many: add passphrase authentication support #14918
Conversation
ZeyadYasser
added
Needs Samuele review
pedronis
force-pushed
the
fde-manager-features
branch
from
5802840 to
5ec2e43
Compare
This is still not exposed through the API until target system and entropy checks are added. Signed-off-by: Zeyad Gouda <[email protected]>
ZeyadYasser
force-pushed
the
fde-passphrase-support
branch
from
8b6b37c to
7da02d3
Compare
| @@ -1356,7 +1357,7 @@ func createSaveBootstrappedContainer(saveNode string) (secboot.BootstrappedConta | |||
| return nil, err | |||
| } | |||
|
|
|||
| return secbootCreateBootstrappedContainer(secboot.DiskUnlockKey(saveEncryptionKey), saveNode), nil | |||
| return secbootCreateBootstrappedContainer(secboot.DiskUnlockKey(saveEncryptionKey), saveNode, nil), nil | |||
There was a problem hiding this comment.
shouldn't we take the value from the cache passed it in? is the test currently only dealing with mocked stuff?
There was a problem hiding this comment.
createSaveBootstrappedContainer is only called during factory reset
The value is passed from cache in EncryptPartitions() in the install code path.
There was a problem hiding this comment.
can you point to the relevant code for EncryptPartitions?
There was a problem hiding this comment.
Ahh yes, my bad
snapd/overlord/devicestate/handlers_install.go
Line 1297 in 39dc92b
There was a problem hiding this comment.
I was confused because I missed this change:
https://github.com/canonical/snapd/pull/14918/files#diff-f796a3322af4dad794f8018bb1c4de9e30562adc6e9a5a43e30595e157a138a2R722
secboot/secboot_tpm.go
Outdated
| return nil | ||
| } | ||
|
|
||
| func kdfOptions(volumesAuth device.VolumesAuthOptions) (sb.KDFOptions, error) { |
There was a problem hiding this comment.
this probably should take a pointer as well to device.VolumesAuthOptions)
There was a problem hiding this comment.
updated, thanks!
Signed-off-by: Zeyad Gouda <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## fde-manager-features #14918 +/- ##
=======================================================
Coverage ? 78.16%
=======================================================
Files ? 1166
Lines ? 154990
Branches ? 0
=======================================================
Hits ? 121149
Misses ? 26330
Partials ? 7511
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
This looks fine apart from putting the volume auth options into the bootstrapped container. It should be one set options for the whole system. In the extreme, it could make sense to have different options for every slot. Or a middle ground for each key role. But not per volume, it does not make sense. The run save key and the run data key should have the same configuration. The recover boot key and the recover save key should have the same configuration.
Not related totally related to this PR, but I think the idea that installation is what sets a passphrase is wrong for user experience. It should be the first boot that does it.
Install should be about hardware (including keyboard mapping), software and default locale. Not user configuration. The first boot is where anything from the user can be configured. That means a passphrase should be set during first boot. There is nothing to protect anyway before the user has stored any personal configuration.
If you do not split the install from the first boot. You cannot possibly have factory reset.
Then you also need also the code to work both for installation context and changes. Which is twice the amount of bugs.
You cannot have a (real) OEM installation.
It is a weird thing that some Linux distributions still mix up those 2 phases. Other operating systems do it correctly.
| @@ -490,15 +572,6 @@ func SealKeys(keys []SealKeyRequest, params *SealKeysParams) ([]byte, error) { | |||
| return nil, fmt.Errorf("at least one set of model-specific parameters is required") | |||
| } | |||
|
|
|||
| tpm, err := sbConnectToDefaultTPM() | |||
There was a problem hiding this comment.
would it be a problem if the withTPMConnection() wrapper was called here?
| @@ -481,6 +483,86 @@ func ProvisionForCVM(initramfsUbuntuSeedDir string) error { | |||
| return nil | |||
| } | |||
|
|
|||
| func withTPMConnection(fn func(tpm *sb_tpm2.Connection)) error { | |||
There was a problem hiding this comment.
| func withTPMConnection(fn func(tpm *sb_tpm2.Connection)) error { | |
| func withSingleTPMConnection(fn func(tpm *sb_tpm2.Connection)) error { |
| @@ -481,6 +483,86 @@ func ProvisionForCVM(initramfsUbuntuSeedDir string) error { | |||
| return nil | |||
| } | |||
|
|
|||
| func withTPMConnection(fn func(tpm *sb_tpm2.Connection)) error { | |||
There was a problem hiding this comment.
the function likely needs a comment explaining how the global state is changed
|
@pedronis @valentindavid @bboozzoo I opened #14954 in favor of this PR to implement suggestions from #14918 (review), changes were big enough to warrant a separate PR to avoid confusing diffs. |
|
Closed in favor of #14954 |
This PR implements passphrase authentication support during installation. Currently all volumes created during installation are passphrase encrypted, i.e.
ubuntu-dataandubuntu-save.The implications of having
ubuntu-saveoptionally passphrase-protected is that a factory reset would require a passphrase to be entered to work. This is still an open question on what is optimal from a UX perspective.Note: This is still not exposed through the API until target system and entropy checks are added. This is done by not including
passphrase-authin the list of supported encryption features (Check SD201).I tested the implementation against the spread test from #14867.