// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2020 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */

package secboot

// This file must not have a build-constraint and must not import
// the github.com/snapcore/secboot repository. That will ensure
// it can be built as part of the debian build without secboot.
// Debian does run "go list" without any support for passing -tags.

import (
	"crypto/ecdsa"

	"github.com/snapcore/snapd/asserts"
	"github.com/snapcore/snapd/bootloader"
)

const (
	// Handles are in the block reserved for TPM owner objects (0x01800000 - 0x01bfffff).
	//
	// Both are NV index handles used for dynamic authorization policy
	// revocation (see SealKeysParams.PCRPolicyCounterHandle). Two distinct
	// handles are defined so each sealed key object can carry its own
	// counter; presumably "Run" is for the run-mode object and "Fallback"
	// for the fallback/recovery object — confirm against the sealing code.
	RunObjectPCRPolicyCounterHandle      = 0x01880001
	FallbackObjectPCRPolicyCounterHandle = 0x01880002
)

// LoadChain is one node of a tree of boot files: the embedded BootFile
// is loaded first, and Next lists the alternative chains that may be
// loaded after it.
type LoadChain struct {
	*bootloader.BootFile
	// Next is a list of alternative chains that can be loaded
	// following the boot file.
	Next []*LoadChain
}

// NewLoadChain returns a LoadChain corresponding to loading the given
// BootFile before any of the given next chains. The BootFile is passed
// by value, so the returned chain points at its own copy rather than at
// the caller's variable.
func NewLoadChain(bf bootloader.BootFile, next ...*LoadChain) *LoadChain {
	// bf is a by-value parameter, so taking its address yields a private
	// copy; the chain cannot be altered through the caller's BootFile.
	chain := LoadChain{Next: next}
	chain.BootFile = &bf
	return &chain
}

// SealKeyRequest describes one encryption key to seal and where the
// resulting sealed key file is written.
type SealKeyRequest struct {
	// Key is the encryption key to seal.
	Key EncryptionKey
	// KeyName identifies the key; identical keys should carry identical names.
	KeyName string
	// KeyFile is the path the sealed key is stored at. The same
	// Key/KeyName pair may be written to several KeyFile paths for safety.
	KeyFile string
}

// SealKeyModelParams is the set of model and boot properties a key is
// sealed against.
type SealKeyModelParams struct {
	// Model is the snap model assertion.
	Model *asserts.Model
	// EFILoadChains are the EFI binary load chains for the current
	// device configuration.
	EFILoadChains []*LoadChain
	// KernelCmdlines lists the kernel command lines to seal against.
	KernelCmdlines []string
}

// SealKeysParams bundles the parameters of a key sealing operation.
type SealKeysParams struct {
	// ModelParams are the parameters the keys are sealed to.
	ModelParams []*SealKeyModelParams
	// TPMPolicyAuthKey is the authorization policy update key (only
	// relevant for TPM).
	// NOTE(review): presumably whoever holds this private key can
	// authorize replacement PCR policies, so it warrants the same
	// protection as the sealed key material — confirm against the
	// sealing implementation.
	TPMPolicyAuthKey *ecdsa.PrivateKey
	// TPMPolicyAuthKeyFile is the path the authorization policy update
	// key is saved to (only relevant for TPM; if empty the key is not
	// saved).
	TPMPolicyAuthKeyFile string
	// TPMLockoutAuthFile is the path of the lockout authorization file
	// (only relevant for TPM and only used when TPMProvision is true).
	// The lockout authorization is sensitive material and its file
	// should be treated accordingly.
	TPMLockoutAuthFile string
	// TPMProvision controls whether the TPM should be provisioned.
	TPMProvision bool
	// PCRPolicyCounterHandle is the handle at which to create a NV index
	// for dynamic authorization policy revocation support (see
	// RunObjectPCRPolicyCounterHandle and
	// FallbackObjectPCRPolicyCounterHandle).
	PCRPolicyCounterHandle uint32
}

// ResealKeysParams bundles the parameters of a key resealing operation.
type ResealKeysParams struct {
	// ModelParams are the snap model parameters to reseal to.
	ModelParams []*SealKeyModelParams
	// KeyFiles are the paths of the sealed key files to reseal.
	KeyFiles []string
	// TPMPolicyAuthKeyFile is the path of the authorization policy
	// update key file (only relevant for TPM).
	TPMPolicyAuthKeyFile string
}

// UnlockVolumeUsingSealedKeyOptions contains options for unlocking encrypted
// volumes using keys sealed to the TPM.
type UnlockVolumeUsingSealedKeyOptions struct {
	// AllowRecoveryKey when true indicates activation with the recovery key
	// will be attempted if activation with the sealed key failed.
	//
	// The recovery-key path is a fallback that does not depend on the
	// sealed key succeeding, so callers should enable it deliberately
	// rather than by default.
	AllowRecoveryKey bool
}

// UnlockMethod is the method that was used to unlock a volume.
type UnlockMethod int

const (
	// NotUnlocked indicates that the device was either not unlocked or is not
	// an encrypted device.
	NotUnlocked UnlockMethod = iota
	// UnlockedWithSealedKey indicates that the device was unlocked with the
	// provided sealed key object.
	UnlockedWithSealedKey
	// UnlockedWithRecoveryKey indicates that the device was unlocked by the
	// user providing the recovery key at the prompt.
	UnlockedWithRecoveryKey
	// UnlockedWithKey indicates that the device was unlocked with the provided
	// key, which is not sealed.
	UnlockedWithKey
	// UnlockStatusUnknown indicates that the unlock status of the device is not clear.
	UnlockStatusUnknown
)

// UnlockResult is the result of trying to unlock a volume.
type UnlockResult struct {
	// FsDevice is the device with filesystem ready to mount.
	// It is the activated device if encrypted or just
	// the underlying device (same as PartDevice) if non-encrypted.
	// FsDevice can be empty when none was found.
	FsDevice string
	// PartDevice is the underlying partition device.
	// PartDevice can be empty when no device was found.
	PartDevice string
	// IsEncrypted indicates that PartDevice is encrypted.
	IsEncrypted bool
	// UnlockMethod is the method used to unlock the device. Valid values are
	// - NotUnlocked
	// - UnlockedWithRecoveryKey
	// - UnlockedWithSealedKey
	// - UnlockedWithKey
	// NOTE(review): UnlockStatusUnknown is also an UnlockMethod constant
	// but is not listed here; confirm with callers whether it can appear
	// in this field.
	UnlockMethod UnlockMethod
}

// FDEHasRevealKey is set up by devicestate/fde to support device-specific
// full disk encryption implementations. The default below reports that no
// such implementation is available.
var FDEHasRevealKey = noFDERevealKey // default until devicestate/fde installs a device-specific hook

// noFDERevealKey is the built-in default for FDEHasRevealKey: no
// device-specific full disk encryption reveal hook is registered.
func noFDERevealKey() bool {
	return false
}

// EncryptedPartitionName returns the name/label used by an encrypted partition
// corresponding to a given name: the name with a fixed "-enc" suffix.
func EncryptedPartitionName(name string) string {
	const suffix = "-enc"
	return name + suffix
}