secboot: register keys in keyring with also the legacy paths (#14718)

snap-bootstrap use to unlock encrypted disks using /dev/disk/by-partuuid paths. This was used ask identifier for the keys stored in the keyring. However /dev/disk/by-uuid path makes more sense as UUID is a part of LUKS2, and cryptsetup uses it for the identify of the volume key. Partition UUID on the other hand are only for GPT partitions. However older snapd will query the key using the old path. So we need to make sure snap-bootstrap also register the old name. A new snap-bootstrap should always be able to run and older snapd.
canonical · Nov 19, 2024 · 5f5f773 · 5f5f773
1 parent 4e36599
commit 5f5f773
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 38 deletions.
diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ replace maze.io/x/crypto => github.com/snapcore/maze.io-x-crypto v0.0.0-20190131
 
 require (
 	github.com/bmatcuk/doublestar/v4 v4.6.1
-	github.com/canonical/go-efilib v1.2.0
+	github.com/canonical/go-efilib v1.3.1
 	github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 // indirect
 	github.com/canonical/go-tpm2 v1.7.6
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
@@ -21,7 +21,7 @@ require (
 	github.com/mvo5/libseccomp-golang v0.9.1-0.20180308152521-f4de83b52afb // old trusty builds only
 	github.com/seccomp/libseccomp-golang v0.9.2-0.20220502024300-f57e1d55ea18
 	github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785
-	github.com/snapcore/secboot v0.0.0-20241003185103-eaa3655091fc
+	github.com/snapcore/secboot v0.0.0-20241115151056-b3ae5175dc9b
 	golang.org/x/crypto v0.21.0
 	golang.org/x/net v0.21.0 // indirect
 	golang.org/x/sys v0.19.0
@@ -40,7 +40,7 @@ require go.etcd.io/bbolt v1.3.9
 require (
 	github.com/canonical/cpuid v0.0.0-20220614022739-219e067757cb // indirect
 	github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0 // indirect
-	github.com/canonical/tcglog-parser v0.0.0-20240820013904-60cf7cbc7c5d // indirect
+	github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981 // indirect
 	github.com/kr/pretty v0.2.2-0.20200810074440-814ac30b4b18 // indirect
 	github.com/kr/text v0.1.0 // indirect
 	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect

diff --git a/go.sum b/go.sum
@@ -2,16 +2,16 @@ github.com/bmatcuk/doublestar/v4 v4.6.1 h1:FH9SifrbvJhnlQpztAx++wlkk70QBf0iBWDwN
 github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/canonical/cpuid v0.0.0-20220614022739-219e067757cb h1:+kA/9oHTqUx4P08ywKvmd7a1wOL3RLTrE0K958C15x8=
 github.com/canonical/cpuid v0.0.0-20220614022739-219e067757cb/go.mod h1:6j8Sw3dwYVcBXltEeGklDoK/8UJVJNQPUkg1ZdQUgbk=
-github.com/canonical/go-efilib v1.2.0 h1:+fvJdkj3oVyURFtfk8gSft6pdKyVzzdzNn9GC1kMJw8=
-github.com/canonical/go-efilib v1.2.0/go.mod h1:n0Ttsy1JuHAvqaFbZBs6PAzoiiJdfkHsAmDOEbexYEQ=
+github.com/canonical/go-efilib v1.3.1 h1:KnVlqrKn0ZDGAbgQt9tke5cvtqNRCmpEp0v7RGUVpqs=
+github.com/canonical/go-efilib v1.3.1/go.mod h1:n0Ttsy1JuHAvqaFbZBs6PAzoiiJdfkHsAmDOEbexYEQ=
 github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0 h1:ZE2XMRFHcwlib3uU9is37+pKkkMloVoEPWmgQ6GK1yo=
 github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0/go.mod h1:Zrs3YjJr+w51u0R/dyLh/oWt/EcBVdLPCVFYC4daW5s=
 github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 h1:oe6fCvaEpkhyW3qAicT0TnGtyht/UrgvOwMcEgLb7Aw=
 github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3/go.mod h1:qdP0gaj0QtgX2RUZhnlVrceJ+Qln8aSlDyJwelLLFeM=
 github.com/canonical/go-tpm2 v1.7.6 h1:9k9OAEEp9xKp4h2WJwfTUNivblJi4L5Wjx7Q/LkSTSQ=
 github.com/canonical/go-tpm2 v1.7.6/go.mod h1:Dz0PQRmoYrmk/4BLILjRA+SFzuqEo1etAvYeAJiMhYU=
-github.com/canonical/tcglog-parser v0.0.0-20240820013904-60cf7cbc7c5d h1:v3gTMnOF/eT79eZnUSbHR18IJqHAXUog5SwiPn+HRXk=
-github.com/canonical/tcglog-parser v0.0.0-20240820013904-60cf7cbc7c5d/go.mod h1:ywdPBqUGkuuiitPpVWCfilf2/gq+frhq4CNiNs9KyHU=
+github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981 h1:vrUzSfbhl8mzdXPzjxq4jXZPCCNLv18jy6S7aVTS2tI=
+github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981/go.mod h1:ywdPBqUGkuuiitPpVWCfilf2/gq+frhq4CNiNs9KyHU=
 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -49,8 +49,8 @@ github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785 h1:PaunR+BhraK
 github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785/go.mod h1:D3SsWAXK7wCCBZu+Vk5hc1EuKj/L3XN1puEMXTU4LrQ=
 github.com/snapcore/maze.io-x-crypto v0.0.0-20190131090603-9b94c9afe066 h1:InG0EmriMOiI4YgtQNOo+6fNxzLCYioo3Q3BCVLdMCE=
 github.com/snapcore/maze.io-x-crypto v0.0.0-20190131090603-9b94c9afe066/go.mod h1:VuAdaITF1MrGzxPU+8GxagM1HW2vg7QhEFEeGHbmEMU=
-github.com/snapcore/secboot v0.0.0-20241003185103-eaa3655091fc h1:Cd+Qev1cqyYW8mraiNcJnzSYwl6ZuYL6q23p4lxor5Y=
-github.com/snapcore/secboot v0.0.0-20241003185103-eaa3655091fc/go.mod h1:qYQmU7AB5+hyxM0m5s9VJIiJ2pA0xgmIYIo6859QMys=
+github.com/snapcore/secboot v0.0.0-20241115151056-b3ae5175dc9b h1:ywW6AgHzAVjJIlkDLb+52IgEXVFYxG2rzjP34khWbow=
+github.com/snapcore/secboot v0.0.0-20241115151056-b3ae5175dc9b/go.mod h1:Tw/DK06oyO+lFvAQxmNPzXRlSWGk9vZlS2eNx4riAHo=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 go.etcd.io/bbolt v1.3.9 h1:8x7aARPEXiXbHmtUwAIv7eV2fQFHrLLavdiJ3uzJXoI=
 go.etcd.io/bbolt v1.3.9/go.mod h1:zaO32+Ti0PK1ivdPtgMESzuzL2VPoIG1PCQNvOdo/dE=

