secboot,fdestate: use boot mode for FDE hooks

[valentindavid]

2 commits:

• secboot,overlord/fdestate: seal with boot mode for FDE hooks

Set the authorized boot modes for FDE hook keys. For now the run+recover key allows "run" and "recover", while the recover key allows "recover" and "factory-reset".

• overlord/fdestate/backend: split profiles for data and save partitions

There should be 3 different keys for FDE hooks. The run+recover key should be allowed for boot modes "run" and "recover". While recover key on data disk should be allowed on "recover". And finally recovery on save disk should be allowed in "recover" and "factory-reset". Here we split the profiles for "recover" for disks "data" and "save", so that we can set different authorized boot modes.

[github-actions]

Wed Feb 12 15:02:29 UTC 2025
The following results are from: https://github.com/canonical/snapd/actions/runs/13285611711

Failures:

Preparing:

• google-nested:ubuntu-20.04-64:tests/nested/manual/uc20-install-in-initrd:secureboot
• google-nested:ubuntu-22.04-64:tests/nested/manual/uc-update-assets-secure-add-sbat:seed

Executing:

• google-nested:ubuntu-24.04-64:tests/nested/core/core20-fault-inject-on-refresh:kernel_reboot_link_snap
• google-nested:ubuntu-24.04-64:tests/nested/manual/muinstaller-real:partial
• google-nested:ubuntu-24.04-64:tests/nested/manual/update-snapd-seed-and-factory-reset:tpm
• google-nested:ubuntu-24.04-64:tests/nested/manual/muinstaller-real:plain
• google-nested:ubuntu-24.04-64:tests/nested/manual/muinstaller-real:encrypted
• google-nested:ubuntu-24.04-64:tests/nested/manual/muinstaller-core:plain
• google:ubuntu-24.04-64:tests/main/progress

Restoring:

• google-nested:ubuntu-24.04-64:tests/nested/manual/muinstaller-real:encrypted
• google-nested:ubuntu-24.04-64:tests/nested/manual/
• google-nested:ubuntu-24.04-64
• google-nested:ubuntu-24.04-64:tests/nested/manual/muinstaller-core:plain
• google-nested:ubuntu-24.04-64:tests/nested/manual/
• google-nested:ubuntu-24.04-64

[codecov]

Codecov Report

Attention: Patch coverage is 77.02703% with 17 lines in your changes missing coverage. Please review.

Please upload report for BASE (master@65e98f1). Learn more about missing BASE report.
Report is 208 commits behind head on master.

Files with missing lines	Patch %	Lines
overlord/fdestate/backend/reseal.go	82.53%	5 Missing and 6 partials ⚠️
secboot/secboot_hooks.go	28.57%	4 Missing and 1 partial ⚠️
secboot/secboot_dummy.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##             master   #15049   +/-   ##
=========================================
  Coverage          ?   78.08%           
=========================================
  Files             ?     1179           
  Lines             ?   157485           
  Branches          ?        0           
=========================================
  Hits              ?   122970           
  Misses            ?    26880           
  Partials          ?     7635           

Flag	Coverage Δ
unittests	78.08% <77.02%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pedronis]

this looks reasonable to me

didn't want to vote here yet

[valentindavid]

I removed the 2.68 milestone, we do not strictly need it, just #15057