diff --git a/go.mod b/go.mod index e3710760588..f063c63d632 100644 --- a/go.mod +++ b/go.mod @@ -3,9 +3,10 @@ module github.com/snapcore/snapd go 1.13 require ( + github.com/canonical/go-efilib v0.0.0-20210909101908-41435fa545d4 // indirect github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 // indirect - github.com/canonical/go-tpm2 v0.0.0-20210314160024-32171bd353b1 - github.com/canonical/tcglog-parser v0.0.0-20200908165021-12a3a7bcf5a1 // indirect + github.com/canonical/go-tpm2 v0.0.0-20210827151749-f80ff5afff61 + github.com/canonical/tcglog-parser v0.0.0-20210824131805-69fa1e9f0ad2 // indirect github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7 github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 github.com/gorilla/mux v1.7.4-0.20190701202633-d83b6ffe499a @@ -17,8 +18,7 @@ require ( github.com/mvo5/libseccomp-golang v0.9.1-0.20180308152521-f4de83b52afb github.com/snapcore/bolt v1.3.2-0.20210908134111-63c8bfcf7af8 github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785 - github.com/snapcore/secboot v0.0.0-20210805184555-c9f2139ee92b - go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 // indirect + github.com/snapcore/secboot v0.0.0-20211018143212-802bb19ca263 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 diff --git a/go.sum b/go.sum index 80162bf0279..19c48ef26d4 100644 --- a/go.sum +++ b/go.sum @@ -1,9 +1,13 @@ +github.com/canonical/go-efilib v0.0.0-20210909101908-41435fa545d4 h1:rSWREoNHHbcIC1iQeKKraBlsDm7cmKg8eS+N48jMVKA= +github.com/canonical/go-efilib v0.0.0-20210909101908-41435fa545d4/go.mod h1:9Sr9kd7IhQPYqaU5nut8Ky97/CtlhHDzQncQnrULgDM= +github.com/canonical/go-sp800.108-kdf v0.0.0-20210314145419-a3359f2d21b9 h1:USzKjrfWo/ESzozv2i3OMM7XDgxrZRvaHFrKkIKRtwU= +github.com/canonical/go-sp800.108-kdf v0.0.0-20210314145419-a3359f2d21b9/go.mod h1:Zrs3YjJr+w51u0R/dyLh/oWt/EcBVdLPCVFYC4daW5s= github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 h1:oe6fCvaEpkhyW3qAicT0TnGtyht/UrgvOwMcEgLb7Aw= github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3/go.mod h1:qdP0gaj0QtgX2RUZhnlVrceJ+Qln8aSlDyJwelLLFeM= -github.com/canonical/go-tpm2 v0.0.0-20210314160024-32171bd353b1 h1:FGWb/opVaD42utMEAkDgO9QqXiTlwESSr7VAirVtW/Q= -github.com/canonical/go-tpm2 v0.0.0-20210314160024-32171bd353b1/go.mod h1:j23KcThy5uN+suQ1HiKSpQxuR54apc2EF2P8C/FHSuE= -github.com/canonical/tcglog-parser v0.0.0-20200908165021-12a3a7bcf5a1 h1:8uxbbF6v0M9G9sadgaGYnmTlhYXN6vDTahXnKsEdz00= -github.com/canonical/tcglog-parser v0.0.0-20200908165021-12a3a7bcf5a1/go.mod h1:QoW2apR2tBl6T/4czdND/EHjL1Ia9cCmQnIj9Xe0Kt8= +github.com/canonical/go-tpm2 v0.0.0-20210827151749-f80ff5afff61 h1:DsyeCtFXqOdukmhPOunohjSlyxDHTqWSW1O4rD9N3L8= +github.com/canonical/go-tpm2 v0.0.0-20210827151749-f80ff5afff61/go.mod h1:vG41hdbBjV4+/fkubTT1ENBBqSkLwLr7mCeW9Y6kpZY= +github.com/canonical/tcglog-parser v0.0.0-20210824131805-69fa1e9f0ad2 h1:CbwVq64ruNLx/S3XA0LO6QMsw6Vc2inK+RcS6D2c4Ns= +github.com/canonical/tcglog-parser v0.0.0-20210824131805-69fa1e9f0ad2/go.mod h1:QoW2apR2tBl6T/4czdND/EHjL1Ia9cCmQnIj9Xe0Kt8= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7 h1:u9SHYsPQNyt5tgDm3YN7+9dYrpK96E5wFilTFWIDZOM= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/frankban/quicktest v1.2.2 h1:xfmOhhoH5fGPgbEAlhLpJH9p0z/0Qizio9osmvn9IUY= @@ -38,8 +42,10 @@ github.com/snapcore/bolt v1.3.2-0.20210908134111-63c8bfcf7af8 h1:WmyDfH38e3MaMWr github.com/snapcore/bolt v1.3.2-0.20210908134111-63c8bfcf7af8/go.mod h1:Z6z3sf12AMDjT/4tbT/PmzzdACAxkWGhkuKWiVpTWLM= github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785 h1:PaunR+BhraKSLxt2awQ42zofkP+NKh/VjQ0PjIMk/y4= github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785/go.mod h1:D3SsWAXK7wCCBZu+Vk5hc1EuKj/L3XN1puEMXTU4LrQ= -github.com/snapcore/secboot v0.0.0-20210805184555-c9f2139ee92b h1:r8G3o2em2zKDyMDdHthy+FARm9qEiyGtIsJIkGVBMYo= -github.com/snapcore/secboot v0.0.0-20210805184555-c9f2139ee92b/go.mod h1:72paVOkm4sJugXt+v9ItmnjXgO921D8xqsbH2OekouY= +github.com/snapcore/secboot v0.0.0-20210909111405-e3a397e2da90 h1:XCbqRVVmFztGHPWN+wdPcRahQY7moJBRd/g/zMXLJmA= +github.com/snapcore/secboot v0.0.0-20210909111405-e3a397e2da90/go.mod h1:72paVOkm4sJugXt+v9ItmnjXgO921D8xqsbH2OekouY= +github.com/snapcore/secboot v0.0.0-20211018143212-802bb19ca263 h1:cq2rG4JcNBCwHvo7iNdJL4nb8Ns7L/aOUd1EFs2toFs= +github.com/snapcore/secboot v0.0.0-20211018143212-802bb19ca263/go.mod h1:72paVOkm4sJugXt+v9ItmnjXgO921D8xqsbH2OekouY= github.com/snapcore/snapd v0.0.0-20201005140838-501d14ac146e/go.mod h1:3xrn7QDDKymcE5VO2rgWEQ5ZAUGb9htfwlXnoel6Io8= go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 h1:A/5uWzF44DlIgdm/PQFwfMkW0JX+cIcQi/SwLAmZP5M= go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= @@ -52,6 +58,7 @@ golang.org/x/net v0.0.0-20201002202402-0a1ea396d57c/go.mod h1:iQL9McJNjoIa5mjH6n golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365 h1:6wSTsvPddg9gc/mVEEyk9oOAoxn+bT4Z9q1zx+4RwA4= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= @@ -60,7 +67,6 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/macaroon.v1 v1.0.0-20150121114231-ab3940c6c165 h1:85xqOSyTpSzplW7fyO9bOZpSsemJc9UKzEQR2L4k32k= diff --git a/secboot/export_sb_test.go b/secboot/export_sb_test.go index 1f7cdc51cff..1d8d8c005af 100644 --- a/secboot/export_sb_test.go +++ b/secboot/export_sb_test.go @@ -24,6 +24,8 @@ import ( "io" sb "github.com/snapcore/secboot" + sb_efi "github.com/snapcore/secboot/efi" + sb_tpm2 "github.com/snapcore/secboot/tpm2" ) var ( @@ -31,7 +33,7 @@ var ( LockTPMSealedKeys = lockTPMSealedKeys ) -func MockSbConnectToDefaultTPM(f func() (*sb.TPMConnection, error)) (restore func()) { +func MockSbConnectToDefaultTPM(f func() (*sb_tpm2.Connection, error)) (restore func()) { old := sbConnectToDefaultTPM sbConnectToDefaultTPM = f return func() { @@ -39,7 +41,7 @@ func MockSbConnectToDefaultTPM(f func() (*sb.TPMConnection, error)) (restore fun } } -func MockProvisionTPM(f func(tpm *sb.TPMConnection, mode sb.ProvisionMode, newLockoutAuth []byte) error) (restore func()) { +func MockProvisionTPM(f func(tpm *sb_tpm2.Connection, mode sb_tpm2.ProvisionMode, newLockoutAuth []byte) error) (restore func()) { old := provisionTPM provisionTPM = f return func() { @@ -47,31 +49,31 @@ func MockProvisionTPM(f func(tpm *sb.TPMConnection, mode sb.ProvisionMode, newLo } } -func MockSbAddEFISecureBootPolicyProfile(f func(profile *sb.PCRProtectionProfile, params *sb.EFISecureBootPolicyProfileParams) error) (restore func()) { - old := sbAddEFISecureBootPolicyProfile - sbAddEFISecureBootPolicyProfile = f +func MockSbEfiAddSecureBootPolicyProfile(f func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.SecureBootPolicyProfileParams) error) (restore func()) { + old := sbefiAddSecureBootPolicyProfile + sbefiAddSecureBootPolicyProfile = f return func() { - sbAddEFISecureBootPolicyProfile = old + sbefiAddSecureBootPolicyProfile = old } } -func MockSbAddEFIBootManagerProfile(f func(profile *sb.PCRProtectionProfile, params *sb.EFIBootManagerProfileParams) error) (restore func()) { - old := sbAddEFIBootManagerProfile - sbAddEFIBootManagerProfile = f +func MockSbEfiAddBootManagerProfile(f