
fixup! secboot: re-introduce v1 fde hook format
valentindavid committed Oct 23, 2024
1 parent a3b1cd1 commit db273b6
Showing 2 changed files with 82 additions and 0 deletions.
3 changes: 3 additions & 0 deletions secboot/export_sb_test.go
Expand Up @@ -351,3 +351,6 @@ func MockNewLUKS2KeyDataWriter(f func(devicePath string, name string) (KeyDataWr
newLUKS2KeyDataWriter = old
}
}

type DefaultKeyLoader = defaultKeyLoader
var ReadKeyFile = readKeyFile
79 changes: 79 additions & 0 deletions secboot/secboot_sb_test.go
Expand Up @@ -2561,3 +2561,82 @@ func (s *secbootSuite) TestSerializedProfile(c *C) {
"tpm2-pcr-profile": base64.StdEncoding.EncodeToString([]byte("serialized-profile")),
})
}

func (s *secbootSuite) TestReadKeyFileKeyData(c *C) {
keyLoader := &secboot.DefaultKeyLoader{}
const fdeHookHint = false
tmpDir := c.MkDir()
keyPath := filepath.Join(tmpDir, "key")
// KeyData is a json
err := os.WriteFile(keyPath, []byte(`{}`), 0644)
c.Assert(err, IsNil)

newFileKeyDataReaderCalls := 0
restore := secboot.MockSbNewFileKeyDataReader(func(kf string) (*sb.FileKeyDataReader, error) {
newFileKeyDataReaderCalls++
c.Check(kf, Equals, keyPath)
return sb.NewFileKeyDataReader(kf)
})
defer restore()

readKeyDataCalls := 0
restore = secboot.MockSbReadKeyData(func(reader sb.KeyDataReader) (*sb.KeyData, error) {
readKeyDataCalls++
return sb.ReadKeyData(reader)
})
defer restore()

err = secboot.ReadKeyFile(keyPath, keyLoader, fdeHookHint)
c.Assert(err, IsNil)
c.Check(newFileKeyDataReaderCalls, Equals, 1)
c.Check(readKeyDataCalls, Equals, 1)
c.Check(keyLoader.KeyData, NotNil)
c.Check(keyLoader.SealedKeyObject, IsNil)
c.Check(keyLoader.FDEHookKeyV1, IsNil)
}

func (s *secbootSuite) TestReadKeyFileSealedObject(c *C) {
keyLoader := &secboot.DefaultKeyLoader{}
const fdeHookHint = false
keyPath := filepath.Join("test-data", "keyfile")

readSealedKeyObjectFromFileCalls := 0
restore := secboot.MockSbReadSealedKeyObjectFromFile(func(path string) (*sb_tpm2.SealedKeyObject, error) {
readSealedKeyObjectFromFileCalls++
c.Check(path, Equals, keyPath)
return sb_tpm2.ReadSealedKeyObjectFromFile(path)
})
defer restore()

newKeyDataFromSealedKeyObjectFile := 0
restore = secboot.MockSbNewKeyDataFromSealedKeyObjectFile(func(path string) (*sb.KeyData, error) {
newKeyDataFromSealedKeyObjectFile++
c.Check(path, Equals, keyPath)
return sb_tpm2.NewKeyDataFromSealedKeyObjectFile(path)
})
defer restore()

err := secboot.ReadKeyFile(keyPath, keyLoader, fdeHookHint)
c.Assert(err, IsNil)
c.Check(readSealedKeyObjectFromFileCalls, Equals, 1)
c.Check(newKeyDataFromSealedKeyObjectFile, Equals, 1)
c.Check(keyLoader.KeyData, NotNil)
c.Check(keyLoader.SealedKeyObject, NotNil)
c.Check(keyLoader.FDEHookKeyV1, IsNil)
}

func (s *secbootSuite) TestReadKeyFileFDEHookV1(c *C) {
keyLoader := &secboot.DefaultKeyLoader{}
const fdeHookHint = true
tmpDir := c.MkDir()
keyPath := filepath.Join(tmpDir, "key")
// KeyData starts with USK$
err := os.WriteFile(keyPath, []byte(`USK$blahblah`), 0644)
c.Assert(err, IsNil)

err = secboot.ReadKeyFile(keyPath, keyLoader, fdeHookHint)
c.Assert(err, IsNil)
c.Check(keyLoader.KeyData, IsNil)
c.Check(keyLoader.SealedKeyObject, IsNil)
c.Check(keyLoader.FDEHookKeyV1, DeepEquals, []byte(`USK$blahblah`))
}
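Review bot: The three new tests only exercise inputs that readKeyFile accepts, so the error path for a key file that is neither JSON KeyData, nor a sealed key object, nor a `USK$`-prefixed v1 hook key is never pinned down; for a boot-time key loader the property that a corrupted or tampered file fails loudly rather than leaving every DefaultKeyLoader field nil is the one most worth a test. The same gap exists for the hint mismatch cases — `fdeHookHint=true` with non-`USK$` content and `fdeHookHint=false` with `USK$` content — where the chosen fallback is presumably deliberate but currently unverified. TestReadKeyFileFDEHookV1 also differs from its two siblings in not installing the MockSbNewFileKeyDataReader/MockSbReadSealedKeyObjectFromFile counters, so it does not show that the hook path bypasses the other readers. As a point of style, the counter on the `newKeyDataFromSealedKeyObjectFile := 0` line lacks the `Calls` suffix used by `readSealedKeyObjectFromFileCalls` and `newFileKeyDataReaderCalls`. A negative test along the lines below would close the first gap; if readKeyFile is designed to return nil and leave the loader empty instead, the assertion on err is the one to adjust, but that choice should then be stated in a comment.
```go
func (s *secbootSuite) TestReadKeyFileUnknownFormat(c *C) {
	keyLoader := &secboot.DefaultKeyLoader{}
	tmpDir := c.MkDir()
	keyPath := filepath.Join(tmpDir, "key")
	// Neither JSON KeyData, nor a sealed key object, nor a USK$-prefixed v1 hook key.
	err := os.WriteFile(keyPath, []byte(`not-a-key-file`), 0644)
	c.Assert(err, IsNil)

	err = secboot.ReadKeyFile(keyPath, keyLoader, false)
	// Expectation to confirm against readKeyFile: an unrecognised file must not load silently.
	c.Assert(err, NotNil)
	c.Check(keyLoader.KeyData, IsNil)
	c.Check(keyLoader.SealedKeyObject, IsNil)
	c.Check(keyLoader.FDEHookKeyV1, IsNil)
}
```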
