many: attempt to use secboot api for new key format

boot/assets.go

@@ -37,7 +37,7 @@ import (
 	"github.com/snapcore/snapd/gadget/device"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
-	"github.com/snapcore/snapd/secboot/keys"
+	"github.com/snapcore/snapd/secboot"
 	"github.com/snapcore/snapd/strutil"
 )
 
@@ -268,8 +268,8 @@ type TrustedAssetsInstallObserver struct {
 	trustedRecoveryAssets map[string]string
 	trackedRecoveryAssets bootAssetsMap
 
-	dataEncryptionKey keys.EncryptionKey
-	saveEncryptionKey keys.EncryptionKey
+	dataKeyResetter secboot.KeyResetter
+	saveKeyResetter secboot.KeyResetter
 }
 
 // Observe observes the operation related to the content of a given gadget
@@ -349,9 +349,9 @@ func (o *TrustedAssetsInstallObserver) currentTrustedRecoveryBootAssetsMap() boo
 	return o.trackedRecoveryAssets
 }
 
-func (o *TrustedAssetsInstallObserver) ChosenEncryptionKeys(key, saveKey keys.EncryptionKey) {
-	o.dataEncryptionKey = key
-	o.saveEncryptionKey = saveKey
+func (o *TrustedAssetsInstallObserver) ChosenEncryptionKeys(resetter, saveResetter secboot.KeyResetter) {
+	o.dataKeyResetter = resetter
+	o.saveKeyResetter = saveResetter
 }
 
 // TrustedAssetsUpdateObserverForModel returns a new trusted assets observer for

boot/assets_test.go

@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2020 Canonical Ltd
+ * Copyright (C) 2020, 2024 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -37,7 +37,6 @@ import (
 	"github.com/snapcore/snapd/gadget"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/secboot"
-	"github.com/snapcore/snapd/secboot/keys"
 	"github.com/snapcore/snapd/seed"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/testutil"
@@ -467,9 +466,11 @@ func (s *assetsSuite) TestInstallObserverNonTrustedBootloader(c *C) {
 	obs, err := boot.TrustedAssetsInstallObserverForModel(uc20Model, d, useEncryption)
 	c.Assert(err, IsNil)
 	c.Assert(obs, NotNil)
-	obs.ChosenEncryptionKeys(keys.EncryptionKey{1, 2, 3, 4}, keys.EncryptionKey{5, 6, 7, 8})
-	c.Check(obs.CurrentDataEncryptionKey(), DeepEquals, keys.EncryptionKey{1, 2, 3, 4})
-	c.Check(obs.CurrentSaveEncryptionKey(), DeepEquals, keys.EncryptionKey{5, 6, 7, 8})
+	dataResetter := &secboot.MockKeyResetter{}
+	saveResetter := &secboot.MockKeyResetter{}
+	obs.ChosenEncryptionKeys(dataResetter, saveResetter)
+	c.Check(obs.CurrentDataKeyResetter(), Equals, dataResetter)
+	c.Check(obs.CurrentSaveKeyResetter(), Equals, saveResetter)
 }
 
 func (s *assetsSuite) TestInstallObserverTrustedButNoAssets(c *C) {
@@ -488,9 +489,11 @@ func (s *assetsSuite) TestInstallObserverTrustedButNoAssets(c *C) {
 	obs, err := boot.TrustedAssetsInstallObserverForModel(uc20Model, d, useEncryption)
 	c.Assert(err, IsNil)
 	c.Assert(obs, NotNil)
-	obs.ChosenEncryptionKeys(keys.EncryptionKey{1, 2, 3, 4}, keys.EncryptionKey{5, 6, 7, 8})
-	c.Check(obs.CurrentDataEncryptionKey(), DeepEquals, keys.EncryptionKey{1, 2, 3, 4})
-	c.Check(obs.CurrentSaveEncryptionKey(), DeepEquals, keys.EncryptionKey{5, 6, 7, 8})
+	dataResetter := &secboot.MockKeyResetter{}
+	saveResetter := &secboot.MockKeyResetter{}
+	obs.ChosenEncryptionKeys(dataResetter, saveResetter)
+	c.Check(obs.CurrentDataKeyResetter(), Equals, dataResetter)
+	c.Check(obs.CurrentSaveKeyResetter(), Equals, saveResetter)
 }
 
 func (s *assetsSuite) TestInstallObserverTrustedReuseNameErr(c *C) {

boot/export_test.go

@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2014-2019 Canonical Ltd
+ * Copyright (C) 2014-2019, 2024 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -27,7 +27,6 @@ import (
 	"github.com/snapcore/snapd/bootloader"
 	"github.com/snapcore/snapd/kernel/fde"
 	"github.com/snapcore/snapd/secboot"
-	"github.com/snapcore/snapd/secboot/keys"
 	"github.com/snapcore/snapd/seed"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/testutil"
@@ -102,12 +101,12 @@ func (o *TrustedAssetsInstallObserver) CurrentTrustedRecoveryBootAssetsMap() Boo
 	return o.currentTrustedRecoveryBootAssetsMap()
 }
 
-func (o *TrustedAssetsInstallObserver) CurrentDataEncryptionKey() keys.EncryptionKey {
-	return o.dataEncryptionKey
+func (o *TrustedAssetsInstallObserver) CurrentDataKeyResetter() secboot.KeyResetter {
+	return o.dataKeyResetter
 }
 
