Documentation
Overview
Package fde implements helpers used by low-level parts like secboot in snap-bootstrap and high-level parts like DeviceManager in snapd.
Note that it must never import anything overlord-related itself, to avoid increasing the size of snap-bootstrap.
Index
- func CheckFeatures(runSetupHook RunSetupHookFunc) ([]string, error)
- func HasRevealKey() bool
- func LockSealedKeys() error
- func MockRunFDERevealKey(mock func(*RevealKeyRequest) ([]byte, error)) (restore func())
- func Reveal(params *RevealParams) (payload []byte, err error)
- type InitialSetupParams
- type InitialSetupResult
- type RevealKeyRequest
- type RevealParams
- type RunSetupHookFunc
- type SetupRequest
Constants
This section is empty.
Variables
This section is empty.
Functions
func CheckFeatures
func CheckFeatures(runSetupHook RunSetupHookFunc) ([]string, error)
CheckFeatures returns the features reported by the fde-setup hook.
func HasRevealKey
func HasRevealKey() bool
HasRevealKey returns true if the current system has a "fde-reveal-key" binary (usually used in the initrd).
This will be set up by devicestate to support device-specific full disk encryption implementations.
func LockSealedKeys
func LockSealedKeys() error
func MockRunFDERevealKey
func MockRunFDERevealKey(mock func(*RevealKeyRequest) ([]byte, error)) (restore func())
func Reveal
func Reveal(params *RevealParams) (payload []byte, err error)
Reveal invokes the fde-reveal-key reveal operation.
Types
type InitialSetupParams
InitialSetupParams contains the inputs for the fde-setup hook.
type InitialSetupResult
type InitialSetupResult struct {
	// result when called with "initial-setup"
	// XXX call this encrypted-key if possible?
	EncryptedKey []byte           `json:"sealed-key"`
	Handle       *json.RawMessage `json:"handle"`
}
InitialSetupResult contains the outputs of the fde-setup hook.
func InitialSetup
func InitialSetup(runSetupHook RunSetupHookFunc, params *InitialSetupParams) (*InitialSetupResult, error)
InitialSetup invokes the initial-setup op, running the kernel hook via runSetupHook.
type RevealKeyRequest
type RevealKeyRequest struct {
	Op        string           `json:"op"`
	SealedKey []byte           `json:"sealed-key,omitempty"`
	Handle    *json.RawMessage `json:"handle,omitempty"`
	// deprecated for v1
	KeyName string `json:"key-name,omitempty"`
}
RevealKeyRequest carries the operation parameters to the fde-reveal-key helper, which receives them serialized over stdin.
type RevealParams
type RevealParams struct {
	SealedKey []byte
	Handle    *json.RawMessage
	// V2Payload is set true if SealedKey is expected to contain a v2 payload
	// (disk key + aux key)
	V2Payload bool
}
RevealParams contains the parameters for the fde-reveal-key reveal operation.
type RunSetupHookFunc
type RunSetupHookFunc func(req *SetupRequest) ([]byte, error)
A RunSetupHookFunc implements running the fde-setup kernel hook.
type SetupRequest
type SetupRequest struct {
	Op string `json:"op"`
	// This needs to be a []byte so that Go's standard library will base64
	// encode it automatically for us
	Key []byte `json:"key,omitempty"`
	// Only used when called with "initial-setup"
	KeyName string `json:"key-name,omitempty"`
	// Name of the partition
	PartitionName string `json:"partition-name,omitempty"`
}
TODO: unexport this because how the hook is driven is an implementation
detail. It creates quite a bit of churn unfortunately, see https://github.com/snapcore/snapd/compare/master...mvo5:ice/refactor-fde?expand=1
SetupRequest carries the operation and parameters for the fde-setup hooks, made available to them via the snapctl fde-setup-request command.
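As an added example (not code from the snapd project), the following Go program walks through the two hook exchanges this package wraps: a stand-in fde-setup hook that receives a SetupRequest as JSON and returns an InitialSetupResult, driven through a RunSetupHookFunc the way InitialSetup does, and a stand-in fde-reveal-key helper in the shape MockRunFDERevealKey accepts, fed the sealed key and handle the way Reveal does. The struct definitions are copied from this page; toyMagic, the "reveal" op name, the partition name and the disk key are constructed assumptions, and the toy "sealing" is only a recognisable marker so the reveal side can reject input it did not produce, not real key protection.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// Mirrors of the package's documented types (assumed identical JSON tags).
type SetupRequest struct {
	Op            string `json:"op"`
	Key           []byte `json:"key,omitempty"`
	KeyName       string `json:"key-name,omitempty"`
	PartitionName string `json:"partition-name,omitempty"`
}

type InitialSetupResult struct {
	EncryptedKey []byte           `json:"sealed-key"`
	Handle       *json.RawMessage `json:"handle"`
}

type RevealKeyRequest struct {
	Op        string           `json:"op"`
	SealedKey []byte           `json:"sealed-key,omitempty"`
	Handle    *json.RawMessage `json:"handle,omitempty"`
	KeyName   string           `json:"key-name,omitempty"`
}

type RunSetupHookFunc func(req *SetupRequest) ([]byte, error)

// toyMagic is a constructed marker, NOT encryption: a real hook seals the key
// with device-specific hardware. It lets the toy reveal side check its input.
var toyMagic = []byte("TOY-SEALED:")

// toySetupHook is a constructed stand-in for a kernel fde-setup hook. The request
// is serialized and parsed again so the hook sees exactly the JSON it would read
// from stdin; Key travels base64-encoded because it is a []byte.
func toySetupHook(req *SetupRequest) ([]byte, error) {
	wire, err := json.Marshal(req)
	if err != nil {
		return nil, err
	}
	var seen SetupRequest
	if err := json.Unmarshal(wire, &seen); err != nil {
		return nil, fmt.Errorf("cannot parse fde-setup request: %v", err)
	}
	if seen.Op != "initial-setup" {
		return nil, fmt.Errorf("unsupported op %q", seen.Op)
	}
	if len(seen.Key) == 0 {
		return nil, errors.New("initial-setup requires a key")
	}
	// The handle is opaque to snapd; this toy just records the partition.
	handle := json.RawMessage(fmt.Sprintf(`{"partition":%q}`, seen.PartitionName))
	return json.Marshal(InitialSetupResult{
		EncryptedKey: append(append([]byte{}, toyMagic...), seen.Key...),
		Handle:       &handle,
	})
}

// initialSetup drives the hook the way InitialSetup does and validates the result.
func initialSetup(run RunSetupHookFunc, key []byte, partition string) (*InitialSetupResult, error) {
	out, err := run(&SetupRequest{Op: "initial-setup", Key: key, KeyName: partition, PartitionName: partition})
	if err != nil {
		return nil, err
	}
	var res InitialSetupResult
	if err := json.Unmarshal(out, &res); err != nil {
		return nil, fmt.Errorf("cannot decode fde-setup output: %v", err)
	}
	if len(res.EncryptedKey) == 0 || res.Handle == nil {
		return nil, errors.New("fde-setup output lacks sealed-key or handle")
	}
	return &res, nil
}

// toyRevealKey is a constructed stand-in for the fde-reveal-key binary, in the
// shape MockRunFDERevealKey accepts. The "reveal" op name is an assumption.
func toyRevealKey(req *RevealKeyRequest) ([]byte, error) {
	if req.Op != "reveal" {
		return nil, fmt.Errorf("unsupported op %q", req.Op)
	}
	if !bytes.HasPrefix(req.SealedKey, toyMagic) {
		return nil, errors.New("sealed-key was not produced by this hook")
	}
	return req.SealedKey[len(toyMagic):], nil
}

// reveal mirrors Reveal: sealed key and handle in, disk key payload out.
func reveal(run func(*RevealKeyRequest) ([]byte, error), res *InitialSetupResult) ([]byte, error) {
	return run(&RevealKeyRequest{Op: "reveal", SealedKey: res.EncryptedKey, Handle: res.Handle})
}

func main() {
	res, err := initialSetup(toySetupHook, []byte("constructed-disk-key"), "ubuntu-data")
	if err != nil {
		panic(err)
	}
	payload, err := reveal(toyRevealKey, res)
	fmt.Printf("handle=%s payload=%q err=%v\n", *res.Handle, payload, err)
}
```

The two validation points are the ones a real caller cares about: the setup side refuses an empty key or an unknown op, and the caller of the hook refuses output without a sealed-key and handle, since that is what snap-bootstrap will later hand back to fde-reveal-key. A real fde-reveal-key would additionally be started with a locked-down environment and, after the payload is in use, LockSealedKeys prevents further reveals for the boot.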