daemon: secureboot updates API endpoint #14541
Conversation
github-actions
bot
added
the
Needs Documentation -auto-
daemon/api_system_secureboot.go
Outdated
| } | ||
|
|
||
| switch req.Action { | ||
| case "efi-secureboot-db-update": |
There was a problem hiding this comment.
having action and subaction is a bit unusual, also at least the startup action might be relevant to more types of fw updates than db-updates? can't we fold things into actions:
efi-secureboot-update-startup
efi-secureboot-update-db-prepare
efi-secureboot-update-db-cleanup?
is cleanup perhaps also relevant to other kind of updates?
daemon/api_system_secureboot.go
Outdated
| // TODO should this be only allowed for services with fwupd on slot | ||
| // side? |
There was a problem hiding this comment.
yes, as disussed we care about the slot side here, not the plug
daemon/api_system_secureboot.go
Outdated
| var systemSecurebootCmd = &Command{ | ||
| // TODO GET returning whether secure boot is relevant for the system? | ||
|
|
||
| Path: "/v2/system/secureboot", |
There was a problem hiding this comment.
looking at other end points it seems this might need to be /v2/system-secureboot ?
There was a problem hiding this comment.
I was wondering if there's a use case for exposing other properties of the system, eg disks (or storage), gadget, in which case those could be hosted at /v2/system/disks, and so on. wdyt?
bboozzoo
force-pushed
the
bboozzoo/efi-secureboot-api
branch
from
68afd04
to
70eed3e
Compare
daemon/api_system_secureboot.go
Outdated
| func postSystemSecurebootActionJSON(c *Command, r *http.Request) Response { | ||
| var req struct { | ||
| Action string `json:"action,omitempty"` | ||
| Data *json.RawMessage `json:"data"` |
There was a problem hiding this comment.
I would avoid having this nested "data" level, just define a top level struct with the field we need with a validate method that checks if field that should be set for a given op are or than't shouldn't aren't
bboozzoo
force-pushed
the
bboozzoo/efi-secureboot-api
branch
from
70eed3e
to
1bb4610
Compare
| // Slot when true, the snap must appear on the slot side | ||
| Slot bool | ||
| // Plug when true, the snap must appear on the plug side | ||
| Plug bool |
There was a problem hiding this comment.
do we need to support setting both to true because the logic below and the descriptions here don't match in that case
There was a problem hiding this comment.
If we have the use case for it then I think the we need a more complex structure that holds expectation for optional slot-side and plug-side interfaces for each combo we want to allow.
type interfaceAccessReq struct {
PlugInterface string // If set then snap must have a connected plug for specified interface
SlotInterface string // If set then snap must have a connected slot for specified interface
}Then func requireInterfaceApiAccessImpl(d *Daemon, r *http.Request, ucred *ucrednet, req interfaceAccessReqs) *apiError would be func requireInterfaceApiAccessImpl(d *Daemon, r *http.Request, ucred *ucrednet, reqs []interfaceAccessReq) *apiError
This adds a lot of complexity, If we don't have the use case now then maybe better as a todo.
bboozzoo
force-pushed
the
bboozzoo/efi-secureboot-api
branch
from
1bb4610
to
5ac8233
Compare
overlord/fdestate/fdestate.go
Outdated
|
|
||
| // EFISecureBootDBUpdatePrepare notifies notifies that the local EFI key | ||
| // database manager is about to update the database. | ||
| func EFISecureBootDBUpdatePrepare(st *state.State, db EFISecurebooKeystDB, payload []byte) error { |
There was a problem hiding this comment.
To avoid redoing work on the daemon side, Is there an agreement that those stubbed functions are expected to be there with similar signatures in the actual fdestate package?
There was a problem hiding this comment.
no, we don't have the feature yet, so this is best effort guess of what the API may look like
There was a problem hiding this comment.
then maybe @valentindavid can take a look if the function signatures make sense
| // Slot when true, the snap must appear on the slot side | ||
| Slot bool | ||
| // Plug when true, the snap must appear on the plug side | ||
| Plug bool |
There was a problem hiding this comment.
If we have the use case for it then I think the we need a more complex structure that holds expectation for optional slot-side and plug-side interfaces for each combo we want to allow.
type interfaceAccessReq struct {
PlugInterface string // If set then snap must have a connected plug for specified interface
SlotInterface string // If set then snap must have a connected slot for specified interface
}Then func requireInterfaceApiAccessImpl(d *Daemon, r *http.Request, ucred *ucrednet, req interfaceAccessReqs) *apiError would be func requireInterfaceApiAccessImpl(d *Daemon, r *http.Request, ucred *ucrednet, reqs []interfaceAccessReq) *apiError
This adds a lot of complexity, If we don't have the use case now then maybe better as a todo.
| ) (restore func()) { | ||
| restore = testutil.Backup(&fdestateEFISecureBootDBUpdateCleanup) | ||
| fdestateEFISecureBootDBUpdateCleanup = f | ||
| return restore |
bboozzoo
force-pushed
the
bboozzoo/efi-secureboot-api
branch
from
5ac8233
to
9d631d1
Compare
daemon/api_system_secureboot.go
Outdated
| switch r.DB { | ||
| case "PK", "KEK", "DB", "DBX": | ||
| default: | ||
| return fmt.Errorf("invalid key DB %q", r.DB) |
There was a problem hiding this comment.
maybe error can include supported DBs?
overlord/fdestate/fdestate.go
Outdated
| return errNotImplemented | ||
| } | ||
|
|
||
| type EFISecurebootKeysDB int |
There was a problem hiding this comment.
this could be named EFISecurebootKeysDatabase to avoid confusion with DB which is the name of the allowed signature key hashes database.
daemon/api_system_secureboot.go
Outdated
| // DB is used with efi-secureboot-db-prepare action, and indicates the | ||
| // secureboot keys DB which is a target of the action, possible values are | ||
| // PK, KEK, DB, DBX | ||
| DB string `json:"db,omitempty"` |
There was a problem hiding this comment.
similarly to the other comment in fdestate this could be named:
| DB string `json:"db,omitempty"` | |
| Database string `json:"database,omitempty"` |
There was a problem hiding this comment.
@valentindavid pushed the changes we discussed, please have a look
Stubs Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
… process being root Add a new access checker which verifies that the request is coming from a root user and if the process is a snap, a required interface is connected, with that snap present on the slot side. Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
…ureboot key DBs Add a new endpoint for integration with a local manager of EFI secureboot key databases. Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
bboozzoo
force-pushed
the
bboozzoo/efi-secureboot-api
branch
from
9d631d1
to
c6b94bc
Compare
pedronis
merged commit 0a211fd
into
canonical:fde-manager-features
Add a dedicated integration API endpoint for controlling/notifying of secure boot keys databases updates.
This is a draft PR with no unit tests, with the purpose of validating the API endpoint and the policy around it.
Related: SNAPDENG-32364 SNAPDENG-31856