Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

secboot,fdestate: use boot mode for FDE hooks #15049

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

secboot,fdestate: use boot mode for FDE hooks #15049

wants to merge 2 commits into from

Conversation

valentindavid
Copy link
Contributor

@valentindavid valentindavid commented Feb 7, 2025
edited
Loading

2 commits:

  • secboot,overlord/fdestate: seal with boot mode for FDE hooks

Set the authorized boot modes for FDE hook keys. For now the run+recover key allows "run" and "recover", while the recover key allows "recover" and "factory-reset".

  • overlord/fdestate/backend: split profiles for data and save partitions

There should be 3 different keys for FDE hooks. The run+recover key should be allowed for boot modes "run" and "recover". While recover key on data disk should be allowed on "recover". And finally recovery on save disk should be allowed in "recover" and "factory-reset". Here we split the profiles for "recover" for disks "data" and "save", so that we can set different authorized boot modes.

@valentindavid valentindavid added the Run nested The PR also runs tests inluded in nested suite label Feb 7, 2025
@valentindavid valentindavid reopened this Feb 7, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 7, 2025
edited
Loading

Mon Feb 17 16:49:57 UTC 2025
The following results are from: https://github.com/canonical/snapd/actions/runs/13285611711

Failures:

Preparing:

  • openstack:debian-sid-64:tests/main/layout-change
  • openstack:debian-sid-64:tests/main/change-errors
  • google-nested:ubuntu-24.04-64:tests/nested/manual/hybrid-remodel
  • openstack:opensuse-tumbleweed-64
  • openstack:opensuse-tumbleweed-64
  • openstack:opensuse-tumbleweed-64
  • openstack:opensuse-tumbleweed-64
  • openstack:opensuse-tumbleweed-64
  • openstack:opensuse-tumbleweed-64

Executing:

  • google-distro-1:amazon-linux-2023-64:tests/main/snap-confine-undesired-mode-group
  • openstack:debian-sid-64:tests/unit/go:gcc
  • openstack:debian-sid-64:tests/unit/go:clang
  • openstack:debian-sid-64:tests/main/progress
  • openstack:debian-12-64:tests/main/auto-refresh:regular
  • openstack:fedora-40-64:tests/main/degraded
  • google-nested:ubuntu-22.04-64:tests/nested/core/core20-fault-inject-on-refresh:snapd_reboot_link_snap
  • google-nested:ubuntu-22.04-64:tests/nested/manual/muinstaller-real:plain
  • google-nested:ubuntu-22.04-64:tests/nested/manual/recovery-system-reboot:recover
  • google-nested:ubuntu-22.04-64:tests/nested/manual/muinstaller
  • google-nested:ubuntu-22.04-64:tests/nested/manual/muinstaller-real:seeded
  • google-nested:ubuntu-22.04-64:tests/nested/manual/muinstaller-real:partial
  • google-nested:ubuntu-22.04-64:tests/nested/manual/muinstaller-real:encrypted
  • google-nested:ubuntu-22.04-64:tests/nested/manual/update-snapd-seed-and-factory-reset:tpm
  • google-nested:ubuntu-24.04-64:tests/nested/core/core20-fault-inject-on-refresh:kernel_reboot_refresh_gadget_assets
  • google-nested:ubuntu-24.04-64:tests/nested/core/core20-fault-inject-on-refresh:kernel_reboot_link_snap
  • google-nested:ubuntu-24.04-64:tests/nested/manual/muinstaller-real:partial
  • google-nested:ubuntu-24.04-64:tests/nested/manual/muinstaller-real:seeded
  • google-nested:ubuntu-24.04-64:tests/nested/manual/muinstaller-real:encrypted
  • google-nested:ubuntu-24.04-64:tests/nested/manual/muinstaller-core:install_optional_snap
  • google-nested:ubuntu-24.04-64:tests/nested/manual/muinstaller-real:plain
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-serial-port
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups:kmsg
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups:uinput
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-helper
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-required-or-optional
  • google:ubuntu-25.04-64:tests/main/cgroup-devices-v2
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-strict-enforced
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-self-manage

Restoring:

  • openstack:debian-sid-64:tests/unit/
  • openstack:debian-sid-64:tests/unit/
  • openstack:debian-12-64:tests/unit/
  • openstack:debian-12-64:tests/unit/
  • openstack:debian-12-64:tests/main/services-snapctl
  • openstack:debian-12-64:tests/main/parallel-install-snap-icons
  • openstack:debian-12-64:tests/main/
  • openstack:debian-12-64
  • openstack:debian-12-64:tests/main/
  • openstack:debian-12-64
  • openstack:debian-sid-64:tests/main/layout-change
  • openstack:debian-sid-64:tests/main/
  • openstack:debian-sid-64
  • openstack:debian-sid-64:tests/main/change-errors
  • openstack:debian-sid-64:tests/main/
  • openstack:debian-sid-64
  • openstack:opensuse-tumbleweed-64
  • openstack:opensuse-tumbleweed-64
  • openstack:opensuse-tumbleweed-64
  • openstack:opensuse-tumbleweed-64
  • openstack:opensuse-tumbleweed-64
  • openstack:opensuse-tumbleweed-64
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-strict-enforced

@valentindavid valentindavid force-pushed the valentindavid/fde-boot-modes branch from 084f35b to 49b1aa8 Compare February 7, 2025 16:08
@codecov Codecov
Copy link

codecov bot commented Feb 7, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 77.02703% with 17 lines in your changes missing coverage. Please review.

