From 21663fc2b10fdb8ec546bec6d8508e7556c1f9ce Mon Sep 17 00:00:00 2001 From: Valentin David Date: Tue, 1 Oct 2024 13:35:31 +0200 Subject: [PATCH] fixup! overlord/fdestate: keep FDE state up to date --- boot/assets_test.go | 16 ++++++------- boot/boot_test.go | 48 ++++++++++++++++++------------------- boot/export_test.go | 2 +- boot/model_test.go | 24 +++++++++---------- boot/seal.go | 14 ++++------- boot/seal_test.go | 12 +++++----- boot/systems_test.go | 26 ++++++++++---------- overlord/fdestate/fdemgr.go | 8 +++++-- 8 files changed, 74 insertions(+), 76 deletions(-) diff --git a/boot/assets_test.go b/boot/assets_test.go index fe42c46ab8f..f1a96562afb 100644 --- a/boot/assets_test.go +++ b/boot/assets_test.go @@ -53,7 +53,7 @@ var _ = Suite(&assetsSuite{}) func (s *assetsSuite) SetUpTest(c *C) { s.baseBootenvSuite.SetUpTest(c) - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { return nil }) s.AddCleanup(restore) @@ -788,7 +788,7 @@ func (s *assetsSuite) testUpdateObserverUpdateMockedWithReseal(c *C, seedRole st // everything is set up, trigger a reseal resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return nil }) @@ -893,7 +893,7 @@ func (s *assetsSuite) TestUpdateObserverUpdateExistingAssetMocked(c *C) { // everything is set up, trigger reseal resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return nil }) @@ -1649,7 +1649,7 @@ func (s *assetsSuite) TestUpdateObserverCanceledSimpleAfterBackupMocked(c *C) { "shim": []string{shimHash}, }) resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return nil }) @@ -1809,7 +1809,7 @@ func (s *assetsSuite) TestUpdateObserverCanceledNoActionsMocked(c *C) { obs, _ := s.uc20UpdateObserverEncryptedSystemMockedBootloader(c) resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return nil }) @@ -2561,7 +2561,7 @@ func (s *assetsSuite) TestUpdateObserverReseal(c *C) { // everything is set up, trigger a reseal resealCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ c.Assert(params.RunModeBootChains, HasLen, 1) @@ -2713,7 +2713,7 @@ func (s *assetsSuite) TestUpdateObserverCanceledReseal(c *C) { resealCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ c.Assert(params.RunModeBootChains, HasLen, 1) @@ -2846,7 +2846,7 @@ func (s *assetsSuite) TestUpdateObserverUpdateMockedNonEncryption(c *C) { // make sure that no reseal is triggered resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return nil }) diff --git a/boot/boot_test.go b/boot/boot_test.go index cf64c23c9c5..c57585af6e8 100644 --- a/boot/boot_test.go +++ b/boot/boot_test.go @@ -137,7 +137,7 @@ type baseBootenv20Suite struct { func (s *baseBootenv20Suite) SetUpTest(c *C) { s.baseBootenvSuite.SetUpTest(c) - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { return nil }) s.AddCleanup(restore) @@ -1121,7 +1121,7 @@ func (s *bootenv20Suite) TestCoreParticipant20SetNextNewKernelSnapWithReseal(c * defer r() resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ c.Assert(params.RunModeBootChains, HasLen, 2) @@ -1241,7 +1241,7 @@ func (s *bootenv20Suite) TestCoreParticipant20SetNextNewUnassertedKernelSnapWith defer r() resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ c.Assert(params.RunModeBootChains, HasLen, 2) @@ -1362,7 +1362,7 @@ func (s *bootenv20Suite) TestCoreParticipant20SetNextSameKernelSnapNoReseal(c *C defer r() resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return nil }) @@ -1459,7 +1459,7 @@ func (s *bootenv20Suite) TestCoreParticipant20SetNextSameUnassertedKernelSnapNoR defer r() resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return nil }) @@ -2058,7 +2058,7 @@ func (s *bootenv20Suite) TestMarkBootSuccessful20KernelUpdateWithReseal(c *C) { defer r() resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ c.Assert(params.RunModeBootChains, HasLen, 1) @@ -2292,7 +2292,7 @@ func (s *bootenv20Suite) TestMarkBootSuccessful20BootAssetsUpdateHappy(c *C) { c.Assert(coreDev.HasModeenv(), Equals, true) resealCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ c.Assert(params.RunModeBootChains, HasLen, 1) @@ -2453,7 +2453,7 @@ func (s *bootenv20Suite) TestMarkBootSuccessful20BootAssetsStableStateHappy(c *C c.Assert(coreDev.HasModeenv(), Equals, true) resealCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return nil }) @@ -2567,7 +2567,7 @@ func (s *bootenv20Suite) TestMarkBootSuccessful20BootUnassertedKernelAssetsStabl c.Assert(coreDev.HasModeenv(), Equals, true) resealCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return nil }) @@ -3156,7 +3156,7 @@ var _ = Suite(&bootConfigSuite{}) func (s *bootConfigSuite) SetUpTest(c *C) { s.baseBootenvSuite.SetUpTest(c) - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { return nil }) s.AddCleanup(restore) @@ -3193,7 +3193,7 @@ func (s *bootConfigSuite) TestBootConfigUpdateHappyNoKeysNoReseal(c *C) { c.Assert(m.WriteTo(""), IsNil) resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return nil }) @@ -3245,7 +3245,7 @@ func (s *bootConfigSuite) testBootConfigUpdateHappyWithReseal(c *C, cmdlineAppen newCmdline := strutil.JoinNonEmpty([]string{ "snapd_recovery_mode=run mocked candidate panic=-1", cmdlineAppend}, " ") resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ c.Assert(params, NotNil) @@ -3305,7 +3305,7 @@ func (s *bootConfigSuite) testBootConfigUpdateHappyNoChange(c *C, cmdlineAppend c.Assert(m.WriteTo(""), IsNil) resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return nil }) @@ -3470,7 +3470,7 @@ volumes: c.Assert(m.WriteTo(""), IsNil) resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ c.Assert(params, NotNil) @@ -3536,7 +3536,7 @@ volumes: // reseal does not happen, because the gadget overrides the static // command line which is part of boot config, thus there's no resulting // change in the command lines tracked in modeenv and no need to reseal - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return fmt.Errorf("unexpected call") }) @@ -3573,7 +3573,7 @@ var _ = Suite(&bootKernelCommandLineSuite{}) func (s *bootKernelCommandLineSuite) SetUpTest(c *C) { s.baseBootenvSuite.SetUpTest(c) - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { return nil }) s.AddCleanup(restore) @@ -3633,7 +3633,7 @@ func (s *bootKernelCommandLineSuite) SetUpTest(c *C) { s.resealCommandLines = nil s.resealCalls = 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { s.resealCalls++ c.Assert(params, NotNil) c.Assert(params.RunModeBootChains, HasLen, 0) @@ -3909,7 +3909,7 @@ volumes: c.Assert(s.modeenvWithEncryption.WriteTo(""), IsNil) resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return fmt.Errorf("reseal fails") }) @@ -4053,7 +4053,7 @@ func (s *bootKernelCommandLineSuite) TestCommandLineUpdateUC20OverSpuriousReboot s.stampSealedKeys(c, dirs.GlobalRootDir) resealPanic := false - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { s.resealCalls++ c.Logf("reseal call %v", s.resealCalls) c.Assert(params, NotNil) @@ -4636,7 +4636,7 @@ func (s *bootenv20Suite) TestCoreParticipant20UndoKernelSnapInstallNewWithReseal defer r() resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ c.Assert(params.RunModeBootChains, HasLen, 1) @@ -4747,7 +4747,7 @@ func (s *bootenv20Suite) TestCoreParticipant20UndoUnassertedKernelSnapInstallNew defer r() resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ c.Assert(params.RunModeBootChains, HasLen, 1) @@ -4859,7 +4859,7 @@ func (s *bootenv20Suite) TestCoreParticipant20UndoKernelSnapInstallSameNoReseal( defer r() resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return nil }) @@ -4956,7 +4956,7 @@ func (s *bootenv20Suite) TestCoreParticipant20UndoUnassertedKernelSnapInstallSam defer r() resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return nil }) @@ -5092,7 +5092,7 @@ func (s *bootenv20Suite) TestCoreParticipant20UndoBaseSnapInstallNewNoReseal(c * model := coreDev.Model() resealCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ return nil }) diff --git a/boot/export_test.go b/boot/export_test.go index dd18c8ed92f..51e500e5515 100644 --- a/boot/export_test.go +++ b/boot/export_test.go @@ -226,7 +226,7 @@ func EnableTestingRebootFunction() (restore func()) { return func() { testingRebootItself = false } } -func MockResealKeyForBootChains(f func(locked bool, method device.SealingMethod, rootdir string, params *ResealKeyForBootChainsParams, expectReseal