Project

General

Profile

action #120459

Updated by tjyrinki_suse about 2 years ago

## Observation 

 The test is based on two machines, client (admin interface) and server (remote server) 
 The idea is that a remote server with encrypted disk can be rebooted and then the password to decrypt entered via ssh. 

 The test somewhat 'works' (worked) with some (unnoticed flaws): 
 * The server is setup with a 'strange' partition layout: /boot encrypted, but / is not 

 As a consequence, before the ssh server is even reachable, an admin needed to locally unlock the /boot encryption (making dracut-ssh completely useless, as an admin was already local to the system anyway) 

 This has now popped up as an error on openQA as recent grub grun forwards the key it receives to decrypt itself to the partitions - which in this case it 'auto-unlocks' during the boot process, making dracut-ssh not having anything to do (tried to unlock /boot again) 

 IMHO, the partitioning layout it inversed: / should be encrypted, /boot decrypted 


 openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-luks1_decrypt_ssh_server@64bit fails in 
 [unlock_via_ssh_server](https://openqa.opensuse.org/tests/2878310/modules/unlock_via_ssh_server/steps/24) 

 ## Test suite description 
 Maintainer: QE Security (Richard Fan) richard.fan@suse.com (Starry Wang) starry.wang@suse.com 


 ## Reproducible 

 Fails since (at least) Build [20221114](https://openqa.opensuse.org/tests/2877890) 


 ## Expected result 

 Last good: [20221109](https://openqa.opensuse.org/tests/2865135) (or more recent) 

 


 ## Further details 

 Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=DVD&machine=64bit&test=luks1_decrypt_ssh_server&version=Tumbleweed) 

 --- 

 This test uses HDD Created by test suite create_hdd_gnome_encrypt_separate_boot using YAML schedule/security/autoyast_btrfs_luks1_separate_boot.yaml, which refers to autoyast_sle15/autoyast_btrfs_luks1_separate_boot.xml, and the test itself uses YAML schedule/security/luks1_decrypt_ssh_server.yaml. 

 Internal discussion that resulted in filing this ticket https://suse.slack.com/archives/C02CANHLANP/p1668499778430149 

 Related bug report https://bugzilla.suse.com/show_bug.cgi?id=1141868 

 ## Acceptance Criteria 

 1. Restructure create_hdd_gnome_encrypt_separate_boot to create a qcow2 with unencrypted boot and encrypted /, accepting passphrase for / over SSH server started in initrd from /boot 

Back