luks-passwd-leak.nix

import <nixpkgs/nixos/tests/make-test.nix> {
  name = "luks-passwd-leak";

  nodes.machine = { pkgs, ... }: {
    environment.systemPackages = [ pkgs.cryptsetup ];
    virtualisation.emptyDiskImages = [ 512 ];
  };

  nodes.newmachine = { pkgs, lib, ... }: {
    virtualisation.emptyDiskImages = [ 512 ];
    virtualisation.qemu.consoles = [ "tty0" ];
    boot.initrd.luks.devices = lib.mkOverride 0 {
      test.device = "/dev/vdb";
    };
  };

  enableOCR = true;

  testScript = ''
    my $secret = 'sweymabelquigopojkunfofilcovloquittyigoHacajOnecAchomfibs9';

    $machine->waitForUnit('multi-user.target');
    $machine->succeed("echo -n $secret | cryptsetup luksFormat -q /dev/vdb -");
    $machine->shutdown;

    $newmachine->{stateDir} = $machine->{stateDir};
    $newmachine->start;
    $newmachine->waitForText(qr/passphrase/i);
    $newmachine->sendChars("$secret\n");
    $newmachine->waitForUnit('multi-user.target');
    $newmachine->sendMonitorCommand('dump-guest-memory -p memory.dump');
    system('grep', '-F', $secret, 'vm-state-machine/memory.dump') != 0
      or die 'Secret has been found in VM memory!';
  '';
}