nixos/tests/systemd-credentials-tpm2: Add tests for systemd credentials

[hesiod]

Description of changes

Add a test that checks whether systemd can access the TPM in order access credentials requested via Load/SetCredentialEncrypted.

See discussion in #214383 (comment)

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.05 Release Notes (or backporting 22.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[flokli]

Nice! That's what I had in mind :-)

Can you undraft this, so it can be merged?

[hesiod]

@flokli Sure, just let me remove some debugging leftovers and add a meta.maintainers entry.

[hesiod]

@flokli Should be good to go now. I've cleaned the commit up and also added an additional check whether the software TPM process started up correctly, making the test more robust.

[hesiod]

Just to make sure, let's see if it works for ofborg as well:
@ofborg test systemd-credentials-tpm2

[hesiod]

It fails on aarch64 because the TPM device is called tpm-tis-device instead of tpm-tis on aarch64. The existing TPM tests don't handle this, but it should be an easy fix. I'll try fixing it, and if it doesn't work out I'll simply mark the test as x86_64-linux-only.

[hesiod]

@ofborg test systemd-credentials-tpm2

[hesiod]

The test now also runs on aarch64-linux. A similar fix should apply to systemd-cryptenroll and systemd-initrd-luks-tpm2.

[flokli]

Thanks!

[flokli]

@JJJollyjim would you be interested in backporting the aarch64 fixes into the other tpm-related tests? Maybe we can also move the Tpm class to a more central place, so less needs to be copypasted.