bool) error) (restore func()) { +func MockResealKeyForBootChains(f func(unlocker Unlocker, method device.SealingMethod, rootdir string, params *ResealKeyForBootChainsParams, expectReseal bool) error) (restore func()) { old := ResealKeyForBootChains ResealKeyForBootChains = f return func() { diff --git a/boot/model_test.go b/boot/model_test.go index 398d5638c3f..d78c1e8e9b8 100644 --- a/boot/model_test.go +++ b/boot/model_test.go @@ -89,7 +89,7 @@ func makeEncodableModel(signingAccounts *assertstest.SigningAccounts, overrides func (s *modelSuite) SetUpTest(c *C) { s.baseBootenvSuite.SetUpTest(c) - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { return nil }) s.AddCleanup(restore) @@ -204,7 +204,7 @@ func (s *modelSuite) TestDeviceChangeHappy(c *C) { "model: my-model-uc20\n") resealKeysCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealKeysCalls++ m, err := boot.ReadModeenv("") c.Assert(err, IsNil) @@ -242,7 +242,7 @@ func (s *modelSuite) TestDeviceChangeHappy(c *C) { err = boot.DeviceChange(s.oldUc20dev, s.newUc20dev, u.unlocker) c.Assert(err, IsNil) c.Assert(resealKeysCalls, Equals, 2) - c.Check(u.unlocked, Equals, 2) + c.Check(u.unlocked, Equals, 0) c.Check(filepath.Join(boot.InitramfsUbuntuBootDir, "device/model"), testutil.FileContains, "model: my-new-model-uc20\n") @@ -267,7 +267,7 @@ func (s *modelSuite) TestDeviceChangeUnhappyFirstReseal(c *C) { "model: my-model-uc20\n") resealKeysCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealKeysCalls++ m, err := boot.ReadModeenv("") c.Assert(err, IsNil) @@ -318,7 +318,7 @@ func (s *modelSuite) TestDeviceChangeUnhappyFirstSwapModelFile(c *C) { "model: my-model-uc20\n") resealKeysCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealKeysCalls++ m, err := boot.ReadModeenv("") c.Assert(err, IsNil) @@ -371,7 +371,7 @@ func (s *modelSuite) TestDeviceChangeUnhappySecondReseal(c *C) { "model: my-model-uc20\n") resealKeysCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealKeysCalls++ m, err := boot.ReadModeenv("") c.Assert(err, IsNil) @@ -467,7 +467,7 @@ func (s *modelSuite) TestDeviceChangeRebootBeforeNewModel(c *C) { "model: my-model-uc20\n") resealKeysCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealKeysCalls++ c.Logf("reseal key call: %v", resealKeysCalls) m, err := boot.ReadModeenv("") @@ -586,7 +586,7 @@ func (s *modelSuite) TestDeviceChangeRebootAfterNewModelFileWrite(c *C) { "model: my-model-uc20\n") resealKeysCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealKeysCalls++ // timeline & calls: // 1 - pre reboot, run & recovery keys, try model set @@ -706,7 +706,7 @@ func (s *modelSuite) TestDeviceChangeRebootPostSameModel(c *C) { "model: my-model-uc20\n") resealKeysCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealKeysCalls++ c.Logf("reseal key call: %v", resealKeysCalls) m, err := boot.ReadModeenv("") @@ -849,7 +849,7 @@ func (s *modelSuite) testDeviceChangeUnhappyMockedWriteModelToBoot(c *C, tc unha writeModelToBootCalls := 0 resealKeysCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealKeysCalls++ m, err := boot.ReadModeenv("") c.Assert(err, IsNil) @@ -972,7 +972,7 @@ func (s *modelSuite) TestDeviceChangeUnhappyFailReseaWithSwappedModelMockedWrite writeModelToBootCalls := 0 resealKeysCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealKeysCalls++ if resealKeysCalls == 2 { m, err := boot.ReadModeenv("") @@ -1059,7 +1059,7 @@ func (s *modelSuite) TestDeviceChangeRebootRestoreModelKeyChangeMockedWriteModel })) resealKeysCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealKeysCalls++ c.Logf("reseal key call: %v", resealKeysCalls) m, err := boot.ReadModeenv("") diff --git a/boot/seal.go b/boot/seal.go index 2e253374929..c3b68b4b69a 100644 --- a/boot/seal.go +++ b/boot/seal.go @@ -251,13 +251,7 @@ func resealKeyToModeenvImpl(rootdir string, modeenv *Modeenv, expectReseal bool, return err } - locked := true - if unlocker != nil { - // unlock/relock global state - defer unlocker()() - locked = false - } - return resealKeyToModeenvForMethod(locked, method, rootdir, modeenv, expectReseal) + return resealKeyToModeenvForMethod(unlocker, method, rootdir, modeenv, expectReseal) } type