overlord/devicestate,secboot: fix factory reset on older versions #14471
Conversation
github-actions
bot
added
the
Run Nested -auto-
valentindavid
force-pushed
the
valentindavid/remodel-then-factory-reset
branch
from
e820f9a to
21ed272
Compare
valentindavid
force-pushed
the
valentindavid/remodel-then-factory-reset
branch
from
21ed272 to
4b3991d
Compare
valentindavid
added
the
Run nested
pedronis
force-pushed
the
fde-manager-features
branch
from
fcc5e2e to
24018ee
Compare
valentindavid
force-pushed
the
valentindavid/remodel-then-factory-reset
branch
from
4b3991d to
f463a03
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## fde-manager-features #14471 +/- ##
=======================================================
Coverage ? 77.67%
=======================================================
Files ? 1168
Lines ? 155564
Branches ? 0
=======================================================
Hits ? 120830
Misses ? 27239
Partials ? 7495
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
valentindavid
force-pushed
the
valentindavid/remodel-then-factory-reset
branch
2 times, most recently
from
3fe46ac to
29dd378
Compare
|
This might still need #14718 to work. We will see. |
valentindavid
force-pushed
the
valentindavid/remodel-then-factory-reset
branch
4 times, most recently
from
c0efc73 to
d43620a
Compare
|
We are missing a piece, I have forgotten about that. We need to be able to convert LUKS2 disk without tokens to ones with tokens, just for the names, so we can rename and delete them. |
|
I have opened canonical/secboot#349 to have a way to write factory reset in a way that works. |
valentindavid
force-pushed
the
valentindavid/remodel-then-factory-reset
branch
from
d43620a to
bfbb339
Compare
|
This also depends on canonical/secboot#355 |
|
Draft, because it needs PRs to be merged on secboot. |
pedronis
force-pushed
the
fde-manager-features
branch
from
5802840 to
5ec2e43
Compare
valentindavid
force-pushed
the
valentindavid/remodel-then-factory-reset
branch
from
bfbb339 to
f503fb1
Compare
valentindavid
force-pushed
the
valentindavid/remodel-then-factory-reset
branch
from
f503fb1 to
288d176
Compare
valentindavid
changed the title
valentindavid
force-pushed
the
valentindavid/remodel-then-factory-reset
branch
from
288d176 to
7c2e31f
Compare
secboot/secboot_sb.go
Outdated
| @@ -348,7 +348,7 @@ func AddBootstrapKeyOnExistingDisk(node string, newKey keys.EncryptionKey) error | |||
| // Rename key slots on LUKS2 container. If the key slot does not | |||
| // exist, it is ignored. If cryptsetup does not support renaming, then | |||
| // the key slots are instead removed. | |||
| func RenameOrDeleteKeys(node string, renames map[string]string) error { | |||
| func RenameKeys(nonAtomic *NonAtomicOperationAllowedFlag, node string, renames map[string]string) error { | |||
There was a problem hiding this comment.
are there calls to RenameKeys that will not pass nonAtomic?
There was a problem hiding this comment.
At this point we have only one call.
There was a problem hiding this comment.
then the nonAtomic bit here is probably overkill, we can just have a comment
There was a problem hiding this comment.
OK, I will simplify it then.
| if err := secbootDeleteKeys(diskPath, toDelete); err != nil { | ||
| return fmt.Errorf("cannot delete previous keys: %w", err) | ||
| } | ||
| if err := secbootRemoveOldDiskKeys(diskPath); err != nil { |
There was a problem hiding this comment.
it a bit strange that we both call DeleteKeys and then call a helper that does a bit of that as well, at a minimum these need comments about what each does
There was a problem hiding this comment.
It is also difficult to explain the name of the function. One remove old keys if you reset from a new version. The other one is if you reset from an old version where snapd was updated in the seed with a remodel.
There was a problem hiding this comment.
