on s390x as same as lvm-full-encrypt-separate-boot for SLE15 and SLE12.
For SLE15 disabled lvm-full-encrypt on ppc64le, as same as lvm-full-encrypt-separate-boot as ppc64le requires /boot and prep boor partitions: https://github.com/yast/yast-storage-ng/blob/master/doc/boot-requirements.md#
Updated by okurz almost 7 years ago
- Status changed from Feedback to In Progress
PR has been merged. https://openqa.suse.de/tests/1440989#step/boot_encrypt/6 seems like a related problem. boot_encrypt is looking for a password prompt but to my understanding there should not be one when the boot is separate, right?
Updated by riafarov almost 7 years ago
- Status changed from In Progress to Feedback
Updated by riafarov almost 7 years ago
Updated by SLindoMansilla almost 7 years ago
okurz, boot_encrypt should always ask for the password when using encrypted partition.
The difference about encrypting /boot or not is:
- encrypted /boot: Password is asked before GRUB.stage2 can be loaded too, so the test module grub_test may handle the password. ...Or waiting for your proposal of a separate module for poo#27829... (password asked twice)
- non-encrypted /boot: The password is only asked after GRUB.stage2 to mount the partitions. (password asked once)
Updated by SLindoMansilla almost 7 years ago
- Related to action #27829: [sle][functional][medium]test fails in reboot_gnome - grub2 needs unlock added
Updated by riafarov almost 7 years ago
Correct, and we can see that correct needle is trying to match, this fancy plymouth password prompt. I will label it with https://bugzilla.suse.com/show_bug.cgi?id=1077750
Updated by riafarov almost 7 years ago
- Due date changed from 2018-02-13 to 2018-02-27
Updated by riafarov almost 7 years ago
- Status changed from Feedback to Resolved
I guess we can resolve it, on SP4 it failed with a bug on ppc64le. And on x86 it fails due to changes Oli did recently.