many: rebase fde branch #14637
Open. valentindavid wants to merge 31 commits into canonical:master from valentindavid:valentindavid/fde-branch-rebased (base: master).
We also make the FDE state manager install the backend function to be associated with the state.
It can happen that an update of assets in the seed partition is interrupted and shim is old, but grub is new. That means that the new grub has to be signed with a vendor key from shim. Secboot will refuse to reseal if we have a potentially impossible boot chain. So we should not test that impossible case.
Because we will need to enroll multiple keys, we need to make the first key at volume creation a bootstrap key that we remove in the end. This commit does not implement it, but it does add the abstraction that will allow us to do it.
When using FDE with hooks or TPM, modifying the run model in the boot partition should result in a disk that does not unlock. A recovery must be used in that case.
Its use was removed in 3988a93, which was in PR canonical#11715.
Also update github.com/mvo5/goconfigparser to latest.
`by-partuuid` does not make much sense because it uselessly assumes that it is a partition. Conceptually we should not care about it. It also makes the resolution more complex, as we need to fetch information about the device which we do not really need at this point. It is more common to resolve by filesystem UUID than by partition UUID. For instance, cryptsetup accepts a path as `UUID=deadbeef-dead-dead-dead-deaddeafbeef`. But it does not accept this kind of syntax for partitions.
Stubs
Signed-off-by: Maciej Borzecki <[email protected]>
… process being root
Add a new access checker which verifies that the request is coming from a root user and, if the process is a snap, that a required interface is connected, with that snap present on the slot side.
Signed-off-by: Maciej Borzecki <[email protected]>
…ureboot key DBs
Add a new endpoint for integration with a local manager of EFI secureboot key databases.
Signed-off-by: Maciej Borzecki <[email protected]>
This factors and simplifies the TPM and FDE hook code together. This does not yet factor the key file based one.
* overlord/fdestate: keep FDE state up to date. StartUp() initializes the empty profiles, and reseal updates them.
* secboot: reexport secboot's kernel-key-not-found error. Signed-off-by: Maciej Borzecki <[email protected]>
* overlord/fdestate: use correct mount point for ubuntu-data. Signed-off-by: Maciej Borzecki <[email protected]>
* overlord/fdestate: skip key verification when key not in keyring. For interim compatibility, the key used to unlock ubuntu-save may not be present in the kernel keyring, so allow the key digest verification step to be skipped in such a scenario. Signed-off-by: Maciej Borzecki <[email protected]>
* secboot: use secboot marshallers instead of encoding/json for PCR profiles. Signed-off-by: Maciej Borzecki <[email protected]>
---------
Signed-off-by: Maciej Borzecki <[email protected]>
Co-authored-by: Maciej Borzecki <[email protected]>
github-actions bot added the labels Needs Documentation -auto- (label automatically added which indicates the change needs documentation) and Run Nested -auto- (label automatically added in case nested tests need to be executed) on Oct 17, 2024.
valentindavid added the Run nested label (the PR also runs tests included in the nested suite) on Oct 17, 2024.
valentindavid force-pushed the valentindavid/fde-branch-rebased branch from 3c716ac to 6dcf4a7 on October 17, 2024 08:42.
valentindavid force-pushed the valentindavid/fde-branch-rebased branch from 6dcf4a7 to fd3e847 on October 17, 2024 10:23.
Codecov Report
Attention: Patch coverage is

@@ Coverage Diff @@
## master #14637 +/- ##
==========================================
- Coverage 78.89% 78.87% -0.02%
==========================================
Files 1083 1092 +9
Lines 146377 147404 +1027
==========================================
+ Hits 115479 116270 +791
- Misses 23695 23886 +191
- Partials 7203 7248 +45
No description provided.