github.com/ethanhsieh/snapd@v0.0.0-20210615102523-3db9b8e4edc5/secboot/secboot.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2021 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package secboot 21 22 // This file must not have a build-constraint and must not import 23 // the github.com/snapcore/secboot repository. That will ensure 24 // it can be build as part of the debian build without secboot. 25 // Debian does run "go list" without any support for passing -tags. 26 27 import ( 28 "crypto/ecdsa" 29 30 "github.com/snapcore/snapd/asserts" 31 "github.com/snapcore/snapd/bootloader" 32 ) 33 34 const ( 35 // Handles are in the block reserved for TPM owner objects (0x01800000 - 0x01bfffff) 36 RunObjectPCRPolicyCounterHandle = 0x01880001 37 FallbackObjectPCRPolicyCounterHandle = 0x01880002 38 ) 39 40 // WithSecbootSupport is true if this package was built with githbu.com/snapcore/secboot. 41 var WithSecbootSupport = false 42 43 type LoadChain struct { 44 *bootloader.BootFile 45 // Next is a list of alternative chains that can be loaded 46 // following the boot file. 47 Next []*LoadChain 48 } 49 50 // NewLoadChain returns a LoadChain corresponding to loading the given 51 // BootFile before any of the given next chains. 52 func NewLoadChain(bf bootloader.BootFile, next ...*LoadChain) *LoadChain { 53 return &LoadChain{ 54 BootFile: &bf, 55 Next: next, 56 } 57 } 58 59 type SealKeyRequest struct { 60 // The key to seal 61 Key EncryptionKey 62 // The key name; identical keys should have identical names 63 KeyName string 64 // The path to store the sealed key file. The same Key/KeyName 65 // can be stored under multiple KeyFile names for safety. 66 KeyFile string 67 } 68 69 type SealKeyModelParams struct { 70 // The snap model 71 Model *asserts.Model 72 // The set of EFI binary load chains for the current device 73 // configuration 74 EFILoadChains []*LoadChain 75 // The kernel command line 76 KernelCmdlines []string 77 } 78 79 type SealKeysParams struct { 80 // The parameters we're sealing the key to 81 ModelParams []*SealKeyModelParams 82 // The authorization policy update key file (only relevant for TPM) 83 TPMPolicyAuthKey *ecdsa.PrivateKey 84 // The path to the authorization policy update key file (only relevant for TPM, 85 // if empty the key will not be saved) 86 TPMPolicyAuthKeyFile string 87 // The path to the lockout authorization file (only relevant for TPM and only 88 // used if TPMProvision is set to true) 89 TPMLockoutAuthFile string 90 // Whether we should provision the TPM 91 TPMProvision bool 92 // The handle at which to create a NV index for dynamic authorization policy revocation support 93 PCRPolicyCounterHandle uint32 94 } 95 96 type SealKeysWithFDESetupHookParams struct { 97 // Initial model to bind sealed keys to. 98 Model *asserts.Model 99 // AuxKey is the auxiliary key used to bind models. 100 AuxKey AuxKey 101 // The path to the aux key file (if empty the key will not be 102 // saved) 103 AuxKeyFile string 104 } 105 106 type ResealKeysParams struct { 107 // The snap model parameters 108 ModelParams []*SealKeyModelParams 109 // The path to the sealed key files 110 KeyFiles []string 111 // The path to the authorization policy update key file (only relevant for TPM) 112 TPMPolicyAuthKeyFile string 113 } 114 115 // UnlockVolumeUsingSealedKeyOptions contains options for unlocking encrypted 116 // volumes using keys sealed to the TPM. 117 type UnlockVolumeUsingSealedKeyOptions struct { 118 // AllowRecoveryKey when true indicates activation with the recovery key 119 // will be attempted if activation with the sealed key failed. 120 AllowRecoveryKey bool 121 // WhichModel if invoked should return the device model 122 // assertion for which the disk is being unlocked. 123 WhichModel func() (*asserts.Model, error) 124 } 125 126 // UnlockMethod is the method that was used to unlock a volume. 127 type UnlockMethod int 128 129 const ( 130 // NotUnlocked indicates that the device was either not unlocked or is not 131 // an encrypted device. 132 NotUnlocked UnlockMethod = iota 133 // UnlockedWithSealedKey indicates that the device was unlocked with the 134 // provided sealed key object. 135 UnlockedWithSealedKey 136 // UnlockedWithRecoveryKey indicates that the device was unlocked by the 137 // user providing the recovery key at the prompt. 138 UnlockedWithRecoveryKey 139 // UnlockedWithKey indicates that the device was unlocked with the provided 140 // key, which is not sealed. 141 UnlockedWithKey 142 // UnlockStatusUnknown indicates that the unlock status of the device is not clear. 143 UnlockStatusUnknown 144 ) 145 146 // UnlockResult is the result of trying to unlock a volume. 147 type UnlockResult struct { 148 // FsDevice is the device with filesystem ready to mount. 149 // It is the activated device if encrypted or just 150 // the underlying device (same as PartDevice) if non-encrypted. 151 // FsDevice can be empty when none was found. 152 FsDevice string 153 // PartDevice is the underlying partition device. 154 // PartDevice can be empty when no device was found. 155 PartDevice string 156 // IsEncrypted indicates that PartDevice is encrypted. 157 IsEncrypted bool 158 // UnlockMethod is the method used to unlock the device. Valid values are 159 // - NotUnlocked 160 // - UnlockedWithRecoveryKey 161 // - UnlockedWithSealedKey 162 // - UnlockedWithKey 163 UnlockMethod UnlockMethod 164 } 165 166 // EncryptedPartitionName returns the name/label used by an encrypted partition 167 // corresponding to a given name. 168 func EncryptedPartitionName(name string) string { 169 return name + "-enc" 170 }