action #28507
Updated by SLindoMansilla over 6 years ago
## User story
As a customer, when I select *encrypted LVM-based* partitions in the YaST installer, I expect _/boot_ to also be encrypted, so that initrd and kernel are better protected against malicious actions.
- Keep in mind that _/boot_ can be a directory under the root partition or on a separate partition, but in either case it is expected to be encrypted.
- Be aware that on SLE 12-SP3 _/boot_ was on a separate partition by default. On SLE 15, _/boot_ is no longer on a separate partition by default.
## Acceptance criteria
**AC1:** The test suite **lvm-full-encrypt** is adapted to have an encrypted _/boot_ for **aarch64**, **ppc64** and **x86_64**
**AC2:** The test suite **lvm-full-encrypt** still gives the same results for SLE 12-SP3 as in https://openqa.suse.de/tests/overview?distri=sle&version=12-SP3&build=0473&groupid=55.
**AC3:** On ppc there is a workaround for [bsc#1070139](https://bugzilla.suse.com/show_bug.cgi?id=1070139)
**AC4:** Create an additional test suite where we add an unencrypted /boot partition outside of LVM, to get the same coverage on SLE 15 as on SLE 12
## Tasks
<s>1. Wait for [bsc#1070139](https://bugzilla.suse.com/show_bug.cgi?id=1070139) to be resolved.</s>
2. Adapt test suite **lvm-full-encrypt** to work for SLE 12-SP3 and SLE 15.
3. Add a new test suite in OSD with the setting: *UNENCRYPTED_BOOT*
## Further information
As a result of a conversation between okurz, riafarov and slindomansilla, the coverage will be implemented in the following way:
- The test suite **cryptlvm** performs the YaST-proposed LVM installation for SLE 12-SP3 and SLE 15.
- For SLE 12-SP3, the result will be an encrypted LVM plus a non-encrypted _/boot_ partition, which requires the test module **boot_encrypt** to enter the password.
- For SLE 15, the result will be a fully encrypted LVM, _/boot_ included, which requires the modules **boot_encrypt** and **grub_test** to enter the password. The password is therefore asked for twice: once before GRUB is shown and once after GRUB is shown.
- Since the test suite cryptlvm is working properly, we don't need a ticket for it.
- SLE 12-SP3 [osd#1408146#step/partitioning_lvm/4](https://openqa.suse.de/tests/1408146#step/partitioning_lvm/4)
- SLE 15 [osd#1424969#step/partitioning_lvm/7](https://openqa.suse.de/tests/1424969#step/partitioning_lvm/7)
- The test suite **lvm_full_encrypt** performs a fully encrypted LVM installation using the expert partitioner for both SLE 12-SP3 and SLE 15.
- To also cover the case of a non-encrypted _/boot_ partition, another test suite may be created. The settings of this test suite differ from **lvm_full_encrypt** in one setting: *UNENCRYPTED_BOOT*
- Those 4 cases will be covered in this ticket.