cmd, secboot: add argon2 out-of-process kdf support

cmd/snap-bootstrap/main.go

@@ -26,6 +26,7 @@
 	"github.com/jessevdk/go-flags"
 
 	"github.com/snapcore/snapd/logger"
+	"github.com/snapcore/snapd/secboot"
 )
 
 var (
@@ -40,6 +41,8 @@
 )
 
 func main() {
+	secboot.HijackAndRunArgon2OutOfProcessHandlerOnArg([]string{"argon2-proc"})
+
 	err := run(os.Args[1:])
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "error: %s\n", err)

cmd/snapd/main.go

@@ -32,6 +32,7 @@
 	"github.com/snapcore/snapd/logger"
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/sandbox"
+	"github.com/snapcore/snapd/secboot"
 	"github.com/snapcore/snapd/snapdenv"
 	"github.com/snapcore/snapd/snapdtool"
 	"github.com/snapcore/snapd/syscheck"
@@ -57,6 +58,8 @@
 		snapdtool.ExecInSnapdOrCoreSnap()
 	}
 
+	secboot.HijackAndRunArgon2OutOfProcessHandlerOnArg([]string{"argon2-proc"})
+
 	if err := snapdtool.MaybeSetupFIPS(); err != nil {
 		fmt.Fprintf(os.Stderr, "cannot check or enable FIPS mode: %v", err)
 		os.Exit(1)

secboot/argon2_out_of_process.go

@@ -0,0 +1,36 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2025 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package secboot
+
+import "os"
+
+func isOutOfProcessArgon2KDFMode(args []string) bool {
+	if len(os.Args) != len(args)+1 {
+		return false
+	}
+
+	for i := 0; i < len(args); i++ {
+		if os.Args[i+1] != args[i] {
+			return false
+		}
+	}
+
+	return true
+}

secboot/argon2_out_of_process_dummy.go

@@ -0,0 +1,27 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+//go:build nosecboot
+
+/*
+ * Copyright (C) 2025 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package secboot
+
+func HijackAndRunArgon2OutOfProcessHandlerOnArg(args []string) {
+	if isOutOfProcessArgon2KDFMode(args) {
+		panic("internal error: unexpected call to execute as argon2 runner in non-secboot binary")
+	}
+}

secboot/argon2_out_of_process_sb.go

@@ -0,0 +1,92 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+//go:build !nosecboot
+
+/*
+ * Copyright (C) 2025 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package secboot
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"time"
+
+	sb "github.com/snapcore/secboot"
+
+	"github.com/snapcore/snapd/logger"
+)
+
+var (
+	osExit     = os.Exit
+	osReadlink = os.Readlink
+
+	sbWaitForAndRunArgon2OutOfProcessRequest = sb.WaitForAndRunArgon2OutOfProcessRequest
+	sbNewOutOfProcessArgon2KDF               = sb.NewOutOfProcessArgon2KDF
+	sbSetArgon2KDF                           = sb.SetArgon2KDF
+)
+
+const (
+	outOfProcessArgon2KDFTimeout = 100 * time.Millisecond
+)
+
+// HijackAndRunArgon2OutOfProcessHandlerOnArg is supposed to be called from the
+// main() of binaries involved with sealing/unsealing of keys (i.e. snapd and
+// snap-bootstrap).
+//
+// This switches the binary to a special argon2 mode when the matching args are
+// detected where it hijacks the process and acts as an argon2 out-of-process
+// helper command and exits when its work is done, otherwise (in normal mode)
+// it sets the default argon2 kdf implementation to be self-invoking into the
+// special argon2 mode of the calling binary.
+//
+// For more context, check docs for sb.WaitForAndRunArgon2OutOfProcessRequest
+// and sb.NewOutOfProcessArgon2KDF for details on how the flow works
+// in secboot.
+func HijackAndRunArgon2OutOfProcessHandlerOnArg(args []string) {
+	if !isOutOfProcessArgon2KDFMode(args) {
+		// Binary was invoked in normal mode, let's setup default argon2 kdf implementation
+		// to point to this binary when invoked using special args.
+		exe, err := osReadlink("/proc/self/exe")
+		if err != nil {
+			logger.Noticef("internal error: failed to read symlink of /proc/self/exe: %v", err)
+			return
+		}
+
+		handlerCmd := func() (*exec.Cmd, error) {
+			cmd := exec.Command(exe, args...)
+			return cmd, nil
+		}
+		argon2KDF := sbNewOutOfProcessArgon2KDF(handlerCmd, outOfProcessArgon2KDFTimeout, nil)
+		sbSetArgon2KDF(argon2KDF)
+
+		return
+	}
+
+	logger.Noticef("running argon2 out-of-process helper")
+	// Ignore the lock release callback and use implicit release on process termination.
+	_, err := sbWaitForAndRunArgon2OutOfProcessRequest(os.Stdin, os.Stdout, sb.NoArgon2OutOfProcessWatchdogHandler())
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "cannot run argon2 out-of-process request: %v", err)
+		osExit(1)
+	}
+
+	// Argon2 request was processed successfully
+	osExit(0)
+
+	panic("internal error: not reachable")
+}

