diff --git a/go.mod b/go.mod index f9b6fc110d5..9a4c901f88d 100644 --- a/go.mod +++ b/go.mod @@ -7,9 +7,9 @@ replace maze.io/x/crypto => github.com/snapcore/maze.io-x-crypto v0.0.0-20190131 require ( github.com/bmatcuk/doublestar/v4 v4.6.1 - github.com/canonical/go-efilib v1.3.1 + github.com/canonical/go-efilib v1.4.1 github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 // indirect - github.com/canonical/go-tpm2 v1.7.6 + github.com/canonical/go-tpm2 v1.11.1 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 github.com/gorilla/mux v1.8.0 @@ -21,11 +21,11 @@ require ( github.com/mvo5/libseccomp-golang v0.9.1-0.20180308152521-f4de83b52afb // old trusty builds only github.com/seccomp/libseccomp-golang v0.9.2-0.20220502024300-f57e1d55ea18 github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785 - github.com/snapcore/secboot v0.0.0-20241115151056-b3ae5175dc9b - golang.org/x/crypto v0.21.0 + github.com/snapcore/secboot v0.0.0-20250128125141-12230bb269ec + golang.org/x/crypto v0.23.0 golang.org/x/net v0.21.0 // indirect - golang.org/x/sys v0.19.0 - golang.org/x/text v0.14.0 + golang.org/x/sys v0.21.0 + golang.org/x/text v0.15.0 golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c gopkg.in/macaroon.v1 v1.0.0 
@@ -39,11 +39,11 @@ require go.etcd.io/bbolt v1.3.9 require ( github.com/canonical/cpuid v0.0.0-20220614022739-219e067757cb // indirect - github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0 // indirect + github.com/canonical/go-kbkdf v0.0.0-20250104172618-3b1308f9acf9 // indirect github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981 // indirect github.com/kr/pretty v0.2.2-0.20200810074440-814ac30b4b18 // indirect github.com/kr/text v0.1.0 // indirect golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect - golang.org/x/term v0.18.0 // indirect + golang.org/x/term v0.20.0 // indirect maze.io/x/crypto v0.0.0-20190131090603-9b94c9afe066 // indirect ) diff --git a/go.sum b/go.sum index 4abebba3921..8a3393a4a15 100644 --- a/go.sum +++ b/go.sum 
@@ -2,14 +2,14 @@ github.com/bmatcuk/doublestar/v4 v4.6.1 h1:FH9SifrbvJhnlQpztAx++wlkk70QBf0iBWDwN github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= github.com/canonical/cpuid v0.0.0-20220614022739-219e067757cb h1:+kA/9oHTqUx4P08ywKvmd7a1wOL3RLTrE0K958C15x8= github.com/canonical/cpuid v0.0.0-20220614022739-219e067757cb/go.mod h1:6j8Sw3dwYVcBXltEeGklDoK/8UJVJNQPUkg1ZdQUgbk= -github.com/canonical/go-efilib v1.3.1 h1:KnVlqrKn0ZDGAbgQt9tke5cvtqNRCmpEp0v7RGUVpqs= -github.com/canonical/go-efilib v1.3.1/go.mod h1:n0Ttsy1JuHAvqaFbZBs6PAzoiiJdfkHsAmDOEbexYEQ= -github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0 h1:ZE2XMRFHcwlib3uU9is37+pKkkMloVoEPWmgQ6GK1yo= -github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0/go.mod h1:Zrs3YjJr+w51u0R/dyLh/oWt/EcBVdLPCVFYC4daW5s= +github.com/canonical/go-efilib v1.4.1 h1:/VMNCypz+iVmnNuMcsm7WvmDMI1ObkEP2W1h8Ls7OyM= +github.com/canonical/go-efilib v1.4.1/go.mod h1:n0Ttsy1JuHAvqaFbZBs6PAzoiiJdfkHsAmDOEbexYEQ= +github.com/canonical/go-kbkdf v0.0.0-20250104172618-3b1308f9acf9 h1:Twk1ZSTWRClfGShP16ePf2JIiayqWS4ix1rkAR6baag= +github.com/canonical/go-kbkdf v0.0.0-20250104172618-3b1308f9acf9/go.mod h1:IneQ5/yQcfPXrGekEXpR6yeea55ZD24N5+kHzeDseOM= github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 h1:oe6fCvaEpkhyW3qAicT0TnGtyht/UrgvOwMcEgLb7Aw= github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3/go.mod h1:qdP0gaj0QtgX2RUZhnlVrceJ+Qln8aSlDyJwelLLFeM= -github.com/canonical/go-tpm2 v1.7.6 h1:9k9OAEEp9xKp4h2WJwfTUNivblJi4L5Wjx7Q/LkSTSQ= -github.com/canonical/go-tpm2 v1.7.6/go.mod h1:Dz0PQRmoYrmk/4BLILjRA+SFzuqEo1etAvYeAJiMhYU= +github.com/canonical/go-tpm2 v1.11.1 h1:RivdSXfBWWW+eFaFNYQby5+kVgY4km9eEayot1wX/qU= +github.com/canonical/go-tpm2 v1.11.1/go.mod h1:zK+qESVwu78XyX+NPhiBdN+zwPPDoKk4rYlQ7VUsRp4= github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981 h1:vrUzSfbhl8mzdXPzjxq4jXZPCCNLv18jy6S7aVTS2tI= 
github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981/go.mod h1:ywdPBqUGkuuiitPpVWCfilf2/gq+frhq4CNiNs9KyHU= github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU= 
@@ -49,15 +49,15 @@ github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785 h1:PaunR+BhraK github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785/go.mod h1:D3SsWAXK7wCCBZu+Vk5hc1EuKj/L3XN1puEMXTU4LrQ= github.com/snapcore/maze.io-x-crypto v0.0.0-20190131090603-9b94c9afe066 h1:InG0EmriMOiI4YgtQNOo+6fNxzLCYioo3Q3BCVLdMCE= github.com/snapcore/maze.io-x-crypto v0.0.0-20190131090603-9b94c9afe066/go.mod h1:VuAdaITF1MrGzxPU+8GxagM1HW2vg7QhEFEeGHbmEMU= -github.com/snapcore/secboot v0.0.0-20241115151056-b3ae5175dc9b h1:ywW6AgHzAVjJIlkDLb+52IgEXVFYxG2rzjP34khWbow= -github.com/snapcore/secboot v0.0.0-20241115151056-b3ae5175dc9b/go.mod h1:Tw/DK06oyO+lFvAQxmNPzXRlSWGk9vZlS2eNx4riAHo= +github.com/snapcore/secboot v0.0.0-20250128125141-12230bb269ec h1:TfkF2dkq6g0+SDw+0vOZMD0G6G4I5/sUSVP8T4KO5n0= +github.com/snapcore/secboot v0.0.0-20250128125141-12230bb269ec/go.mod h1:2cqUsx8AzOpyo7IAkeAln8SEr9ymC/GVOrFEYNL0RrI= github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= go.etcd.io/bbolt v1.3.9 h1:8x7aARPEXiXbHmtUwAIv7eV2fQFHrLLavdiJ3uzJXoI= go.etcd.io/bbolt v1.3.9/go.mod h1:zaO32+Ti0PK1ivdPtgMESzuzL2VPoIG1PCQNvOdo/dE= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= -golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= +golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= +golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY= golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod 
h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= @@ -67,13 +67,13 @@ golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= -golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= +golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= +golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= +golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f h1:uF6paiQQebLeSXkrTqHqz0MXhXXS1KgF41eUdBNvxK0= golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= diff --git a/secboot/secboot_hooks.go b/secboot/secboot_hooks.go index 8a1eac30ee1..6e5b720046a 100644 --- a/secboot/secboot_hooks.go +++ b/secboot/secboot_hooks.go 
@@ -221,7 +221,7 @@ func (fh *fdeHookV2DataHandler) RecoverKeys(data *sb.PlatformKeyData, encryptedP
 return fde.Reveal(&p)
 }
-func (fh *fdeHookV2DataHandler) ChangeAuthKey(data *sb.PlatformKeyData, old, new []byte) ([]byte, error) {
+func (fh *fdeHookV2DataHandler) ChangeAuthKey(data *sb.PlatformKeyData, old, new []byte, context any) ([]byte, error) {
 return nil, fmt.Errorf("cannot change auth key yet")
 }
diff --git a/secboot/secboot_tpm.go b/secboot/secboot_tpm.go
index 5e8c32e0d13..bf946ae1afc 100644
--- a/secboot/secboot_tpm.go
+++ b/secboot/secboot_tpm.go
@@ -483,33 +483,6 @@ func ProvisionForCVM(initramfsUbuntuSeedDir string) error {
 return nil
 }
-// This helper is a workaround for a secboot bug https://github.com/canonical/secboot/issues/353
-// where NewTPMPassphraseProtectedKey takes an open tpm connection as input, but internally
-// tries to re-open a new connection implicitly causing an error due trying to open two
-// connection for the same TPM device.
-//
-// FIXME: This approach is not thread safe and should be updated when fix lands in secboot.
-func withSingleTPMConnection(fn func(tpm *sb_tpm2.Connection)) error {
- tpm, err := sbConnectToDefaultTPM()
- if err != nil {
- return fmt.Errorf("cannot connect to TPM: %v", err)
- }
- defer tpm.Close()
- if !isTPMEnabled(tpm) {
- return fmt.Errorf("TPM device is not enabled")
- }
-
- // Workaround for secboot to reuse opened tpm connection.
- old := sb_tpm2.ConnectToTPM
- sb_tpm2.ConnectToTPM = func() (*sb_tpm2.Connection, error) {
- return tpm, nil
- }
- defer func() { sb_tpm2.ConnectToTPM = old }()
-
- fn(tpm)
- return nil
-}
-
 func kdfOptions(volumesAuth *device.VolumesAuthOptions) (sb.KDFOptions, error) {
 switch volumesAuth.KDFType {
 case "":
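Review bot: The new `context any` parameter on ChangeAuthKey is accepted but never read, and nothing explains why it exists; presumably it matches the handler interface of the updated secboot dependency, so a one-line comment would spare the next reader a trip into the vendor tree, e.g. `// ChangeAuthKey satisfies the updated secboot handler interface; context is ignored because changing the auth key is not supported yet.` Naming the parameter `context` also shadows the standard `context` package inside the body if this file imports it, so `_ any` (or `ctx any`) would be the safer spelling. The method body is complete within the hunk.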
@@ -533,7 +506,7 @@ func kdfOptions(volumesAuth *device.VolumesAuthOptions) (sb.KDFOptions, error) {
 }
 }
-func newTPMProtectedKey(creationParams *sb_tpm2.ProtectKeyParams, volumesAuth *device.VolumesAuthOptions) (protectedKey *sb.KeyData, primaryKey sb.PrimaryKey, unlockKey sb.DiskUnlockKey, err error) {
+func newTPMProtectedKey(tpm *sb_tpm2.Connection, creationParams *sb_tpm2.ProtectKeyParams, volumesAuth *device.VolumesAuthOptions) (protectedKey *sb.KeyData, primaryKey sb.PrimaryKey, unlockKey sb.DiskUnlockKey, err error) {
 if volumesAuth != nil {
 switch volumesAuth.Mode {
 case device.AuthModePassphrase:
@@ -545,12 +518,7 @@ func newTPMProtectedKey(creationParams *sb_tpm2.ProtectKeyParams, volumesAuth *d
 ProtectKeyParams: *creationParams,
 KDFOptions: kdfOptions,
 }
- tpmErr := withSingleTPMConnection(func(tpm *sb_tpm2.Connection) {
- protectedKey, primaryKey, unlockKey, err = sbNewTPMPassphraseProtectedKey(tpm, passphraseParams, volumesAuth.Passphrase)
- })
- if tpmErr != nil {
- return nil, nil, nil, tpmErr
- }
+ protectedKey, primaryKey, unlockKey, err = sbNewTPMPassphraseProtectedKey(tpm, passphraseParams, volumesAuth.Passphrase)
 case device.AuthModePIN:
 // TODO: Implement PIN authentication mode.
 return nil, nil, nil, fmt.Errorf("%q authentication mode is not implemented", device.AuthModePIN)
@@ -558,12 +526,7 @@ func newTPMProtectedKey(creationParams *sb_tpm2.ProtectKeyParams, volumesAuth *d
 return nil, nil, nil, fmt.Errorf("internal error: invalid authentication mode %q", volumesAuth.Mode)
 }
 } else {
- tpmErr := withSingleTPMConnection(func(tpm *sb_tpm2.Connection) {
- protectedKey, primaryKey, unlockKey, err = sbNewTPMProtectedKey(tpm, creationParams)
- })
- if tpmErr != nil {
- return nil, nil, nil, tpmErr
- }
+ protectedKey, primaryKey, unlockKey, err = sbNewTPMProtectedKey(tpm, creationParams)
 }
 return protectedKey, primaryKey, unlockKey, err
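Review bot: newTPMProtectedKey now takes a caller-owned `tpm *sb_tpm2.Connection` but carries no doc comment stating the precondition the removed withSingleTPMConnection helper used to enforce itself: the connection must already be open and enabled, and this function neither checks nor closes it. A header such as `// newTPMProtectedKey creates a TPM-protected key using the given connection. tpm must be an open connection to an enabled TPM owned by the caller; it is neither validated nor closed here.` would record that contract at the one place callers look. The same applies to the direct sbNewTPMPassphraseProtectedKey and sbNewTPMProtectedKey calls in the hunks at -545 and -558, which now inherit whatever state the caller's connection is in. The function continues past the end of the -558 hunk.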
@@ -578,6 +541,15 @@ func SealKeys(keys []SealKeyRequest, params *SealKeysParams) ([]byte, error) {
 return nil, fmt.Errorf("at least one set of model-specific parameters is required")
 }
+ tpm, err := sbConnectToDefaultTPM()
+ if err != nil {
+ return nil, fmt.Errorf("cannot connect to TPM: %v", err)
+ }
+ defer tpm.Close()
+ if !isTPMEnabled(tpm) {
+ return nil, fmt.Errorf("TPM device is not enabled")
+ }
+
 var primaryKey sb.PrimaryKey
 if params.PrimaryKey != nil {
 primaryKey = params.PrimaryKey
@@ -598,7 +570,7 @@ func SealKeys(keys []SealKeyRequest, params *SealKeysParams) ([]byte, error) {
 PCRPolicyCounterHandle: tpm2.Handle(pcrHandle),
 PrimaryKey: primaryKey,
 }
- protectedKey, primaryKeyOut, unlockKey, err := newTPMProtectedKey(creationParams, params.VolumesAuth)
+ protectedKey, primaryKeyOut, unlockKey, err := newTPMProtectedKey(tpm, creationParams, params.VolumesAuth)
 if primaryKey == nil {
 primaryKey = primaryKeyOut
 }
@@ -917,7 +889,7 @@ func PCRHandleOfSealedKey(p string) (uint32, error) {
 func tpmReleaseResourcesImpl(tpm *sb_tpm2.Connection, handle tpm2.Handle) error {
 rc, err := tpm.CreateResourceContextFromTPM(handle)
 if err != nil {
- if _, ok := err.(tpm2.ResourceUnavailableError); ok {
+ if _, ok := err.(*tpm2.ResourceUnavailableError); ok {
 // there's nothing to release, the handle isn't used
 return nil
 }
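Review bot: The added `fmt.Errorf("cannot connect to TPM: %v", err)` in SealKeys flattens the underlying error, so callers can no longer use errors.Is/errors.As to tell an absent or disabled TPM apart from other failures; `return nil, fmt.Errorf("cannot connect to TPM: %w", err)` keeps the chain at no cost. The `%v` form was carried over verbatim from the removed withSingleTPMConnection helper, so it is a pre-existing habit, but this line is being rewritten anyway and is now the single entry point for the connection. Note that the connection is now held open for the whole of SealKeys rather than per key, which is the intended fix for the old double-open problem; the deferred Close covers every return path in the hunk. SealKeys begins and ends outside the hunk, and the hunk at -598 is the matching pass-through of `tpm` to newTPMProtectedKey.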
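Review bot: The type assertion on `*tpm2.ResourceUnavailableError` in tpmReleaseResourcesImpl only matches the unwrapped pointer, presumably because go-tpm2 v1.11.1 now returns that error by pointer; if the library or any intermediate layer wraps it, the "nothing to release" path is skipped and the caller receives an error for a handle that is simply unused. `var unavailable *tpm2.ResourceUnavailableError` followed by `if errors.As(err, &unavailable) {` matches both shapes and would need the `errors` import if this file does not already have it. The function starts inside the hunk and its body continues past it.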