fixup! many: rework the way we allocate counter handles

canonical · Jan 20, 2025 · 4883247 · 4883247
1 parent 82ecb36
commit 4883247
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 6 deletions.
diff --git a/overlord/devicestate/devicemgr.go b/overlord/devicestate/devicemgr.go
@@ -1703,7 +1703,7 @@ func (m *DeviceManager) ensurePostFactoryReset() error {
 	}
 
 	if encrypted {
-		if err := deleteOldKeys(boot.InitramfsUbuntuSaveDir); err != nil {
+		if err := swapSaveKeyAndDeleteOldKeys(boot.InitramfsUbuntuSaveDir); err != nil {
 			return fmt.Errorf("cannot remove old encryption keys: %v", err)
 		}
 	}

diff --git a/overlord/devicestate/handlers_install.go b/overlord/devicestate/handlers_install.go
@@ -1361,11 +1361,11 @@ func createSaveBootstrappedContainer(saveNode string) (secboot.BootstrappedConta
 }
 
 
-// deleteOldKeys remove old keys that were used in previous installation after successful factory reset.
+// swapSaveKeyAndDeleteOldKeys removes old keys that were used in previous installation after successful factory reset.
 //  * Key files ubuntu-save.recovery.sealed-key has to be replaced by key file ubuntu-save.recovery.sealed-key.factory-reset
 //  * Keyslots factory-reset-* have to be removed
 //  * TPM handles used by the removed keys have to be released
-func deleteOldKeys(saveMntPnt string) error {
+func swapSaveKeyAndDeleteOldKeys(saveMntPnt string) error {
 	hasHook, err := boot.HasFDESetupHook(nil)
 	if err != nil {
 		logger.Noticef("WARNING: cannot figure out if FDE hooks are in use: %v", err)
@@ -1388,6 +1388,9 @@ func deleteOldKeys(saveMntPnt string) error {
 
 	var oldKeys []string
 	renameKey := false
+	// If the fallback save key exists, then it is the new
+	// key. That means the default save key is the old save key
+	// that needs to be removed.
 	if osutil.FileExists(saveFallbackKeyFactory) {
 		oldKeys = append(oldKeys, defaultSaveKey)
 		renameKey = true

diff --git a/secboot/secboot_tpm.go b/secboot/secboot_tpm.go
@@ -936,9 +936,9 @@ func mockableReadKeyFileImpl(keyFile string, keyLoader *mockableKeyLoader, hintE
 
 var mockableReadKeyFile = mockableReadKeyFileImpl
 
-// GetPCRHandle returns the handle used by a key.  The key will be
-// search on as token on node in the keySlot. If keySlot has no
-// KeyData, then the key will be loaded at path keyFile.
+// GetPCRHandle returns the handle used by a key. The key will be
+// searched on the token of the keySlot from the node. If that keySlot
+// has no KeyData, then the key will be loaded at path keyFile.
 func GetPCRHandle(node, keySlot, keyFile string) (uint32, error) {
 	slots, err := sbListLUKS2ContainerUnlockKeyNames(node)
 	if err != nil {