diff --git a/secboot/secboot_sb.go b/secboot/secboot_sb.go
@@ -165,7 +165,7 @@ func UnlockVolumeUsingSealedKeyIfEncrypted(disk disks.Disk, name string, sealedE
 	defer sbSetKeyRevealer(nil)
 
 	const allowPassphrase = true
-	options := activateVolOpts(opts.AllowRecoveryKey, allowPassphrase)
+	options := activateVolOpts(opts.AllowRecoveryKey, allowPassphrase, partDevice)
 	authRequestor, err := newAuthRequestor()
 	if err != nil {
 		res.UnlockMethod = NotUnlocked
@@ -316,26 +316,6 @@ func unlockEncryptedPartitionWithKey(name, device string, key []byte) error {
 	return err
 }
 
-// UnlockEncryptedVolumeWithRecoveryKey prompts for the recovery key and uses it
-// to open an encrypted device.
-func UnlockEncryptedVolumeWithRecoveryKey(name, device string) error {
-	options := sb.ActivateVolumeOptions{
-		RecoveryKeyTries: 3,
-		KeyringPrefix:    keyringPrefix,
-	}
-
-	authRequestor, err := newAuthRequestor()
-	if err != nil {
-		return fmt.Errorf("internal error: cannot build an auth requestor: %v", err)
-	}
-
-	if err := sbActivateVolumeWithRecoveryKey(name, device, authRequestor, &options); err != nil {
-		return fmt.Errorf("cannot unlock encrypted device %q: %v", device, err)
-	}
-
-	return nil
-}
-
 // ActivateVolumeWithKey is a wrapper for secboot.ActivateVolumeWithKey
 func ActivateVolumeWithKey(volumeName, sourceDevicePath string, key []byte, options *ActivateVolumeOptions) error {
 	return sb.ActivateVolumeWithKey(volumeName, sourceDevicePath, key, (*sb.ActivateVolumeOptions)(options))

diff --git a/secboot/secboot_sb_test.go b/secboot/secboot_sb_test.go
@@ -701,16 +701,18 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) {
 
 				if tc.rkAllow {
 					c.Assert(*options, DeepEquals, sb.ActivateVolumeOptions{
-						PassphraseTries:  1,
-						RecoveryKeyTries: 3,
-						KeyringPrefix:    "ubuntu-fde",
+						PassphraseTries:   1,
+						RecoveryKeyTries:  3,
+						KeyringPrefix:     "ubuntu-fde",
+						LegacyDevicePaths: []string{"/dev/disk/by-partuuid/enc-dev-partuuid"},
 					})
 				} else {
 					c.Assert(*options, DeepEquals, sb.ActivateVolumeOptions{
 						PassphraseTries: 1,
 						// activation with recovery key was disabled
-						RecoveryKeyTries: 0,
-						KeyringPrefix:    "ubuntu-fde",
+						RecoveryKeyTries:  0,
+						KeyringPrefix:     "ubuntu-fde",
+						LegacyDevicePaths: []string{"/dev/disk/by-partuuid/enc-dev-partuuid"},
 					})
 				}
 				return tc.activateErr

diff --git a/secboot/secboot_tpm.go b/secboot/secboot_tpm.go
@@ -217,16 +217,17 @@ func lockTPMSealedKeys() error {
 	return sbBlockPCRProtectionPolicies(tpm, []int{initramfsPCR})
 }
 
-func activateVolOpts(allowRecoveryKey bool, allowPassphrase bool) *sb.ActivateVolumeOptions {
+func activateVolOpts(allowRecoveryKey bool, allowPassphrase bool, legacyPaths ...string) *sb.ActivateVolumeOptions {
 	passphraseTry := 0
 	if allowPassphrase {
 		passphraseTry = 1
 	}
 	options := sb.ActivateVolumeOptions{
 		PassphraseTries: passphraseTry,
 		// disable recovery key by default
-		RecoveryKeyTries: 0,
-		KeyringPrefix:    keyringPrefix,
+		RecoveryKeyTries:  0,
+		KeyringPrefix:     keyringPrefix,
+		LegacyDevicePaths: legacyPaths,
 	}
 	if allowRecoveryKey {
 		// enable recovery key only when explicitly allowed