overload/fdestate/backend: implement FDE hook resealing #14305
Conversation
valentindavid
added
Run nested
github-actions
bot
added
the
Run Nested -auto-
valentindavid
force-pushed
the
valentindavid/remodel-fakestore
branch
from
2695fa0
to
9cd28d9
Compare
valentindavid
force-pushed
the
valentindavid/remodel-fakestore
branch
from
9cd28d9
to
d219e4d
Compare
valentindavid
force-pushed
the
valentindavid/remodel-fakestore
branch
2 times, most recently
from
b0bd57d
to
825c315
Compare
valentindavid
force-pushed
the
valentindavid/remodel-fakestore
branch
5 times, most recently
from
185cc1d
to
083087c
Compare
valentindavid
changed the title
tests/lib/fakestore/store/store.go
Outdated
| @@ -394,7 +413,7 @@ func (s *Store) detailsEndpoint(w http.ResponseWriter, req *http.Request) { | |||
| w.Write(out) | |||
| } | |||
|
|
|||
| func (s *Store) collectSnaps() (map[string]string, error) { | |||
| func (s *Store) collectSnaps(cs *ChannelRepository) (map[string]string, error) { | |||
There was a problem hiding this comment.
why is cs passed in when is also on s?
There was a problem hiding this comment.
I didn't see an answer or change related to this question
| summary: verify remodel from UC20 to UC22 | ||
| details: | | ||
| Blah | ||
| Verify remodel from UC20 to UC22. This verifies unencrypted, tpm and | ||
| fde hook modes. |
There was a problem hiding this comment.
shouldn't this mention the fakestore? do we have a not fakestore variant?
tests/lib/fakestore/store/store.go
Outdated
| @@ -394,7 +413,7 @@ func (s *Store) detailsEndpoint(w http.ResponseWriter, req *http.Request) { | |||
| w.Write(out) | |||
| } | |||
|
|
|||
| func (s *Store) collectSnaps() (map[string]string, error) { | |||
| func (s *Store) collectSnaps(cs *ChannelRepository) (map[string]string, error) { | |||
There was a problem hiding this comment.
I didn't see an answer or change related to this question
valentindavid
force-pushed
the
valentindavid/remodel-fakestore
branch
from
efc06fa
to
9b0551f
Compare
tests/lib/fakestore/store/store.go
Outdated
| if a.Channel != "" { | ||
| snapPath, foundSnap = snaps[fmt.Sprintf("%s|%s", name, a.Channel)] | ||
| } | ||
| if !foundSnap { | ||
| snapPath, foundSnap = snaps[name] | ||
| } |
There was a problem hiding this comment.
Maybe a nitpick as this is test code, but do we want to look with the normal name if a channel has been specified? Shouldn't we just return with error/empty result? Unless channel is latest/stable maybe.
There was a problem hiding this comment.
Very good question. I suppose I did it like that because other tests are not setting channels correctly, that are matching the model, or the --channel=... parameter to refresh or install. And I suppose it is rarely "latest/stable" the tests actually look for. But I do not remember. That is probably a task to look at at some point to clean-up the broken tests.
There was a problem hiding this comment.
I will add a comment
There was a problem hiding this comment.
Great, thanks for adding the comment
|
|
||
| mkdir "${tmpd}/early" | ||
| mkdir "${tmpd}/main" | ||
| ( (cd "${tmpd}/early"; cpio -id) ; (cd "${tmpd}/main"; zstdcat | cpio -id) ) <"${tmpd}/initrd" |
There was a problem hiding this comment.
cannot we just use unmkinitramfs?
There was a problem hiding this comment.
I am not a fan of initramfs-tools in general. And also the overcomplicated way unmkinitramfs tries to split the initramfs.
There was a problem hiding this comment.
Ok, but this will fail for older initramfs not using zstd, or newer using maybe something else. So maybe we need to chang in the future.
| if [ "${BUILD_FDE_HOOK-}" = 1 ]; then | ||
| go build -o "${tmpd}/pc-kernel/meta/hooks/fde-setup" /project/tests/lib/fde-setup-hook | ||
| fi |
There was a problem hiding this comment.
isn't this compiling the same as fde-reveal-key? why not just copy around the already compiled binary?
There was a problem hiding this comment.
go has a build cache, right?
There was a problem hiding this comment.
