canonical · chrisccoulson · Jul 10, 2024 · Jun 21, 2024 · Jul 8, 2024 · Jul 8, 2024
diff --git a/efi/efi_test.go b/efi/efi_test.go
@@ -777,7 +777,7 @@ type mockVarReader struct {
 }
 
 func newMockVarReader(env HostEnvironment) *mockVarReader {
-	return &mockVarReader{ctx: env.VarContext()}
+	return &mockVarReader{ctx: env.VarContext(context.Background())}
 }
 
 func (r *mockVarReader) ReadVar(name string, guid efi.GUID) ([]byte, efi.VariableAttributes, error) {

diff --git a/efi/env.go b/efi/env.go
@@ -40,8 +40,13 @@ import (
 type HostEnvironment interface {
 	// VarContext returns a context containing a VarsBackend, keyed by efi.VarsBackendKey,
 	// for interacting with EFI variables via go-efilib. This context can be passed to any
-	// go-efilib function that interacts with EFI variables.
-	VarContext() context.Context
+	// go-efilib function that interacts with EFI variables. Right now, go-efilib doesn't
+	// support any other uses of the context such as cancelation or deadlines. The efivarfs
+	// backend will support this eventually for variable writes because it currently implements
+	// a retry loop that has a potential to race with other processes. Cancelation and / or
+	// deadlines for sections of code that performs multiple reads using efivarfs may be useful
+	// in the future because the kernel rate-limits reads per-user.
+	VarContext(parent context.Context) context.Context
 
 	// ReadEventLog reads the TCG event log
 	ReadEventLog() (*tcglog.Log, error)
@@ -261,7 +266,17 @@ type variableSetCollector struct {
 }
 
 func newVariableSetCollector(env HostEnvironment) *variableSetCollector {
-	varsCtx := env.VarContext()
+	// We pass the TODO context here for now, as the context just essentially
+	// a container for holding the variable backend, so there's no need for
+	// the caller to override it.
+	//
+	// In the future, the efivarfs backend will make use of cancellation and / or
+	// deadlines it because it runs a retry loop that can race with other processes,
+	// although this package is doing no writing. Cancellation and / or deadlines
+	// may also still be useful in the read path especially where a section of code
+	// performs multiple reads via efivarfs - these reads are rate-limitted per-user
+	// in the kernel.
+	varsCtx := env.VarContext(context.TODO())
 	return &variableSetCollector{
 		varsCtx: varsCtx,
 		seen:    map[initialVarReaderKey]struct{}{initialVarReaderKey{}: struct{}{}}, // add the current environment

diff --git a/efi/export_test.go b/efi/export_test.go
@@ -20,6 +20,8 @@
 package efi
 
 import (
+	"context"
+
 	efi "github.com/canonical/go-efilib"
 	"github.com/canonical/tcglog-parser"
 	"github.com/snapcore/secboot/efi/internal"
@@ -192,7 +194,7 @@ func MockSnapdenvTesting(testing bool) (restore func()) {
 
 func NewInitialVarReader(host HostEnvironment) *initialVarReader {
 	return &initialVarReader{
-		varsCtx:   host.VarContext(),
+		varsCtx:   host.VarContext(context.TODO()),
 		overrides: make(map[efi.VariableDescriptor]varContents)}
 }
 

diff --git a/efi/internal/default_env.go b/efi/internal/default_env.go
@@ -34,8 +34,8 @@ var (
 type defaultEnvImpl struct{}
 
 // VarContext implements [HostEnvironment.VarContext].
-func (e defaultEnvImpl) VarContext() context.Context {
-	return efi.DefaultVarContext
+func (e defaultEnvImpl) VarContext(parent context.Context) context.Context {
+	return efi.WithDefaultVarsBackend(parent)
 }
 
 // ReadEventLog implements [HostEnvironment.ReadEventLog].

