go.mod: update secboot to 42c7ea9715b3 #14253
Conversation
valentindavid
force-pushed
the
valentindavid/secboot-update-part-1
branch
3 times, most recently
from
416ca44
to
742eb61
Compare
valentindavid
force-pushed
the
valentindavid/secboot-update-part-1
branch
2 times, most recently
from
6179daa
to
ff9418e
Compare
valentindavid
added
the
Run nested
|
This depends on #14252 |
pedronis
force-pushed
the
fde-manager-features
branch
from
b51bae4
to
225786c
Compare
valentindavid
force-pushed
the
valentindavid/secboot-update-part-1
branch
from
ff9418e
to
445c1d8
Compare
secboot/secboot_sb.go
Outdated
| if err := sbActivateVolumeWithRecoveryKey(name, device, nil, &options); err != nil { | ||
| authRequestor, err := newAuthRequestor() | ||
| if err != nil { | ||
| return fmt.Errorf("cannot build an auth requestor: %v", err) |
There was a problem hiding this comment.
sounds like this should be an i"nternal error:" ?
secboot/secboot_tpm.go
Outdated
| @@ -280,8 +286,14 @@ func unlockEncryptedPartitionWithSealedKey(mapperName, sourceDevice, keyfile str | |||
| return NotUnlocked, fmt.Errorf("cannot read key data: %v", err) | |||
| } | |||
| options := activateVolOpts(allowRecovery) | |||
| options.Model = sb.SkipSnapModelCheck | |||
| // ignoring model checker as it doesn't work with tpm "legacy" platform key data | |||
There was a problem hiding this comment.
shouldn't this comment go before the previous line? or should this comment be changed instead?
| var handle []byte | ||
| if keySetup.Handle == nil { | ||
| // this will reach fde-reveal-key as null but should be ok | ||
| handle = []byte("null") |
There was a problem hiding this comment.
have we tested if this work or is not needed anymore? I suppose this is about trying things with the OptEE hooks we have
There was a problem hiding this comment.
The original commit: 9807656
secboot: secboot.sb.NewKeyData() now marhals the handle internally
The old version of secboot.sb.NewKeyData() was expecting a handle
in json encoded form. However the new code is now doing the
marshalling itself.
There was a problem hiding this comment.
In the future PRs, the code will be different. We will return the handle from a method implementing KeyProtector.ProtectKey.
There was a problem hiding this comment.
Looking at the spike branch, something similar is also done there. It has to do with dereference. So for sure the code is tested with nil, since I had to deal with it.
valentindavid
force-pushed
the
valentindavid/secboot-update-part-1
branch
from
3445da9
to
4f0b595
Compare
pedronis
requested review from
alfonsosanchezbeato
and removed request for
chrisccoulson
| } | ||
| if !ok { | ||
| return res, fmt.Errorf("cannot unlock volume: model %s/%s not authorized", model.BrandID(), model.Model()) | ||
| } |
There was a problem hiding this comment.
there'a defer here that can also go away now as there's no code that can set error in the rest of the function anymore?
secboot/secboot_sb_test.go
Outdated
|
|
||
| return kd, nil | ||
| }) | ||
| defer restore() | ||
|
|
||
| restore = secboot.MockSbActivateVolumeWithKeyData(func(volumeName, sourceDevicePath string, authRequestor sb.AuthRequestor, kdf sb.KDF, options *sb.ActivateVolumeOptions, keys ...*sb.KeyData) error { | ||
|
|
||
| c.Assert(volumeName, Equals, "name-"+randomUUID) | ||
| c.Assert(sourceDevicePath, Equals, devicePath) | ||
| c.Assert(keys, HasLen, 1) | ||
| c.Assert(keys[0], NotNil) |
There was a problem hiding this comment.
we might leave this one out now?
There was a problem hiding this comment.
I can remove it.
secboot/secboot_hooks.go
Outdated
| options := activateVolOpts(opts.AllowRecoveryKey) | ||
| modChecker, err := sbActivateVolumeWithKeyData(mapperName, sourceDevice, keyData, options) | ||
| options.Model = model |
There was a problem hiding this comment.
nitpick: maybe it would make sense if activateVolOpts() accepts the model as input so it creates ActivateVolumeOptions with it already instead of assigning a line later. As this is done in the 2 cases where this function is called.
There was a problem hiding this comment.
Well, since we will remove this one and call SetModel instead, I prefer not to change it.
There was a problem hiding this comment.
Maybe this is not completely true. For the old keys will still need this to be set. But we will possibly we will only add it when we have old key files and not when we have key slot token data. Then we can set it to nil to make it force to fail if it finds old data. I will add a FIXME here.
There was a problem hiding this comment.
Also both unlock for FDE hook and tpm will be joined in the same function at some point.
valentindavid
force-pushed
the
valentindavid/secboot-update-part-1
branch
from
762adfe
to
6cc667c
Compare
| return res, fmt.Errorf("internal error: cannot build an auth requestor: %v", err) | ||
| } | ||
|
|
||
| err = sbActivateVolumeWithKeyData(mapperName, sourceDevice, authRequestor, sb.Argon2iKDF(), options, keyData) |
There was a problem hiding this comment.
Does it work if you pass nil instead of sb.Argon2iKDF? The intention here is that this API would always be executed remotely in a short-lived helper process because otherwise there's a need to force a GC between invocations. As there's technically no passphrase support right now, nothing should call this anyway.
There was a problem hiding this comment.
This parameter is removed in the next queued up PR. But I can change that and see if the tests are still working
There was a problem hiding this comment.
Unlocking failed with:
[ 4.522158] snap-bootstrap[195]: 2024/08/22 12:44:12.816188 main.go:63: execution error: cannot unlock encrypted partition: nil kdf
| @@ -38,8 +38,7 @@ import ( | |||
| ) | |||
|
|
|||
| var ( | |||
| sbInitializeLUKS2Container = sb.InitializeLUKS2Container | |||
| sbAddRecoveryKeyToLUKS2Container = sb.AddRecoveryKeyToLUKS2Container | |||
There was a problem hiding this comment.
Did nothing call this before?
| // FIXME: consider setting it in activateVolOpts if we keep | ||
| // this function separate from the tpm one for key data in | ||
| // files. Otherwise we should only set it if we provide key | ||
| // data generation 1. |
There was a problem hiding this comment.
I'd like to actually remove the Model field in secboot given that future versions of snap-bootstrap are going to call bootscope.SetModel. We should probably obtain the model from there for existing keys rather than have a separate option.
There was a problem hiding this comment.
That would be great.
valentindavid
force-pushed
the
valentindavid/secboot-update-part-1
branch
from
6cc667c
to
1b78a4a
Compare
Its use was removed in 3988a93 which was in PR canonical#11715
valentindavid
force-pushed
the
valentindavid/secboot-update-part-1
branch
3 times, most recently
from
3f7f246
to
d20a337
Compare
github-actions
bot
added
the
Run Nested -auto-
valentindavid
force-pushed
the
valentindavid/secboot-update-part-1
branch
from
d20a337
to
bd90f5b
Compare
Also update github.com/mvo5/goconfigparser to latest.
valentindavid
force-pushed
the
valentindavid/secboot-update-part-1
branch
from
bd90f5b
to
89a01e9
Compare
pedronis
merged commit 1e0707b
into
canonical:fde-manager-features
Also update github.com/mvo5/goconfigparser to latest.
This commit of secboot is right before the introduction of new key data format.