func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.BootManagerProfileParams) error) (restore func()) { + old := sbefiAddBootManagerProfile + sbefiAddBootManagerProfile = f return func() { - sbAddEFIBootManagerProfile = old + sbefiAddBootManagerProfile = old } } -func MockSbAddSystemdEFIStubProfile(f func(profile *sb.PCRProtectionProfile, params *sb.SystemdEFIStubProfileParams) error) (restore func()) { - old := sbAddSystemdEFIStubProfile - sbAddSystemdEFIStubProfile = f +func MockSbEfiAddSystemdStubProfile(f func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.SystemdStubProfileParams) error) (restore func()) { + old := sbefiAddSystemdStubProfile + sbefiAddSystemdStubProfile = f return func() { - sbAddSystemdEFIStubProfile = old + sbefiAddSystemdStubProfile = old } } -func MockSbAddSnapModelProfile(f func(profile *sb.PCRProtectionProfile, params *sb.SnapModelProfileParams) error) (restore func()) { +func MockSbAddSnapModelProfile(f func(profile *sb_tpm2.PCRProtectionProfile, params *sb_tpm2.SnapModelProfileParams) error) (restore func()) { old := sbAddSnapModelProfile sbAddSnapModelProfile = f return func() { @@ -79,7 +81,7 @@ func MockSbAddSnapModelProfile(f func(profile *sb.PCRProtectionProfile, params * } } -func MockSbSealKeyToTPMMultiple(f func(tpm *sb.TPMConnection, keys []*sb.SealKeyRequest, params *sb.KeyCreationParams) (sb.TPMPolicyAuthKey, error)) (restore func()) { +func MockSbSealKeyToTPMMultiple(f func(tpm *sb_tpm2.Connection, keys []*sb_tpm2.SealKeyRequest, params *sb_tpm2.KeyCreationParams) (sb_tpm2.PolicyAuthKey, error)) (restore func()) { old := sbSealKeyToTPMMultiple sbSealKeyToTPMMultiple = f return func() { @@ -87,7 +89,7 @@ func MockSbSealKeyToTPMMultiple(f func(tpm *sb.TPMConnection, keys []*sb.SealKey } } -func MockSbUpdateKeyPCRProtectionPolicyMultiple(f func(tpm *sb.TPMConnection, keyPaths []string, authKey sb.TPMPolicyAuthKey, pcrProfile *sb.PCRProtectionProfile) error) (restore func()) { +func MockSbUpdateKeyPCRProtectionPolicyMultiple(f func(tpm *sb_tpm2.Connection, keys []*sb_tpm2.SealedKeyObject, authKey sb_tpm2.PolicyAuthKey, pcrProfile *sb_tpm2.PCRProtectionProfile) error) (restore func()) { old := sbUpdateKeyPCRProtectionPolicyMultiple sbUpdateKeyPCRProtectionPolicyMultiple = f return func() { @@ -95,7 +97,15 @@ func MockSbUpdateKeyPCRProtectionPolicyMultiple(f func(tpm *sb.TPMConnection, ke } } -func MockSbBlockPCRProtectionPolicies(f func(tpm *sb.TPMConnection, pcrs []int) error) (restore func()) { +func MockSbSealedKeyObjectRevokeOldPCRProtectionPolicies(f func(sko *sb_tpm2.SealedKeyObject, tpm *sb_tpm2.Connection, authKey sb_tpm2.PolicyAuthKey) error) (restore func()) { + old := sbSealedKeyObjectRevokeOldPCRProtectionPolicies + sbSealedKeyObjectRevokeOldPCRProtectionPolicies = f + return func() { + sbSealedKeyObjectRevokeOldPCRProtectionPolicies = old + } +} + +func MockSbBlockPCRProtectionPolicies(f func(tpm *sb_tpm2.Connection, pcrs []int) error) (restore func()) { old := sbBlockPCRProtectionPolicies sbBlockPCRProtectionPolicies = f return func() { @@ -112,15 +122,6 @@ func MockSbActivateVolumeWithRecoveryKey(f func(volumeName, sourceDevicePath str } } -func MockSbActivateVolumeWithTPMSealedKey(f func(tpm *sb.TPMConnection, volumeName, sourceDevicePath, keyPath string, - pinReader io.Reader, options *sb.ActivateVolumeOptions) (bool, error)) (restore func()) { - old := sbActivateVolumeWithTPMSealedKey - sbActivateVolumeWithTPMSealedKey = f - return func() { - sbActivateVolumeWithTPMSealedKey = old - } -} - func MockSbActivateVolumeWithKey(f func(volumeName, sourceDevicePath string, key []byte, options *sb.ActivateVolumeOptions) error) (restore func()) { old := sbActivateVolumeWithKey @@ -138,7 +139,7 @@ func MockSbActivateVolumeWithKeyData(f func(volumeName, sourceDevicePath string, } } -func MockSbMeasureSnapSystemEpochToTPM(f func(tpm *sb.TPMConnection, pcrIndex int) error) (restore func()) { +func MockSbMeasureSnapSystemEpochToTPM(f func(tpm *sb_tpm2.Connection, pcrIndex int) error) (restore func()) { old := sbMeasureSnapSystemEpochToTPM sbMeasureSnapSystemEpochToTPM = f return func() { @@ -146,7 +147,7 @@ func MockSbMeasureSnapSystemEpochToTPM(f func(tpm *sb.TPMConnection, pcrIndex in } } -func MockSbMeasureSnapModelToTPM(f func(tpm *sb.TPMConnection, pcrIndex int, model sb.SnapModel) error) (restore func()) { +func MockSbMeasureSnapModelToTPM(f func(tpm *sb_tpm2.Connection, pcrIndex int, model sb.SnapModel) error) (restore func()) { old := sbMeasureSnapModelToTPM sbMeasureSnapModelToTPM = f return func() { @@ -179,7 +180,7 @@ func MockSbAddRecoveryKeyToLUKS2Container(f func(devicePath string, key []byte, } } -func MockIsTPMEnabled(f func(tpm *sb.TPMConnection) bool) (restore func()) { +func MockIsTPMEnabled(f func(tpm *sb_tpm2.Connection) bool) (restore func()) { old := isTPMEnabled isTPMEnabled = f return func() { @@ -202,3 +203,11 @@ func MockSbDeactivateVolume(f func(volumeName string) error) (restore func()) { sbDeactivateVolume = old } } + +func MockSbReadSealedKeyObjectFromFile(f func(string) (*sb_tpm2.SealedKeyObject, error)) (restore func()) { + old := sbReadSealedKeyObjectFromFile + sbReadSealedKeyObjectFromFile = f + return func() { + sbReadSealedKeyObjectFromFile = old + } +} diff --git a/secboot/secboot_sb_test.go b/secboot/secboot_sb_test.go index 9df8dda31a5..20ed8d9dca7 100644 --- a/secboot/secboot_sb_test.go +++ b/secboot/secboot_sb_test.go @@ -33,7 +33,10 @@ import ( "path/filepath" "github.com/canonical/go-tpm2" + "github.com/canonical/go-tpm2/linux" sb "github.com/snapcore/secboot" + sb_efi "github.com/snapcore/secboot/efi" + sb_tpm2 "github.com/snapcore/secboot/tpm2" . "gopkg.in/check.v1" "github.com/snapcore/snapd/asserts" @@ -94,14 +97,14 @@ func (s *secbootSuite) TestCheckTPMKeySealingSupported(c *C) { // TPM was detected but it's not enabled {tpmErr: nil, tpmEnabled: false, sbData: sbEnabled, err: "TPM device is not enabled"}, // No TPM device - {tpmErr: sb.ErrNoTPM2Device, sbData: sbEnabled, err: "cannot connect to TPM device: no TPM2 device is available"}, + {tpmErr: sb_tpm2.ErrNoTPM2Device, sbData: sbEnabled, err: "cannot connect to TPM device: no TPM2 device is available"}, } { c.Logf("%d: %v %v %v %q", i, tc.tpmErr, tc.tpmEnabled, tc.sbData, tc.err) _, restore := mockSbTPMConnection(c, tc.tpmErr) defer restore() - restore = secboot.MockIsTPMEnabled(func(tpm *sb.TPMConnection) bool { + restore = secboot.MockIsTPMEnabled(func(tpm *sb_tpm2.Connection) bool { return tc.tpmEnabled }) defer restore() @@ -144,19 +147,19 @@ func (s *secbootSuite) TestMeasureSnapSystemEpochWhenPossible(c *C) { }, { // TPM device does not exist - tpmErr: sb.ErrNoTPM2Device, + tpmErr: sb_tpm2.ErrNoTPM2Device, }, } { mockTpm, restore := mockSbTPMConnection(c, tc.tpmErr) defer restore() - restore = secboot.MockIsTPMEnabled(func(tpm *sb.TPMConnection) bool { + restore = secboot.MockIsTPMEnabled(func(tpm *sb_tpm2.Connection) bool { return tc.tpmEnabled }) defer restore() calls := 0 - restore = secboot.MockSbMeasureSnapSystemEpochToTPM(func(tpm *sb.TPMConnection, pcrIndex int) error { + restore = secboot.MockSbMeasureSnapSystemEpochToTPM(func(tpm *sb_tpm2.Connection, pcrIndex int) error { calls++ c.Assert(tpm, Equals, mockTpm) c.Assert(pcrIndex, Equals, 12) @@ -202,7 +205,7 @@ func (s *secbootSuite) TestMeasureSnapModelWhenPossible(c *C) { }, { // TPM device does not exist - tpmErr: sb.ErrNoTPM2Device, + tpmErr: sb_tpm2.ErrNoTPM2Device, }, } { c.Logf("%d: tpmErr:%v tpmEnabled:%v", i, tc.tpmErr, tc.tpmEnabled) @@ -211,13 +214,13 @@ func (s *secbootSuite) TestMeasureSnapModelWhenPossible(c *C) { mockTpm, restore := mockSbTPMConnection(c, tc.tpmErr) defer restore() - restore = secboot.MockIsTPMEnabled(func(tpm *sb.TPMConnection) bool { + restore = secboot.MockIsTPMEnabled(func(tpm *sb_tpm2.Connection) bool { return tc.tpmEnabled }) defer restore() calls := 0 - restore = secboot.MockSbMeasureSnapModelToTPM(func(tpm *sb.TPMConnection, pcrIndex int, model sb.SnapModel) error { + restore = secboot.MockSbMeasureSnapModelToTPM(func(tpm *sb_tpm2.Connection, pcrIndex int, model sb.SnapModel) error { calls++ c.Assert(tpm, Equals, mockTpm) c.Assert(model, Equals, mockModel) @@ -257,7 +260,7 @@ func (s *secbootSuite) TestLockTPMSealedKeys(c *C) { }, // no TPM2 device, shouldn't return an error { - tpmErr: sb.ErrNoTPM2Device, + tpmErr: sb_tpm2.ErrNoTPM2Device, }, // tpm is not enabled but we can lock it { @@ -281,13 +284,13 @@ func (s *secbootSuite) TestLockTPMSealedKeys(c *C) { mockSbTPM, restoreConnect := mockSbTPMConnection(c, tc.tpmErr) defer restoreConnect() - restore := secboot.MockIsTPMEnabled(func(tpm *sb.TPMConnection) bool { + restore := secboot.MockIsTPMEnabled(func(tpm *sb_tpm2.Connection) bool { return tc.tpmEnabled }) defer restore() sbBlockPCRProtectionPolicesCalls := 0 - restore = secboot.MockSbBlockPCRProtectionPolicies(func(tpm *sb.TPMConnection, pcrs []int) error { + restore = secboot.MockSbBlockPCRProtectionPolicies(func(tpm *sb_tpm2.Connection, pcrs []int) error { sbBlockPCRProtectionPolicesCalls++ c.Assert(tpm, Equals, mockSbTPM) c.Assert(pcrs, DeepEquals, []int{12}) @@ -337,13 +340,12 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { for idx, tc := range []struct { tpmErr error - keyfile string // the keyfile to be used to unseal - tpmEnabled bool // TPM storage and endorsement hierarchies disabled, only relevant if TPM available - hasEncdev bool // an encrypted device exists - rkAllow bool // allow recovery key activation - rkErr error // recovery key unlock error, only relevant if TPM not available - activated bool // the activation operation succeeded - activateErr error // the activation error + tpmEnabled bool // TPM storage and endorsement hierarchies disabled, only relevant if TPM available + hasEncdev bool // an encrypted device exists + rkAllow bool // allow recovery key activation + rkErr error // recovery key unlock error, only relevant if TPM not available + activated bool // the activation operation succeeded + activateErr error // the activation error err string skipDiskEnsureCheck bool // whether to check to ensure the mock disk contains the device label expUnlockMethod secboot.UnlockMethod @@ -355,14 +357,6 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { activated: true, disk: mockDiskWithEncDev, expUnlockMethod: secboot.UnlockedWithSealedKey, - }, { - // happy case with tpm and encrypted device - // with an alternative keyfile - tpmEnabled: true, hasEncdev: true, - activated: true, - disk: mockDiskWithEncDev, - keyfile: "some-other-keyfile", - expUnlockMethod: secboot.UnlockedWithSealedKey, }, { // device activation fails tpmEnabled: true, hasEncdev: true, @@ -381,24 +375,9 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { // happy case with tpm and encrypted device, activation // with recovery key tpmEnabled: true, hasEncdev: true, activated: true, - activateErr: &sb.ActivateWithTPMSealedKeyError{ - // activation error with nil recovery key error - // implies volume activated successfully using - // the recovery key, - RecoveryKeyUsageErr: nil, - }, + activateErr: sb.ErrRecoveryKeyUsed, disk: mockDiskWithEncDev, expUnlockMethod: secboot.UnlockedWithRecoveryKey, - }, { - // tpm and encrypted device, successful activation, but - // recovery key non-nil is an unexpected state - tpmEnabled: true, hasEncdev: true, activated: true, - activateErr: &sb.ActivateWithTPMSealedKeyError{ - RecoveryKeyUsageErr: fmt.Errorf("unexpected"), - }, - expUnlockMethod: secboot.UnlockStatusUnknown, - err: `internal error: volume activated with unexpected error: .* \(unexpected\)`, - disk: mockDiskWithEncDev, }, { // tpm error, no encrypted device tpmErr: errors.New("tpm error"), @@ -425,25 +404,25 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { err: `cannot unlock encrypted device ".*/enc-dev-partuuid": cannot unlock with recovery key`, }, { // no tpm, has encrypted device, unlocked using the recovery key - tpmErr: sb.ErrNoTPM2Device, hasEncdev: true, + tpmErr: sb_tpm2.ErrNoTPM2Device, hasEncdev: true, rkAllow: true, disk: mockDiskWithEncDev, expUnlockMethod: secboot.UnlockedWithRecoveryKey, }, { // no tpm, has encrypted device, unlocking with recovery key not allowed - tpmErr: sb.ErrNoTPM2Device, hasEncdev: true, + tpmErr: sb_tpm2.ErrNoTPM2Device, hasEncdev: true, disk: mockDiskWithEncDev, err: `cannot activate encrypted device ".*/enc-dev-partuuid": activation error`, }, { // no tpm, has encrypted device, recovery key unlocking fails rkErr: errors.New("cannot unlock with recovery key"), - tpmErr: sb.ErrNoTPM2Device, hasEncdev: true, + tpmErr: sb_tpm2.ErrNoTPM2Device, hasEncdev: true, rkAllow: true, disk: mockDiskWithEncDev, err: `cannot unlock encrypted device ".*/enc-dev-partuuid": cannot unlock with recovery key`, }, { // no tpm, no encrypted device - tpmErr: sb.ErrNoTPM2Device, + tpmErr: sb_tpm2.ErrNoTPM2Device, disk: mockDiskWithUnencDev, }, { // no disks at all @@ -465,7 +444,7 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { _, restoreConnect := mockSbTPMConnection(c, tc.tpmErr) defer restoreConnect() - restore = secboot.MockIsTPMEnabled(func(tpm *sb.TPMConnection) bool { + restore = secboot.MockIsTPMEnabled(func(tpm *sb_tpm2.Connection) bool { return tc.tpmEnabled }) defer restore() @@ -482,16 +461,19 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { } devicePath := filepath.Join("/dev/disk/by-partuuid", partuuid) - expKeyPath := tc.keyfile - if expKeyPath == "" { - expKeyPath = "vanilla-keyfile" - } + keyPath := filepath.Join("test-data", "keyfile") + kd, err := sb_tpm2.NewKeyDataFromSealedKeyObjectFile(keyPath) + c.Assert(err, IsNil) + expectedID, err := kd.UniqueID() + c.Assert(err, IsNil) - restore = secboot.MockSbActivateVolumeWithTPMSealedKey(func(tpm *sb.TPMConnection, volumeName, sourceDevicePath, - keyPath string, pinReader io.Reader, options *sb.ActivateVolumeOptions) (bool, error) { + restore = secboot.MockSbActivateVolumeWithKeyData(func(volumeName, sourceDevicePath string, keyData *sb.KeyData, options *sb.ActivateVolumeOptions) (sb.SnapModelChecker, error) { c.Assert(volumeName, Equals, "name-"+randomUUID) c.Assert(sourceDevicePath, Equals, devicePath) - c.Assert(keyPath, Equals, expKeyPath) + c.Assert(keyData, NotNil) + uID, err := keyData.UniqueID() + c.Assert(err, IsNil) + c.Check(uID, DeepEquals, expectedID) if tc.rkAllow { c.Assert(*options, DeepEquals, sb.ActivateVolumeOptions{ PassphraseTries: 1, @@ -507,9 +489,9 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { }) } if !tc.activated && tc.activateErr == nil { - return false, errors.New("activation error") + return nil, errors.New("activation error") } - return tc.activated, tc.activateErr + return nil, tc.activateErr }) defer restore() @@ -526,7 +508,7 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { opts := &secboot.UnlockVolumeUsingSealedKeyOptions{ AllowRecoveryKey: tc.rkAllow, } - unlockRes, err := secboot.UnlockVolumeUsingSealedKeyIfEncrypted(tc.disk, defaultDevice, expKeyPath, opts) + unlockRes, err := secboot.UnlockVolumeUsingSealedKeyIfEncrypted(tc.disk, defaultDevice, keyPath, opts) if tc.err == "" { c.Assert(err, IsNil) c.Assert(unlockRes.IsEncrypted, Equals, tc.hasEncdev) @@ -570,13 +552,13 @@ func (s *secbootSuite) TestEFIImageFromBootFile(c *C) { for _, tc := range []struct { bootFile bootloader.BootFile - efiImage sb.EFIImage + efiImage sb_efi.Image err string }{ { // happy case for EFI image bootFile: bootloader.NewBootFile("", existingFile, bootloader.RoleRecovery), - efiImage: sb.FileEFIImage(existingFile), + efiImage: sb_efi.FileImage(existingFile), }, { // missing EFI image @@ -586,7 +568,7 @@ func (s *secbootSuite) TestEFIImageFromBootFile(c *C) { { // happy case for snap file bootFile: bootloader.NewBootFile(snapFile, "rel", bootloader.RoleRecovery), - efiImage: sb.SnapFileEFIImage{Container: snapf, FileName: "rel"}, + efiImage: sb_efi.SnapFileImage{Container: snapf, FileName: "rel"}, }, { // invalid snap file @@ -723,14 +705,14 @@ func (s *secbootSuite) TestSealKey(c *C) { // events for // a -> kernel - sequences1 := []*sb.EFIImageLoadEvent{ + sequences1 := []*sb_efi.ImageLoadEvent{ { - Source: sb.Firmware, - Image: sb.FileEFIImage(mockBF[0].Path), - Next: []*sb.EFIImageLoadEvent{ + Source: sb_efi.Firmware, + Image: sb_efi.FileImage(mockBF[0].Path), + Next: []*sb_efi.ImageLoadEvent{ { - Source: sb.Shim, - Image: sb.SnapFileEFIImage{ + Source: sb_efi.Shim, + Image: sb_efi.SnapFileImage{ Container: kernelSnap, FileName: "kernel.efi", }, @@ -742,14 +724,14 @@ func (s *secbootSuite) TestSealKey(c *C) { // "cdk" events for // c -> kernel OR // d -> kernel - cdk := []*sb.EFIImageLoadEvent{ + cdk := []*sb_efi.ImageLoadEvent{ { - Source: sb.Shim, - Image: sb.FileEFIImage(mockBF[2].Path), - Next: []*sb.EFIImageLoadEvent{ + Source: sb_efi.Shim, + Image: sb_efi.FileImage(mockBF[2].Path), + Next: []*sb_efi.ImageLoadEvent{ { - Source: sb.Shim, - Image: sb.SnapFileEFIImage{ + Source: sb_efi.Shim, + Image: sb_efi.SnapFileImage{ Container: kernelSnap, FileName: "kernel.efi", }, @@ -757,12 +739,12 @@ func (s *secbootSuite) TestSealKey(c *C) { }, }, { - Source: sb.Shim, - Image: sb.FileEFIImage(mockBF[3].Path), - Next: []*sb.EFIImageLoadEvent{ + Source: sb_efi.Shim, + Image: sb_efi.FileImage(mockBF[3].Path), + Next: []*sb_efi.ImageLoadEvent{ { - Source: sb.Shim, - Image: sb.SnapFileEFIImage{ + Source: sb_efi.Shim, + Image: sb_efi.SnapFileImage{ Container: kernelSnap, FileName: "kernel.efi", }, @@ -774,15 +756,15 @@ func (s *secbootSuite) TestSealKey(c *C) { // events for // a -> "cdk" // b -> "cdk" - sequences2 := []*sb.EFIImageLoadEvent{ + sequences2 := []*sb_efi.ImageLoadEvent{ { - Source: sb.Firmware, - Image: sb.FileEFIImage(mockBF[0].Path), + Source: sb_efi.Firmware, + Image: sb_efi.FileImage(mockBF[0].Path), Next: cdk, }, { - Source: sb.Firmware, - Image: sb.FileEFIImage(mockBF[1].Path), + Source: sb_efi.Firmware, + Image: sb_efi.FileImage(mockBF[1].Path), Next: cdk, }, } @@ -791,9 +773,9 @@ func (s *secbootSuite) TestSealKey(c *C) { defer restore() // mock adding EFI secure boot policy profile - var pcrProfile *sb.PCRProtectionProfile + var pcrProfile *sb_tpm2.PCRProtectionProfile addEFISbPolicyCalls := 0 - restore = secboot.MockSbAddEFISecureBootPolicyProfile(func(profile *sb.PCRProtectionProfile, params *sb.EFISecureBootPolicyProfileParams) error { + restore = secboot.MockSbEfiAddSecureBootPolicyProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.SecureBootPolicyProfileParams) error { addEFISbPolicyCalls++ pcrProfile = profile c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -803,7 +785,7 @@ func (s *secbootSuite) TestSealKey(c *C) { case 2: c.Assert(params.LoadSequences, DeepEquals, sequences2) default: - c.Error("AddEFISecureBootPolicyProfile shouldn't be called a third time") + c.Error("AddSecureBootPolicyProfile shouldn't be called a third time") } return tc.addEFISbPolicyErr }) @@ -811,7 +793,7 @@ func (s *secbootSuite) TestSealKey(c *C) { // mock adding EFI boot manager profile addEFIBootManagerCalls := 0 - restore = secboot.MockSbAddEFIBootManagerProfile(func(profile *sb.PCRProtectionProfile, params *sb.EFIBootManagerProfileParams) error { + restore = secboot.MockSbEfiAddBootManagerProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.BootManagerProfileParams) error { addEFIBootManagerCalls++ c.Assert(profile, Equals, pcrProfile) c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -821,7 +803,7 @@ func (s *secbootSuite) TestSealKey(c *C) { case 2: c.Assert(params.LoadSequences, DeepEquals, sequences2) default: - c.Error("AddEFIBootManagerProfile shouldn't be called a third time") + c.Error("AddBootManagerProfile shouldn't be called a third time") } return tc.addEFIBootManagerErr }) @@ -829,7 +811,7 @@ func (s *secbootSuite) TestSealKey(c *C) { // mock adding systemd EFI stub profile addSystemdEfiStubCalls := 0 - restore = secboot.MockSbAddSystemdEFIStubProfile(func(profile *sb.PCRProtectionProfile, params *sb.SystemdEFIStubProfileParams) error { + restore = secboot.MockSbEfiAddSystemdStubProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.SystemdStubProfileParams) error { addSystemdEfiStubCalls++ c.Assert(profile, Equals, pcrProfile) c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -840,7 +822,7 @@ func (s *secbootSuite) TestSealKey(c *C) { case 2: c.Assert(params.KernelCmdlines, DeepEquals, myParams.ModelParams[1].KernelCmdlines) default: - c.Error("AddSystemdEFIStubProfile shouldn't be called a third time") + c.Error("AddSystemdStubProfile shouldn't be called a third time") } return tc.addSystemdEFIStubErr }) @@ -848,7 +830,7 @@ func (s *secbootSuite) TestSealKey(c *C) { // mock adding snap model profile addSnapModelCalls := 0 - restore = secboot.MockSbAddSnapModelProfile(func(profile *sb.PCRProtectionProfile, params *sb.SnapModelProfileParams) error { + restore = secboot.MockSbAddSnapModelProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_tpm2.SnapModelProfileParams) error { addSnapModelCalls++ c.Assert(profile, Equals, pcrProfile) c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -867,10 +849,10 @@ func (s *secbootSuite) TestSealKey(c *C) { // mock provisioning provisioningCalls := 0 - restore = secboot.MockProvisionTPM(func(t *sb.TPMConnection, mode sb.ProvisionMode, newLockoutAuth []byte) error { + restore = secboot.MockProvisionTPM(func(t *sb_tpm2.Connection, mode sb_tpm2.ProvisionMode, newLockoutAuth []byte) error { provisioningCalls++ c.Assert(t, Equals, tpm) - c.Assert(mode, Equals, sb.ProvisionModeFull) + c.Assert(mode, Equals, sb_tpm2.ProvisionModeFull) c.Assert(myParams.TPMLockoutAuthFile, testutil.FilePresent) return tc.provisioningErr }) @@ -878,18 +860,18 @@ func (s *secbootSuite) TestSealKey(c *C) { // mock sealing sealCalls := 0 - restore = secboot.MockSbSealKeyToTPMMultiple(func(t *sb.TPMConnection, kr []*sb.SealKeyRequest, params *sb.KeyCreationParams) (sb.TPMPolicyAuthKey, error) { + restore = secboot.MockSbSealKeyToTPMMultiple(func(t *sb_tpm2.Connection, kr []*sb_tpm2.SealKeyRequest, params *sb_tpm2.KeyCreationParams) (sb_tpm2.PolicyAuthKey, error) { sealCalls++ c.Assert(t, Equals, tpm) - c.Assert(kr, DeepEquals, []*sb.SealKeyRequest{{Key: myKey, Path: "keyfile"}, {Key: myKey2, Path: "keyfile2"}}) + c.Assert(kr, DeepEquals, []*sb_tpm2.SealKeyRequest{{Key: myKey, Path: "keyfile"}, {Key: myKey2, Path: "keyfile2"}}) c.Assert(params.AuthKey, Equals, myAuthKey) c.Assert(params.PCRPolicyCounterHandle, Equals, tpm2.Handle(42)) - return sb.TPMPolicyAuthKey{}, tc.sealErr + return sb_tpm2.PolicyAuthKey{}, tc.sealErr }) defer restore() // mock TPM enabled check - restore = secboot.MockIsTPMEnabled(func(t *sb.TPMConnection) bool { + restore = secboot.MockIsTPMEnabled(func(t *sb_tpm2.Connection) bool { return tc.tpmEnabled }) defer restore() @@ -914,18 +896,25 @@ func (s *secbootSuite) TestResealKey(c *C) { mockErr := errors.New("some error") for _, tc := range []struct { - tpmErr error - tpmEnabled bool - missingFile bool - addEFISbPolicyErr error - addEFIBootManagerErr error - addSystemdEFIStubErr error - addSnapModelErr error - provisioningErr error - resealErr error - resealCalls int - expectedErr string + tpmErr error + tpmEnabled bool + missingFile bool + addEFISbPolicyErr error + addEFIBootManagerErr error + addSystemdEFIStubErr error + addSnapModelErr error + readSealedKeyObjectErr error + provisioningErr error + resealErr error + resealCalls int + revokeErr error + revokeCalls int + expectedErr string }{ + // happy case + {tpmEnabled: true, resealCalls: 1, revokeCalls: 1, expectedErr: ""}, + + // unhappy cases {tpmErr: mockErr, expectedErr: "cannot connect to TPM: some error"}, {tpmEnabled: false, expectedErr: "TPM device is not enabled"}, {tpmEnabled: true, missingFile: true, expectedErr: "cannot build EFI image load sequences: file .*/file.efi does not exist"}, @@ -933,8 +922,9 @@ func (s *secbootSuite) TestResealKey(c *C) { {tpmEnabled: true, addEFIBootManagerErr: mockErr, expectedErr: "cannot add EFI boot manager profile: some error"}, {tpmEnabled: true, addSystemdEFIStubErr: mockErr, expectedErr: "cannot add systemd EFI stub profile: some error"}, {tpmEnabled: true, addSnapModelErr: mockErr, expectedErr: "cannot add snap model profile: some error"}, + {tpmEnabled: true, readSealedKeyObjectErr: mockErr, expectedErr: "some error"}, {tpmEnabled: true, resealErr: mockErr, resealCalls: 1, expectedErr: "some error"}, - {tpmEnabled: true, resealCalls: 1, expectedErr: ""}, + {tpmEnabled: true, revokeErr: errors.New("revoke error"), resealCalls: 1, revokeCalls: 1, expectedErr: "revoke error"}, } { mockTPMPolicyAuthKey := []byte{1, 3, 3, 7} mockTPMPolicyAuthKeyFile := filepath.Join(c.MkDir(), "policy-auth-key-file") @@ -947,6 +937,9 @@ func (s *secbootSuite) TestResealKey(c *C) { c.Assert(err, IsNil) } + tmpdir := c.MkDir() + keyFile := filepath.Join(tmpdir, "keyfile") + keyFile2 := filepath.Join(tmpdir, "keyfile2") myParams := &secboot.ResealKeysParams{ ModelParams: []*secboot.SealKeyModelParams{ { @@ -955,14 +948,28 @@ func (s *secbootSuite) TestResealKey(c *C) { Model: &asserts.Model{}, }, }, - KeyFiles: []string{"keyfile", "keyfile2"}, + KeyFiles: []string{keyFile, keyFile2}, TPMPolicyAuthKeyFile: mockTPMPolicyAuthKeyFile, } - sequences := []*sb.EFIImageLoadEvent{ + numMockSealedKeyObjects := len(myParams.KeyFiles) + mockSealedKeyObjects := make([]*sb_tpm2.SealedKeyObject, 0, numMockSealedKeyObjects) + for range myParams.KeyFiles { + // Copy of + // https://github.com/snapcore/secboot/blob/master/internal/compattest/testdata/v1/key + // To create full looking + // mockSealedKeyObjects, although {},{} would + // have been enough as well + mockSealedKeyFile := filepath.Join("test-data", "keyfile") + mockSealedKeyObject, err := sb_tpm2.ReadSealedKeyObjectFromFile(mockSealedKeyFile) + c.Assert(err, IsNil) + mockSealedKeyObjects = append(mockSealedKeyObjects, mockSealedKeyObject) + } + + sequences := []*sb_efi.ImageLoadEvent{ { - Source: sb.Firmware, - Image: sb.FileEFIImage(mockEFI.Path), + Source: sb_efi.Firmware, + Image: sb_efi.FileImage(mockEFI.Path), }, } @@ -971,15 +978,15 @@ func (s *secbootSuite) TestResealKey(c *C) { defer restore() // mock TPM enabled check - restore = secboot.MockIsTPMEnabled(func(t *sb.TPMConnection) bool { + restore = secboot.MockIsTPMEnabled(func(t *sb_tpm2.Connection) bool { return tc.tpmEnabled }) defer restore() // mock adding EFI secure boot policy profile - var pcrProfile *sb.PCRProtectionProfile + var pcrProfile *sb_tpm2.PCRProtectionProfile addEFISbPolicyCalls := 0 - restore = secboot.MockSbAddEFISecureBootPolicyProfile(func(profile *sb.PCRProtectionProfile, params *sb.EFISecureBootPolicyProfileParams) error { + restore = secboot.MockSbEfiAddSecureBootPolicyProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.SecureBootPolicyProfileParams) error { addEFISbPolicyCalls++ pcrProfile = profile c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -990,7 +997,7 @@ func (s *secbootSuite) TestResealKey(c *C) { // mock adding EFI boot manager profile addEFIBootManagerCalls := 0 - restore = secboot.MockSbAddEFIBootManagerProfile(func(profile *sb.PCRProtectionProfile, params *sb.EFIBootManagerProfileParams) error { + restore = secboot.MockSbEfiAddBootManagerProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.BootManagerProfileParams) error { addEFIBootManagerCalls++ c.Assert(profile, Equals, pcrProfile) c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -1001,7 +1008,7 @@ func (s *secbootSuite) TestResealKey(c *C) { // mock adding systemd EFI stub profile addSystemdEfiStubCalls := 0 - restore = secboot.MockSbAddSystemdEFIStubProfile(func(profile *sb.PCRProtectionProfile, params *sb.SystemdEFIStubProfileParams) error { + restore = secboot.MockSbEfiAddSystemdStubProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.SystemdStubProfileParams) error { addSystemdEfiStubCalls++ c.Assert(profile, Equals, pcrProfile) c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -1013,7 +1020,7 @@ func (s *secbootSuite) TestResealKey(c *C) { // mock adding snap model profile addSnapModelCalls := 0 - restore = secboot.MockSbAddSnapModelProfile(func(profile *sb.PCRProtectionProfile, params *sb.SnapModelProfileParams) error { + restore = secboot.MockSbAddSnapModelProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_tpm2.SnapModelProfileParams) error { addSnapModelCalls++ c.Assert(profile, Equals, pcrProfile) c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -1023,17 +1030,36 @@ func (s *secbootSuite) TestResealKey(c *C) { }) defer restore() + // mock ReadSealedKeyObject + readSealedKeyObjectCalls := 0 + restore = secboot.MockSbReadSealedKeyObjectFromFile(func(keyfile string) (*sb_tpm2.SealedKeyObject, error) { + readSealedKeyObjectCalls++ + c.Assert(keyfile, Equals, myParams.KeyFiles[readSealedKeyObjectCalls-1]) + return mockSealedKeyObjects[readSealedKeyObjectCalls-1], tc.readSealedKeyObjectErr + }) + defer restore() + // mock PCR protection policy update resealCalls := 0 - restore = secboot.MockSbUpdateKeyPCRProtectionPolicyMultiple(func(t *sb.TPMConnection, keyPaths []string, authKey sb.TPMPolicyAuthKey, profile *sb.PCRProtectionProfile) error { + restore = secboot.MockSbUpdateKeyPCRProtectionPolicyMultiple(func(t *sb_tpm2.Connection, keys []*sb_tpm2.SealedKeyObject, authKey sb_tpm2.PolicyAuthKey, profile *sb_tpm2.PCRProtectionProfile) error { resealCalls++ c.Assert(t, Equals, tpm) - c.Assert(keyPaths, DeepEquals, []string{"keyfile", "keyfile2"}) - c.Assert(authKey, DeepEquals, sb.TPMPolicyAuthKey(mockTPMPolicyAuthKey)) + c.Assert(keys, DeepEquals, mockSealedKeyObjects) + c.Assert(authKey, DeepEquals, sb_tpm2.PolicyAuthKey(mockTPMPolicyAuthKey)) c.Assert(profile, Equals, pcrProfile) return tc.resealErr }) defer restore() + // mock PCR protection policy revoke + revokeCalls := 0 + restore = secboot.MockSbSealedKeyObjectRevokeOldPCRProtectionPolicies(func(sko *sb_tpm2.SealedKeyObject, t *sb_tpm2.Connection, authKey sb_tpm2.PolicyAuthKey) error { + revokeCalls++ + c.Assert(sko, Equals, mockSealedKeyObjects[0]) + c.Assert(t, Equals, tpm) + c.Assert(authKey, DeepEquals, sb_tpm2.PolicyAuthKey(mockTPMPolicyAuthKey)) + return tc.revokeErr + }) + defer restore() err = secboot.ResealKeys(myParams) if tc.expectedErr == "" { @@ -1041,10 +1067,18 @@ func (s *secbootSuite) TestResealKey(c *C) { c.Assert(addEFISbPolicyCalls, Equals, 1) c.Assert(addSystemdEfiStubCalls, Equals, 1) c.Assert(addSnapModelCalls, Equals, 1) + c.Assert(keyFile, testutil.FilePresent) + c.Assert(keyFile2, testutil.FilePresent) } else { - c.Assert(err, ErrorMatches, tc.expectedErr) + c.Assert(err, ErrorMatches, tc.expectedErr, Commentf("%v", tc)) + if revokeCalls == 0 { + // files were not written out + c.Assert(keyFile, testutil.FileAbsent) + c.Assert(keyFile2, testutil.FileAbsent) + } } c.Assert(resealCalls, Equals, tc.resealCalls) + c.Assert(revokeCalls, Equals, tc.revokeCalls) } } @@ -1079,13 +1113,13 @@ func createMockSnapFile(snapDir, snapPath, snapType string) (snap.Container, err return snapfile.Open(snapPath) } -func mockSbTPMConnection(c *C, tpmErr error) (*sb.TPMConnection, func()) { - tcti, err := tpm2.OpenTPMDevice("/dev/null") +func mockSbTPMConnection(c *C, tpmErr error) (*sb_tpm2.Connection, func()) { + tcti, err := linux.OpenDevice("/dev/null") c.Assert(err, IsNil) - tpmctx, err := tpm2.NewTPMContext(tcti) + tpmctx := tpm2.NewTPMContext(tcti) c.Assert(err, IsNil) - tpm := &sb.TPMConnection{TPMContext: tpmctx} - restore := secboot.MockSbConnectToDefaultTPM(func() (*sb.TPMConnection, error) { + tpm := &sb_tpm2.Connection{TPMContext: tpmctx} + restore := secboot.MockSbConnectToDefaultTPM(func() (*sb_tpm2.Connection, error) { if tpmErr != nil { return nil, tpmErr } diff --git a/secboot/secboot_tpm.go b/secboot/secboot_tpm.go index 815b9d45cd1..d7fc0c5feea 100644 --- a/secboot/secboot_tpm.go +++ b/secboot/secboot_tpm.go @@ -2,7 +2,7 @@ // +build !nosecboot /* - * Copyright (C) 2020 Canonical Ltd + * Copyright (C) 2021 Canonical Ltd * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License version 3 as @@ -28,6 +28,8 @@ import ( "github.com/canonical/go-tpm2" sb "github.com/snapcore/secboot" + sb_efi "github.com/snapcore/secboot/efi" + sb_tpm2 "github.com/snapcore/secboot/tpm2" "golang.org/x/xerrors" "github.com/snapcore/snapd/asserts" @@ -44,17 +46,19 @@ const ( ) var ( - sbConnectToDefaultTPM = sb.ConnectToDefaultTPM - sbMeasureSnapSystemEpochToTPM = sb.MeasureSnapSystemEpochToTPM - sbMeasureSnapModelToTPM = sb.MeasureSnapModelToTPM - sbBlockPCRProtectionPolicies = sb.BlockPCRProtectionPolicies - sbActivateVolumeWithTPMSealedKey = sb.ActivateVolumeWithTPMSealedKey - sbAddEFISecureBootPolicyProfile = sb.AddEFISecureBootPolicyProfile - sbAddEFIBootManagerProfile = sb.AddEFIBootManagerProfile - sbAddSystemdEFIStubProfile = sb.AddSystemdEFIStubProfile - sbAddSnapModelProfile = sb.AddSnapModelProfile - sbSealKeyToTPMMultiple = sb.SealKeyToTPMMultiple - sbUpdateKeyPCRProtectionPolicyMultiple = sb.UpdateKeyPCRProtectionPolicyMultiple + sbConnectToDefaultTPM = sb_tpm2.ConnectToDefaultTPM + sbMeasureSnapSystemEpochToTPM = sb_tpm2.MeasureSnapSystemEpochToTPM + sbMeasureSnapModelToTPM = sb_tpm2.MeasureSnapModelToTPM + sbBlockPCRProtectionPolicies = sb_tpm2.BlockPCRProtectionPolicies + sbefiAddSecureBootPolicyProfile = sb_efi.AddSecureBootPolicyProfile + sbefiAddBootManagerProfile = sb_efi.AddBootManagerProfile + sbefiAddSystemdStubProfile = sb_efi.AddSystemdStubProfile + sbAddSnapModelProfile = sb_tpm2.AddSnapModelProfile + sbSealKeyToTPMMultiple = sb_tpm2.SealKeyToTPMMultiple + sbUpdateKeyPCRProtectionPolicyMultiple = sb_tpm2.UpdateKeyPCRProtectionPolicyMultiple + sbSealedKeyObjectRevokeOldPCRProtectionPolicies = (*sb_tpm2.SealedKeyObject).RevokeOldPCRProtectionPolicies + sbNewKeyDataFromSealedKeyObjectFile = sb_tpm2.NewKeyDataFromSealedKeyObjectFile + sbReadSealedKeyObjectFromFile = sb_tpm2.ReadSealedKeyObjectFromFile randutilRandomKernelUUID = randutil.RandomKernelUUID @@ -65,7 +69,7 @@ var ( _ (sb.SnapModel) = ModelForSealing(nil) ) -func isTPMEnabledImpl(tpm *sb.TPMConnection) bool { +func isTPMEnabledImpl(tpm *sb_tpm2.Connection) bool { return tpm.IsEnabled() } @@ -119,15 +123,15 @@ func checkSecureBootEnabled() error { // for measurement from the initramfs. const initramfsPCR = 12 -func insecureConnectToTPM() (*sb.TPMConnection, error) { +func insecureConnectToTPM() (*sb_tpm2.Connection, error) { return sbConnectToDefaultTPM() } -func measureWhenPossible(whatHow func(tpm *sb.TPMConnection) error) error { +func measureWhenPossible(whatHow func(tpm *sb_tpm2.Connection) error) error { // the model is ready, we're good to try measuring it now tpm, err := insecureConnectToTPM() if err != nil { - if xerrors.Is(err, sb.ErrNoTPM2Device) { + if xerrors.Is(err, sb_tpm2.ErrNoTPM2Device) { return nil } return fmt.Errorf("cannot open TPM connection: %v", err) @@ -144,7 +148,7 @@ func measureWhenPossible(whatHow func(tpm *sb.TPMConnection) error) error { // MeasureSnapSystemEpochWhenPossible measures the snap system epoch only if the // TPM device is available. If there's no TPM device success is returned. func MeasureSnapSystemEpochWhenPossible() error { - measure := func(tpm *sb.TPMConnection) error { + measure := func(tpm *sb_tpm2.Connection) error { return sbMeasureSnapSystemEpochToTPM(tpm, initramfsPCR) } @@ -158,7 +162,7 @@ func MeasureSnapSystemEpochWhenPossible() error { // MeasureSnapModelWhenPossible measures the snap model only if the TPM device is // available. If there's no TPM device success is returned. func MeasureSnapModelWhenPossible(findModel