ResealKeyForBootChainsParams struct { @@ -272,7 +266,7 @@ type ResealKeyForBootChainsParams struct { RoleToBlName map[bootloader.Role]string } -func resealKeyToModeenvForMethod(locked bool, method device.SealingMethod, rootdir string, modeenv *Modeenv, expectReseal bool) error { +func resealKeyToModeenvForMethod(unlocker Unlocker, method device.SealingMethod, rootdir string, modeenv *Modeenv, expectReseal bool) error { // this is just optimization. If the backend does not need it, we should not calculate it. requiresBootChains := true switch method { @@ -350,10 +344,10 @@ func resealKeyToModeenvForMethod(locked bool, method device.SealingMethod, rootd } } - return ResealKeyForBootChains(locked, method, rootdir, params, expectReseal) + return ResealKeyForBootChains(unlocker, method, rootdir, params, expectReseal) } -func resealKeyForBootChainsImpl(locked bool, method device.SealingMethod, rootdir string, params *ResealKeyForBootChainsParams, expectReseal bool) error { +func resealKeyForBootChainsImpl(unlocker Unlocker, method device.SealingMethod, rootdir string, params *ResealKeyForBootChainsParams, expectReseal bool) error { return fmt.Errorf("FDE manager was not started") } diff --git a/boot/seal_test.go b/boot/seal_test.go index 67fe0e84f79..3e6761a8d6e 100644 --- a/boot/seal_test.go +++ b/boot/seal_test.go @@ -560,7 +560,7 @@ func (s *sealSuite) TestResealKeyToModeenvWithSystemFallback(c *C) { // set mock key resealing resealKeysCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdirArg string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdirArg string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealKeysCalls++ c.Check(method, Equals, device.SealingMethodTPM) @@ -654,7 +654,7 @@ func (s *sealSuite) TestResealKeyToModeenvRecoveryKeysForGoodSystemsOnly(c *C) { // set mock key resealing resealKeysCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdirArg string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdirArg string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealKeysCalls++ c.Check(method, Equals, device.SealingMethodTPM) @@ -869,7 +869,7 @@ func (s *sealSuite) TestResealKeyToModeenvFallbackCmdline(c *C) { // set mock key resealing resealKeysCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdirArg string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdirArg string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { c.Check(rootdirArg, Equals, rootdir) c.Check(method, Equals, device.SealingMethodTPM) c.Check(expectReseal, Equals, false) @@ -1713,7 +1713,7 @@ func (s *sealSuite) TestResealKeyToModeenvWithFdeHookCalled(c *C) { defer dirs.SetRootDir("") mockResealKeyForBootChainsCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdirArg string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdirArg string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { c.Check(rootdirArg, Equals, rootdir) c.Check(method, Equals, device.SealingMethodFDESetupHook) c.Check(expectReseal, Equals, false) @@ -1759,7 +1759,7 @@ func (s *sealSuite) TestResealKeyToModeenvWithFdeHookVerySad(c *C) { defer dirs.SetRootDir("") mockResealKeyForBootChainsCalls := 0 - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdirArg string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdirArg string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { c.Check(rootdirArg, Equals, rootdir) c.Check(method, Equals, device.SealingMethodFDESetupHook) c.Check(expectReseal, Equals, false) @@ -1871,7 +1871,7 @@ func (s *sealSuite) testResealKeyToModeenvWithTryModel(c *C, shimId, grubId stri // set mock key resealing resealKeysCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdirArg string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdirArg string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { c.Check(rootdirArg, Equals, rootdir) c.Check(method, Equals, device.SealingMethodTPM) c.Check(expectReseal, Equals, false) diff --git a/boot/systems_test.go b/boot/systems_test.go index b10d53cdc07..53fc8ad5b93 100644 --- a/boot/systems_test.go +++ b/boot/systems_test.go @@ -83,7 +83,7 @@ func (s *systemsSuite) mockTrustedBootloaderWithAssetAndChains(c *C, runKernelBf func (s *systemsSuite) SetUpTest(c *C) { s.baseBootenvSuite.SetUpTest(c) - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { return nil }) s.AddCleanup(restore) @@ -145,7 +145,7 @@ func (s *systemsSuite) TestSetTryRecoverySystemEncrypted(c *C) { defer restore() resealCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ // bootloader variables have already been modified c.Check(mtbl.SetBootVarsCalls, Equals, 1) @@ -270,7 +270,7 @@ func (s *systemsSuite) TestSetTryRecoverySystemRemodelEncrypted(c *C) { defer restore() resealCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ // bootloader variables have already been modified c.Check(mtbl.SetBootVarsCalls, Equals, 1) @@ -375,7 +375,7 @@ func (s *systemsSuite) TestSetTryRecoverySystemSimple(c *C) { } c.Assert(modeenv.WriteTo(""), IsNil) - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { return fmt.Errorf("unexpected call") }) s.AddCleanup(restore) @@ -416,7 +416,7 @@ func (s *systemsSuite) TestSetTryRecoverySystemSetBootVarsErr(c *C) { } c.Assert(modeenv.WriteTo(""), IsNil) - restore := boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore := boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { return fmt.Errorf("unexpected call") }) s.AddCleanup(restore) @@ -527,7 +527,7 @@ func (s *systemsSuite) TestSetTryRecoverySystemCleanupOnErrorBeforeReseal(c *C) defer restore() resealCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ if cleanupTriggered { return nil @@ -636,7 +636,7 @@ func (s *systemsSuite) TestSetTryRecoverySystemCleanupOnErrorAfterReseal(c *C) { defer restore() resealCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ switch resealCalls { case 1: @@ -737,7 +737,7 @@ func (s *systemsSuite) TestSetTryRecoverySystemCleanupError(c *C) { defer restore() resealCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ switch resealCalls { case 1: @@ -784,7 +784,7 @@ func (s *systemsSuite) testInspectRecoverySystemOutcomeHappy(c *C, mtbl *bootloa }) defer restore() - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { return fmt.Errorf("unexpected call") }) defer restore() @@ -980,7 +980,7 @@ func (s *systemsSuite) testClearRecoverySystem(c *C, mtbl *bootloadertest.MockTr defer restore() resealCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ switch resealCalls { case 1: @@ -1235,7 +1235,7 @@ func (s *systemsSuite) TestClearRecoverySystemReboot(c *C) { defer restore() resealCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ switch resealCalls { case 1: @@ -1365,7 +1365,7 @@ func (s *systemsSuite) testPromoteTriedRecoverySystem(c *C, systemLabel string, defer restore() resealCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ switch resealCalls { case 1: @@ -1629,7 +1629,7 @@ func (s *systemsSuite) testDropRecoverySystem(c *C, systemLabel string, tc recov defer restore() resealCalls := 0 - restore = boot.MockResealKeyForBootChains(func(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { + restore = boot.MockResealKeyForBootChains(func(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { resealCalls++ switch resealCalls { case 1: diff --git a/overlord/fdestate/fdemgr.go b/overlord/fdestate/fdemgr.go index aeefc4cb226..deab52ecbe2 100644 --- a/overlord/fdestate/fdemgr.go +++ b/overlord/fdestate/fdemgr.go @@ -60,14 +60,18 @@ func (m *FDEManager) StartUp() error { return initializeState(m.state) } -func (m *FDEManager) resealKeyForBootChains(locked bool, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { +func (m *FDEManager) resealKeyForBootChains(unlocker boot.Unlocker, method device.SealingMethod, rootdir string, params *boot.ResealKeyForBootChainsParams, expectReseal bool) error { doUpdate := func(role string, containerRole string, bootModes []string, models []secboot.ModelForSealing, tpmPCRProfile []byte) error { - if !locked { + if unlocker != nil { m.state.Lock() defer m.state.Unlock() } return updateParameters(m.state, role, containerRole, bootModes, models, tpmPCRProfile) } + if unlocker != nil { + locker := unlocker() + defer locker() + } return backend.ResealKeyForBootChains(doUpdate, method, rootdir, params, expectReseal) }