Tbh I was not that concerned about build time but about something changing and then forgetting to change the thing in two places, but not really very important anyway.
There was a problem hiding this comment.
This is very useful, maybe it should go to tests/lib/. As a side point, we do similar things in different places, it would be great to unify at some point. Maybe this script could be the reference for repacking kernels.
There was a problem hiding this comment.
I agree. But I would like to go through tests/lib/nested.sh and rewrite some of the code to use some generic script. And then use the same script here.
| mkdir -p ./extra-initrd/usr/bin/ | ||
| go build -o ./extra-initrd/usr/bin/fde-reveal-key "$TESTSLIB"/fde-setup-hook/fde-setup.go | ||
| mkdir -p ./extra-kernel-snap/meta/hooks | ||
| go build -o ./extra-kernel-snap/meta/hooks/fde-setup "$TESTSLIB"/fde-setup-hook/fde-setup.go |
There was a problem hiding this comment.
Same nitpick about double building the same binary instead of copying
| for f in updates/{core22,pc-22,pc-kernel-22}.{snap,assert} updates/pc-22.{snap,assert} updates/pc-kernel-22.{snap,assert}; do | ||
| remote.push "${f}" | ||
| done |
There was a problem hiding this comment.
Is pushing the snaps needed?
There was a problem hiding this comment.
It is probably the remains some old attempts without changing the fakestore. I will remove that.
boot/seal.go
Outdated
There was a problem hiding this comment.
As far as I can see the main changes in this file are that things that in the past were done only for TPM-backed FDE are done also when using hooks. As in principle we dot not care about boot chains / sealing for hooks, what is the purpose of these changes? Maybe there is some spec that would help me understand this?
There was a problem hiding this comment.
On FDE hooks, we do care about what model is used depending of the key we unseal. This is a boot chain. That is much smaller than TPM, but it is still a boot chain.
There was a problem hiding this comment.
We should probably have some abstractions though here. But it is yet obvious what it should look like. There will be the run mode that will be introduce in the future, that is not here. And maybe it will start to make more sense.
There was a problem hiding this comment.
Maybe we should rename it to "boot context" at some point.
There was a problem hiding this comment.
Thanks for the offline clarification
| type comparableModel struct { | ||
| BrandID string | ||
| SignKeyID string | ||
| Model string | ||
| Classic bool | ||
| Grade asserts.ModelGrade | ||
| Series string | ||
| } |
There was a problem hiding this comment.
do we need this just because there is no Series field in modelForSealing? Maybe worth adding a comment explaining.
There was a problem hiding this comment.
There should be Series in modelForSealing.
The problem here is that it is not useable as an index for a map, because it is not comparable.
secboot/secboot_sb_test.go
Outdated
| return "some-key" | ||
| } | ||
|
|
||
| func (s *secbootSuite) TestResealKeysWithFDESetupHookV1(c *C) { |
There was a problem hiding this comment.
What is v1 in this context? Which other formats for keyslots do we have?
There was a problem hiding this comment.
Actually this is a mistake here. It tests v2. The new format is v3.
We have 2 format of keydata. Keydata are json. v1 is not json. But this does not need resealing.
There was a problem hiding this comment.
Note, the version here is not related to the key slots. But the key format. Which might be stored in the token for the key slot, or stored in a file.
pedronis
force-pushed
the
fde-manager-features
branch
from
fcc5e2e
to
24018ee
Compare
valentindavid
force-pushed
the
valentindavid/remodel-fakestore
branch
4 times, most recently
from
e0ce10a
to
dac3674
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## fde-manager-features #14305 +/- ##
=======================================================
Coverage ? 78.83%
=======================================================
Files ? 1093
Lines ? 147706
Branches ? 0
=======================================================
Hits ? 116449
Misses ? 23992
Partials ? 7265
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
valentindavid
force-pushed
the
valentindavid/remodel-fakestore
branch
5 times, most recently
from
a20dc03
to
73ea788
Compare
valentindavid
force-pushed
the
valentindavid/remodel-fakestore
branch
from
73ea788
to
6ad2708
Compare
valentindavid
force-pushed
the
valentindavid/remodel-fakestore
branch
from
6ad2708
to
0d72241
Compare
|
I have implemented the update of the state as part of #14674 that will go on top of this. |
pedronis
merged commit 58e1ac7
into
canonical:fde-manager-features
This also adds: