secboot: add argon2 out-of-process kdf support

[ZeyadYasser]

MaybeRunArgon2OutOfProcessRequestHandler is supposed to be called from the main() of binaries involved with sealing/unsealing of keys (i.e. snapd and snap-bootstrap).

This switches the binary to a special mode where it acts as an argon2 out-of-process helper command, and exits when its work is done.

For more context, check docs for sb.WaitForAndRunArgon2OutOfProcessRequest and sb.NewOutOfProcessArgon2KDF for details on how the flow works in secboot.

This PR also reverts workaround from #15058 as now the argon2 kdf variants are working.

[github-actions]

Fri Feb 14 15:18:15 UTC 2025
The following results are from: https://github.com/canonical/snapd/actions/runs/13329597963

Failures:

Executing:

• google-core:ubuntu-core-20-64:tests/core/gadget-update-pc
• google:ubuntu-24.10-64:tests/main/cloud-init
• google:ubuntu-24.04-64:tests/main/progress

Restoring:

• google-core:ubuntu-core-20-64:tests/core/gadget-update-pc
• google-core:ubuntu-core-20-64:tests/core/
• google-core:ubuntu-core-20-64

[pedronis]

couple initial comments

[pedronis]

it's a bit unclear to me why we don't want to deal with this inside the helper directly

[ZeyadYasser]

Thanks, updated!

[pedronis]

same

[pedronis]

my preference is something like an option "--argon2-proc"

[ZeyadYasser]

I don't have strong opinions on this, I went with a sub-command to be ready in case we want to pass args in the future to customize how the out-of-process helper is configured, but since this will be internal and be self invoking we can easily switch later if need arise and not worry about the binaries being in sync.

[ZeyadYasser]

switched to --argon2-proc

[pedronis]

question related to what happens if a binary uses argon2 but is not set up to process --argon2-proc ?

[codecov]

Codecov Report

Attention: Patch coverage is 75.00000% with 11 lines in your changes missing coverage. Please review.

Please upload report for BASE (master@cccee5f). Learn more about missing BASE report.
Report is 219 commits behind head on master.

Files with missing lines	Patch %	Lines
secboot/argon2_out_of_process_sb.go	85.18%	3 Missing and 1 partial ⚠️
secboot/argon2_out_of_process_dummy.go	0.00%	3 Missing ⚠️
cmd/snap-bootstrap/main.go	0.00%	2 Missing ⚠️
cmd/snapd/main.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##             master   #15073   +/-   ##
=========================================
  Coverage          ?   78.06%           
=========================================
  Files             ?     1183           
  Lines             ?   157779           
  Branches          ?        0           
=========================================
  Hits              ?   123174           
  Misses            ?    26956           
  Partials          ?     7649           

Flag	Coverage Δ
unittests	78.06% <75.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[bboozzoo]

this will now affect every program in which one of the packages imports secboot

[ZeyadYasser]

switched to setting the kdf implementation from MaybeRunArgon2OutOfProcessRequestHandler itself as described here #15073 (comment)

[bboozzoo]

I think this should raise an error/panic if it observes a trigger for out of process secboot runner

[bboozzoo]

I'm bit uncomfortable that this hijacks command line arguments and adds an argument which not exposed anywhere but the secboot package.

[bboozzoo]

What if we change the API a little such that it can be used like so, in snapd:

// snapd/main.go

func executeSecbootArgon2Runner {
	logger.Noticef("running argon2 out-of-process helper")
	// Ignore the lock release callback and use implicit release on process termination.
	_, err := secboot.ExecuteAsArgon2Runner(secboot.Argon2RunnerOptions{
		Watchdog: false,
	})
	if err != nil {
		logger.Errorf("cannot execute runner: %v", err)
		os.Exit(1)
	}
	os.Exit(0)
}

func main() {
	...
	InstallSecbootHandlerOnArg([]string{"--secboot-argon2-runner"})
	
	if len(os.Args) == 2 && os.Args[1] == "--secboot-argon2-runner" {
		executeArgon2Runner()
		// not-reached
	}
	...
}

and snap-bootstrap:

// snap-boostrap/main.go

func main() {
	...
	InstallSecbootHandlerOnArg([]string{"secboot-argon2-runner"})
}

// snap-boostrap/cmd_secboot_argon2_runner.go

func init() {
	addCommandBuilder(func(parser *flags.Parser) {
		cmd, err := parser.AddCommand("secboot2_argon2-runner", short, long, &cmdArgon2Runner{})
		if  err != nil {
			panic(err)
		}
		// make it hidden
		cmd.Hidden = true
	})
}

type cmdArgon2Runner struct {}

func (c *cmdArgon2Runner) Execute([]string) error {
	logger.Noticef("running argon2 out-of-process helper")
	// Ignore the lock release callback and use implicit release on process termination.
	_, err := secboot.ExecuteAsArgon2Runner(secboot.Argon2RunnerOptions{
		Watchdog: false,
	})
	return err
}

[pedronis]

that's a lot of extra code that I'm not keen on. Maybe the compromise is to pass the marker flag to the MaybeRunArgon2OutOfProcessRequestHandler

[bboozzoo]

Suggested change

	func MaybeRunArgon2OutOfProcessRequestHandler() {}
	func MaybeRunArgon2OutOfProcessRequestHandler() {
	if !isOutOfProcessArgon2KDFMode() {
	panic("internal error: unexpected call to execute as argon2 runner in non-secboot binary")
	}
	}

[ZeyadYasser]

I think it should panic when isOutOfProcessArgon2KDFMode is true

[bboozzoo]

yes, my bad, I copied directly without changing it

[pedronis]

thanks, couple small comments

[pedronis]

given that is passed in now, I'm not against dropping "--" here

[pedronis]

tests might need to be renamed now

[pedronis]

maybe we should just have this in a small separate argon2_out_of_process.go ?