From 6c6bc99e973ac23701cf6a78e0f4349a2d9eb7cd Mon Sep 17 00:00:00 2001 From: Valentin David Date: Mon, 14 Oct 2024 17:27:18 +0200 Subject: [PATCH] use secboot from https://github.com/canonical/secboot/pull/344 --- go.mod | 16 +++++++++------- go.sum | 32 ++++++++++++++++---------------- secboot/secboot_sb.go | 2 -- secboot/secboot_sb_test.go | 2 -- secboot/secboot_tpm.go | 4 ---- 5 files changed, 25 insertions(+), 31 deletions(-) diff --git a/go.mod b/go.mod index 341be2daa5ab..e5c3b680ba3b 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ replace maze.io/x/crypto => github.com/snapcore/maze.io-x-crypto v0.0.0-20190131 require ( github.com/bmatcuk/doublestar/v4 v4.6.1 - github.com/canonical/go-efilib v1.2.0 + github.com/canonical/go-efilib v1.3.1 github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 // indirect github.com/canonical/go-tpm2 v1.7.6 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf @@ -22,10 +22,10 @@ require ( github.com/seccomp/libseccomp-golang v0.9.2-0.20220502024300-f57e1d55ea18 github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785 github.com/snapcore/secboot v0.0.0-20240822165722-bc2266b5a56d - golang.org/x/crypto v0.9.0 - golang.org/x/net v0.10.0 // indirect + golang.org/x/crypto v0.21.0 + golang.org/x/net v0.21.0 // indirect golang.org/x/sys v0.19.0 - golang.org/x/text v0.9.0 + golang.org/x/text v0.14.0 golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c gopkg.in/macaroon.v1 v1.0.0-20150121114231-ab3940c6c165 
@@ -38,15 +38,17 @@ require ( require go.etcd.io/bbolt v1.3.9 require ( + github.com/canonical/cpuid v0.0.0-20220614022739-219e067757cb // indirect github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0 // indirect - github.com/canonical/tcglog-parser v0.0.0-20240820013904-60cf7cbc7c5d // indirect - github.com/intel-go/cpuid v0.0.0-20220614022739-219e067757cb // indirect + github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981 // indirect github.com/kr/pretty v0.2.2-0.20200810074440-814ac30b4b18 // indirect github.com/kr/text v0.1.0 // indirect golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect - golang.org/x/term v0.8.0 // indirect + golang.org/x/term v0.18.0 // indirect maze.io/x/crypto v0.0.0-20190131090603-9b94c9afe066 // indirect ) // github.com/intel-go was taken over replace github.com/intel-go/cpuid => github.com/aregm/cpuid v0.0.0-20220614022739-219e067757cb + +replace github.com/snapcore/secboot => github.com/valentindavid/secboot v0.0.0-20241014135727-022435735d89 diff --git a/go.sum b/go.sum index f2734417f51b..01f01fe68621 100644 --- a/go.sum +++ b/go.sum 
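Review bot: The added `replace github.com/snapcore/secboot => github.com/valentindavid/secboot v0.0.0-20241014135727-022435735d89` redirects the disk-encryption dependency to a personal fork with no comment, while the neighbouring intel-go replace explains itself; since the subject says this tracks canonical/secboot PR 344, record that next to the directive, e.g. `// Temporary: tracks https://github.com/canonical/secboot/pull/344; revert to the upstream module once it is merged.` A replace to a fork is easy to forget and hard to audit later, so whoever merges this should check that the fork commit matches the PR head and that the replace is dropped before release. Separately, the hunk removes the `github.com/intel-go/cpuid` requirement (and the aregm/cpuid checksums disappear from go.sum in the next file), which leaves the existing `replace github.com/intel-go/cpuid => github.com/aregm/cpuid ...` with nothing to replace; it can probably be deleted in the same change.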
@@ -1,17 +1,17 @@ -github.com/aregm/cpuid v0.0.0-20220614022739-219e067757cb h1:9DjQ6pcRWjaavG/kaC5x34q3r9gHpkoh55PfuXwKYiw= -github.com/aregm/cpuid v0.0.0-20220614022739-219e067757cb/go.mod h1:U7jHFVFhE3ffvppP5MofVeTKcHBpk5GEj4CJsku5ONY= github.com/bmatcuk/doublestar/v4 v4.6.1 h1:FH9SifrbvJhnlQpztAx++wlkk70QBf0iBWDwNy7PA4I= github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= -github.com/canonical/go-efilib v1.2.0 h1:+fvJdkj3oVyURFtfk8gSft6pdKyVzzdzNn9GC1kMJw8= -github.com/canonical/go-efilib v1.2.0/go.mod h1:n0Ttsy1JuHAvqaFbZBs6PAzoiiJdfkHsAmDOEbexYEQ= +github.com/canonical/cpuid v0.0.0-20220614022739-219e067757cb h1:+kA/9oHTqUx4P08ywKvmd7a1wOL3RLTrE0K958C15x8= +github.com/canonical/cpuid v0.0.0-20220614022739-219e067757cb/go.mod h1:6j8Sw3dwYVcBXltEeGklDoK/8UJVJNQPUkg1ZdQUgbk= +github.com/canonical/go-efilib v1.3.1 h1:KnVlqrKn0ZDGAbgQt9tke5cvtqNRCmpEp0v7RGUVpqs= +github.com/canonical/go-efilib v1.3.1/go.mod h1:n0Ttsy1JuHAvqaFbZBs6PAzoiiJdfkHsAmDOEbexYEQ= github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0 h1:ZE2XMRFHcwlib3uU9is37+pKkkMloVoEPWmgQ6GK1yo= github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0/go.mod h1:Zrs3YjJr+w51u0R/dyLh/oWt/EcBVdLPCVFYC4daW5s= github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 h1:oe6fCvaEpkhyW3qAicT0TnGtyht/UrgvOwMcEgLb7Aw= github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3/go.mod h1:qdP0gaj0QtgX2RUZhnlVrceJ+Qln8aSlDyJwelLLFeM= github.com/canonical/go-tpm2 v1.7.6 h1:9k9OAEEp9xKp4h2WJwfTUNivblJi4L5Wjx7Q/LkSTSQ= github.com/canonical/go-tpm2 v1.7.6/go.mod h1:Dz0PQRmoYrmk/4BLILjRA+SFzuqEo1etAvYeAJiMhYU= -github.com/canonical/tcglog-parser v0.0.0-20240820013904-60cf7cbc7c5d h1:v3gTMnOF/eT79eZnUSbHR18IJqHAXUog5SwiPn+HRXk= -github.com/canonical/tcglog-parser v0.0.0-20240820013904-60cf7cbc7c5d/go.mod h1:ywdPBqUGkuuiitPpVWCfilf2/gq+frhq4CNiNs9KyHU= +github.com/canonical/tcglog-parser 
v0.0.0-20240924110432-d15eaf652981 h1:vrUzSfbhl8mzdXPzjxq4jXZPCCNLv18jy6S7aVTS2tI= +github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981/go.mod h1:ywdPBqUGkuuiitPpVWCfilf2/gq+frhq4CNiNs9KyHU= github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU= github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 
@@ -49,25 +49,25 @@ github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785 h1:PaunR+BhraK github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785/go.mod h1:D3SsWAXK7wCCBZu+Vk5hc1EuKj/L3XN1puEMXTU4LrQ= github.com/snapcore/maze.io-x-crypto v0.0.0-20190131090603-9b94c9afe066 h1:InG0EmriMOiI4YgtQNOo+6fNxzLCYioo3Q3BCVLdMCE= github.com/snapcore/maze.io-x-crypto v0.0.0-20190131090603-9b94c9afe066/go.mod h1:VuAdaITF1MrGzxPU+8GxagM1HW2vg7QhEFEeGHbmEMU= -github.com/snapcore/secboot v0.0.0-20240822165722-bc2266b5a56d h1:KWB6+AV0BsXCrL2HWkfmntTaZRpdwil2wAQIaLSS2QI= -github.com/snapcore/secboot v0.0.0-20240822165722-bc2266b5a56d/go.mod h1:zK2P3h0JD7iJtxChu6DvG0ve7qX6OmwGoeGh1p98WIQ= github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= +github.com/valentindavid/secboot v0.0.0-20241014135727-022435735d89 h1:Tt1lM03ZBhyNOCzeN7amva1mIFmUV90jxOy7hE3WNpA= +github.com/valentindavid/secboot v0.0.0-20241014135727-022435735d89/go.mod h1:Tw/DK06oyO+lFvAQxmNPzXRlSWGk9vZlS2eNx4riAHo= go.etcd.io/bbolt v1.3.9 h1:8x7aARPEXiXbHmtUwAIv7eV2fQFHrLLavdiJ3uzJXoI= go.etcd.io/bbolt v1.3.9/go.mod h1:zaO32+Ti0PK1ivdPtgMESzuzL2VPoIG1PCQNvOdo/dE= -golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g= -golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= +golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY= golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI= -golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4= +golang.org/x/net v0.21.0/go.mod 
h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols= -golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= -golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f h1:uF6paiQQebLeSXkrTqHqz0MXhXXS1KgF41eUdBNvxK0= golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= diff --git a/secboot/secboot_sb.go b/secboot/secboot_sb.go index a9fe64411a32..fe31da05fdf2 100644 --- a/secboot/secboot_sb.go +++ b/secboot/secboot_sb.go @@ -153,8 +153,6 @@ func UnlockVolumeUsingSealedKeyIfEncrypted(disk disks.Disk, name string, sealedE defer sbSetKeyRevealer(nil) options := activateVolOpts(opts.AllowRecoveryKey) - // TODO: remove this - options.Model = sb.SkipSnapModelCheck authRequestor, err := newAuthRequestor() if err != nil { res.UnlockMethod = NotUnlocked diff --git a/secboot/secboot_sb_test.go b/secboot/secboot_sb_test.go index 0e80593d0774..d166eaede112 100644 --- a/secboot/secboot_sb_test.go +++ b/secboot/secboot_sb_test.go 
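Review bot: Dropping `options.Model = sb.SkipSnapModelCheck` leaves nothing in `UnlockVolumeUsingSealedKeyIfEncrypted` that says what now governs the snap-model check during activation, and neither the remaining code nor the commit message explains it; the same removal is made in secboot_tpm.go's `unlockEncryptedPartitionWithSealedKey` below. Presumably the replaced secboot no longer exposes the `Model` field and either performs that check itself or no longer performs it, but a reader of this file cannot tell which, and the comment removed in the tpm hunk said the intended design was to call `SetModels` instead. Suggest a one-line comment after `options := activateVolOpts(opts.AllowRecoveryKey)` recording where model authorization now lives, along the lines of `// Snap model checking is handled inside secboot (see canonical/secboot PR 344); no per-call option is needed.` — adjusted to whatever is actually true. The function starts and ends outside the hunk.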
@@ -653,7 +653,6 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { PassphraseTries: 1, RecoveryKeyTries: 3, KeyringPrefix: "ubuntu-fde", - Model: sb.SkipSnapModelCheck, }) } else { c.Assert(*options, DeepEquals, sb.ActivateVolumeOptions{ @@ -661,7 +660,6 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { // activation with recovery key was disabled RecoveryKeyTries: 0, KeyringPrefix: "ubuntu-fde", - Model: sb.SkipSnapModelCheck, }) } return tc.activateErr diff --git a/secboot/secboot_tpm.go b/secboot/secboot_tpm.go index badfcf438b83..c7d442abeddb 100644 --- a/secboot/secboot_tpm.go +++ b/secboot/secboot_tpm.go @@ -323,10 +323,6 @@ func unlockEncryptedPartitionWithSealedKey(mapperName, sourceDevice, keyfile str } keys = append(keys, keyData) options := activateVolOpts(allowRecovery) - // Ignoring model checker as it doesn't work with tpm "legacy" platform key data. - // TODO: In the general case anway, it is also not how the model is - // supposed to be provided. We should call SetModels instead. - options.Model = sb.SkipSnapModelCheck authRequestor, err := newAuthRequestor() if err != nil { return NotUnlocked, fmt.Errorf("internal error: cannot build an auth requestor: %v", err)
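Review bot: The removed comment in `unlockEncryptedPartitionWithSealedKey` recorded why the model check was skipped on this path — it "doesn't work with tpm "legacy" platform key data" — and that rationale disappears with nothing replacing it, so a later reader cannot tell whether legacy platform key data now unlocks correctly under the replaced secboot or whether this path quietly lost the override it needed. If the fork resolves that limitation, keep a short trace of it next to `options := activateVolOpts(allowRecovery)`, e.g. `// Legacy TPM platform key data no longer needs a model-check override (canonical/secboot PR 344).` The two hunks in secboot_sb_test.go only delete the `Model: sb.SkipSnapModelCheck` expectations rather than asserting the new behaviour, so as far as these hunks show no assertion now covers whether a model check is applied on unlock. The function starts outside the hunk.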