secboot/argon2_out_of_process_sb_test.go

@@ -0,0 +1,180 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+//go:build !nosecboot
+
+/*
+ * Copyright (C) 2025 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package secboot_test
+
+import (
+	"errors"
+	"io"
+	"os/exec"
+	"time"
+
+	sb "github.com/snapcore/secboot"
+	. "gopkg.in/check.v1"
+
+	"github.com/snapcore/snapd/secboot"
+)
+
+type argon2Suite struct {
+}
+
+var _ = Suite(&argon2Suite{})
+
+func (*argon2Suite) TestHijackAndRunArgon2OutOfProcessHandlerOnArgArgon2Mode(c *C) {
+	runArgon2Called := 0
+	restore := secboot.MockSbWaitForAndRunArgon2OutOfProcessRequest(func(_ io.Reader, _ io.WriteCloser, _ sb.Argon2OutOfProcessWatchdogHandler) (lockRelease func(), err error) {
+		runArgon2Called++
+		return nil, nil
+	})
+	defer restore()
+
+	setArgon2Called := 0
+	restore = secboot.MockSbSetArgon2KDF(func(kdf sb.Argon2KDF) sb.Argon2KDF {
+		setArgon2Called++
+		return nil
+	})
+	defer restore()
+
+	exitCalled := 0
+	restore = secboot.MockOsExit(func(code int) {
+		exitCalled++
+		c.Assert(code, Equals, 0)
+		panic("os.Exit(0)")
+	})
+	defer restore()
+
+	restore = secboot.MockOsArgs([]string{"/path/to/cmd", "--test-special-argon2-mode"})
+	defer restore()
+
+	// Since we override os.Exit(0), we expect to panic (injected above)
+	f := func() { secboot.HijackAndRunArgon2OutOfProcessHandlerOnArg([]string{"--test-special-argon2-mode"}) }
+	c.Assert(f, Panics, "os.Exit(0)")
+
+	c.Check(setArgon2Called, Equals, 0)
+	c.Check(runArgon2Called, Equals, 1)
+	c.Check(exitCalled, Equals, 1)
+}
+
+func (*argon2Suite) TestHijackAndRunArgon2OutOfProcessHandlerOnArgArgon2ModeError(c *C) {
+	runArgon2Called := 0
+	restore := secboot.MockSbWaitForAndRunArgon2OutOfProcessRequest(func(_ io.Reader, _ io.WriteCloser, _ sb.Argon2OutOfProcessWatchdogHandler) (lockRelease func(), err error) {
+		runArgon2Called++
+		return nil, errors.New("boom!")
+	})
+	defer restore()
+
+	setArgon2Called := 0
+	restore = secboot.MockSbSetArgon2KDF(func(kdf sb.Argon2KDF) sb.Argon2KDF {
+		setArgon2Called++
+		return nil
+	})
+	defer restore()
+
+	exitCalled := 0
+	restore = secboot.MockOsExit(func(code int) {
+		exitCalled++
+		c.Assert(code, Equals, 1)
+		panic("os.Exit(1)")
+	})
+	defer restore()
+
+	restore = secboot.MockOsArgs([]string{"/path/to/cmd", "--test-special-argon2-mode"})
+	defer restore()
+
+	f := func() { secboot.HijackAndRunArgon2OutOfProcessHandlerOnArg([]string{"--test-special-argon2-mode"}) }
