go.mod: move to latest secboot

[valentindavid]

No description provided.

[valentindavid]

!13278 with canonical/secboot#266

[codecov-commenter]

Codecov Report

Attention: 16 lines in your changes are missing coverage. Please review.

Comparison is base (cdbd316) 78.96% compared to head (6535984) 78.86%.
Report is 55 commits behind head on master.

Files	Patch %	Lines
secboot/secboot_hooks.go	52.38%	8 Missing and 2 partials ⚠️
secboot/secboot_sb.go	40.00%	2 Missing and 1 partial ⚠️
secboot/secboot_tpm.go	91.17%	2 Missing and 1 partial ⚠️

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #13339      +/-   ##
==========================================
- Coverage   78.96%   78.86%   -0.10%     
==========================================
  Files        1028     1030       +2     
  Lines      129762   130548     +786     
==========================================
+ Hits       102462   102958     +496     
- Misses      20911    21177     +266     
- Partials     6389     6413      +24     

Flag	Coverage Δ
unittests	78.86% <73.77%> (-0.10%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[valentindavid]

tests/nested/core/core20-gadget-reseal started to fail with:

2023-12-05T17:20:27.3929553Z [   91.522913] snapd[1922]: 2023/12/05 17:10:31.229509 logger.go:93: DEBUG: 2023-12-05T17:10:31Z ERROR cannot set next boot: cannot reseal the fallback encryption keys: cannot increment counter: TPM returned a warning whilst executing command TPM_CC_StartAuthSession: TPM_RC_SESSION_MEMORY (out of memory for session contexts)

[alfonsosanchezbeato]

I made a pass. An additional change that I wonder if is needed is that in the past parts of secboot were imported in snapd:
a466265
e45a076
and maybe we can use directly secboot now. But I don't know about the reason for importing code this way, maybe @pedronis has some context. Anyway, that should be possible a follow-up.

[valentindavid]

I made a pass. An additional change that I wonder if is needed is that in the past parts of secboot were imported in snapd:
a466265
e45a076
and maybe we can use directly secboot now. But I don't know about the reason for importing code this way, maybe @pedronis has some context. Anyway, that should be possible a follow-up.

I had a quick look if I could build without it. It seems that we need this code to enroll recovery keys from snap-fde-keymgr. The functions it calls are in "internal" part of secboot and cannot be used directly.

[valentindavid]

I have added the Block label, because we should not merge it yet. The new key format has to be merged together. But it should still be reviewed.

[alfonsosanchezbeato]

Thanks for the changes, I'm not approving yet as you mentioned that other things need to land first.

[pedronis]

lgtm, one question, did Chris have a look a the changes?

[pedronis]

why we don't need this bit of code/manipulation anymore?

[valentindavid]

I have no idea. I believe that was done by Michael. I suppose we can revert this one if it breaks customers' fde-reveal-key.

[valentindavid]

I suppose, if "fde-setup" does not set a handle. It probably does not care about the handle in the corresponding "fde-reveal-key".

[valentindavid]

lgtm, one question, did Chris have a look a the changes?

I do not know if he looked through it.

[alfonsosanchezbeato]

LGTM

[valentindavid]

Everything is in #13951. Closing this one.