func() (*asserts.Model, error)) error { - measure := func(tpm *sb.TPMConnection) error { + measure := func(tpm *sb_tpm2.Connection) error { model, err := findModel() if err != nil { return err @@ -176,7 +180,7 @@ func MeasureSnapModelWhenPossible(findModel func() (*asserts.Model, error)) erro func lockTPMSealedKeys() error { tpm, tpmErr := sbConnectToDefaultTPM() if tpmErr != nil { - if xerrors.Is(tpmErr, sb.ErrNoTPM2Device) { + if xerrors.Is(tpmErr, sb_tpm2.ErrNoTPM2Device) { logger.Noticef("cannot open TPM connection: %v", tpmErr) return nil } @@ -205,21 +209,23 @@ func unlockVolumeUsingSealedKeyTPM(name, sealedEncryptionKeyFile, sourceDevice, // intermediate certs from the manufacturer. res := UnlockResult{IsEncrypted: true, PartDevice: sourceDevice} + tpmDeviceAvailable := false // Obtain a TPM connection. - tpm, tpmErr := sbConnectToDefaultTPM() - if tpmErr != nil { - if !xerrors.Is(tpmErr, sb.ErrNoTPM2Device) { + if tpm, tpmErr := sbConnectToDefaultTPM(); tpmErr != nil { + if !xerrors.Is(tpmErr, sb_tpm2.ErrNoTPM2Device) { return res, fmt.Errorf("cannot unlock encrypted device %q: %v", name, tpmErr) } logger.Noticef("cannot open TPM connection: %v", tpmErr) } else { - defer tpm.Close() + // Also check if the TPM device is enabled. The platform firmware may disable the storage + // and endorsement hierarchies, but the device will remain visible to the operating system. + tpmDeviceAvailable = isTPMEnabled(tpm) + // later during ActivateVolumeWithKeyData secboot will + // open the TPM again, close it as it can't be opened + // multiple times and also we are done using it here + tpm.Close() } - // Also check if the TPM device is enabled. The platform firmware may disable the storage - // and endorsement hierarchies, but the device will remain visible to the operating system. - tpmDeviceAvailable := tpmErr == nil && isTPMEnabled(tpm) - // if we don't have a tpm, and we allow using a recovery key, do that // directly if !tpmDeviceAvailable && opts.AllowRecoveryKey { @@ -233,7 +239,7 @@ func unlockVolumeUsingSealedKeyTPM(name, sealedEncryptionKeyFile, sourceDevice, // otherwise we have a tpm and we should use the sealed key first, but // this method will fallback to using the recovery key if enabled - method, err := unlockEncryptedPartitionWithSealedKey(tpm, mapperName, sourceDevice, sealedEncryptionKeyFile, opts.AllowRecoveryKey) + method, err := unlockEncryptedPartitionWithSealedKey(mapperName, sourceDevice, sealedEncryptionKeyFile, opts.AllowRecoveryKey) res.UnlockMethod = method if err == nil { res.FsDevice = targetDevice @@ -241,20 +247,6 @@ func unlockVolumeUsingSealedKeyTPM(name, sealedEncryptionKeyFile, sourceDevice, return res, err } -func isActivatedWithRecoveryKey(err error) bool { - if err == nil { - return false - } - // with non-nil err, we should check for err being ActivateWithTPMSealedKeyError - // and RecoveryKeyUsageErr inside that being nil - this indicates that the - // recovery key was used to unlock it - activateErr, ok := err.(*sb.ActivateWithTPMSealedKeyError) - if !ok { - return false - } - return activateErr.RecoveryKeyUsageErr == nil -} - func activateVolOpts(allowRecoveryKey bool) *sb.ActivateVolumeOptions { options := sb.ActivateVolumeOptions{ PassphraseTries: 1, @@ -272,26 +264,23 @@ func activateVolOpts(allowRecoveryKey bool) *sb.ActivateVolumeOptions { // unlockEncryptedPartitionWithSealedKey unseals the keyfile and opens an encrypted // device. If activation with the sealed key fails, this function will attempt to // activate it with the fallback recovery key instead. -func unlockEncryptedPartitionWithSealedKey(tpm *sb.TPMConnection, name, device, keyfile string, allowRecovery bool) (UnlockMethod, error) { +func unlockEncryptedPartitionWithSealedKey(mapperName, sourceDevice, keyfile string, allowRecovery bool) (UnlockMethod, error) { + keyData, err := sbNewKeyDataFromSealedKeyObjectFile(keyfile) + if err != nil { + return NotUnlocked, fmt.Errorf("cannot read key data: %v", err) + } options := activateVolOpts(allowRecovery) - // XXX: pinfile is currently not used - activated, err := sbActivateVolumeWithTPMSealedKey(tpm, name, device, keyfile, nil, options) - - if activated { - // non nil error may indicate the volume was unlocked using the - // recovery key - if err == nil { - logger.Noticef("successfully activated encrypted device %q with TPM", device) - return UnlockedWithSealedKey, nil - } else if isActivatedWithRecoveryKey(err) { - logger.Noticef("successfully activated encrypted device %q using a fallback activation method", device) - return UnlockedWithRecoveryKey, nil - } - // no other error is possible when activation succeeded - return UnlockStatusUnknown, fmt.Errorf("internal error: volume activated with unexpected error: %v", err) + // ignoring model checker as it doesn't work with tpm "legacy" platform key data + _, err = sbActivateVolumeWithKeyData(mapperName, sourceDevice, keyData, options) + if err == sb.ErrRecoveryKeyUsed { + logger.Noticef("successfully activated encrypted device %q using a fallback activation method", sourceDevice) + return UnlockedWithRecoveryKey, nil + } + if err != nil { + return NotUnlocked, fmt.Errorf("cannot activate encrypted device %q: %v", sourceDevice, err) } - // ActivateVolumeWithTPMSealedKey should always return an error if activated == false - return NotUnlocked, fmt.Errorf("cannot activate encrypted device %q: %v", device, err) + logger.Noticef("successfully activated encrypted device %q with TPM", sourceDevice) + return UnlockedWithSealedKey, nil } // SealKeys provisions the TPM and seals the encryption keys according to the @@ -325,15 +314,15 @@ func SealKeys(keys []SealKeyRequest, params *SealKeysParams) error { } // Seal the provided keys to the TPM - creationParams := sb.KeyCreationParams{ + creationParams := sb_tpm2.KeyCreationParams{ PCRProfile: pcrProfile, PCRPolicyCounterHandle: tpm2.Handle(params.PCRPolicyCounterHandle), AuthKey: params.TPMPolicyAuthKey, } - sbKeys := make([]*sb.SealKeyRequest, 0, len(keys)) + sbKeys := make([]*sb_tpm2.SealKeyRequest, 0, len(keys)) for i := range keys { - sbKeys = append(sbKeys, &sb.SealKeyRequest{ + sbKeys = append(sbKeys, &sb_tpm2.SealKeyRequest{ Key: keys[i].Key, Path: keys[i].KeyFile, }) @@ -359,6 +348,10 @@ func ResealKeys(params *ResealKeysParams) error { if numModels < 1 { return fmt.Errorf("at least one set of model-specific parameters is required") } + numSealedKeyObjects := len(params.KeyFiles) + if numSealedKeyObjects < 1 { + return fmt.Errorf("at least one key file is required") + } tpm, err := sbConnectToDefaultTPM() if err != nil { @@ -379,15 +372,37 @@ func ResealKeys(params *ResealKeysParams) error { return fmt.Errorf("cannot read the policy auth key file: %v", err) } - return sbUpdateKeyPCRProtectionPolicyMultiple(tpm, params.KeyFiles, authKey, pcrProfile) + sealedKeyObjects := make([]*sb_tpm2.SealedKeyObject, 0, numSealedKeyObjects) + for _, keyfile := range params.KeyFiles { + sealedKeyObject, err := sbReadSealedKeyObjectFromFile(keyfile) + if err != nil { + return err + } + sealedKeyObjects = append(sealedKeyObjects, sealedKeyObject) + } + + if err := sbUpdateKeyPCRProtectionPolicyMultiple(tpm, sealedKeyObjects, authKey, pcrProfile); err != nil { + return err + } + + // write key files + for i, sko := range sealedKeyObjects { + w := sb_tpm2.NewFileSealedKeyObjectWriter(params.KeyFiles[i]) + if err := sko.WriteAtomic(w); err != nil { + return fmt.Errorf("cannot write key data file: %v", err) + } + } + + // revoke old policies via the primary key object + return sbSealedKeyObjectRevokeOldPCRProtectionPolicies(sealedKeyObjects[0], tpm, authKey) } -func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb.PCRProtectionProfile, error) { +func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb_tpm2.PCRProtectionProfile, error) { numModels := len(modelParams) - modelPCRProfiles := make([]*sb.PCRProtectionProfile, 0, numModels) + modelPCRProfiles := make([]*sb_tpm2.PCRProtectionProfile, 0, numModels) for _, mp := range modelParams { - modelProfile := sb.NewPCRProtectionProfile() + modelProfile := sb_tpm2.NewPCRProtectionProfile() loadSequences, err := buildLoadSequences(mp.EFILoadChains) if err != nil { @@ -395,7 +410,7 @@ func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb.PCRProtec } // Add EFI secure boot policy profile - policyParams := sb.EFISecureBootPolicyProfileParams{ + policyParams := sb_efi.SecureBootPolicyProfileParams{ PCRAlgorithm: tpm2.HashAlgorithmSHA256, LoadSequences: loadSequences, // TODO:UC20: set SignatureDbUpdateKeystore to support applying forbidden @@ -404,34 +419,34 @@ func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb.PCRProtec // ensure that the PCR profile is updated before/after sbkeysync executes. } - if err := sbAddEFISecureBootPolicyProfile(modelProfile, &policyParams); err != nil { + if err := sbefiAddSecureBootPolicyProfile(modelProfile, &policyParams); err != nil { return nil, fmt.Errorf("cannot add EFI secure boot policy profile: %v", err) } // Add EFI boot manager profile - bootManagerParams := sb.EFIBootManagerProfileParams{ + bootManagerParams := sb_efi.BootManagerProfileParams{ PCRAlgorithm: tpm2.HashAlgorithmSHA256, LoadSequences: loadSequences, } - if err := sbAddEFIBootManagerProfile(modelProfile, &bootManagerParams); err != nil { + if err := sbefiAddBootManagerProfile(modelProfile, &bootManagerParams); err != nil { return nil, fmt.Errorf("cannot add EFI boot manager profile: %v", err) } // Add systemd EFI stub profile if len(mp.KernelCmdlines) != 0 { - systemdStubParams := sb.SystemdEFIStubProfileParams{ + systemdStubParams := sb_efi.SystemdStubProfileParams{ PCRAlgorithm: tpm2.HashAlgorithmSHA256, PCRIndex: initramfsPCR, KernelCmdlines: mp.KernelCmdlines, } - if err := sbAddSystemdEFIStubProfile(modelProfile, &systemdStubParams); err != nil { + if err := sbefiAddSystemdStubProfile(modelProfile, &systemdStubParams); err != nil { return nil, fmt.Errorf("cannot add systemd EFI stub profile: %v", err) } } // Add snap model profile if mp.Model != nil { - snapModelParams := sb.SnapModelProfileParams{ + snapModelParams := sb_tpm2.SnapModelProfileParams{ PCRAlgorithm: tpm2.HashAlgorithmSHA256, PCRIndex: initramfsPCR, Models: []sb.SnapModel{mp.Model}, @@ -444,9 +459,9 @@ func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb.PCRProtec modelPCRProfiles = append(modelPCRProfiles, modelProfile) } - var pcrProfile *sb.PCRProtectionProfile + var pcrProfile *sb_tpm2.PCRProtectionProfile if numModels > 1 { - pcrProfile = sb.NewPCRProtectionProfile().AddProfileOR(modelPCRProfiles...) + pcrProfile = sb_tpm2.NewPCRProtectionProfile().AddProfileOR(modelPCRProfiles...) } else { pcrProfile = modelPCRProfiles[0] } @@ -456,7 +471,7 @@ func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb.PCRProtec return pcrProfile, nil } -func tpmProvision(tpm *sb.TPMConnection, lockoutAuthFile string) error { +func tpmProvision(tpm *sb_tpm2.Connection, lockoutAuthFile string) error { // Create and save the lockout authorization file lockoutAuth := make([]byte, 16) // crypto rand is protected against short reads @@ -471,19 +486,19 @@ func tpmProvision(tpm *sb.TPMConnection, lockoutAuthFile string) error { // TODO:UC20: ideally we should ask the firmware to clear the TPM and then reboot // if the device has previously been provisioned, see // https://godoc.org/github.com/snapcore/secboot#RequestTPMClearUsingPPI - if err := provisionTPM(tpm, sb.ProvisionModeFull, lockoutAuth); err != nil { + if err := provisionTPM(tpm, sb_tpm2.ProvisionModeFull, lockoutAuth); err != nil { logger.Noticef("TPM provisioning error: %v", err) return fmt.Errorf("cannot provision TPM: %v", err) } return nil } -func provisionTPMImpl(tpm *sb.TPMConnection, mode sb.ProvisionMode, lockoutAuth []byte) error { +func provisionTPMImpl(tpm *sb_tpm2.Connection, mode sb_tpm2.ProvisionMode, lockoutAuth []byte) error { return tpm.EnsureProvisioned(mode, lockoutAuth) } // buildLoadSequences builds EFI load image event trees from this package LoadChains -func buildLoadSequences(chains []*LoadChain) (loadseqs []*sb.EFIImageLoadEvent, err error) { +func buildLoadSequences(chains []*LoadChain) (loadseqs []*sb_efi.ImageLoadEvent, err error) { // this will build load event trees for the current // device configuration, e.g. something like: // @@ -495,7 +510,7 @@ func buildLoadSequences(chains []*LoadChain) (loadseqs []*sb.EFIImageLoadEvent, for _, chain := range chains { // root of load events has source Firmware - loadseq, err := chain.loadEvent(sb.Firmware) + loadseq, err := chain.loadEvent(sb_efi.Firmware) if err != nil { return nil, err } @@ -505,11 +520,11 @@ func buildLoadSequences(chains []*LoadChain) (loadseqs []*sb.EFIImageLoadEvent, } // loadEvent builds the corresponding load event and its tree -func (lc *LoadChain) loadEvent(source sb.EFIImageLoadEventSource) (*sb.EFIImageLoadEvent, error) { - var next []*sb.EFIImageLoadEvent +func (lc *LoadChain) loadEvent(source sb_efi.ImageLoadEventSource) (*sb_efi.ImageLoadEvent, error) { + var next []*sb_efi.ImageLoadEvent for _, nextChain := range lc.Next { // everything that is not the root has source shim - ev, err := nextChain.loadEvent(sb.Shim) + ev, err := nextChain.loadEvent(sb_efi.Shim) if err != nil { return nil, err } @@ -519,26 +534,26 @@ func (lc *LoadChain) loadEvent(source sb.EFIImageLoadEventSource) (*sb.EFIImageL if err != nil { return nil, err } - return &sb.EFIImageLoadEvent{ + return &sb_efi.ImageLoadEvent{ Source: source, Image: image, Next: next, }, nil } -func efiImageFromBootFile(b *bootloader.BootFile) (sb.EFIImage, error) { +func efiImageFromBootFile(b *bootloader.BootFile) (sb_efi.Image, error) { if b.Snap == "" { if !osutil.FileExists(b.Path) { return nil, fmt.Errorf("file %s does not exist", b.Path) } - return sb.FileEFIImage(b.Path), nil + return sb_efi.FileImage(b.Path), nil } snapf, err := snapfile.Open(b.Snap) if err != nil { return nil, err } - return sb.SnapFileEFIImage{ + return sb_efi.SnapFileImage{ Container: snapf, FileName: b.Path, }, nil diff --git a/secboot/test-data/keyfile b/secboot/test-data/keyfile new file mode 100644 index 00000000000..c588b55e7e9 Binary files /dev/null and b/secboot/test-data/keyfile differ