I have added comments before the calls to explain what both are doing.
secboot/secboot_sb.go
Outdated
| @@ -348,7 +348,7 @@ func AddBootstrapKeyOnExistingDisk(node string, newKey keys.EncryptionKey) error | |||
| // Rename key slots on LUKS2 container. If the key slot does not | |||
| // exist, it is ignored. If cryptsetup does not support renaming, then | |||
| // the key slots are instead removed. | |||
| func RenameOrDeleteKeys(node string, renames map[string]string) error { | |||
| func RenameKeys(nonAtomic *NonAtomicOperationAllowedFlag, node string, renames map[string]string) error { | |||
There was a problem hiding this comment.
this is a very weird API tbh. The call sites where this isn't passed will see a bare nil as the first argument which is even more confusing than bare true/false. I understand canonical/secboot does this, but it doesn't make it any less weird and it doesn't need to be exposed outside of the secboot package.
If this needs an argument then pass it in a struct:
type RenameKeysFlags struct {
AllowNonAtomic bool
}
func RenameKeys(node string, renames map[string]string, flags RenameKeysFlags) error {
..
There was a problem hiding this comment.
It is on purpose weird because should avoid using this mode. Chris was concerned that would get used when we do not need to.
There was a problem hiding this comment.
As requested by @pedronis this was simplified.
pedronis
force-pushed
the
fde-manager-features
branch
from
7005c64 to
25f9119
Compare
valentindavid
force-pushed
the
valentindavid/remodel-then-factory-reset
branch
from
91da819 to
1e6820c
Compare
|
Tue Feb 4 00:34:40 UTC 2025 Failures:Preparing:
Executing:
Restoring:
|
secboot/secboot_sb.go
Outdated
| // ConvertOldDisk takes on disk using legacy keyslots 0, 1, 2 and add | ||
| // names to those keyslots. This is needed to convert the save disk | ||
| // during a factory reset. | ||
| func ConvertOldDisk(devicePath string) error { |
There was a problem hiding this comment.
s/Convert/TemporaryNameOldKeys/ would probably describe better what this does
There was a problem hiding this comment.
Also this should mention that it is for migrating during factory-reset and that it is a noop if not unamed legacy keyslots exists.
secboot/secboot_sb.go
Outdated
| @@ -348,7 +348,8 @@ func AddBootstrapKeyOnExistingDisk(node string, newKey keys.EncryptionKey) error | |||
| // Rename key slots on LUKS2 container. If the key slot does not | |||
| // exist, it is ignored. If cryptsetup does not support renaming, then | |||
| // the key slots are instead removed. | |||
| func RenameOrDeleteKeys(node string, renames map[string]string) error { | |||
| // WARNING: this function is not atomic. Please avoid using it. | |||
There was a problem hiding this comment.
Sure, it is not atomic only if cryptsetup is too old. I will amend that.
secboot/secboot_sb.go
Outdated
|
|
||
| // RemoveOldDiskKeys removes key slots from an old installation that | ||
| // had names created by ConvertOldDisk. | ||
| func RemoveOldDiskKeys(devicePath string) error { |
There was a problem hiding this comment.
wouldn't DeleteOldKeys be more consistent with other naming here?
There was a problem hiding this comment.
this will not fail if the key don't exist right?
There was a problem hiding this comment.
It is the keys of an old disk.
There was a problem hiding this comment.
DeleteOldKeys is fine, I will change to it.
| return nil, fmt.Errorf("cannot rename existing keys: %w", err) | ||
| } | ||
|
|
||
| if err := secbootConvertOldDisk(saveNode); err != nil { |
There was a problem hiding this comment.
// deal as needed instead with naming unamed keyslots, they will be removed at the end of factory reset
valentindavid
force-pushed
the
valentindavid/remodel-then-factory-reset
branch
from
5750e24 to
b835a09
Compare
For the preparation of the factory reset, if the preparation is not finished, the keys are already named or renamed. If the factory reset clean up does not finish, it should run again. Because we have a flag that needs to be removed last. |
secboot/secboot_sb.go
Outdated
| // old, it will try to copy and delete keys instead. Please avoid | ||
| // using this function. |
There was a problem hiding this comment.
| // old, it will try to copy and delete keys instead. Please avoid | |
| // using this function. | |
| // old, it will try to copy and delete keys instead. Avoid | |
| // using this function in new code. |
secboot/secboot_sb.go
Outdated
| // add names to those keyslots. This is needed to convert the save | ||
| // disk during a factory reset. This is a no-operation if no keyslot | ||
| // are unnamed. |
There was a problem hiding this comment.
