Feature #15946: Extend VeraCrypt automated tests with PIM

Feature #15946

Extend VeraCrypt automated tests with PIM

Added by intrigeri 2018-09-12 15:37:57 . Updated 2019-08-27 22:27:52 .

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Test suite

Target version:

Tails_4.0

Start date:

2018-09-12

Due date:

% Done:

Feature Branch:

test/15946-veracrypt-tests-with-pim

Type of work:

Code

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

On Tails/Buster we have a recent enough cryptsetup that allows us to use the VeraCrypt PIM feature. So let’s extend our test suite to exercise this.

I’ll write the initial VeraCrypt tests in a way that makes it easy to do this.

Subtasks

Related issues

Related to Tails - ~~Feature #14471~~: Write tests for VeraCrypt support in GNOME Disks	Resolved	2017-08-28
Related to Tails - ~~Feature #14472~~: Write tests for VeraCrypt support in GNOME Files	Rejected	2017-08-28
Blocked by Tails - ~~Feature #15944~~: Port Tails to Buster	Resolved	2018-09-12

History

#1 Updated by intrigeri 2018-09-12 15:38:05

related to ~~Feature #14471~~: Write tests for VeraCrypt support in GNOME Disks added

#2 Updated by intrigeri 2018-09-12 15:38:08

related to ~~Feature #14472~~: Write tests for VeraCrypt support in GNOME Files added

#3 Updated by intrigeri 2019-04-02 15:39:17

Target version changed from Tails_4.0 to Tails_3.17

#4 Updated by intrigeri 2019-07-06 17:48:17

blocked by ~~Feature #15944~~: Port Tails to Buster added

#5 Updated by intrigeri 2019-07-06 18:13:42

Unfortunately, tcplay, that we use to generate VeraCrypt volumes in our test suite, does not support PIM. Its changelog suggests that 2.0 (not in Debian so far anyway) did not add this feature :/

The zuluplay fork adds this feature but it does not seem to be in Debian and I’d rather not add more ad-hoc, not easily installable requirements for folks who want to run our test suite.

zuluCrypt-cli also does support creating volumes with a PIM. I don’t recall why I’ve chosen tcplay. This feature is not documented in the manpage but https://bbs.archlinux.org/viewtopic.php?pid=1558372#p1558372 explains how to use it. This seems our best bet at this point.

#6 Updated by intrigeri 2019-07-06 18:16:13

Feature Branch set to test/15946-veracrypt-pim

#7 Updated by intrigeri 2019-07-06 18:19:41

Feature Branch deleted (~~test/15946-veracrypt-pim~~)

Note to myself: our test suite not only needs to create VeraCrypt volumes with a PIM: it also needs to unlock them on the host system (that runs Stretch due to ~~Bug #15460~~) in order to create a filesystem and copy a file in there. zuluCrypt-cli is supposed to support this.

#8 Updated by segfault 2019-07-06 19:10:56

intrigeri wrote:
> Unfortunately, tcplay, that we use to generate VeraCrypt volumes in our test suite, does not support PIM. Its changelog suggests that 2.0 (not in Debian so far anyway) did not add this feature :/
>
> The zuluplay fork adds this feature but it does not seem to be in Debian and I’d rather not add more ad-hoc, not easily installable requirements for folks who want to run our test suite.
>
> zuluCrypt-cli also does support creating volumes with a PIM. I don’t recall why I’ve chosen tcplay. This feature is not documented in the manpage but https://bbs.archlinux.org/viewtopic.php?pid=1558372#p1558372 explains how to use it. This seems our best bet at this point.

Wouldn’t it be easier to just create a single container with a PIM and make it accessible to the test suite (just check it into our repo maybe?)?. I could provide you such a container.

#9 Updated by intrigeri 2019-07-06 20:01:17

> Wouldn’t it be easier to just create a single container with a PIM and make it accessible to the test suite

You’re entirely right that it would be easier. I had it in mind as a worst case solution, but I am presently unable to articulate why exactly, so perhaps it boils down to aesthetics, which should not matter too much here. And arguably, given we added VeraCrypt unlocking support and mostly assume one creates their VeraCrypt containers on a non-Linux platform, it makes sense to test stuff on a “foreign” container rather than insisting on generating it ourselves.

> (just check it into our repo maybe?)?

This depends on the size. We went to great lengths to make tails.git smaller and not growing too fast. Granted, with the recent merge of the Weblate branch, perhaps this point is mostly moot nowadays.

> I could provide you such a container.

Yes, please :)) It would at least allow me to write the tests, ensure PIM support does work, without blocking on the “how to generate the container and a filesystem in it” problem. Ideally, we need a VFAT filesystem in the container, with /usr/share/common-licenses/GPL-3 copied to SecretFile at the root of that filesystem. A mere empty encrypted container won’t help much as I still would need to unlock it to set up the expected filesystem, which seems to be just as hard (on Stretch) as creating the container in the first place.

#10 Updated by segfault 2019-07-07 10:23:49

Feature Branch set to feature/15946-veracrypt-tests-with-pim

intrigeri wrote:
> > I could provide you such a container.
>
> Yes, please :)) It would at least allow me to write the tests, ensure PIM support does work, without blocking on the “how to generate the container and a filesystem in it” problem. Ideally, we need a VFAT filesystem in the container, with /usr/share/common-licenses/GPL-3 copied to SecretFile at the root of that filesystem. A mere empty encrypted container won’t help much as I still would need to unlock it to set up the expected filesystem, which seems to be just as hard (on Stretch) as creating the container in the first place.

I pushed a commit. The size of the container is 400KB, I suppose that’s small enough.