many: move key data to key slots

boot/assets.go

@@ -37,7 +37,7 @@ import (
 	"github.com/snapcore/snapd/gadget/device"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
-	"github.com/snapcore/snapd/secboot/keys"
+	"github.com/snapcore/snapd/secboot"
 	"github.com/snapcore/snapd/strutil"
 )
 
@@ -256,7 +256,7 @@ func isAssetHashTrackedInMap(bam bootAssetsMap, assetName, assetHash string) boo
 type TrustedAssetsInstallObserver interface {
 	BootLoaderSupportsEfiVariables() bool
 	ObserveExistingTrustedRecoveryAssets(recoveryRootDir string) error
-	ChosenEncryptionKeys(key, saveKey keys.EncryptionKey)
+	ChosenEncryptionKeys(resetter, saveResetter secboot.KeyResetter)
 	UpdateBootEntry() error
 	Observe(op gadget.ContentOperation, partRole, root, relativeTarget string, data *gadget.ContentChange) (gadget.ContentChangeAction, error)
 }
@@ -279,9 +279,9 @@ type trustedAssetsInstallObserverImpl struct {
 	trustedRecoveryAssets map[string]string
 	trackedRecoveryAssets bootAssetsMap
 
-	useEncryption     bool
-	dataEncryptionKey keys.EncryptionKey
-	saveEncryptionKey keys.EncryptionKey
+	useEncryption   bool
+	dataKeyResetter secboot.KeyResetter
+	saveKeyResetter secboot.KeyResetter
 
 	seedBootloader bootloader.Bootloader
 }
@@ -368,10 +368,10 @@ func (o *trustedAssetsInstallObserverImpl) currentTrustedRecoveryBootAssetsMap()
 	return o.trackedRecoveryAssets
 }
 
-func (o *trustedAssetsInstallObserverImpl) ChosenEncryptionKeys(key, saveKey keys.EncryptionKey) {
+func (o *trustedAssetsInstallObserverImpl) ChosenEncryptionKeys(resetter, saveResetter secboot.KeyResetter) {
 	o.useEncryption = true
-	o.dataEncryptionKey = key
-	o.saveEncryptionKey = saveKey
+	o.dataKeyResetter = resetter
+	o.saveKeyResetter = saveResetter
 }
 
 func (o *trustedAssetsInstallObserverImpl) UpdateBootEntry() error {

boot/assets_test.go

@@ -37,7 +37,6 @@ import (
 	"github.com/snapcore/snapd/gadget"
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/secboot"
-	"github.com/snapcore/snapd/secboot/keys"
 	"github.com/snapcore/snapd/seed"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/testutil"
@@ -474,13 +473,16 @@ func (s *assetsSuite) TestInstallObserverNonTrustedBootloader(c *C) {
 	obs, err := boot.TrustedAssetsInstallObserverForModel(uc20Model, d, useEncryption)
 	c.Assert(err, IsNil)
 	c.Assert(obs, NotNil)
-	obs.ChosenEncryptionKeys(keys.EncryptionKey{1, 2, 3, 4}, keys.EncryptionKey{5, 6, 7, 8})
+
+	dataResetter := &secboot.MockKeyResetter{}
+	saveResetter := &secboot.MockKeyResetter{}
+	obs.ChosenEncryptionKeys(dataResetter, saveResetter)
 
 	observerImpl, ok := obs.(*boot.TrustedAssetsInstallObserverImpl)
 	c.Assert(ok, Equals, true)
 