| // add names to those keyslots. This is needed to convert the save | |
| // disk during a factory reset. This is a no-operation if no keyslot | |
| // are unnamed. | |
| // adds names to those keyslots. This is needed to convert the save | |
| // disk during a factory reset. This is a no-operation if keyslots | |
| // are already named. |
|
|
||
| prepare: | | ||
| # Install what is needed before using the fake store | ||
| snap install jq remarshal |
There was a problem hiding this comment.
shouldn't be needed anymore, nested.sh was updated to use gojq
| snap install jq remarshal |
valentindavid
force-pushed
the
valentindavid/remodel-then-factory-reset
branch
from
b835a09 to
9a27837
Compare
There was a problem hiding this comment.
This looks mostly ok - I've left a few comments, including a suggestion for TemporaryNameOldKeys.
I know we're trying to deliver a MVP for this cycle, but it feels a bit like factory-reset and reprovision are getting tangled together quite a bit. I just want to keep in mind that as per FO166, reprovision should be able to operate independently of factory reset eventually, and it will be required to do so for the post-recovery repair functionality in any case.
| return nil, err | ||
| // Temporarily rename keyslots across the factory reset to | ||
| // allow to create the new ones. | ||
| if err := secbootRenameKeys(saveNode, renames); err != nil { |
There was a problem hiding this comment.
FO166, which describes reprovisioning for FDE, suggests renaming existing keyslots early on to reprovision-XX (with XX being a numeric identifier).
There was a problem hiding this comment.
I can change that.
There was a problem hiding this comment.
Not sure though what "persist the mapping of temporary to old key slot names" means this case. I wonder if maybe we can add a FIXME here and change the names once we have this persisting of the mapping.
There was a problem hiding this comment.
I could prefix with "reprovision-" but keep the name instead of using an id for now.
| // disk during a factory reset. This is a no-operation if all keyslots | ||
| // are already named. | ||
| func TemporaryNameOldKeys(devicePath string) error { | ||
| if err := sb.NameLegacyLUKS2ContainerKey(devicePath, 0, "old-default-key"); err != nil && !errors.Is(err, sb.KeyslotAlreadyHasANameErr) { |
There was a problem hiding this comment.
As this function is making assumption that the container structure is unmodified from the original install, I think it could be improved a bit to make it safer.
If the error is secboot.KeyslotAlreadyHasANameErr, should you check that the keyslot has the expected name before ignoring the error? I think you can probably do that by listing all names with secboot.ListLUKS2ContainerUnlockKeyNames, and then creating a secboot.LUKSKeyDataReader from each name and calling the KeyslotID method to verify that no unexpected name points to each of the keyslots 0-2.
Or an alternative way might be to turn secboot.KeyslotAlreadyHasANameErr into a structure that contains the keyslot's existing name, or define the type of the error based on a string.
There was a problem hiding this comment.
I would prefer doing the removal of other keys that are named out of this function. They are named, so it is part of normal factory reset.
secboot/secboot_tpm.go
Outdated
| @@ -837,7 +837,7 @@ func PCRHandleOfSealedKey(p string) (uint32, error) { | |||
| func tpmReleaseResourcesImpl(tpm *sb_tpm2.Connection, handle tpm2.Handle) error { | |||
| rc, err := tpm.CreateResourceContextFromTPM(handle) | |||
| if err != nil { | |||
| if _, ok := err.(tpm2.ResourceUnavailableError); ok { | |||
| if errors.Is(err, &tpm2.ResourceUnavailableError{}) { | |||
There was a problem hiding this comment.
There is also tpm2.IsResourceUnavailableError
valentindavid
force-pushed
the
valentindavid/remodel-then-factory-reset
branch
from
9a27837 to
9b8bfaf
Compare
Until now, we were just delete old keys on factory-reset instead of renaming if cryptsetup was too old. But this is a bit too dangerous. Instead we copy-delete them. Second, we need to convert old keyslots to have a name so we can remove them after.
valentindavid
force-pushed
the
valentindavid/remodel-then-factory-reset
branch
from
9b8bfaf to
d784faa
Compare
Until now, we were just delete old keys on factory-reset instead of
renaming if cryptsetup was too old. But this is a bit too dangerous.
Instead we copy-delete them.
Second, we need to convert old keyslots to have a name so we can
remove them after.