2521bebbf2
This is the error message on fail: > qemu-system-aarch64: -device canokey,file=/tmp/canokey-file: Warning: > speed mismatch trying to attach usb device "CanoKey QEMU" (full > speed) to bus "usb0.0", port "3" (high speed) My understanding of the issue is: The test failed because qemu-system-aarch64 apparently has different USB controllers enabled by default, resulting in a "speed mismatch" between the USB controller and CanoKey that only occurred on aarch64. I could reproduce the issue on x86_64 by enabling the EHCI controller and then fix the issue by specifying which USB bus to use for the CanoKey. This didn't fully fix the issue on my first attempt, because the UHCI controller enabled by -usb doesn't have the same bus name on aarch64 and x86_64. While bus=usb-bus.0 worked on x86_64, on aarch64 I get this message: > qemu-system-aarch64: -device canokey,bus=usb-bus.0,file= > /tmp/canokey-file: Bus 'usb-bus.0' not found The final solution now manually enables the OHCI controller (which may be similar to UHCI, but I really have no idea other than it works) and assigns it the id aka bus name "usb-bus", so it works the same under both architectures.
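import ./make-test-python.nix ({ lib, pkgs, ... }: {
  # Boot a LUKS2-encrypted root from a systemd-based initrd and unlock it with a
  # FIDO2 token (the CanoKey USB device emulated by QEMU) instead of a passphrase.
  name = "systemd-initrd-luks-fido2";

  nodes.machine = { pkgs, config, ... }: {
    # Use systemd-boot
    virtualisation = {
      emptyDiskImages = [ 512 ];
      useBootLoader = true;
      # Booting off the encrypted disk requires having a Nix store available for the init script
      mountHostNixStore = true;
      useEFIBoot = true;
      # Attach the emulated CanoKey to an explicitly created OHCI controller
      # with a fixed id. The default USB bus name differs between x86_64 and
      # aarch64, and the controller enabled by default on aarch64 is high-speed
      # only, so the full-speed CanoKey cannot be attached to it. Pinning the
      # bus name makes the test behave the same on both architectures.
      qemu.options = [
        "-device pci-ohci,id=usb-bus"
        "-device canokey,bus=usb-bus.0,file=/tmp/canokey-file"
      ];
    };
    boot.loader.systemd-boot.enable = true;

    boot.initrd.systemd.enable = true;

    environment.systemPackages = with pkgs; [ cryptsetup ];

    # The encrypted disk only exists once the test script has formatted and
    # enrolled it, so booting from it lives in a specialisation that the test
    # selects after enrollment.
    specialisation.boot-luks.configuration = {
      boot.initrd.luks.devices = lib.mkVMOverride {
        cryptroot = {
          device = "/dev/vdb";
          # "auto" expects exactly one FIDO2 token to be present; in this VM
          # that is the emulated CanoKey. No passphrase is supplied on the
          # second boot, so if the token does not unlock the volume the boot
          # stalls and the test times out rather than silently falling back.
          crypttabExtraOpts = [ "fido2-device=auto" ];
        };
      };
      virtualisation.rootDevice = "/dev/mapper/cryptroot";
      virtualisation.fileSystems."/".autoFormat = true;
    };
  };

  testScript = ''
    # Create encrypted volume. The passphrase only bootstraps the enrollment;
    # --iter-time=1 keeps the KDF cheap for the test.
    machine.wait_for_unit("multi-user.target")
    machine.succeed("echo -n supersecret | cryptsetup luksFormat -q --iter-time=1 /dev/vdb -")
    # PASSWORD hands the existing passphrase to systemd-cryptenroll
    # non-interactively; the debug log goes to the journal via systemd-cat.
    machine.succeed("PASSWORD=supersecret SYSTEMD_LOG_LEVEL=debug systemd-cryptenroll --fido2-device=auto /dev/vdb |& systemd-cat")
    # Check that a FIDO2 token actually landed in the LUKS2 header, so an
    # enrollment problem fails here, next to its log, instead of as an opaque
    # boot timeout after the reboot.
    machine.succeed("cryptsetup luksDump /dev/vdb | grep -q systemd-fido2")

    # Boot from the encrypted disk
    machine.succeed("bootctl set-default nixos-generation-1-specialisation-boot-luks.conf")
    machine.succeed("sync")
    machine.crash()

    # Boot and decrypt the disk. Reaching multi-user.target with the mapped
    # device as root shows the initrd unlocked it with the token, since no
    # passphrase is provided on this boot.
    machine.wait_for_unit("multi-user.target")
    assert "/dev/mapper/cryptroot on / type ext4" in machine.succeed("mount")
  '';
})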