go.mod: update secboot to 42c7ea9715b3 #14253
Conversation
This depends on #14252
did a pass, some questions and comments, maybe Chris should also take a look at this?
secboot/secboot_sb.go (Outdated)
if err := sbActivateVolumeWithRecoveryKey(name, device, nil, &options); err != nil { | ||
authRequestor, err := newAuthRequestor() | ||
if err != nil { | ||
return fmt.Errorf("cannot build an auth requestor: %v", err) |
sounds like this should be an "internal error:" ?
secboot/secboot_tpm.go (Outdated)
@@ -280,8 +286,14 @@ func unlockEncryptedPartitionWithSealedKey(mapperName, sourceDevice, keyfile str | |||
return NotUnlocked, fmt.Errorf("cannot read key data: %v", err) | |||
} | |||
options := activateVolOpts(allowRecovery) | |||
options.Model = sb.SkipSnapModelCheck | |||
// ignoring model checker as it doesn't work with tpm "legacy" platform key data |
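Review bot: the comment on the last line of the hunk explains the assignment above it, so it belongs before `options.Model = sb.SkipSnapModelCheck`, not after. Beyond placement, SkipSnapModelCheck switches off secboot's own model authorization during activation, so on this path the explicit post-activation check that returns `cannot unlock volume: model %s/%s not authorized` is the only gate; a unit test that unlocks with a legacy TPM key under an unauthorized model would pin that behaviour down.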
shouldn't this comment go before the previous line? or should this comment be changed instead?
var handle []byte | ||
if keySetup.Handle == nil { | ||
// this will reach fde-reveal-key as null but should be ok | ||
handle = []byte("null") |
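Review bot: `handle = []byte("null")` hard-codes the JSON null literal as a sentinel for a missing handle, and the comment "should be ok" does not say what fde-reveal-key does with it. Either state in the comment which hook behaviour is relied on for a null handle, or cover the nil-Handle path with a test so a later change to the hook protocol fails in CI rather than at boot.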
have we tested if this works or is not needed anymore? I suppose this is about trying things with the OptEE hooks we have
The original commit: 9807656
secboot: secboot.sb.NewKeyData() now marshals the handle internally
The old version of secboot.sb.NewKeyData() was expecting a handle
in json encoded form. However the new code is now doing the
marshalling itself.
In future PRs, the code will be different. We will return the handle from a method implementing KeyProtector.ProtectKey.
Looking at the spike branch, something similar is also done there. It has to do with dereference. So for sure the code is tested with nil, since I had to deal with it.
thanks, couple of comments
} | ||
if !ok { | ||
return res, fmt.Errorf("cannot unlock volume: model %s/%s not authorized", model.BrandID(), model.Model()) | ||
} |
there's a defer here that can also go away now as there's no code that can set error in the rest of the function anymore?
thanks
secboot/secboot_sb_test.go (Outdated)
|
||
return kd, nil | ||
}) | ||
defer restore() | ||
|
||
restore = secboot.MockSbActivateVolumeWithKeyData(func(volumeName, sourceDevicePath string, authRequestor sb.AuthRequestor, kdf sb.KDF, options *sb.ActivateVolumeOptions, keys ...*sb.KeyData) error { | ||
|
||
c.Assert(volumeName, Equals, "name-"+randomUUID) | ||
c.Assert(sourceDevicePath, Equals, devicePath) | ||
c.Assert(keys, HasLen, 1) | ||
c.Assert(keys[0], NotNil) |
we might leave this one out now?
I can remove it.
LGTM, small nitpick below
secboot/secboot_hooks.go (Outdated)
options := activateVolOpts(opts.AllowRecoveryKey) | ||
modChecker, err := sbActivateVolumeWithKeyData(mapperName, sourceDevice, keyData, options) | ||
options.Model = model |
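Review bot: with the +/- markers lost in this rendering, the order of `options.Model = model` relative to the `sbActivateVolumeWithKeyData(...)` call is ambiguous; the Model field must be populated before `options` is handed to the activation call, otherwise the model authorization runs against an unset value. Worth confirming in the actual diff that the assignment precedes the call.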
nitpick: maybe it would make sense if activateVolOpts() accepts the model as input so it creates ActivateVolumeOptions with it already instead of assigning a line later. As this is done in the 2 cases where this function is called.
Well, since we will remove this one and call SetModel instead, I prefer not to change it.
Maybe this is not completely true. For the old keys we will still need this to be set. But possibly we will only add it when we have old key files and not when we have key slot token data. Then we can set it to nil to force it to fail if it finds old data. I will add a FIXME here.
Also both unlock for FDE hook and tpm will be joined in the same function at some point.
LGTM
This looks ok to me - I've left a few minor comments
return res, fmt.Errorf("internal error: cannot build an auth requestor: %v", err) | ||
} | ||
|
||
err = sbActivateVolumeWithKeyData(mapperName, sourceDevice, authRequestor, sb.Argon2iKDF(), options, keyData) |
Does it work if you pass nil instead of sb.Argon2iKDF? The intention here is that this API would always be executed remotely in a short-lived helper process because otherwise there's a need to force a GC between invocations. As there's technically no passphrase support right now, nothing should call this anyway.
This parameter is removed in the next queued up PR. But I can change that and see if the tests are still working
Unlocking failed with:
[ 4.522158] snap-bootstrap[195]: 2024/08/22 12:44:12.816188 main.go:63: execution error: cannot unlock encrypted partition: nil kdf
@@ -38,8 +38,7 @@ import ( | |||
) | |||
|
|||
var ( | |||
sbInitializeLUKS2Container = sb.InitializeLUKS2Container | |||
sbAddRecoveryKeyToLUKS2Container = sb.AddRecoveryKeyToLUKS2Container |
Did nothing call this before?
// FIXME: consider setting it in activateVolOpts if we keep | ||
// this function separate from the tpm one for key data in | ||
// files. Otherwise we should only set it if we provide key | ||
// data generation 1. |
I'd like to actually remove the Model field in secboot given that future versions of snap-bootstrap are going to call bootscope.SetModel. We should probably obtain the model from there for existing keys rather than have a separate option.
That would be great.
Its use was removed in 3988a93 which was in PR canonical#11715
Also update github.com/mvo5/goconfigparser to latest.
1e0707b into canonical:fde-manager-features
This commit of secboot is right before the introduction of new key data format.