diff --git a/efi/internal/default_env_test.go b/efi/internal/default_env_test.go
@@ -20,6 +20,7 @@
 package internal_test
 
 import (
+	"context"
 	_ "embed"
 	"io"
 	"os"
@@ -39,7 +40,11 @@ type defaultEnvSuite struct{}
 var _ = Suite(&defaultEnvSuite{})
 
 func (s *defaultEnvSuite) TestVarContext(c *C) {
-	c.Check(DefaultEnv.VarContext(), Equals, efi.DefaultVarContext)
+	ctx := DefaultEnv.VarContext(context.Background())
+	c.Assert(ctx, NotNil)
+
+	expected := efi.WithDefaultVarsBackend(context.Background())
+	c.Check(ctx.Value(efi.VarsBackendKey{}), Equals, expected.Value(efi.VarsBackendKey{}))
 }
 
 func (s *defaultEnvSuite) testReadEventLog(c *C, opts *efitest.LogOptions) {

diff --git a/efi/internal/env.go b/efi/internal/env.go
@@ -31,8 +31,13 @@ import (
 type HostEnvironment interface {
 	// VarContext returns a context containing a VarsBackend, keyed by efi.VarsBackendKey,
 	// for interacting with EFI variables via go-efilib. This context can be passed to any
-	// go-efilib function that interacts with EFI variables.
-	VarContext() context.Context
+	// go-efilib function that interacts with EFI variables. Right now, go-efilib doesn't
+	// support any other uses of the context such as cancelation or deadlines. The efivarfs
+	// backend will support this eventually for variable writes because it currently implements
+	// a retry loop that has a potential to race with other processes. Cancelation and / or
+	// deadlines for sections of code that performs multiple reads using efivarfs may be useful
+	// in the future because the kernel rate-limits reads per-user.
+	VarContext(parent context.Context) context.Context
 
 	// ReadEventLog reads the TCG event log
 	ReadEventLog() (*tcglog.Log, error)

diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/snapcore/secboot
 go 1.18
 
 require (
-	github.com/canonical/go-efilib v1.0.0
+	github.com/canonical/go-efilib v1.2.0
 	github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0
 	github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3
 	github.com/canonical/go-tpm2 v1.3.0

diff --git a/go.sum b/go.sum
@@ -12,6 +12,10 @@ github.com/canonical/go-efilib v0.9.10-0.20240618094320-cc6dd01c07dc h1:U2xZoSBO
 github.com/canonical/go-efilib v0.9.10-0.20240618094320-cc6dd01c07dc/go.mod h1:n0Ttsy1JuHAvqaFbZBs6PAzoiiJdfkHsAmDOEbexYEQ=
 github.com/canonical/go-efilib v1.0.0 h1:da3shbdfbJgIUzq4qspkNdWccV5lNMi0ZeYksVCoCvg=
 github.com/canonical/go-efilib v1.0.0/go.mod h1:n0Ttsy1JuHAvqaFbZBs6PAzoiiJdfkHsAmDOEbexYEQ=
+github.com/canonical/go-efilib v1.1.0 h1:14CRXLfczZFthTfp2MQBLRz91F2zx8F5jP/YOlJaeDk=
+github.com/canonical/go-efilib v1.1.0/go.mod h1:n0Ttsy1JuHAvqaFbZBs6PAzoiiJdfkHsAmDOEbexYEQ=
+github.com/canonical/go-efilib v1.2.0 h1:+fvJdkj3oVyURFtfk8gSft6pdKyVzzdzNn9GC1kMJw8=
+github.com/canonical/go-efilib v1.2.0/go.mod h1:n0Ttsy1JuHAvqaFbZBs6PAzoiiJdfkHsAmDOEbexYEQ=
 github.com/canonical/go-sp800.108-kdf v0.0.0-20210314145419-a3359f2d21b9/go.mod h1:Zrs3YjJr+w51u0R/dyLh/oWt/EcBVdLPCVFYC4daW5s=
 github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0 h1:ZE2XMRFHcwlib3uU9is37+pKkkMloVoEPWmgQ6GK1yo=
 github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0/go.mod h1:Zrs3YjJr+w51u0R/dyLh/oWt/EcBVdLPCVFYC4daW5s=

diff --git a/internal/efitest/hostenv.go b/internal/efitest/hostenv.go
@@ -41,8 +41,8 @@ func NewMockHostEnvironment(vars MockVars, log *tcglog.Log) *MockHostEnvironment
 }
 
 // VarContext implements [github.com/snapcore/secboot/efi.HostEnvironment.VarContext]/
-func (e *MockHostEnvironment) VarContext() context.Context {
-	return context.WithValue(context.Background(), efi.VarsBackendKey{}, e.Vars)
+func (e *MockHostEnvironment) VarContext(parent context.Context) context.Context {
+	return context.WithValue(parent, efi.VarsBackendKey{}, e.Vars)
 }
 
 // ReadEventLog implements [github.com/snapcore/secboot/efi.HostEnvironment.ReadEventLog].