overlord/fdestate: keep FDE state up to date #14516
Conversation
github-actions
bot
added
the
Run Nested -auto-
valentindavid
changed the title
valentindavid
force-pushed
the
valentindavid/sync-fde-state
branch
12 times, most recently
from
728ff63
to
14d22b2
Compare
| } | ||
| } | ||
|
|
||
| type KeyDigest struct { |
There was a problem hiding this comment.
This might be a type that should be handled in secboot. And we just use json.RawMessage for it.
overlord/fdestate/fdemgr.go
Outdated
| if !locked { | ||
| m.state.Lock() | ||
| defer m.state.Unlock() | ||
| } |
There was a problem hiding this comment.
This is not elegant. But I am not sure how to handle it correctly. We do resealing sometimes locked, sometimes not.
There was a problem hiding this comment.
do we know where is it called with the state really already unlocked?
overlord/fdestate/fdestate.go
Outdated
| dataUUID, dataErr := disksDmCryptUUIDFromMountPoint(dirs.GlobalRootDir) | ||
| saveUUID, saveErr := disksDmCryptUUIDFromMountPoint(dirs.SnapSaveDir) | ||
| if errors.Is(saveErr, &disks.ErrMountPointNotFound{}) { | ||
| // TODO: do we need to care about old cases where there is no save partition? | ||
| return nil | ||
| } | ||
|
|
||
| if errors.Is(dataErr, disks.ErrNoDmUUID) && errors.Is(saveErr, disks.ErrNoDmUUID) { | ||
| return nil | ||
| } |
There was a problem hiding this comment.
I think we should look at the sealing method with device.SealedKeysMethod instead.
There was a problem hiding this comment.
I will make it a TODO for now.
overlord/fdestate/fdemgr.go
Outdated
| m.state.Lock() | ||
| defer m.state.Unlock() | ||
| return ensureState(m.state) |
There was a problem hiding this comment.
it's a bit unclear if this will really run before any reseal op? maybe it would be better to use StartUp for this?
secboot/secboot.go
Outdated
| @@ -134,7 +136,7 @@ type SealKeysWithFDESetupHookParams struct { | |||
|
|
|||
| type ResealKeysParams struct { | |||
| // The snap model parameters | |||
| ModelParams []*SealKeyModelParams | |||
| PCRProfile json.RawMessage | |||
There was a problem hiding this comment.
we probably want to use a named type for this for clarity
valentindavid
force-pushed
the
valentindavid/sync-fde-state
branch
from
21663fc
to
5a326be
Compare
Ensure() initializes the empty profiles, and reseal updates them.
overlord/fdestate: keep FDE state up to date StartUp() initializes the empty profiles, and reseal updates them.
valentindavid
force-pushed
the
valentindavid/sync-fde-state
branch
from
425117e
to
5d69be1
Compare
| func (m *FDEManager) resealKeyForBootChains(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { | ||
| doUpdate := func(role string, containerRole string, bootModes []string, models []secboot.ModelForSealing, tpmPCRProfile []byte) error { | ||
| if unlocker != nil { | ||
| m.state.Lock() | ||
| defer m.state.Unlock() | ||
| } | ||
| return updateParameters(m.state, role, containerRole, bootModes, models, tpmPCRProfile) | ||
| } | ||
| if unlocker != nil { | ||
| locker := unlocker() | ||
| defer locker() | ||
| } | ||
| return backend.ResealKeyForBootChains(doUpdate, method, rootdir, params, expectReseal) | ||
| } |
There was a problem hiding this comment.
This function is not covered by tests in this package, but still covered by tests from overlord/managers_test.go. I wonder if we should add tests in the current package. Or move them.
| @@ -628,6 +625,14 @@ func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb_tpm2.PCRP | |||
| return pcrProfile, nil | |||
| } | |||
|
|
|||
| func BuildPCRProtectionProfile(modelParams []*SealKeyModelParams) (SerializedPCRProfile, error) { | |||
Ensure() initializes the empty profiles, and reseal updates them.
This is on top of #14400