-	c.Check(observerImpl.CurrentDataEncryptionKey(), DeepEquals, keys.EncryptionKey{1, 2, 3, 4})
-	c.Check(observerImpl.CurrentSaveEncryptionKey(), DeepEquals, keys.EncryptionKey{5, 6, 7, 8})
+	c.Check(observerImpl.CurrentDataKeyResetter(), Equals, dataResetter)
+	c.Check(observerImpl.CurrentSaveKeyResetter(), Equals, saveResetter)
 }
 
 func (s *assetsSuite) TestInstallObserverTrustedButNoAssets(c *C) {
@@ -499,13 +501,16 @@ func (s *assetsSuite) TestInstallObserverTrustedButNoAssets(c *C) {
 	obs, err := boot.TrustedAssetsInstallObserverForModel(uc20Model, d, useEncryption)
 	c.Assert(err, IsNil)
 	c.Assert(obs, NotNil)
-	obs.ChosenEncryptionKeys(keys.EncryptionKey{1, 2, 3, 4}, keys.EncryptionKey{5, 6, 7, 8})
+
+	dataResetter := &secboot.MockKeyResetter{}
+	saveResetter := &secboot.MockKeyResetter{}
+	obs.ChosenEncryptionKeys(dataResetter, saveResetter)
 
 	observerImpl, ok := obs.(*boot.TrustedAssetsInstallObserverImpl)
 	c.Assert(ok, Equals, true)
 
-	c.Check(observerImpl.CurrentDataEncryptionKey(), DeepEquals, keys.EncryptionKey{1, 2, 3, 4})
-	c.Check(observerImpl.CurrentSaveEncryptionKey(), DeepEquals, keys.EncryptionKey{5, 6, 7, 8})
+	c.Check(observerImpl.CurrentDataKeyResetter(), Equals, dataResetter)
+	c.Check(observerImpl.CurrentSaveKeyResetter(), Equals, saveResetter)
 }
 
 func (s *assetsSuite) TestInstallObserverTrustedReuseNameErr(c *C) {

boot/bootstate20.go

@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2019-2023 Canonical Ltd
+ * Copyright (C) 2019-2024 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -69,12 +69,12 @@ func modeenvUnlock() {
 	modeenvMu.Unlock()
 }
 
-func isModeeenvLocked() bool {
+func IsModeeenvLocked() bool {
 	return atomic.LoadInt32(&modeenvLocked) == 1
 }
 
 func loadModeenv() (*Modeenv, error) {
-	if !isModeeenvLocked() {
+	if !IsModeeenvLocked() {
 		return nil, fmt.Errorf("internal error: cannot read modeenv without the lock")
 	}
 	modeenv, err := ReadModeenv("")
@@ -184,7 +184,7 @@ func newBootStateUpdate20(m *Modeenv) (*bootStateUpdate20, error) {
 
 // commit will write out boot state persistently to disk.
 func (u20 *bootStateUpdate20) commit() error {
-	if !isModeeenvLocked() {
+	if !IsModeeenvLocked() {
 		return fmt.Errorf("internal error: cannot commit modeenv without the lock")
 	}
 

boot/export_sb_test.go

@@ -21,6 +21,8 @@
 package boot
 
 import (
+	"context"
+
 	"github.com/canonical/go-efilib"
 	"github.com/canonical/go-efilib/linux"
 
@@ -33,19 +35,19 @@ var (
 	SetEfiBootOrderVariable  = setEfiBootOrderVariable
 )
 
-func MockEfiListVariables(f func() ([]efi.VariableDescriptor, error)) (restore func()) {
+func MockEfiListVariables(f func(ctx context.Context) ([]efi.VariableDescriptor, error)) (restore func()) {
 	restore = testutil.Backup(&efiListVariables)
 	efiListVariables = f
 	return restore
 }
 
-func MockEfiReadVariable(f func(name string, guid efi.GUID) ([]byte, efi.VariableAttributes, error)) (restore func()) {
+func MockEfiReadVariable(f func(ctx context.Context, name string, guid efi.GUID) ([]byte, efi.VariableAttributes, error)) (restore func()) {
 	restore = testutil.Backup(&efiReadVariable)
 	efiReadVariable = f
 	return restore
 }
 
