secboot: re-introduce v1 fde hook format #14638
base: fde-manager-features
LGTM
This was manually tested with
Codecov Report: Attention: Patch coverage is
@@ Coverage Diff @@
##           fde-manager-features   #14638     +/-   ##
========================================================
- Coverage                 78.87%   78.85%   -0.03%
========================================================
  Files                      1092     1092
  Lines                    147404   147483     +79
========================================================
+ Hits                     116270   116298     +28
- Misses                    23886    23935     +49
- Partials                   7248     7250      +2
secboot/secboot_sb.go
Outdated
@@ -161,6 +161,22 @@ func UnlockVolumeUsingSealedKeyIfEncrypted(disk disks.Disk, name string, sealedE | |||
return res, fmt.Errorf("internal error: cannot build an auth requestor: %v", err) | |||
} | |||
|
|||
if loadedKey.SealedKeyV1 != nil { |
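Review bot: the added `if loadedKey.SealedKeyV1 != nil {` branch carries no comment saying what a v1 key is (a legacy fde-hook key without metadata, per the discussion below), and going by the hunk header (6 old lines become 22) it splices a sizeable block into the middle of UnlockVolumeUsingSealedKeyIfEncrypted directly after the auth requestor is built. Consider a one-line comment above the condition and, as the comment below suggests, deciding the file format explicitly where the key file is read, so the raw legacy key path and the KeyData path stay separate instead of branching on a field the loader may or may not have filled in.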
This feels like a leaky abstraction which only muddies the whole picture; could we do something more explicit, e.g.:

```go
// legacy fde-hooks keys which did not carry any metadata
var legacyV1Key []byte
// more modern keys with metadata
var keys []*sb.KeyData
// isLegacyV1Key - simply checks the header
if fdeHasRevealKey() && isLegacyV1Key(sealedEncryptionKeyFile) {
	legacyV1Key, err = os.ReadFile(sealedEncryptionKeyFile)
	...
} else {
	if err := readKeyFile(sealedEncryptionKeyFile, loadedKey); err != nil {
		return res, err
	}
}
...
if len(legacyV1Key) != 0 {
}
...
// continue with ActivateVolumeWithKeyData
```

and then simply drop the loader thingy
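The explicit split sketched in the comment above, carried through as a runnable Go program. This is an added example, not code from the snapd pull request or from the go-secboot library: `legacyV1Magic` is an assumed header marker (the real v1 fde-hook layout is not shown on this page), `keyData` is a hypothetical stand-in for `sb.KeyData`, and the reveal-hook presence is passed in as a plain bool rather than obtained from `fdeHasRevealKey()`. It shows the two properties the comment asks for: the legacy path is decided by a header check alone and is only reachable when a reveal-key hook exists, and a file that is neither format fails closed instead of being silently treated as a key.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// legacyV1Magic is an ASSUMED header marker standing in for whatever the real
// v1 fde-hook key file begins with; the page does not show the actual format.
var legacyV1Magic = []byte("FDE-HOOK-V1\x00")

// keyData is a hypothetical stand-in for sb.KeyData: a key that carries metadata.
type keyData struct {
	Version      int    `json:"version"`
	PlatformName string `json:"platform_name"`
	EncryptedKey []byte `json:"encrypted_key"`
}

// isLegacyV1Key inspects only the header; it never tries to parse the rest.
func isLegacyV1Key(path string) (bool, error) {
	f, err := os.Open(path)
	if err != nil {
		return false, err
	}
	defer f.Close()
	hdr := make([]byte, len(legacyV1Magic))
	if _, err := io.ReadFull(f, hdr); err != nil {
		if errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) {
			return false, nil // too short to be a v1 key; let the other path decide
		}
		return false, err
	}
	return bytes.Equal(hdr, legacyV1Magic), nil
}

// readKeyFile parses a metadata-carrying key file and rejects anything it does
// not understand, so a file that is neither v1 nor valid key data fails closed.
func readKeyFile(path string) (*keyData, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var kd keyData
	if err := json.Unmarshal(raw, &kd); err != nil {
		return nil, fmt.Errorf("cannot parse key data: %v", err)
	}
	if kd.Version < 2 || len(kd.EncryptedKey) == 0 {
		return nil, fmt.Errorf("cannot use key data: unsupported version %d or empty key", kd.Version)
	}
	return &kd, nil
}

// loadSealedKey is the explicit split from the review comment: exactly one of
// the raw legacy payload or the parsed key data comes back, never both, and the
// legacy branch is only reachable when a reveal-key hook is actually present.
func loadSealedKey(path string, fdeHasRevealKey bool) ([]byte, *keyData, error) {
	if fdeHasRevealKey {
		isV1, err := isLegacyV1Key(path)
		if err != nil {
			return nil, nil, err
		}
		if isV1 {
			raw, err := os.ReadFile(path)
			if err != nil {
				return nil, nil, err
			}
			// only the payload after the header goes to the reveal hook
			return raw[len(legacyV1Magic):], nil, nil
		}
	}
	kd, err := readKeyFile(path)
	if err != nil {
		return nil, nil, err
	}
	return nil, kd, nil
}

func main() {
	// constructed sample: a v1-style file written to a temp dir
	dir, _ := os.MkdirTemp("", "fdekey")
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "v1.key")
	_ = os.WriteFile(p, append(append([]byte{}, legacyV1Magic...), "sealed-payload"...), 0600)
	legacy, kd, err := loadSealedKey(p, true)
	fmt.Printf("legacy=%q keydata=%v err=%v\n", legacy, kd, err)
}
```

Note the ordering in loadSealedKey: the header check runs before any attempt to parse the file as key data, and the same v1 file is rejected outright when no reveal hook is present, which is the behaviour you want rather than having a half-populated loader struct decide later which path was taken.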
Signed-off-by: Maciej Borzecki <[email protected]>