diff --git a/cmd/snap-bootstrap/cmd_initramfs_mounts.go b/cmd/snap-bootstrap/cmd_initramfs_mounts.go index c67e9373212..c9c817b4a2f 100644 --- a/cmd/snap-bootstrap/cmd_initramfs_mounts.go +++ b/cmd/snap-bootstrap/cmd_initramfs_mounts.go @@ -96,11 +96,11 @@ var ( snap.TypeSnapd: "snapd", } - secbootProvisionForCVM func(initramfsUbuntuSeedDir string) error - secbootMeasureSnapSystemEpochWhenPossible func() error - secbootMeasureSnapModelWhenPossible func(findModel func() (*asserts.Model, error)) error - secbootUnlockVolumeUsingSealedKeyIfEncrypted func(disk disks.Disk, name string, encryptionKeyFile string, opts *secboot.UnlockVolumeUsingSealedKeyOptions) (secboot.UnlockResult, error) - secbootUnlockEncryptedVolumeUsingKey func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) + secbootProvisionForCVM func(initramfsUbuntuSeedDir string) error + secbootMeasureSnapSystemEpochWhenPossible func() error + secbootMeasureSnapModelWhenPossible func(findModel func() (*asserts.Model, error)) error + secbootUnlockVolumeUsingSealedKeyIfEncrypted func(disk disks.Disk, name string, encryptionKeyFile string, opts *secboot.UnlockVolumeUsingSealedKeyOptions) (secboot.UnlockResult, error) + secbootUnlockEncryptedVolumeUsingProtectorKey func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) secbootLockSealedKeys func() error @@ -1211,7 +1211,7 @@ func (m *recoverModeStateMachine) unlockEncryptedSaveRunKey() (stateFunc, error) return m.unlockEncryptedSaveFallbackKey, nil } - unlockRes, unlockErr := secbootUnlockEncryptedVolumeUsingKey(m.disk, "ubuntu-save", key) + unlockRes, unlockErr := secbootUnlockEncryptedVolumeUsingProtectorKey(m.disk, "ubuntu-save", key) if err := m.setUnlockStateWithRunKey("ubuntu-save", unlockRes, unlockErr); err != nil { return nil, err } @@ -1800,7 +1800,7 @@ func maybeMountSave(disk disks.Disk, rootdir string, encrypted bool, mountOpts * if err != nil { return true, err } - unlockRes, err := secbootUnlockEncryptedVolumeUsingKey(disk, "ubuntu-save", key) + unlockRes, err := secbootUnlockEncryptedVolumeUsingProtectorKey(disk, "ubuntu-save", key) if err != nil { return true, fmt.Errorf("cannot unlock ubuntu-save volume: %v", err) } diff --git a/cmd/snap-bootstrap/cmd_initramfs_mounts_nosecboot.go b/cmd/snap-bootstrap/cmd_initramfs_mounts_nosecboot.go index 640063d1bb1..3ecc7cc5d61 100644 --- a/cmd/snap-bootstrap/cmd_initramfs_mounts_nosecboot.go +++ b/cmd/snap-bootstrap/cmd_initramfs_mounts_nosecboot.go @@ -45,7 +45,7 @@ func init() { secbootUnlockVolumeUsingSealedKeyIfEncrypted = func(disk disks.Disk, name string, sealedEncryptionKeyFile string, opts *secboot.UnlockVolumeUsingSealedKeyOptions) (secboot.UnlockResult, error) { return secboot.UnlockResult{}, errNotImplemented } - secbootUnlockEncryptedVolumeUsingKey = func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + secbootUnlockEncryptedVolumeUsingProtectorKey = func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { return secboot.UnlockResult{}, errNotImplemented } diff --git a/cmd/snap-bootstrap/cmd_initramfs_mounts_secboot.go b/cmd/snap-bootstrap/cmd_initramfs_mounts_secboot.go index 1a30006bb28..a4be2983554 100644 --- a/cmd/snap-bootstrap/cmd_initramfs_mounts_secboot.go +++ b/cmd/snap-bootstrap/cmd_initramfs_mounts_secboot.go @@ -29,6 +29,6 @@ func init() { secbootMeasureSnapSystemEpochWhenPossible = secboot.MeasureSnapSystemEpochWhenPossible secbootMeasureSnapModelWhenPossible = secboot.MeasureSnapModelWhenPossible secbootUnlockVolumeUsingSealedKeyIfEncrypted = secboot.UnlockVolumeUsingSealedKeyIfEncrypted - secbootUnlockEncryptedVolumeUsingKey = secboot.UnlockEncryptedVolumeUsingKey + secbootUnlockEncryptedVolumeUsingProtectorKey = secboot.UnlockEncryptedVolumeUsingProtectorKey secbootLockSealedKeys = secboot.LockSealedKeys } diff --git a/cmd/snap-bootstrap/cmd_initramfs_mounts_test.go b/cmd/snap-bootstrap/cmd_initramfs_mounts_test.go index 656484454a9..284f1692aac 100644 --- a/cmd/snap-bootstrap/cmd_initramfs_mounts_test.go +++ b/cmd/snap-bootstrap/cmd_initramfs_mounts_test.go @@ -2368,7 +2368,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRunModeEncryptedDataHappy(c *C s.mockUbuntuSaveMarker(c, boot.InitramfsUbuntuSaveDir, "marker") saveActivated := false - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { