Feature #15946
Extend VeraCrypt automated tests with PIM
0%
Description
On Tails/Buster we have a recent enough cryptsetup that allows us to use the VeraCrypt PIM feature. So let’s extend our test suite to exercise this.
I’ll write the initial VeraCrypt tests in a way that makes it easy to do this.
Subtasks
Related issues
Related to Tails - |
Resolved | 2017-08-28 | |
Related to Tails - |
Rejected | 2017-08-28 | |
Blocked by Tails - |
Resolved | 2018-09-12 |
History
#1 Updated by intrigeri 2018-09-12 15:38:05
- related to
Feature #14471: Write tests for VeraCrypt support in GNOME Disks added
#2 Updated by intrigeri 2018-09-12 15:38:08
- related to
Feature #14472: Write tests for VeraCrypt support in GNOME Files added
#3 Updated by intrigeri 2019-04-02 15:39:17
- Target version changed from Tails_4.0 to Tails_3.17
#4 Updated by intrigeri 2019-07-06 17:48:17
- blocked by
Feature #15944: Port Tails to Buster added
#5 Updated by intrigeri 2019-07-06 18:13:42
Unfortunately, tcplay, that we use to generate VeraCrypt volumes in our test suite, does not support PIM. Its changelog suggests that 2.0 (not in Debian so far anyway) did not add this feature :/
The zuluplay fork adds this feature but it does not seem to be in Debian and I’d rather not add more ad-hoc, not easily installable requirements for folks who want to run our test suite.
zuluCrypt-cli also does support creating volumes with a PIM. I don’t recall why I’ve chosen tcplay. This feature is not documented in the manpage but https://bbs.archlinux.org/viewtopic.php?pid=1558372#p1558372 explains how to use it. This seems our best bet at this point.
#6 Updated by intrigeri 2019-07-06 18:16:13
- Feature Branch set to test/15946-veracrypt-pim
#7 Updated by intrigeri 2019-07-06 18:19:41
- Feature Branch deleted (test/15946-veracrypt-pim)
Note to myself: our test suite not only needs to create VeraCrypt volumes with a PIM: it also needs to unlock them on the host system (that runs Stretch due to Bug #15460) in order to create a filesystem and copy a file in there. zuluCrypt-cli is supposed to support this.
#8 Updated by segfault 2019-07-06 19:10:56
intrigeri wrote:
> Unfortunately, tcplay, that we use to generate VeraCrypt volumes in our test suite, does not support PIM. Its changelog suggests that 2.0 (not in Debian so far anyway) did not add this feature :/
>
> The zuluplay fork adds this feature but it does not seem to be in Debian and I’d rather not add more ad-hoc, not easily installable requirements for folks who want to run our test suite.
>
> zuluCrypt-cli also does support creating volumes with a PIM. I don’t recall why I’ve chosen tcplay. This feature is not documented in the manpage but https://bbs.archlinux.org/viewtopic.php?pid=1558372#p1558372 explains how to use it. This seems our best bet at this point.
Wouldn’t it be easier to just create a single container with a PIM and make it accessible to the test suite (just check it into our repo maybe?)? I could provide you such a container.
#9 Updated by intrigeri 2019-07-06 20:01:17
> Wouldn’t it be easier to just create a single container with a PIM and make it accessible to the test suite
You’re entirely right that it would be easier. I had it in mind as a worst case solution, but I am presently unable to articulate why exactly, so perhaps it boils down to aesthetics, which should not matter too much here. And arguably, given we added VeraCrypt unlocking support and mostly assume one creates their VeraCrypt containers on a non-Linux platform, it makes sense to test stuff on a “foreign” container rather than insisting on generating it ourselves.
> (just check it into our repo maybe?)?
This depends on the size. We went to great lengths to make tails.git smaller and not growing too fast. Granted, with the recent merge of the Weblate branch, perhaps this point is mostly moot nowadays.
> I could provide you such a container.
Yes, please :)) It would at least allow me to write the tests, ensure PIM support does work, without blocking on the “how to generate the container and a filesystem in it” problem. Ideally, we need a VFAT filesystem in the container, with /usr/share/common-licenses/GPL-3 copied to SecretFile at the root of that filesystem. A mere empty encrypted container won’t help much as I still would need to unlock it to set up the expected filesystem, which seems to be just as hard (on Stretch) as creating the container in the first place.
#10 Updated by segfault 2019-07-07 10:23:49
- Feature Branch set to feature/15946-veracrypt-tests-with-pim
intrigeri wrote:
> > I could provide you such a container.
>
> Yes, please :)) It would at least allow me to write the tests, ensure PIM support does work, without blocking on the “how to generate the container and a filesystem in it” problem. Ideally, we need a VFAT filesystem in the container, with /usr/share/common-licenses/GPL-3 copied to SecretFile at the root of that filesystem. A mere empty encrypted container won’t help much as I still would need to unlock it to set up the expected filesystem, which seems to be just as hard (on Stretch) as creating the container in the first place.
I pushed a commit. The size of the container is 400KB, I suppose that’s small enough.
#11 Updated by intrigeri 2019-08-07 11:58:39
- Target version changed from Tails_3.17 to Tails_4.0
#12 Updated by intrigeri 2019-08-12 10:03:12
- Feature Branch changed from feature/15946-veracrypt-tests-with-pim to wip/test/15946-veracrypt-tests-with-pim
Thanks! Renaming the branch so Jenkins does not waste cycles on it until I start working on this.
#13 Updated by intrigeri 2019-08-19 14:14:46
- Status changed from Confirmed to In Progress
Applied in changeset commit:tails|744635f9f7d79bad0201a7809272bacbfe74a2f8.
#14 Updated by intrigeri 2019-08-19 14:16:03
- Feature Branch changed from wip/test/15946-veracrypt-tests-with-pim to test/15946-veracrypt-tests-with-pim
I’ve got something that works on my machine. Let’s see if Jenkins agrees.
#15 Updated by intrigeri 2019-08-21 10:55:42
- Status changed from In Progress to Needs Validation
- Assignee changed from intrigeri to anonym
@anonym, please review and if happy, merge into devel :)
#16 Updated by intrigeri 2019-08-27 18:45:59
- Assignee deleted (anonym)
(anonym encouraged me to look for other reviewers.)
#17 Updated by segfault 2019-08-27 22:11:08
- Assignee set to segfault
#18 Updated by segfault 2019-08-27 22:26:38
LGTM
#19 Updated by segfault 2019-08-27 22:27:21
- Status changed from Needs Validation to Resolved
- % Done changed from 0 to 100
Applied in changeset commit:tails|f63bef892edd1aadff4631f843e3307b4d0b73df.
#20 Updated by segfault 2019-08-27 22:27:52
- Assignee deleted (segfault)
- % Done changed from 100 to 0