Pass custom password to boot_encrypt

https://bugzilla.suse.com/show_bug.cgi?id=1228795

lib/security_boot_utils.pm

@@ -21,8 +21,11 @@ use Utils::Architectures;
 our @EXPORT = qw(
   boot_has_no_video
   boot_encrypt_no_video
+  cc_fips_pwd
 );
 
+our $cc_fips_pwd = "not-so-s3cr3t-LONG_PWD_FOR_FIPS";
+
 sub boot_has_no_video {
     my $is_encrypted = check_var('FULL_LVM_ENCRYPT', '1') || check_var('ENCRYPT', '1');
     my $is_qr = check_var('FLAVOR', 'Online-QR') || check_var('FLAVOR', 'Full-QR');

lib/utils.pm

@@ -201,13 +201,14 @@ C<$testapi::password> will be used as password.
 =cut
 
 sub unlock_zvm_disk {
-    my ($console) = @_;
+    my ($console, $custom_password) = @_;
+    my $password = $custom_password // $testapi::password;
     eval { $console->expect_3270(output_delim => 'Please enter passphrase', timeout => 30) };
     if ($@) {
         diag 'No passphrase asked, continuing';
     }
     else {
-        $console->sequence_3270("String(\"$testapi::password\")", "ENTER");
+        $console->sequence_3270("String(\"$password\")", "ENTER");
         diag 'Passphrase entered';
     }
 
@@ -338,11 +339,11 @@ C<$check_typed_password> will default to C<0>.
 sub unlock_if_encrypted {
     my (%args) = @_;
     $args{check_typed_password} //= 0;
+    my $password = $args{custom_password} // $testapi::password;
 
     return unless get_var("ENCRYPT");
 
     if (get_var('S390_ZKVM')) {
-        my $password = $testapi::password;
         select_console('svirt');
 
         # enter passphrase twice (before grub and after grub) if full disk is encrypted
@@ -359,19 +360,19 @@ sub unlock_if_encrypted {
         # Enter password before GRUB if boot is encrypted
         # Boot partition is always encrypted, if not using expert partitioner with
         # separate unencrypted boot
-        unlock_zvm_disk($console) unless get_var('UNENCRYPTED_BOOT');
+        unlock_zvm_disk($console, $password) unless get_var('UNENCRYPTED_BOOT');
         handle_grub_zvm($console);
-        unlock_zvm_disk($console);
+        unlock_zvm_disk($console, $password);
     }
     else {
         assert_screen("encrypted-disk-password-prompt", 200);
-        type_password;    # enter PW at boot
+        type_password $password;
         save_screenshot;
         if ($args{check_typed_password}) {
             unless (check_screen "encrypted_disk-typed_password", 30) {
                 record_info("Invalid password", "Not all password characters were typed successfully, retyping");
                 send_key "backspace" for (0 .. 9);
-                type_password;
+                type_password $password;
                 assert_screen "encrypted_disk-typed_password";
             }
         }

tests/installation/boot_encrypt.pm

@@ -12,9 +12,15 @@ use strict;
 use warnings;
 use base "installbasetest";
 use utils;
+use security_boot_utils;
 
 sub run {
-    unlock_if_encrypted(check_typed_password => 1) if need_unlock_after_bootloader;
+    my $custom_password = check_var('SYSTEM_ROLE', 'Common_Criteria') ? $security_boot_utils::cc_fips_pwd : undef;
+
+    unlock_if_encrypted(
+        check_typed_password => 1,
+        custom_password => $custom_password
+    ) if need_unlock_after_bootloader;
 }
 
 1;

tests/installation/partitioning.pm

@@ -16,6 +16,7 @@ use testapi;
 use version_utils qw(is_leap is_storage_ng is_sle is_tumbleweed);
 use partition_setup qw(%partition_roles is_storage_ng_newui);
 use utils 'type_string_slow';
+use security_boot_utils;
 
 sub handle_common_criteria {
     if (is_sle '<=15-SP5') {
@@ -26,9 +27,9 @@ sub handle_common_criteria {
     wait_still_screen;
     assert_screen 'Common-Criteria-Disk-Encryption-Passphrase';
     send_key 'alt-e';
-    type_password;
+    type_password $security_boot_utils::cc_fips_pwd;
     send_key 'alt-v';
-    type_password;
+    type_password $security_boot_utils::cc_fips_pwd;
     send_key 'alt-n';
     wait_still_screen;
     send_key 'alt-y';    # to confirm "the password too simple" dialog