-func MockEfiWriteVariable(f func(name string, guid efi.GUID, attrs efi.VariableAttributes, data []byte) error) (restore func()) {
+func MockEfiWriteVariable(f func(ctx context.Context, name string, guid efi.GUID, attrs efi.VariableAttributes, data []byte) error) (restore func()) {
 	restore = testutil.Backup(&efiWriteVariable)
 	efiWriteVariable = f
 	return restore

boot/export_test.go

@@ -27,7 +27,6 @@ import (
 	"github.com/snapcore/snapd/bootloader"
 	"github.com/snapcore/snapd/kernel/fde"
 	"github.com/snapcore/snapd/secboot"
-	"github.com/snapcore/snapd/secboot/keys"
 	"github.com/snapcore/snapd/seed"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/testutil"
@@ -104,12 +103,12 @@ func (o *trustedAssetsInstallObserverImpl) CurrentTrustedRecoveryBootAssetsMap()
 	return o.currentTrustedRecoveryBootAssetsMap()
 }
 
-func (o *trustedAssetsInstallObserverImpl) CurrentDataEncryptionKey() keys.EncryptionKey {
-	return o.dataEncryptionKey
+func (o *TrustedAssetsInstallObserverImpl) CurrentDataKeyResetter() secboot.KeyResetter {
+	return o.dataKeyResetter
 }
 
-func (o *trustedAssetsInstallObserverImpl) CurrentSaveEncryptionKey() keys.EncryptionKey {
-	return o.saveEncryptionKey
+func (o *TrustedAssetsInstallObserverImpl) CurrentSaveKeyResetter() secboot.KeyResetter {
+	return o.saveKeyResetter
 }
 
 func MockSecbootProvisionTPM(f func(mode secboot.TPMProvisionMode, lockoutAuthFile string) error) (restore func()) {
@@ -118,7 +117,7 @@ func MockSecbootProvisionTPM(f func(mode secboot.TPMProvisionMode, lockoutAuthFi
 	return restore
 }
 
-func MockSecbootSealKeys(f func(keys []secboot.SealKeyRequest, params *secboot.SealKeysParams) error) (restore func()) {
+func MockSecbootSealKeys(f func(keys []secboot.SealKeyRequest, params *secboot.SealKeysParams) ([]byte, error)) (restore func()) {
 	old := secbootSealKeys
 	secbootSealKeys = f
 	return func() {
@@ -253,10 +252,10 @@ func MockRunFDESetupHook(f fde.RunSetupHookFunc) (restore func()) {
 }
 
 func MockResealKeyToModeenvUsingFDESetupHook(f func(string, *Modeenv, bool) error) (restore func()) {
-	old := resealKeyToModeenvUsingFDESetupHook
-	resealKeyToModeenvUsingFDESetupHook = f
+	old := ResealKeyToModeenvUsingFDESetupHook
+	ResealKeyToModeenvUsingFDESetupHook = f
 	return func() {
-		resealKeyToModeenvUsingFDESetupHook = old
+		ResealKeyToModeenvUsingFDESetupHook = old
 	}
 }
 

boot/makebootable.go

@@ -554,7 +554,7 @@ func makeRunnableSystem(model *asserts.Model, bootWith *BootableSet, observer Tr
 			flags.SnapsDir = snapBlobDir
 		}
 		// seal the encryption key to the parameters specified in modeenv
-		if err := sealKeyToModeenv(observerImpl.dataEncryptionKey, observerImpl.saveEncryptionKey, model, modeenv, flags); err != nil {
+		if err := sealKeyToModeenv(observerImpl.dataKeyResetter, observerImpl.saveKeyResetter, model, modeenv, flags); err != nil {
 			return err
 		}
 	}

boot/makebootable_test.go

@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2014-2022 Canonical Ltd
+ * Copyright (C) 2014-2022, 2024 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -40,7 +40,6 @@ import (
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/release"
 	"github.com/snapcore/snapd/secboot"
-	"github.com/snapcore/snapd/secboot/keys"
 	"github.com/snapcore/snapd/seed"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snapfile"
@@ -627,14 +626,10 @@ version: 5.0
 	err = obs.ObserveExistingTrustedRecoveryAssets(boot.InitramfsUbuntuSeedDir)
 	c.Assert(err, IsNil)
 
