fde

package v0.0.0-...-f890545

Warning: this package is not in the latest version of its module.

Published: Nov 21, 2024 License: GPL-3.0 Imports: 8 Imported by: 38

Documentation

Overview

package fde implements helpers used by low level parts like secboot in snap-bootstrap and high level parts like DeviceManager in snapd.

Note that it must never import anything overlord related itself to avoid increasing the size of snap-bootstrap.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CheckFeatures

func CheckFeatures(runSetupHook RunSetupHookFunc) ([]string, error)

CheckFeatures returns the features of the fde-setup hook.

func HasRevealKey

func HasRevealKey() bool

HasRevealKey returns true if the current system has a "fde-reveal-key" binary (usually used in the initrd).

This will be setup by devicestate to support device-specific full disk encryption implementations.

func LockSealedKeys

func LockSealedKeys() error

func MockRunFDERevealKey

func MockRunFDERevealKey(mock func(*RevealKeyRequest) ([]byte, error)) (restore func())

func Reveal

func Reveal(params *RevealParams) (payload []byte, err error)

Reveal invokes the fde-reveal-key reveal operation.

Types

type InitialSetupParams

type InitialSetupParams struct {
	Key     []byte
	KeyName string
}

InitialSetupParams contains the inputs for the fde-setup hook

type InitialSetupResult

type InitialSetupResult struct {
	// result when called with "initial-setup"
	// XXX call this encrypted-key if possible?
	EncryptedKey []byte           `json:"sealed-key"`
	Handle       *json.RawMessage `json:"handle"`
}

InitialSetupResult contains the outputs of the fde-setup hook

func InitialSetup

func InitialSetup(runSetupHook RunSetupHookFunc, params *InitialSetupParams) (*InitialSetupResult, error)

InitialSetup invokes the initial-setup op running the kernel hook via runSetupHook.

type RevealKeyRequest

type RevealKeyRequest struct {
	Op string `json:"op"`

	SealedKey []byte           `json:"sealed-key,omitempty"`
	Handle    *json.RawMessage `json:"handle,omitempty"`
	// deprecated for v1
	KeyName string `json:"key-name,omitempty"`
}

RevealKeyRequest carries the operation parameters to the fde-reveal-key helper, which receives them serialized over stdin.

type RevealParams

type RevealParams struct {
	SealedKey []byte
	Handle    *json.RawMessage
	// V2Payload is set true if SealedKey is expected to contain a v2 payload
	// (disk key + aux key)
	V2Payload bool
}

RevealParams contains the parameters for fde-reveal-key reveal operation.

type RunSetupHookFunc

type RunSetupHookFunc func(req *SetupRequest) ([]byte, error)

A RunSetupHookFunc implements running the fde-setup kernel hook.

type SetupRequest

type SetupRequest struct {
	Op string `json:"op"`

	// This needs to be a []byte so that Go's standard library will base64
	// encode it automatically for us
	Key []byte `json:"key,omitempty"`

	// Only used when called with "initial-setup"
	KeyName string `json:"key-name,omitempty"`

	// Name of the partition
	PartitionName string `json:"partition-name,omitempty"`
}

TODO: unexport this because how the hook is driven is an implementation detail. It creates quite a bit of churn unfortunately, see
https://github.com/snapcore/snapd/compare/master...mvo5:ice/refactor-fde?expand=1

SetupRequest carries the operation and parameters for the fde-setup hooks; they are made available to the hook via the snapctl fde-setup-request command.
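The two JSON exchanges documented on this page (SetupRequest in, InitialSetupResult out for the fde-setup hook; RevealKeyRequest in, key bytes out for fde-reveal-key) are easiest to see as one round trip. The program below is an added example, not code from snapd: it mirrors the struct definitions shown above rather than importing the package, and stands in for both executables with in-process functions matching the RunSetupHookFunc signature and the mock signature MockRunFDERevealKey accepts. toyHook, toyReveal and the XOR mask are constructed for illustration only; XOR is not sealing, it just keeps the transformation observable. RunInitialSetup and RunReveal are this example's own simplified drivers, not the package's InitialSetup and Reveal.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Wire types mirrored from the package documentation (redeclared so that
// this example builds stand-alone).
type SetupRequest struct {
	Op            string `json:"op"`
	Key           []byte `json:"key,omitempty"` // []byte: encoding/json base64-encodes it
	KeyName       string `json:"key-name,omitempty"`
	PartitionName string `json:"partition-name,omitempty"`
}

type InitialSetupResult struct {
	EncryptedKey []byte           `json:"sealed-key"`
	Handle       *json.RawMessage `json:"handle"`
}

type RevealKeyRequest struct {
	Op        string           `json:"op"`
	SealedKey []byte           `json:"sealed-key,omitempty"`
	Handle    *json.RawMessage `json:"handle,omitempty"`
	KeyName   string           `json:"key-name,omitempty"` // deprecated for v1
}

type RunSetupHookFunc func(req *SetupRequest) ([]byte, error)
type RunRevealKeyFunc func(req *RevealKeyRequest) ([]byte, error)

// SetupWire returns the JSON a hook reads via snapctl fde-setup-request.
func SetupWire(req *SetupRequest) (string, error) {
	b, err := json.Marshal(req)
	return string(b), err
}

// toyMask and toyHook are constructed stand-ins for a kernel snap's
// fde-setup hook. A real hook seals against hardware and stores whatever it
// needs to reverse the operation in the opaque handle.
const toyMask = 0x5a

func toyHook(req *SetupRequest) ([]byte, error) {
	if req.Op != "initial-setup" {
		return nil, fmt.Errorf("toy hook: unsupported op %q", req.Op)
	}
	sealed := make([]byte, len(req.Key))
	for i, b := range req.Key {
		sealed[i] = b ^ toyMask
	}
	handle := json.RawMessage(`{"scheme":"toy-xor","key-name":"` + req.KeyName + `"}`)
	return json.Marshal(&InitialSetupResult{EncryptedKey: sealed, Handle: &handle})
}

// RunInitialSetup builds the request, runs the hook and validates its output.
func RunInitialSetup(run RunSetupHookFunc, key []byte, keyName string) (*InitialSetupResult, error) {
	out, err := run(&SetupRequest{Op: "initial-setup", Key: key, KeyName: keyName})
	if err != nil {
		return nil, err
	}
	var res InitialSetupResult
	if err := json.Unmarshal(out, &res); err != nil {
		return nil, fmt.Errorf("fde-setup hook returned invalid JSON: %v", err)
	}
	if len(res.EncryptedKey) == 0 {
		return nil, errors.New("fde-setup hook returned an empty sealed-key")
	}
	return &res, nil
}

// toyReveal is the matching stand-in for fde-reveal-key. It refuses handles
// it did not produce, a check any real helper should make before unsealing.
func toyReveal(req *RevealKeyRequest) ([]byte, error) {
	if req.Op != "reveal" {
		return nil, fmt.Errorf("toy reveal: unsupported op %q", req.Op)
	}
	var h struct {
		Scheme string `json:"scheme"`
	}
	if req.Handle == nil || json.Unmarshal(*req.Handle, &h) != nil || h.Scheme != "toy-xor" {
		return nil, errors.New("toy reveal: handle was not produced by this hook")
	}
	key := make([]byte, len(req.SealedKey))
	for i, b := range req.SealedKey {
		key[i] = b ^ toyMask
	}
	return key, nil
}

// RunReveal serialises the request as it would cross stdin to the helper,
// then hands the decoded copy to run.
func RunReveal(run RunRevealKeyFunc, res *InitialSetupResult) ([]byte, error) {
	wire, err := json.Marshal(&RevealKeyRequest{Op: "reveal", SealedKey: res.EncryptedKey, Handle: res.Handle})
	if err != nil {
		return nil, err
	}
	var req RevealKeyRequest
	if err := json.Unmarshal(wire, &req); err != nil {
		return nil, err
	}
	return run(&req)
}

func main() {
	res, err := RunInitialSetup(toyHook, []byte("disk-key-bytes"), "ubuntu-data")
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed-key=%x handle=%s\n", res.EncryptedKey, *res.Handle)
	key, err := RunReveal(toyReveal, res)
	if err != nil {
		panic(err)
	}
	fmt.Printf("revealed=%q\n", key)
}
```

The handle is kept as json.RawMessage on the snapd side precisely so that its contents stay opaque to snapd and meaningful only to the hook that produced it; the reject path in toyReveal shows why the helper, not snapd, is the right place to validate it.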