c.Check(dataActivated, Equals, true, Commentf("ubuntu-data not activated yet")) saveActivated = true c.Assert(name, Equals, "ubuntu-save") @@ -2586,7 +2586,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRunModeEncryptedDataUnhappyNoS // the test does not mock ubuntu-save.key, the secboot helper for // opening a volume using the key should not be called - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { c.Fatal("unexpected call") return secboot.UnlockResult{}, fmt.Errorf("unexpected call") }) @@ -2664,7 +2664,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRunModeEncryptedDataUnhappyUnl defer restore() s.mockUbuntuSaveKeyAndMarker(c, filepath.Join(dirs.GlobalRootDir, "/run/mnt/data/system-data"), "foo", "") - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { c.Check(dataActivated, Equals, true, Commentf("ubuntu-data not yet activated")) return foundEncrypted("ubuntu-save"), fmt.Errorf("ubuntu-save unlock fail") }) @@ -3692,7 +3692,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRecoverModeHappyEncrypted(c *C s.mockUbuntuSaveMarker(c, boot.InitramfsUbuntuSaveDir, "marker") saveActivated := false - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { c.Check(dataActivated, Equals, true, Commentf("ubuntu-data not activated yet")) encDevPartUUID, err := disk.FindMatchingPartitionUUIDWithFsLabel(name + "-enc") c.Assert(err, IsNil) @@ -3851,7 +3851,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRecoverModeEncryptedDegradedDa s.mockUbuntuSaveKeyAndMarker(c, filepath.Join(dirs.GlobalRootDir, "/run/mnt/host/ubuntu-data/system-data"), "foo", "marker") s.mockUbuntuSaveMarker(c, boot.InitramfsUbuntuSaveDir, "marker") - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { c.Check(dataActivated, Equals, true, Commentf("ubuntu-data not activated yet")) encDevPartUUID, err := disk.FindMatchingPartitionUUIDWithFsLabel(name + "-enc") c.Assert(err, IsNil) @@ -4029,7 +4029,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRecoverModeEncryptedDegradedSa s.mockUbuntuSaveKeyAndMarker(c, filepath.Join(dirs.GlobalRootDir, "/run/mnt/host/ubuntu-data/system-data"), "foo", "marker") s.mockUbuntuSaveMarker(c, boot.InitramfsUbuntuSaveDir, "marker") - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { c.Check(dataActivated, Equals, true, Commentf("ubuntu-data not activated yet")) encDevPartUUID, err := disk.FindMatchingPartitionUUIDWithFsLabel(name + "-enc") c.Assert(err, IsNil) @@ -4200,7 +4200,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRecoverModeEncryptedDegradedAb s.mockUbuntuSaveKeyAndMarker(c, filepath.Join(dirs.GlobalRootDir, "/run/mnt/host/ubuntu-data/system-data"), "foo", "marker") s.mockUbuntuSaveMarker(c, boot.InitramfsUbuntuSaveDir, "marker") - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { c.Check(dataActivated, Equals, true, Commentf("ubuntu-data not activated yet")) encDevPartUUID, err := disk.FindMatchingPartitionUUIDWithFsLabel(name + "-enc") c.Assert(err, IsNil) @@ -4363,7 +4363,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRecoverModeEncryptedDegradedAb s.mockUbuntuSaveKeyAndMarker(c, filepath.Join(dirs.GlobalRootDir, "/run/mnt/host/ubuntu-data/system-data"), "foo", "marker") s.mockUbuntuSaveMarker(c, boot.InitramfsUbuntuSaveDir, "marker") - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { c.Check(dataActivated, Equals, true, Commentf("ubuntu-data not activated yet")) encDevPartUUID, err := disk.FindMatchingPartitionUUIDWithFsLabel(name + "-enc") c.Assert(err, IsNil) @@ -4535,7 +4535,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRecoverModeEncryptedDegradedDa s.mockUbuntuSaveKeyAndMarker(c, filepath.Join(dirs.GlobalRootDir, "/run/mnt/host/ubuntu-data/system-data"), "foo", "") - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { // nothing can call this function in the tested scenario c.Fatalf("unexpected call") return secboot.UnlockResult{}, fmt.Errorf("unexpected call") @@ -4725,7 +4725,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRecoverModeDegradedAbsentDataU s.mockUbuntuSaveKeyAndMarker(c, filepath.Join(dirs.GlobalRootDir, "/run/mnt/host/ubuntu-data/system-data"), "foo", "") - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { // nothing can call this function in the tested scenario c.Fatalf("unexpected call") return