-func (o *TrustedAssetsInstallObserver) CurrentSaveEncryptionKey() keys.EncryptionKey {
-	return o.saveEncryptionKey
+func (o *TrustedAssetsInstallObserver) CurrentSaveKeyResetter() secboot.KeyResetter {
+	return o.saveKeyResetter
 }
 
 func MockSecbootProvisionTPM(f func(mode secboot.TPMProvisionMode, lockoutAuthFile string) error) (restore func()) {

boot/makebootable.go

@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2014-2022 Canonical Ltd
+ * Copyright (C) 2014-2022, 2024 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -548,7 +548,7 @@ func makeRunnableSystem(model *asserts.Model, bootWith *BootableSet, sealer *Tru
 			flags.SnapsDir = snapBlobDir
 		}
 		// seal the encryption key to the parameters specified in modeenv
-		if err := sealKeyToModeenv(sealer.dataEncryptionKey, sealer.saveEncryptionKey, model, modeenv, flags); err != nil {
+		if err := sealKeyToModeenv(sealer.dataKeyResetter, sealer.saveKeyResetter, model, modeenv, flags); err != nil {
 			return err
 		}
 	}

boot/makebootable_test.go

@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2014-2022 Canonical Ltd
+ * Copyright (C) 2014-2022, 2024 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -40,7 +40,6 @@ import (
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/secboot"
-	"github.com/snapcore/snapd/secboot/keys"
 	"github.com/snapcore/snapd/seed"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snapfile"
@@ -620,14 +619,10 @@ version: 5.0
 	err = obs.ObserveExistingTrustedRecoveryAssets(boot.InitramfsUbuntuSeedDir)
 	c.Assert(err, IsNil)
 
-	// set encryption key
-	myKey := keys.EncryptionKey{}
-	myKey2 := keys.EncryptionKey{}
-	for i := range myKey {
-		myKey[i] = byte(i)
-		myKey2[i] = byte(128 + i)
-	}
-	obs.ChosenEncryptionKeys(myKey, myKey2)
+	// set key resetter
+	dataResetter := &secboot.MockKeyResetter{}
+	saveResetter := &secboot.MockKeyResetter{}
+	obs.ChosenEncryptionKeys(dataResetter, saveResetter)
 
 	// set a mock recovery kernel
 	readSystemEssentialCalls := 0
@@ -698,32 +693,20 @@ version: 5.0
 		switch sealKeysCalls {
 		case 1:
 			c.Check(keys, HasLen, 1)
-			c.Check(keys[0].Key, DeepEquals, myKey)
-			c.Check(keys[0].KeyFile, Equals,
-				filepath.Join(s.rootdir, "/run/mnt/ubuntu-boot/device/fde/ubuntu-data.sealed-key"))
+			c.Check(keys[0].Resetter, Equals, dataResetter)
 			if factoryReset {
 				c.Check(params.PCRPolicyCounterHandle, Equals, secboot.AltRunObjectPCRPolicyCounterHandle)
 			} else {
 				c.Check(params.PCRPolicyCounterHandle, Equals, secboot.RunObjectPCRPolicyCounterHandle)
 			}
 		case 2:
-			c.Check(keys, HasLen, 2)
-			c.Check(keys[0].Key, DeepEquals, myKey)
-			c.Check(keys[1].Key, DeepEquals, myKey2)
-			c.Check(keys[0].KeyFile, Equals,
-				filepath.Join(s.rootdir,
-					"/run/mnt/ubuntu-seed/device/fde/ubuntu-data.recovery.sealed-key"))
+			c.Check(keys, HasLen, 1)
+			c.Check(keys[0].Resetter, Equals, saveResetter)
 			if factoryReset {
 				c.Check(params.PCRPolicyCounterHandle, Equals, secboot.AltFallbackObjectPCRPolicyCounterHandle)
-				c.Check(keys[1].KeyFile, Equals,
-					filepath.Join(s.rootdir,
-						"/run/mnt/ubuntu-seed/device/fde/ubuntu-save.recovery.sealed-key.factory-reset"))
 
 			} else {
 				c.Check(params.PCRPolicyCounterHandle, Equals, secboot.FallbackObjectPCRPolicyCounterHandle)
-				c.Check(keys[1].KeyFile, Equals,
-					filepath.Join(s.rootdir,
-						"/run/mnt/ubuntu-seed/device/fde/ubuntu-save.recovery.sealed-key"))
 			}
 		default:
 			c.Errorf("unexpected additional call to secboot.SealKeys (call # %d)", sealKeysCalls)
@@ -1143,14 +1126,10 @@ version: 5.0
 	err = obs.ObserveExistingTrustedRecoveryAssets(boot.InitramfsUbuntuSeedDir)
 	c.Assert(err, IsNil)
 
-	// set encryption key
-	myKey := keys.EncryptionKey{}
-	myKey2 := keys.EncryptionKey{}
-	for i := range myKey {
-		myKey[i] = byte(i)
-		myKey2[i] = byte(128 + i)
-	}
-	obs.ChosenEncryptionKeys(myKey, myKey2)
+	// set key resetter
+	dataResetter := &secboot.MockKeyResetter{}
+	saveResetter := &secboot.MockKeyResetter{}
+	obs.ChosenEncryptionKeys(dataResetter, saveResetter)
 
 	// set a mock recovery kernel
 	readSystemEssentialCalls := 0
@@ -1175,11 +1154,10 @@ version: 5.0
 		switch sealKeysCalls {
 		case 1:
 			c.Check(keys, HasLen, 1)
-			c.Check(keys[0].Key, DeepEquals, myKey)
+			c.Check(keys[0].Resetter, Equals, dataResetter)
 		case 2:
-			c.Check(keys, HasLen, 2)
-			c.Check(keys[0].Key, DeepEquals, myKey)
-			c.Check(keys[1].Key, DeepEquals, myKey2)
+			c.Check(keys, HasLen, 1)
+			c.Check(keys[0].Resetter, Equals, saveResetter)
 		default:
 			c.Errorf("unexpected additional call to secboot.SealKeys (call # %d)", sealKeysCalls)
 		}