action #28507
closed
coordination #28504: [sle][functional][epic] crypt lvm for SLE 12-SP3, SLE 12-SP4 and SLE 15
[sle][functional][story][hard] Proposed partitions for "encrypted lvm" including encrypted boot partition
Added by SLindoMansilla about 7 years ago.
Updated almost 7 years ago.
Category:
Enhancement to existing tests
Description
User story¶
As a customer, when I select in the Yast installer to use encrypted LVM-based partitions, I expect /boot to also be encrypted, so initrd and kernel are better protected against malicious actions.
- Take in mind that /boot can be a directory under the root partition or be in a separated partition, but in any case, it is expected to be encrypted.
- Be aware that on SLE 12-SP3 /boot was in a separated partition by default. On SLE 15, /boot is no more in a separated partition by default.
Acceptance criteria¶
AC1: The test suite lvm-full-encrypt is adapted to have an encrypted /boot for aarch64, ppc64 and x86_64
AC2: The test suite lvm-full-encrypt still gives for SLE 12-SP3 the same results as in https://openqa.suse.de/tests/overview?distri=sle&version=12-SP3&build=0473&groupid=55.
AC3: On ppc there is a workaround for bsc#1070139
AC4: Create additional test suite where we add unencrypted /boot partition outside of lvm to get same coverage for SLE 12 on SLE 15
Tasks¶
1. Wait for bsc#1070139 to be resolved.
- Adapt test suite lvm-full-encrypt to work for SLE 12-SP3 and SLE 15.
- Add new test suite in OSD with setting: UNENCRYPTED_BOOT
Further information¶
As a result of a conversation between okurz, riafarov and slindomansilla, the coverage will be implemented in the following way:
- The test suite cryptlvm performs for SLE 12-SP3 and SLE 15 the yast-proposed lvm installation.
- For SLE 12-SP3, the result will be an encrypted lvm + a non-encrypted /boot partition, which affects test module boot_encrypt to enter the password.
- For SLE 15, the result will be an full encrypted lvm, /boot included, which affects the module boot_encrypt and grub_test to enter the password. So the password is asked twice, before grub is shown, and after grub is shown.
- Since the test suite cryptlvm is working properly, we don't need a ticket for it.
- SLE 12-SP3 osd#1408146#step/partitioning_lvm/4
- SLE 15 osd#1424969#step/partitioning_lvm/7
- The test suite lvm_full_encrypt performs a full encrypted lvm installation using the expert partitioner for both SLE 12-SP3 and SLE 15.
- To also cover the case of a non-encrypted /boot partition, another test suite may be created. The settings of this test suite differs from lvm_full_encrypt on one setting: UNENCRYPTED_BOOT
- Those 4 cases will be covered in this ticket.
- Description updated (diff)
- Subject changed from [sle][functional][story][medium] Proposed partitions for "encrypted lvm" inlcude encrypted boot partition to [sle][functional][story][medium] Proposed partitions for "encrypted lvm" including encrypted boot partition
- Status changed from New to Feedback
- Assignee set to SLindoMansilla
- Target version set to Milestone 13
@SLindoMansilla because you are the reporter of the bug please track the status and tell us in this progress ticket when it's done and we have the effect in the build. Then we can schedule it for a specific sprint. If the bug is still not resolved at the end of the milestone we should revisit and discuss how to continue.
- Due date set to 2018-01-30
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: lvm-full-encrypt
https://openqa.suse.de/tests/1396356
- Description updated (diff)
- Status changed from Feedback to Workable
- Assignee deleted (
SLindoMansilla)
- Status changed from Workable to In Progress
- Assignee set to riafarov
- Description updated (diff)
Changed description according to our discussion with Olli and Sergio.
- Description updated (diff)
Verification runs on OSD¶
Missing needle for SLE 12-SP3 on OSD. You only pushed one needle with tag ENV-15ORLATER-1, probably you overwrote the other one because of same filename:
For SLE 15, I think the workers shows different failures that look like worker performance issue.
- Due date changed from 2018-01-30 to 2018-02-13
- Target version changed from Milestone 13 to Milestone 14
- Subject changed from [sle][functional][story][medium] Proposed partitions for "encrypted lvm" including encrypted boot partition to [sle][functional][story][hard] Proposed partitions for "encrypted lvm" including encrypted boot partition
- Status changed from In Progress to Feedback
- Status changed from Feedback to In Progress
- Status changed from In Progress to Feedback
okurz, boot_encrypt should always ask for the password when using encrypted partition.
The difference about encrypting /boot or not is:
- encrypted /boot: Password is asked before GRUB.stage2 can be loaded too, so the test module grub_test may handle the password. ...Or waiting for your proposal of a separate module for poo#27829... (password asked twice)
- non-encrypted /boot: The password is only asked after GRUB.stage2 to mount the partitions. (password asked once)
- Related to action #27829: [sle][functional][medium]test fails in reboot_gnome - grub2 needs unlock added
- Due date changed from 2018-02-13 to 2018-02-27
Is that still in feedback?
- Status changed from Feedback to Resolved
I guess we can resolve it, on SP4 it failed with a bug on ppc64le. And on x86 it fails due to changes Oli did recently.
Also available in: Atom
PDF