secboot.UnlockResult{}, fmt.Errorf("unexpected call") @@ -4916,7 +4916,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRecoverModeDegradedUnencrypted s.mockUbuntuSaveKeyAndMarker(c, filepath.Join(dirs.GlobalRootDir, "/run/mnt/host/ubuntu-data/system-data"), "foo", "") - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { // nothing can call this function in the tested scenario c.Fatalf("unexpected call") return secboot.UnlockResult{}, fmt.Errorf("unexpected call") @@ -5062,7 +5062,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRecoverModeDegradedEncryptedDa s.mockUbuntuSaveKeyAndMarker(c, filepath.Join(dirs.GlobalRootDir, "/run/mnt/host/ubuntu-data/system-data"), "foo", "") - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { // nothing can call this function in the tested scenario c.Fatalf("unexpected call") return secboot.UnlockResult{}, fmt.Errorf("unexpected call") @@ -5186,7 +5186,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRecoverModeUnencryptedDataUnen s.mockUbuntuSaveKeyAndMarker(c, filepath.Join(dirs.GlobalRootDir, "/run/mnt/host/ubuntu-data/system-data"), "foo", "") - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { // nothing can call this function in the tested scenario c.Fatalf("unexpected call") return secboot.UnlockResult{}, fmt.Errorf("unexpected call") @@ -5325,7 +5325,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRecoverModeEncryptedDegradedAb s.mockUbuntuSaveKeyAndMarker(c, filepath.Join(dirs.GlobalRootDir, "/run/mnt/host/ubuntu-data/system-data"), "foo", "") - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { // nothing can call this function in the tested scenario c.Fatalf("unexpected call") return secboot.UnlockResult{}, fmt.Errorf("unexpected call") @@ -5531,7 +5531,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRecoverModeEncryptedDegradedDa s.mockUbuntuSaveKeyAndMarker(c, filepath.Join(dirs.GlobalRootDir, "/run/mnt/host/ubuntu-data/system-data"), "foo", "") - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { // nothing can call this function in the tested scenario c.Fatalf("unexpected call") return secboot.UnlockResult{}, fmt.Errorf("unexpected call") @@ -5696,7 +5696,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRecoverModeEncryptedMismatched s.mockUbuntuSaveMarker(c, boot.InitramfsUbuntuSaveDir, "marker") saveActivated := false - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { c.Check(dataActivated, Equals, true, Commentf("ubuntu-data not activated yet")) encDevPartUUID, err := disk.FindMatchingPartitionUUIDWithFsLabel(name + "-enc") c.Assert(err, IsNil) @@ -5910,7 +5910,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsRecoverModeEncryptedAttackerFS s.mockUbuntuSaveKeyAndMarker(c, filepath.Join(dirs.GlobalRootDir, "/run/mnt/host/ubuntu-data/system-data"), "foo", "marker") s.mockUbuntuSaveMarker(c, boot.InitramfsUbuntuSaveDir, "marker") - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { encDevPartUUID, err := disk.FindMatchingPartitionUUIDWithFsLabel(name + "-enc") c.Assert(err, IsNil) c.Assert(encDevPartUUID, Equals, "ubuntu-save-enc-partuuid") @@ -6459,7 +6459,7 @@ func (s *initramfsMountsSuite) testInitramfsMountsTryRecoveryDegraded(c *C, expe }) defer restore() unlockVolumeWithKeyCalls := 0 - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { unlockVolumeWithKeyCalls++ switch unlockVolumeWithKeyCalls { case 1: @@ -6760,7 +6760,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsFactoryResetModeHappyEncrypted }) defer restore() - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { c.Errorf("unexpected call") return secboot.UnlockResult{}, fmt.Errorf("unexpected call") }) @@ -6883,7 +6883,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsFactoryResetModeHappyUnencrypt return secboot.UnlockResult{}, fmt.Errorf("unexpected call") }) defer restore() - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { c.Errorf("unexpected call") return secboot.UnlockResult{}, fmt.Errorf("unexpected call") }) @@ -6969,7 +6969,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsFactoryResetModeHappyUnencrypt return secboot.UnlockResult{}, fmt.Errorf("unexpected call") }) defer restore() - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { c.Errorf("unexpected call") return secboot.UnlockResult{}, fmt.Errorf("unexpected