overlord/fdestate: keep FDE state up to date #14516
base: fde-manager-features
728ff63 to 14d22b2
} | ||
} | ||
|
||
type KeyDigest struct { |
This might be a type that should be handled in secboot. And we just use json.RawMessage for it.
overlord/fdestate/fdemgr.go
Outdated
if !locked { | ||
m.state.Lock() | ||
defer m.state.Unlock() | ||
} |
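Review bot: The "if !locked" guard makes lock ownership depend on a flag the caller has to get right; a wrong value either calls m.state.Lock() on a state that is already locked or runs the rest of the function without the lock. Consider requiring callers to hold the state lock and documenting that, or splitting this into a locked and an unlocked entry point so the flag goes away.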
This is not elegant. But I am not sure how to handle it correctly. We do resealing sometimes locked, sometimes not.
Do we know where it is called with the state really already unlocked?
overlord/fdestate/fdestate.go
Outdated
dataUUID, dataErr := disksDmCryptUUIDFromMountPoint(dirs.GlobalRootDir) | ||
saveUUID, saveErr := disksDmCryptUUIDFromMountPoint(dirs.SnapSaveDir) | ||
if errors.Is(saveErr, &disks.ErrMountPointNotFound{}) { | ||
// TODO: do we need to care about old cases where there is no save partition? | ||
return nil | ||
} | ||
|
||
if errors.Is(dataErr, disks.ErrNoDmUUID) && errors.Is(saveErr, disks.ErrNoDmUUID) { | ||
return nil | ||
} |
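Review bot: errors.Is(saveErr, &disks.ErrMountPointNotFound{}) compares against a freshly allocated pointer, so it can only be relied on to match if the error type defines its own Is method; if it does not, this branch never triggers and a missing save mount point falls through to the checks below. errors.As with a typed target matches on the error's type instead. Separately, the second check returns nil only when both dataErr and saveErr are disks.ErrNoDmUUID; a comment stating what is intended when only one of them is would help.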
I think we should look at the sealing method with device.SealedKeysMethod instead.
I will make it a TODO for now.
overlord/fdestate/fdemgr.go
Outdated
m.state.Lock() | ||
defer m.state.Unlock() | ||
return ensureState(m.state) |
It's a bit unclear if this will really run before any reseal op? Maybe it would be better to use StartUp for this?
secboot/secboot.go
Outdated
@@ -134,7 +136,7 @@ type SealKeysWithFDESetupHookParams struct { | |||
|
|||
type ResealKeysParams struct { | |||
// The snap model parameters | |||
ModelParams []*SealKeyModelParams | |||
PCRProfile json.RawMessage |
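Review bot: The new PCRProfile field has no comment, unlike ModelParams directly above it, and json.RawMessage on its own does not say what the field holds. Document which serialized form is expected, who produces it, and how it relates to ModelParams when both are set.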
we probably want to use a named type for this for clarity
21663fc to 5a326be
Ensure() initializes the empty profiles, and reseal updates them.
overlord/fdestate: keep FDE state up to date

StartUp() initializes the empty profiles, and reseal updates them.
425117e to 5d69be1
func (m *FDEManager) resealKeyForBootChains(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { | ||
doUpdate := func(role string, containerRole string, bootModes []string, models []secboot.ModelForSealing, tpmPCRProfile []byte) error { | ||
if unlocker != nil { | ||
m.state.Lock() | ||
defer m.state.Unlock() | ||
} | ||
return updateParameters(m.state, role, containerRole, bootModes, models, tpmPCRProfile) | ||
} | ||
if unlocker != nil { | ||
locker := unlocker() | ||
defer locker() | ||
} | ||
return backend.ResealKeyForBootChains(doUpdate, method, rootdir, params, expectReseal) | ||
} |
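Review bot: resealKeyForBootChains needs a doc comment stating its locking contract, because both paths appear to assume the caller holds the state lock on entry: with a nil unlocker, doUpdate calls updateParameters without taking the lock, and with a non-nil one, unlocker() is called before backend.ResealKeyForBootChains and doUpdate takes m.state.Lock() itself. The value returned by unlocker() is what the defer runs on exit, so a name such as relock would describe it better than locker.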
This function is not covered by tests in this package, but still covered by tests from overlord/managers_test.go. I wonder if we should add tests in the current package. Or move them.
drive-by comment
@@ -628,6 +625,14 @@ func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb_tpm2.PCRP | |||
return pcrProfile, nil | |||
} | |||
|
|||
func BuildPCRProtectionProfile(modelParams []*SealKeyModelParams) (SerializedPCRProfile, error) { |
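Review bot: BuildPCRProtectionProfile differs from the existing buildPCRProtectionProfile only in the case of its first letter, yet it returns a SerializedPCRProfile rather than the profile object the unexported function returns. A name that says the result is serialized would make the two easier to tell apart at call sites and in review.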
this needs a doc comment
Ensure() initializes the empty profiles, and reseal updates them.
This is on top of #14400