-	// set encryption key
-	myKey := keys.EncryptionKey{}
-	myKey2 := keys.EncryptionKey{}
-	for i := range myKey {
-		myKey[i] = byte(i)
-		myKey2[i] = byte(128 + i)
-	}
-	obs.ChosenEncryptionKeys(myKey, myKey2)
+	// set key resetter
+	dataResetter := &secboot.MockKeyResetter{}
+	saveResetter := &secboot.MockKeyResetter{}
+	obs.ChosenEncryptionKeys(dataResetter, saveResetter)
 
 	// set a mock recovery kernel
 	readSystemEssentialCalls := 0
@@ -699,38 +694,30 @@ version: 5.0
 
 	// set mock key sealing
 	sealKeysCalls := 0
-	restore = boot.MockSecbootSealKeys(func(keys []secboot.SealKeyRequest, params *secboot.SealKeysParams) error {
+	restore = boot.MockSecbootSealKeys(func(keys []secboot.SealKeyRequest, params *secboot.SealKeysParams) ([]byte, error) {
 		c.Assert(provisionCalls, Equals, 1, Commentf("TPM must have been provisioned before"))
 		sealKeysCalls++
 		switch sealKeysCalls {
 		case 1:
 			c.Check(keys, HasLen, 1)
-			c.Check(keys[0].Key, DeepEquals, myKey)
-			c.Check(keys[0].KeyFile, Equals,
-				filepath.Join(s.rootdir, "/run/mnt/ubuntu-boot/device/fde/ubuntu-data.sealed-key"))
+			c.Check(keys[0].Resetter, Equals, dataResetter)
+			c.Check(keys[0].KeyFile, Equals, "")
 			if factoryReset {
 				c.Check(params.PCRPolicyCounterHandle, Equals, secboot.AltRunObjectPCRPolicyCounterHandle)
 			} else {
 				c.Check(params.PCRPolicyCounterHandle, Equals, secboot.RunObjectPCRPolicyCounterHandle)
 			}
 		case 2:
 			c.Check(keys, HasLen, 2)
-			c.Check(keys[0].Key, DeepEquals, myKey)
-			c.Check(keys[1].Key, DeepEquals, myKey2)
-			c.Check(keys[0].KeyFile, Equals,
-				filepath.Join(s.rootdir,
-					"/run/mnt/ubuntu-seed/device/fde/ubuntu-data.recovery.sealed-key"))
+			c.Check(keys[0].Resetter, Equals, dataResetter)
+			c.Check(keys[0].KeyFile, Equals, "")
+			c.Check(keys[1].Resetter, Equals, saveResetter)
 			if factoryReset {
 				c.Check(params.PCRPolicyCounterHandle, Equals, secboot.AltFallbackObjectPCRPolicyCounterHandle)
-				c.Check(keys[1].KeyFile, Equals,
-					filepath.Join(s.rootdir,
-						"/run/mnt/ubuntu-seed/device/fde/ubuntu-save.recovery.sealed-key.factory-reset"))
-
+				c.Check(keys[1].KeyFile, Equals, "")
 			} else {
 				c.Check(params.PCRPolicyCounterHandle, Equals, secboot.FallbackObjectPCRPolicyCounterHandle)
-				c.Check(keys[1].KeyFile, Equals,
-					filepath.Join(s.rootdir,
-						"/run/mnt/ubuntu-seed/device/fde/ubuntu-save.recovery.sealed-key"))
+				c.Check(keys[1].KeyFile, Equals, "")
 			}
 		default:
 			c.Errorf("unexpected additional call to secboot.SealKeys (call # %d)", sealKeysCalls)
@@ -783,7 +770,7 @@ version: 5.0
 
 		c.Assert(params.ModelParams[0].Model.Model(), Equals, "my-model-uc20")
 