call") }) @@ -7056,7 +7056,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsFactoryResetModeUnhappyUnlockE }) defer restore() - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { c.Errorf("unexpected call") return secboot.UnlockResult{}, fmt.Errorf("unexpected call") }) @@ -7638,7 +7638,7 @@ func (s *initramfsClassicMountsSuite) TestInitramfsMountsRunModeEncryptedDataHap s.mockUbuntuSaveMarker(c, boot.InitramfsUbuntuSaveDir, "marker") saveActivated := false - restore = main.MockSecbootUnlockEncryptedVolumeUsingKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { + restore = main.MockSecbootUnlockEncryptedVolumeUsingProtectorKey(func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error) { c.Check(dataActivated, Equals, true, Commentf("ubuntu-data not activated yet")) saveActivated = true c.Assert(name, Equals, "ubuntu-save") diff --git a/cmd/snap-bootstrap/export_test.go b/cmd/snap-bootstrap/export_test.go index 1ff22759802..49a85f3b064 100644 --- a/cmd/snap-bootstrap/export_test.go +++ b/cmd/snap-bootstrap/export_test.go @@ -129,11 +129,11 @@ func MockSecbootUnlockVolumeUsingSealedKeyIfEncrypted(f func(disk disks.Disk, na } } -func MockSecbootUnlockEncryptedVolumeUsingKey(f func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error)) (restore func()) { - old := secbootUnlockEncryptedVolumeUsingKey - secbootUnlockEncryptedVolumeUsingKey = f +func MockSecbootUnlockEncryptedVolumeUsingProtectorKey(f func(disk disks.Disk, name string, key []byte) (secboot.UnlockResult, error)) (restore func()) { + old := secbootUnlockEncryptedVolumeUsingProtectorKey + secbootUnlockEncryptedVolumeUsingProtectorKey = f return func() { - secbootUnlockEncryptedVolumeUsingKey = old + secbootUnlockEncryptedVolumeUsingProtectorKey = old } } diff --git a/secboot/secboot_sb.go b/secboot/secboot_sb.go index d09c4e56fdf..987ae7cd3a1 100644 --- a/secboot/secboot_sb.go +++ b/secboot/secboot_sb.go @@ -26,6 +26,7 @@ import ( "path/filepath" sb "github.com/snapcore/secboot" + sb_plainkey "github.com/snapcore/secboot/plainkey" "golang.org/x/xerrors" "github.com/snapcore/snapd/kernel/fde" @@ -129,6 +130,62 @@ func UnlockVolumeUsingSealedKeyIfEncrypted(disk disks.Disk, name string, sealedE return res, err } +func UnlockEncryptedVolumeUsingProtectorKey(disk disks.Disk, name string, key []byte) (UnlockResult, error) { + unlockRes := UnlockResult{ + UnlockMethod: NotUnlocked, + } + + // find the encrypted device using the disk we were provided - note that + // we do not specify IsDecryptedDevice in opts because here we are + // looking for the encrypted device to unlock, later on in the boot + // process we will look for the decrypted device to ensure it matches + // what we expected + part, err := disk.FindMatchingPartitionWithFsLabel(EncryptedPartitionName(name)) + if err != nil { + return unlockRes, err + } + unlockRes.IsEncrypted = true + // we have a device + encdev := filepath.Join("/dev/disk/by-uuid", part.FilesystemUUID) + unlockRes.PartDevice = encdev + + uuid, err := randutilRandomKernelUUID() + if err != nil { + // We failed before we could generate the filsystem device path for + // the encrypted partition device, so we return FsDevice empty. + return unlockRes, err + } + + // make up a new name for the mapped device + mapperName := name + "-" + uuid + + slots, err := sbListLUKS2ContainerUnlockKeyNames(encdev) + if err != nil { + return unlockRes, fmt.Errorf("cannot list slots in partition save partition: %v", err) + } + + if len(slots) != 0 { + const allowRecovery = false + options := activateVolOpts(allowRecovery) + options.PassphraseTries = 0 + + sb_plainkey.SetProtectorKeys(key) + defer sb_plainkey.SetProtectorKeys() + + if err := sbActivateVolumeWithKeyData(mapperName, encdev, nil, options); err != nil { + return unlockRes, err + } + } else { + if err := unlockEncryptedPartitionWithKey(mapperName, encdev, key); err != nil { + return unlockRes, err + } + } + + unlockRes.FsDevice = filepath.Join("/dev/mapper/", mapperName) + unlockRes.UnlockMethod = UnlockedWithKey + return unlockRes, nil +} + // UnlockEncryptedVolumeUsingKey unlocks an existing volume using the provided key. func UnlockEncryptedVolumeUsingKey(disk disks.Disk, name string, key []byte) (UnlockResult, error) { unlockRes := UnlockResult{