Add hooks platform

This adds a KeyData platform that permits sealing and recovery of keys
via hooks provided via a device's gadget and kernel snaps, for platforms
where we don't have a native secboot platform.

bootscope/keydata.go

@@ -434,7 +434,12 @@ func (d *KeyDataScope) SetAuthorizedBootModes(key secboot.PrimaryKey, role strin
 }
 
 // IsBootEnvironmentAuthorized checks if the current boot environment (model and boot mode) is
-// matches the key data's scope authorized models and boot modes.
+// compatible with the bound authorized models and boot modes.
+//
+// This must be called from within an environment where the integrity is protected by
+// some other mechanism, such as verified boot, or where the platform device has some way
+// of authenticating the current environment, and it must be called before the authenticated
+// boot environment parameters are processed and used.
 func (d *KeyDataScope) IsBootEnvironmentAuthorized() error {
 	ok, err := d.isAuthorized()
 	if err != nil {

bootscope/scope.go

@@ -17,12 +17,13 @@
  *
  */
 
-// Package bootscope implements key scoping support for platforms that
-// don't support measured boot.
+// Package bootscope provides a way to bind keys to certain system properties for
+// platforms that don't support measured boot.
 //
 // It is used to track the currently used boot mode and model, provides
-// the KeyDataScope object which encapsulates boot environment information
-// and helper functions used to authenticate and associate a scope with a key.
+// the KeyDataScope object which encapsulates the binding of boot environment
+// information to a key, and helper functions used to authenticate and bind a
+// scope with a key.
 package bootscope
 
 import (

hooks/export_test.go

@@ -0,0 +1,52 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2024 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package hooks
+
+import "github.com/snapcore/secboot"
+
+type (
+	AeadCompatData = aeadCompatData
+	HooksPlatform  = hooksPlatform
+	PrivateKeyData = keyData
+)
+
+const (
+	PlatformName = platformName
+)
+
+func (d *KeyData) Data() *keyData {
+	return &d.data
+}
+
+func (d *KeyData) K() *secboot.KeyData {
+	return d.k
+}
+
+func MakeKeyData(d *keyData) *KeyData {
+	return &KeyData{data: *d}
+}
+
+func MockSecbootNewKeyData(fn func(*secboot.KeyParams) (*secboot.KeyData, error)) (restore func()) {
+	orig := secbootNewKeyData
+	secbootNewKeyData = fn
+	return func() {
+		secbootNewKeyData = orig
+	}
+}

hooks/hooks_test.go

@@ -0,0 +1,33 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2024 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package hooks_test
+
+import (
+	"os"
+	"testing"
+
+	. "gopkg.in/check.v1"
+)
+
+func TestMain(m *testing.M) {
+	os.Exit(m.Run())
+}
+
+func Test(t *testing.T) { TestingT(t) }