From Fedora Project Wiki

Revision as of 19:42, 31 March 2020

Description

A simple validation test case for Clevis on Fedora IoT Edition. This test requires hardware with a Trusted Platform Module (TPM) or a virtual machine with an emulated TPM (you will need to install swtpm and swtpm-tools).

Setup

Install a system with an encrypted root filesystem. See the QA:Testcase_partitioning_guided_encrypted test case for further details.

How to test

Verify decryption is working via TPM2

echo foo | clevis encrypt tpm2 '{}' | clevis decrypt

Get the UUID of the encrypted device

UUID=$(lsblk | grep luks | sed 's/^.*luks-//' | cut -d ' ' -f1)
DEV=$(blkid --uuid "$UUID")

Check encryption details of the device

cryptsetup luksDump "$DEV"

Verify the passphrase before setting

cryptsetup luksOpen --test-passphrase --key-slot 0 "$DEV" && echo correct

Set up Clevis to decrypt via TPM2 on boot

clevis luks bind -f -k- -d "$DEV" tpm2 '{}' <<< "$YOUR_PASSPHRASE"
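
A check to run after the bind step, as an added example that is not part of the original test case: it reads LUKS2 `cryptsetup luksDump` text and confirms that a Clevis token exists and points at an existing keyslot other than the passphrase slot 0. The function names and the abbreviated sample dump are constructed for illustration, and the LUKS2 dump layout is assumed.

```shell
#!/bin/sh
# Added example (not from the original test case). Helper names are hypothetical.

# Print the keyslot number referenced by every token of type "clevis".
clevis_slots() {
  awk '
    /^[A-Za-z]/ { in_tokens = ($1 == "Tokens:"); is_clevis = 0; next }
    in_tokens && /^  [0-9]+: / { is_clevis = ($2 == "clevis"); next }
    in_tokens && is_clevis && $1 == "Keyslot:" { print $2 }
  '
}

# Print the number of every keyslot listed in the "Keyslots:" section.
luks_keyslots() {
  awk '
    /^[A-Za-z]/ { in_slots = ($1 == "Keyslots:"); next }
    in_slots && /^  [0-9]+: / { sub(":", "", $1); print $1 }
  '
}

# Succeed only if at least one clevis token exists and each one references an
# existing keyslot other than 0 (assumption: slot 0 holds the passphrase).
binding_ok() {
  dump=$1
  bound=$(printf '%s\n' "$dump" | clevis_slots)
  [ -n "$bound" ] || return 1
  for s in $bound; do
    [ "$s" != 0 ] || return 1
    printf '%s\n' "$dump" | luks_keyslots | grep -qx "$s" || return 1
  done
}

# Constructed, abbreviated LUKS2 dump (not captured from a real device).
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: clevis
        Keyslot:    1
Digests:
  0: pbkdf2'

binding_ok "$SAMPLE_DUMP" && echo "clevis token bound to keyslot $(printf '%s\n' "$SAMPLE_DUMP" | clevis_slots)"
# On the test system: binding_ok "$(cryptsetup luksDump "$DEV")" && echo bound
```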

Results