Feature #15946

Extend VeraCrypt automated tests with PIM

Added by intrigeri 2018-09-12 15:37:57. Updated 2019-08-27 22:27:52.

Status: Resolved
Priority: Normal
Assignee:
Category: Test suite
Target version:
Start date: 2018-09-12
Due date:
% Done: 0%
Feature Branch: test/15946-veracrypt-tests-with-pim
Type of work: Code
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

On Tails/Buster we have a recent enough cryptsetup that allows us to use the VeraCrypt PIM feature. So let’s extend our test suite to exercise this.

I’ll write the initial VeraCrypt tests in a way that makes it easy to do this.


Related issues

Related to Tails - Feature #14471: Write tests for VeraCrypt support in GNOME Disks Resolved 2017-08-28
Related to Tails - Feature #14472: Write tests for VeraCrypt support in GNOME Files Rejected 2017-08-28
Blocked by Tails - Feature #15944: Port Tails to Buster Resolved 2018-09-12

History

#1 Updated by intrigeri 2018-09-12 15:38:05

  • related to Feature #14471: Write tests for VeraCrypt support in GNOME Disks added

#2 Updated by intrigeri 2018-09-12 15:38:08

  • related to Feature #14472: Write tests for VeraCrypt support in GNOME Files added

#3 Updated by intrigeri 2019-04-02 15:39:17

  • Target version changed from Tails_4.0 to Tails_3.17

#4 Updated by intrigeri 2019-07-06 17:48:17

#5 Updated by intrigeri 2019-07-06 18:13:42

Unfortunately, tcplay, that we use to generate VeraCrypt volumes in our test suite, does not support PIM. Its changelog suggests that 2.0 (not in Debian so far anyway) did not add this feature :/

The zuluplay fork adds this feature but it does not seem to be in Debian and I’d rather not add more ad-hoc, not easily installable requirements for folks who want to run our test suite.

zuluCrypt-cli also does support creating volumes with a PIM. I don’t recall why I’ve chosen tcplay. This feature is not documented in the manpage but https://bbs.archlinux.org/viewtopic.php?pid=1558372#p1558372 explains how to use it. This seems our best bet at this point.

#6 Updated by intrigeri 2019-07-06 18:16:13

  • Feature Branch set to test/15946-veracrypt-pim

#7 Updated by intrigeri 2019-07-06 18:19:41

  • Feature Branch deleted (test/15946-veracrypt-pim)

Note to myself: our test suite not only needs to create VeraCrypt volumes with a PIM: it also needs to unlock them on the host system (that runs Stretch due to Bug #15460) in order to create a filesystem and copy a file in there. zuluCrypt-cli is supposed to support this.

#8 Updated by segfault 2019-07-06 19:10:56

intrigeri wrote:
> Unfortunately, tcplay, that we use to generate VeraCrypt volumes in our test suite, does not support PIM. Its changelog suggests that 2.0 (not in Debian so far anyway) did not add this feature :/
>
> The zuluplay fork adds this feature but it does not seem to be in Debian and I’d rather not add more ad-hoc, not easily installable requirements for folks who want to run our test suite.
>
> zuluCrypt-cli also does support creating volumes with a PIM. I don’t recall why I’ve chosen tcplay. This feature is not documented in the manpage but https://bbs.archlinux.org/viewtopic.php?pid=1558372#p1558372 explains how to use it. This seems our best bet at this point.

Wouldn’t it be easier to just create a single container with a PIM and make it accessible to the test suite (just check it into our repo maybe?)? I could provide you such a container.

#9 Updated by intrigeri 2019-07-06 20:01:17

> Wouldn’t it be easier to just create a single container with a PIM and make it accessible to the test suite

You’re entirely right that it would be easier. I had it in mind as a worst case solution, but I am presently unable to articulate why exactly, so perhaps it boils down to aesthetics, which should not matter too much here. And arguably, given we added VeraCrypt unlocking support and mostly assume one creates their VeraCrypt containers on a non-Linux platform, it makes sense to test stuff on a “foreign” container rather than insisting on generating it ourselves.

> (just check it into our repo maybe?)?

This depends on the size. We went to great lengths to make tails.git smaller and not growing too fast. Granted, with the recent merge of the Weblate branch, perhaps this point is mostly moot nowadays.

> I could provide you such a container.

Yes, please :)) It would at least allow me to write the tests, ensure PIM support does work, without blocking on the “how to generate the container and a filesystem in it” problem. Ideally, we need a VFAT filesystem in the container, with /usr/share/common-licenses/GPL-3 copied to SecretFile at the root of that filesystem. A mere empty encrypted container won’t help much as I still would need to unlock it to set up the expected filesystem, which seems to be just as hard (on Stretch) as creating the container in the first place.

#10 Updated by segfault 2019-07-07 10:23:49

  • Feature Branch set to feature/15946-veracrypt-tests-with-pim

intrigeri wrote:
> > I could provide you such a container.
>
> Yes, please :)) It would at least allow me to write the tests, ensure PIM support does work, without blocking on the “how to generate the container and a filesystem in it” problem. Ideally, we need a VFAT filesystem in the container, with /usr/share/common-licenses/GPL-3 copied to SecretFile at the root of that filesystem. A mere empty encrypted container won’t help much as I still would need to unlock it to set up the expected filesystem, which seems to be just as hard (on Stretch) as creating the container in the first place.

I pushed a commit. The size of the container is 400KB, I suppose that’s small enough.

#11 Updated by intrigeri 2019-08-07 11:58:39

  • Target version changed from Tails_3.17 to Tails_4.0

#12 Updated by intrigeri 2019-08-12 10:03:12

  • Feature Branch changed from feature/15946-veracrypt-tests-with-pim to wip/test/15946-veracrypt-tests-with-pim

Thanks! Renaming the branch so Jenkins does not waste cycles on it until I start working on this.

#13 Updated by intrigeri 2019-08-19 14:14:46

  • Status changed from Confirmed to In Progress

Applied in changeset commit:tails|744635f9f7d79bad0201a7809272bacbfe74a2f8.

#14 Updated by intrigeri 2019-08-19 14:16:03

  • Feature Branch changed from wip/test/15946-veracrypt-tests-with-pim to test/15946-veracrypt-tests-with-pim

I’ve got something that works on my machine. Let’s see if Jenkins agrees.

#15 Updated by intrigeri 2019-08-21 10:55:42

  • Status changed from In Progress to Needs Validation
  • Assignee changed from intrigeri to anonym

https://jenkins.tails.boum.org/view/Tails_ISO/job/test_Tails_ISO_test-15946-veracrypt-tests-with-pim/4/cucumberTestReport/using-veracrypt-encrypted-volumes/ passed!

@anonym, please review and if happy, merge into devel :)

#16 Updated by intrigeri 2019-08-27 18:45:59

  • Assignee deleted (anonym)

(anonym encouraged me to look for other reviewers.)

#17 Updated by segfault 2019-08-27 22:11:08

  • Assignee set to segfault

#18 Updated by segfault 2019-08-27 22:26:38

LGTM

#19 Updated by segfault 2019-08-27 22:27:21

  • Status changed from Needs Validation to Resolved
  • % Done changed from 0 to 100

Applied in changeset commit:tails|f63bef892edd1aadff4631f843e3307b4d0b73df.

#20 Updated by segfault 2019-08-27 22:27:52

  • Assignee deleted (segfault)
  • % Done changed from 100 to 0