
     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  // +build !nosecboot
     3  
     4  /*
     5   * Copyright (C) 2020 Canonical Ltd
     6   *
     7   * This program is free software: you can redistribute it and/or modify
     8   * it under the terms of the GNU General Public License version 3 as
     9   * published by the Free Software Foundation.
    10   *
    11   * This program is distributed in the hope that it will be useful,
    12   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    13   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    14   * GNU General Public License for more details.
    15   *
    16   * You should have received a copy of the GNU General Public License
    17   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    18   *
    19   */
    20  
    21  package secboot
    22  
    23  import (
    24  	sb "github.com/snapcore/secboot"
    25  )
    26  
// Package-level indirections to the secboot primitives this file relies on.
// Holding them in variables rather than calling sb directly allows the
// implementation to be swapped (presumably by tests — nothing in this file
// reassigns them).
var sbInitializeLUKS2Container = sb.InitializeLUKS2Container

var sbAddRecoveryKeyToLUKS2Container = sb.AddRecoveryKeyToLUKS2Container
    31  
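// LUKS2 header geometry used when a new encrypted device is formatted.
// Both values are in KiB, matching the units of the corresponding fields in
// sb.InitializeLUKS2ContainerOptions (binary units, hence MiB below).
const (
	// keyslotsAreaKiBSize is the size of the LUKS2 keyslots area:
	// 2560 KiB = 2.5 MiB.
	keyslotsAreaKiBSize = 2560
	// metadataKiBSize is the size of the LUKS2 metadata area:
	// 2048 KiB = 2 MiB.
	metadataKiBSize = 2048
)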
    34  
// FormatEncryptedDevice initializes an encrypted volume on the block device
// given by node, setting the specified label. The key used to unlock the volume
// is provided using the key argument.
//
// The LUKS2 header is laid out with the metadata and keyslots area sizes from
// metadataKiBSize and keyslotsAreaKiBSize, which are smaller than whatever
// secboot would otherwise apply but are expected to leave enough room.
// The key bytes are handed to secboot as-is; this function does not wipe key
// afterwards, so the caller remains responsible for its lifetime.
func FormatEncryptedDevice(key EncryptionKey, label, node string) error {
	containerOpts := sb.InitializeLUKS2ContainerOptions{
		// deliberately reduced header areas that should still leave
		// enough room for the keyslots snapd needs
		MetadataKiBSize:     metadataKiBSize,
		KeyslotsAreaKiBSize: keyslotsAreaKiBSize,
	}
	return sbInitializeLUKS2Container(node, label, key[:], &containerOpts)
}
    47  
// AddRecoveryKey adds a fallback recovery key rkey to the existing encrypted
// volume created with FormatEncryptedDevice on the block device given by node.
// The existing key to the encrypted volume is provided in the key argument.
//
// Both key and rkey are secret material. They are passed to secboot unchanged
// and are not cleared here once the call returns.
func AddRecoveryKey(key EncryptionKey, rkey RecoveryKey, node string) error {
	// secboot has its own RecoveryKey type; convert at the package boundary
	recovery := sb.RecoveryKey(rkey)
	return sbAddRecoveryKeyToLUKS2Container(node, key[:], recovery)
}
    54  
// String returns the recovery key in the textual form produced by secboot's
// RecoveryKey.String. NOTE(review): that form presumably encodes the key
// itself rather than a redacted placeholder, so treat the result as a secret
// and keep it out of logs, error messages and crash reports.
func (k RecoveryKey) String() string {
	asSecbootKey := sb.RecoveryKey(k)
	return asSecbootKey.String()
}