+	c.Assert(f, Panics, "os.Exit(1)")
+
+	c.Check(setArgon2Called, Equals, 0)
+	c.Check(runArgon2Called, Equals, 1)
+	c.Check(exitCalled, Equals, 1)
+}
+
+type mockArgon2KDF struct{}
+
+func (*mockArgon2KDF) Derive(passphrase string, salt []byte, mode sb.Argon2Mode, params *sb.Argon2CostParams, keyLen uint32) ([]byte, error) {
+	return nil, nil
+}
+
+func (*mockArgon2KDF) Time(mode sb.Argon2Mode, params *sb.Argon2CostParams) (time.Duration, error) {
+	return 0, nil
+}
+
+func (*argon2Suite) TestHijackAndRunArgon2OutOfProcessHandlerOnArgNormalMode(c *C) {
+	runArgon2Called := 0
+	restore := secboot.MockSbWaitForAndRunArgon2OutOfProcessRequest(func(_ io.Reader, _ io.WriteCloser, _ sb.Argon2OutOfProcessWatchdogHandler) (lockRelease func(), err error) {
+		runArgon2Called++
+		return nil, nil
+	})
+	defer restore()
+
+	exitCalled := 0
+	restore = secboot.MockOsExit(func(code int) {
+		exitCalled++
+		c.Assert(code, Equals, 0)
+		panic("injected panic")
+	})
+	defer restore()
+
+	restore = secboot.MockOsReadlink(func(name string) (string, error) {
+		c.Assert(name, Equals, "/proc/self/exe")
+		return "/path/to/cmd", nil
+	})
+	defer restore()
+
+	argon2KDF := &mockArgon2KDF{}
+
+	restore = secboot.MockSbNewOutOfProcessArgon2KDF(func(newHandlerCmd func() (*exec.Cmd, error), timeout time.Duration, watchdog sb.Argon2OutOfProcessWatchdogMonitor) sb.Argon2KDF {
+		c.Check(timeout, Equals, 100*time.Millisecond)
+		c.Check(watchdog, IsNil)
+
+		cmd, err := newHandlerCmd()
+		c.Assert(err, IsNil)
+		c.Check(cmd.Path, Equals, "/path/to/cmd")
+		c.Check(cmd.Args, DeepEquals, []string{"/path/to/cmd", "--test-special-argon2-mode"})
+
+		return argon2KDF
+	})
+	defer restore()
+
+	setArgon2Called := 0
+	restore = secboot.MockSbSetArgon2KDF(func(kdf sb.Argon2KDF) sb.Argon2KDF {
+		setArgon2Called++
+		// Check pointer points to mock implementation
+		c.Assert(kdf, Equals, argon2KDF)
+		return nil
+	})
+	defer restore()
+
+	for _, args := range [][]string{
+		{},
+		{"/path/to/cmd"},
+		{"/path/to/cmd", "not-run-argon2"},
+		{"/path/to/cmd", "not-run-argon2", "--argon2-proc"},
+	} {
+		restore := secboot.MockOsArgs(args)
+		defer restore()
+		// This should exit early before running the argon2 helper and calling os.Exit (and no injected panic)
+		secboot.HijackAndRunArgon2OutOfProcessHandlerOnArg([]string{"--test-special-argon2-mode"})
+	}
+
+	c.Check(setArgon2Called, Equals, 4)
+	c.Check(runArgon2Called, Equals, 0)
+	c.Check(exitCalled, Equals, 0)
+}