Please upload report for BASE (master@65e98f1). Learn more about missing BASE report.
Report is 208 commits behind head on master.

Files with missing lines Patch % Lines
overlord/fdestate/backend/reseal.go 82.53% 5 Missing and 6 partials ⚠️
secboot/secboot_hooks.go 28.57% 4 Missing and 1 partial ⚠️
secboot/secboot_dummy.go 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff            @@
##             master   #15049   +/-   ##
=========================================
  Coverage          ?   78.08%           
=========================================
  Files             ?     1179           
  Lines             ?   157485           
  Branches          ?        0           
=========================================
  Hits              ?   122970           
  Misses            ?    26880           
  Partials          ?     7635
Flag Coverage Δ
unittests 78.08% <77.02%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@valentindavid valentindavid force-pushed the valentindavid/fde-boot-modes branch 2 times, most recently from e804c4e to 12e6592 Compare February 10, 2025 14:59
@valentindavid valentindavid marked this pull request as ready for review February 11, 2025 10:03
@ernestl ernestl added this to the 2.68 milestone Feb 11, 2025
@valentindavid valentindavid force-pushed the valentindavid/fde-boot-modes branch 3 times, most recently from b08f0b7 to 33ba6bf Compare February 11, 2025 10:46
@valentindavid valentindavid changed the title secboot,fdestate,snap-bootstrap: use boot mode for FDE hooks secboot,fdestate: use boot mode for FDE hooks Feb 11, 2025
pedronis
pedronis previously approved these changes Feb 11, 2025
View reviewed changes
Copy link
Collaborator

@pedronis pedronis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this looks reasonable to me

@pedronis pedronis dismissed their stale review February 11, 2025 12:58

didn't want to vote here yet

@pedronis pedronis self-requested a review February 11, 2025 13:00
@valentindavid valentindavid removed this from the 2.68 milestone Feb 11, 2025
@valentindavid
Copy link
Contributor Author

I removed the 2.68 milestone, we do not strictly need it, just #15057

@valentindavid valentindavid force-pushed the valentindavid/fde-boot-modes branch 3 times, most recently from 7a1855b to 331f02c Compare February 12, 2025 12:40
@valentindavid
secboot,overlord/fdestate: seal with boot mode for FDE hooks
685a615 
Set the authorized boot modes for FDE hook keys. For now
the run+recover key allows "run" and "recover", while
the recover key allows "recover" and "factory-reset".
@valentindavid
overlord/fdestate/backend: split profiles for data and save partitions
6cff916 
There should be 3 different keys for FDE hooks. The run+recover key
should be allowed for boot modes "run" and "recover". While recover
key on data disk should be allowed on "recover". And finally recovery
on save disk should be allowed in "recover" and "factory-reset". Here
we split the profiles for "recover" for disks "data" and "save", so
that we can set different authorized boot modes.
@valentindavid valentindavid force-pushed the valentindavid/fde-boot-modes branch from 331f02c to 6cff916 Compare February 12, 2025 12:41
@pedronis pedronis added this to the 2.68.1 milestone Feb 13, 2025
pedronis
pedronis reviewed Feb 17, 2025
View reviewed changes
Copy link
Collaborator

@pedronis pedronis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

did a first pass. Do we need an explicit test about the transition for what we are storing currently in the state and what we will store after?

secboot/secboot.go
@@ -87,6 +87,8 @@ type SealKeyRequest struct {
// The file to store the key data. If empty, the key data will
// be saved to the token.
KeyFile string
// The boot modes allow (i.e. snapd_recovery_mode kernel parameter)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo: "allowed" or "to allow"

overlord/fdestate/backend/reseal_test.go
@@ -1793,7 +1793,7 @@ func (s *resealTestSuite) TestHooksResealHappy(c *C) {
}

resealCalls := 0
restore := fdeBackend.MockSecbootResealKeysWithFDESetupHook(func(keys []secboot.KeyDataLocation, primaryKeyFile string, models []secboot.ModelForSealing) error {
restore := fdeBackend.MockSecbootResealKeysWithFDESetupHook(func(keys []secboot.KeyDataLocation, primaryKeyFile string, models []secboot.ModelForSealing, bootModes []string) error {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need to check what gets passed in?

overlord/fdestate/backend/reseal.go
func doReseal(manager FDEStateManager, method device.SealingMethod, rootdir string) error {
runParams, err := manager.Get("run+recover", "all")
runParamsData, err := manager.Get("run+recover", "system-data")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this will fallback with to containerRole all anyway on the transition?

secboot/secboot.go
@@ -186,6 +186,11 @@ type ResealKeysParams struct {
TPMPolicyAuthKeyFile string
}

type ResealKeysParamsForHooks struct {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this need a doc comment? can you explain why it is not used here but only defined?

@pedronis
Copy link
Collaborator

@valentindavid also do we need somehow to clean up the entries for containerRole "all"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pedronis pedronis pedronis left review comments

@bboozzoo bboozzoo Awaiting requested review from bboozzoo

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
Run nested The PR also runs tests inluded in nested suite
Projects
None yet
Milestone
2.68.1
Development

Successfully merging this pull request may close these issues.
3 participants
@valentindavid @pedronis @ernestl