From 6b5d83e745dcd0df26a644c60d78d486a69a1f8e Mon Sep 17 00:00:00 2001
From: Valentin David
Date: Thu, 12 Dec 2024 13:31:08 +0100
Subject: [PATCH] fixup! many: propagate the primary key from when we set encrypted containers

---
 overlord/fdestate/backend/seal.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/overlord/fdestate/backend/seal.go b/overlord/fdestate/backend/seal.go
index 4fdbc1aa944..c2a84a56c79 100644
--- a/overlord/fdestate/backend/seal.go
+++ b/overlord/fdestate/backend/seal.go
@@ -93,7 +93,7 @@ func fallbackKeySealRequests(key, saveKey secboot.BootstrappedContainer, factory
 	}
 }
 
-func sealRunObjectKeys(key secboot.BootstrappedContainer, pbc boot.PredictableBootChains, primaryKey []byte, roleToBlName map[bootloader.Role]string, pcrHandle uint32, useTokens bool) ([]byte, error) {
+func sealRunObjectKeys(key secboot.BootstrappedContainer, pbc boot.PredictableBootChains, maybePrimaryKey []byte, roleToBlName map[bootloader.Role]string, pcrHandle uint32, useTokens bool) ([]byte, error) {
 	modelParams, err := boot.SealKeyModelParams(pbc, roleToBlName)
 	if err != nil {
 		return nil, fmt.Errorf("cannot prepare for key sealing: %v", err)
@@ -101,7 +101,7 @@ func sealRunObjectKeys(key secboot.BootstrappedContainer, pbc boot.PredictableBo
 
 	sealKeyParams := &secboot.SealKeysParams{
 		ModelParams:            modelParams,
-		PrimaryKey:             primaryKey,
+		PrimaryKey:             maybePrimaryKey,
 		TPMPolicyAuthKeyFile:   filepath.Join(boot.InstallHostFDESaveDir, "tpm-policy-auth-key"),
 		PCRPolicyCounterHandle: pcrHandle,
 	}
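Review bot: sealRunObjectKeys still has no doc comment after the rename in the first hunk, and the new name maybePrimaryKey implies a nil-vs-non-nil contract that nothing in the signature or the SealKeysParams assignment in the second hunk spells out. Presumably nil means secbootSealKeys generates the primary key and the returned value is that fresh key, while a non-nil value is reused; that should be stated at the declaration rather than left to the parameter name. Suggested comment above the func line: `// sealRunObjectKeys seals the run-object keys for key. If maybePrimaryKey is nil a primary key is created by the sealing backend; the primary key actually used is returned so callers can propagate it to the remaining containers.` The function body continues past the second hunk into the third, so the comment is the only place a caller sees the whole contract.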
@@ -112,12 +112,12 @@ func sealRunObjectKeys(key secboot.BootstrappedContainer, pbc boot.PredictableBo
 	// path only unseals one object because unsealing is expensive.
 	// Furthermore, the run object key is stored on ubuntu-boot so that we do not
 	// need to continually write/read keys from ubuntu-seed.
-	createdPrimaryKey, err := secbootSealKeys(runKeySealRequests(key, useTokens), sealKeyParams)
+	primaryKey, err := secbootSealKeys(runKeySealRequests(key, useTokens), sealKeyParams)
 	if err != nil {
 		return nil, fmt.Errorf("cannot seal the encryption keys: %v", err)
 	}
 
-	return createdPrimaryKey, nil
+	return primaryKey, nil
 }
 
 func sealFallbackObjectKeys(key, saveKey secboot.BootstrappedContainer, pbc boot.PredictableBootChains, primaryKey []byte, roleToBlName map[bootloader.Role]string, factoryReset bool, pcrHandle uint32, useTokens bool) error {