-		return nil
+		return nil, nil
 	})
 	defer restore()
 
@@ -1152,14 +1139,10 @@ version: 5.0
 	err = obs.ObserveExistingTrustedRecoveryAssets(boot.InitramfsUbuntuSeedDir)
 	c.Assert(err, IsNil)
 
-	// set encryption key
-	myKey := keys.EncryptionKey{}
-	myKey2 := keys.EncryptionKey{}
-	for i := range myKey {
-		myKey[i] = byte(i)
-		myKey2[i] = byte(128 + i)
-	}
-	obs.ChosenEncryptionKeys(myKey, myKey2)
+	// set key resetter
+	dataResetter := &secboot.MockKeyResetter{}
+	saveResetter := &secboot.MockKeyResetter{}
+	obs.ChosenEncryptionKeys(dataResetter, saveResetter)
 
 	// set a mock recovery kernel
 	readSystemEssentialCalls := 0
@@ -1179,16 +1162,15 @@ version: 5.0
 	defer restore()
 	// set mock key sealing
 	sealKeysCalls := 0
-	restore = boot.MockSecbootSealKeys(func(keys []secboot.SealKeyRequest, params *secboot.SealKeysParams) error {
+	restore = boot.MockSecbootSealKeys(func(keys []secboot.SealKeyRequest, params *secboot.SealKeysParams) ([]byte, error) {
 		sealKeysCalls++
 		switch sealKeysCalls {
 		case 1:
 			c.Check(keys, HasLen, 1)
-			c.Check(keys[0].Key, DeepEquals, myKey)
+			c.Check(keys[0].Resetter, Equals, dataResetter)
 		case 2:
-			c.Check(keys, HasLen, 2)
-			c.Check(keys[0].Key, DeepEquals, myKey)
-			c.Check(keys[1].Key, DeepEquals, myKey2)
+			c.Check(keys, HasLen, 1)
+			c.Check(keys[0].Resetter, Equals, saveResetter)
 		default:
 			c.Errorf("unexpected additional call to secboot.SealKeys (call # %d)", sealKeysCalls)
 		}
@@ -1217,7 +1199,7 @@ version: 5.0
 		})
 		c.Assert(params.ModelParams[0].Model.Model(), Equals, "my-model-uc20")
 
-		return fmt.Errorf("seal error")
+		return nil, fmt.Errorf("seal error")
 	})
 	defer restore()
 
@@ -1350,7 +1332,9 @@ version: 5.0
 	err = obs.ObserveExistingTrustedRecoveryAssets(boot.InitramfsUbuntuSeedDir)
 	c.Assert(err, IsNil)
 
-	obs.ChosenEncryptionKeys(keys.EncryptionKey{}, keys.EncryptionKey{})
+	dataResetter := &secboot.MockKeyResetter{}
+	saveResetter := &secboot.MockKeyResetter{}
+	obs.ChosenEncryptionKeys(dataResetter, saveResetter)
 
 	// set a mock recovery kernel
 	readSystemEssentialCalls := 0
@@ -1370,7 +1354,7 @@ version: 5.0
 	defer restore()
 	// set mock key sealing
 	sealKeysCalls := 0
-	restore = boot.MockSecbootSealKeys(func(keys []secboot.SealKeyRequest, params *secboot.SealKeysParams) error {
+	restore = boot.MockSecbootSealKeys(func(keys []secboot.SealKeyRequest, params *secboot.SealKeysParams) ([]byte, error) {
 		sealKeysCalls++
 		switch sealKeysCalls {
 		case 1, 2:
@@ -1394,7 +1378,7 @@ version: 5.0
 
 		c.Assert(params.ModelParams[0].Model.Model(), Equals, "my-model-uc20")
 
-		return nil
+		return nil, nil
 	})
 	defer restore()