From 7713d6cd4c6201bb3b4575b0812780be64f625a1 Mon Sep 17 00:00:00 2001 From: Zeyad Gouda Date: Fri, 13 Dec 2024 14:22:35 +0200 Subject: [PATCH 1/2] many: move secboot.EncryptionType under gadget/device Signed-off-by: Zeyad Gouda --- client/systems.go | 6 +- cmd/snap-bootstrap/cmd_initramfs_mounts.go | 2 +- daemon/api_systems.go | 2 +- daemon/api_systems_test.go | 4 +- gadget/device/encrypt.go | 14 +++ gadget/gadget.go | 4 +- gadget/gadget_test.go | 14 +-- gadget/gadgettest/gadgettest.go | 8 +- gadget/install/encrypt.go | 3 +- gadget/install/encrypt_test.go | 5 +- gadget/install/export_secboot_test.go | 3 +- gadget/install/install.go | 19 ++-- gadget/install/install_dummy.go | 3 +- gadget/install/install_test.go | 21 ++-- gadget/install/params.go | 3 +- gadget/layout.go | 8 +- gadget/layout_test.go | 10 +- overlord/devicestate/devicemgr.go | 2 +- .../devicestate_install_api_test.go | 5 +- .../devicestate_install_mode_test.go | 27 ++--- overlord/devicestate/export_test.go | 5 +- overlord/devicestate/handlers_install.go | 12 +-- overlord/install/install.go | 18 ++-- overlord/install/install_test.go | 101 +++++++++--------- secboot/encrypt.go | 14 --- secboot/encrypt_sb.go | 5 +- secboot/encrypt_sb_test.go | 5 +- tests/lib/muinstaller/main.go | 9 +- tests/lib/uc20-create-partitions/main.go | 5 +- 29 files changed, 173 insertions(+), 164 deletions(-) diff --git a/client/systems.go b/client/systems.go index d133bc162da..9ca6df2b8b0 100644 --- a/client/systems.go +++ b/client/systems.go @@ -27,6 +27,7 @@ import ( "golang.org/x/xerrors" "github.com/snapcore/snapd/gadget" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/snap" ) @@ -162,9 +163,8 @@ type StorageEncryption struct { // StorageSafety can have values of asserts.StorageSafety StorageSafety string `json:"storage-safety,omitempty"` - // Type has values of secboot.EncryptionType: "", "cryptsetup", - // "cryptsetup-with-inline-crypto-engine" - Type string `json:"encryption-type,omitempty"` + // Type has values of device.EncryptionType. + Type device.EncryptionType `json:"encryption-type,omitempty"` // UnavailableReason describes why the encryption is not // available in a human readable form. Depending on if diff --git a/cmd/snap-bootstrap/cmd_initramfs_mounts.go b/cmd/snap-bootstrap/cmd_initramfs_mounts.go index c9c817b4a2f..ca276041e77 100644 --- a/cmd/snap-bootstrap/cmd_initramfs_mounts.go +++ b/cmd/snap-bootstrap/cmd_initramfs_mounts.go @@ -306,7 +306,7 @@ func doInstall(mst *initramfsMountsState, model *asserts.Model, sysSnaps map[sna if err != nil { return err } - useEncryption := (encryptionSupport != secboot.EncryptionTypeNone) + useEncryption := (encryptionSupport != device.EncryptionTypeNone) installObserver, trustedInstallObserver, err := installBuildInstallObserver(model, gadgetMountDir, useEncryption) if err != nil { diff --git a/daemon/api_systems.go b/daemon/api_systems.go index 4ba32982c36..4e45109a9b9 100644 --- a/daemon/api_systems.go +++ b/daemon/api_systems.go @@ -127,7 +127,7 @@ func storageEncryption(encInfo *install.EncryptionSupportInfo) *client.StorageEn } storageEnc := &client.StorageEncryption{ StorageSafety: string(encInfo.StorageSafety), - Type: string(encInfo.Type), + Type: encInfo.Type, } required := (encInfo.StorageSafety == asserts.StorageSafetyEncrypted) switch { diff --git a/daemon/api_systems_test.go b/daemon/api_systems_test.go index bd9bf65a5e7..9c32adaed15 100644 --- a/daemon/api_systems_test.go +++ b/daemon/api_systems_test.go @@ -45,6 +45,7 @@ import ( "github.com/snapcore/snapd/daemon" "github.com/snapcore/snapd/dirs" "github.com/snapcore/snapd/gadget" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/gadget/quantity" "github.com/snapcore/snapd/overlord/assertstate/assertstatetest" "github.com/snapcore/snapd/overlord/auth" @@ -55,7 +56,6 @@ import ( "github.com/snapcore/snapd/overlord/snapstate" "github.com/snapcore/snapd/overlord/state" "github.com/snapcore/snapd/release" - "github.com/snapcore/snapd/secboot" "github.com/snapcore/snapd/seed" "github.com/snapcore/snapd/seed/seedtest" "github.com/snapcore/snapd/snap" @@ -819,7 +819,7 @@ func (s *systemsSuite) TestSystemsGetSystemDetailsForLabel(c *check.C) { for _, tc := range []struct { disabled, available bool storageSafety asserts.StorageSafety - typ secboot.EncryptionType + typ device.EncryptionType unavailableErr, unavailableWarning string expectedSupport client.StorageEncryptionSupport diff --git a/gadget/device/encrypt.go b/gadget/device/encrypt.go index 2c399edd32d..f1620e9c337 100644 --- a/gadget/device/encrypt.go +++ b/gadget/device/encrypt.go @@ -137,3 +137,17 @@ func SealedKeysMethod(rootdir string) (sm SealingMethod, err error) { } return SealingMethod(content), err } + +// EncryptionType specifies what encryption backend should be used (if any) +type EncryptionType string + +const ( + EncryptionTypeNone EncryptionType = "" + EncryptionTypeLUKS EncryptionType = "cryptsetup" + EncryptionTypeLUKSWithICE EncryptionType = "cryptsetup-with-inline-crypto-engine" +) + +// TODO:ICE: all EncryptionTypes are LUKS based now so this could be removed? +func (et EncryptionType) IsLUKS() bool { + return et == EncryptionTypeLUKS || et == EncryptionTypeLUKSWithICE +} diff --git a/gadget/gadget.go b/gadget/gadget.go index 502f5c0afe1..080605e40a7 100644 --- a/gadget/gadget.go +++ b/gadget/gadget.go @@ -35,6 +35,7 @@ import ( "gopkg.in/yaml.v2" "github.com/snapcore/snapd/asserts" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/gadget/edition" "github.com/snapcore/snapd/gadget/quantity" "github.com/snapcore/snapd/logger" @@ -42,7 +43,6 @@ import ( "github.com/snapcore/snapd/osutil" "github.com/snapcore/snapd/osutil/disks" "github.com/snapcore/snapd/osutil/kcmdline" - "github.com/snapcore/snapd/secboot" "github.com/snapcore/snapd/snap" "github.com/snapcore/snapd/snap/naming" "github.com/snapcore/snapd/snap/snapfile" @@ -1725,7 +1725,7 @@ func checkCompatibleSchema(old, new *Volume) error { // LaidOutVolumesFromGadget takes gadget volumes, gadget and kernel rootdirs // and lays out the partitions on all volumes as specified. It returns the // volumes mentioned in the gadget.yaml and their laid out representations. -func LaidOutVolumesFromGadget(vols map[string]*Volume, gadgetRoot, kernelRoot string, encType secboot.EncryptionType, volToGadgetToDiskStruct map[string]map[int]*OnDiskStructure) (all map[string]*LaidOutVolume, err error) { +func LaidOutVolumesFromGadget(vols map[string]*Volume, gadgetRoot, kernelRoot string, encType device.EncryptionType, volToGadgetToDiskStruct map[string]map[int]*OnDiskStructure) (all map[string]*LaidOutVolume, err error) { all = make(map[string]*LaidOutVolume) // layout all volumes saving them diff --git a/gadget/gadget_test.go b/gadget/gadget_test.go index 4ea2a8bdc3d..1b35ac1549a 100644 --- a/gadget/gadget_test.go +++ b/gadget/gadget_test.go @@ -34,12 +34,12 @@ import ( "github.com/snapcore/snapd/dirs" "github.com/snapcore/snapd/gadget" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/gadget/gadgettest" "github.com/snapcore/snapd/gadget/quantity" "github.com/snapcore/snapd/logger" "github.com/snapcore/snapd/osutil/disks" "github.com/snapcore/snapd/osutil/kcmdline" - "github.com/snapcore/snapd/secboot" "github.com/snapcore/snapd/snap" "github.com/snapcore/snapd/snap/snapfile" "github.com/snapcore/snapd/snap/snaptest" @@ -2353,7 +2353,7 @@ func (s *gadgetYamlTestSuite) TestLaidOutVolumesFromGadgetMultiVolume(c *C) { err = os.WriteFile(filepath.Join(s.dir, "u-boot.imz"), nil, 0644) c.Assert(err, IsNil) - all, err := gadgettest.LaidOutVolumesFromGadget(s.dir, "", uc20Mod, secboot.EncryptionTypeNone, nil) + all, err := gadgettest.LaidOutVolumesFromGadget(s.dir, "", uc20Mod, device.EncryptionTypeNone, nil) c.Assert(err, IsNil) c.Assert(all, HasLen, 2) @@ -2395,7 +2395,7 @@ func (s *gadgetYamlTestSuite) TestLaidOutVolumesFromGadgetHappy(c *C) { c.Assert(err, IsNil) } - all, err := gadgettest.LaidOutVolumesFromGadget(s.dir, "", coreMod, secboot.EncryptionTypeNone, nil) + all, err := gadgettest.LaidOutVolumesFromGadget(s.dir, "", coreMod, device.EncryptionTypeNone, nil) c.Assert(err, IsNil) c.Assert(all, HasLen, 1) c.Assert(all["pc"].Volume.Bootloader, Equals, "grub") @@ -2419,7 +2419,7 @@ func (s *gadgetYamlTestSuite) TestLaidOutVolumesFromGadgetAndDiskHappy(c *C) { 4: {Name: "ubuntu-save"}, 5: {Name: "ubuntu-data"}, } - all, err := gadgettest.LaidOutVolumesFromGadget(s.dir, "", uc20Mod, secboot.EncryptionTypeNone, nil) + all, err := gadgettest.LaidOutVolumesFromGadget(s.dir, "", uc20Mod, device.EncryptionTypeNone, nil) c.Assert(err, IsNil) c.Assert(all, HasLen, 1) c.Assert(all["pc"].Volume.Bootloader, Equals, "grub") @@ -2446,7 +2446,7 @@ func (s *gadgetYamlTestSuite) TestLaidOutVolumesFromGadgetAndDiskFail(c *C) { volToGadgetToDiskStruct := map[string]map[int]*gadget.OnDiskStructure{ "pc": gadgetToDiskStruct, } - all, err := gadgettest.LaidOutVolumesFromGadget(s.dir, "", uc20Mod, secboot.EncryptionTypeNone, volToGadgetToDiskStruct) + all, err := gadgettest.LaidOutVolumesFromGadget(s.dir, "", uc20Mod, device.EncryptionTypeNone, volToGadgetToDiskStruct) c.Assert(err.Error(), Equals, `internal error: partition "ubuntu-seed" not in disk map`) c.Assert(all, IsNil) } @@ -2459,7 +2459,7 @@ func (s *gadgetYamlTestSuite) testLaidOutVolumesFromGadgetUCHappy(c *C, gadgetYa c.Assert(err, IsNil) } - all, err := gadgettest.LaidOutVolumesFromGadget(s.dir, "", uc20Mod, secboot.EncryptionTypeNone, nil) + all, err := gadgettest.LaidOutVolumesFromGadget(s.dir, "", uc20Mod, device.EncryptionTypeNone, nil) c.Assert(err, IsNil) c.Assert(all, HasLen, 1) c.Assert(all["pc"].Volume.Bootloader, Equals, "grub") @@ -4337,7 +4337,7 @@ func (s *gadgetYamlTestSuite) TestLaidOutVolumesFromClassicWithModesGadgetHappy( c.Assert(err, IsNil) } - all, err := gadgettest.LaidOutVolumesFromGadget(s.dir, "", classicWithModesMod, secboot.EncryptionTypeNone, nil) + all, err := gadgettest.LaidOutVolumesFromGadget(s.dir, "", classicWithModesMod, device.EncryptionTypeNone, nil) c.Assert(err, IsNil) c.Assert(all, HasLen, 1) c.Assert(all["pc"].Volume.Bootloader, Equals, "grub") diff --git a/gadget/gadgettest/gadgettest.go b/gadget/gadgettest/gadgettest.go index 96c21fb5c66..0ccda47a236 100644 --- a/gadget/gadgettest/gadgettest.go +++ b/gadget/gadgettest/gadgettest.go @@ -27,12 +27,12 @@ import ( "github.com/snapcore/snapd/asserts" "github.com/snapcore/snapd/boot/boottest" "github.com/snapcore/snapd/gadget" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/gadget/quantity" "github.com/snapcore/snapd/osutil/disks" - "github.com/snapcore/snapd/secboot" ) -func LaidOutVolumesFromGadget(gadgetRoot, kernelRoot string, model gadget.Model, encType secboot.EncryptionType, volToGadgetToDiskStruct map[string]map[int]*gadget.OnDiskStructure) (all map[string]*gadget.LaidOutVolume, err error) { +func LaidOutVolumesFromGadget(gadgetRoot, kernelRoot string, model gadget.Model, encType device.EncryptionType, volToGadgetToDiskStruct map[string]map[int]*gadget.OnDiskStructure) (all map[string]*gadget.LaidOutVolume, err error) { // rely on the basic validation from ReadInfo to ensure that the system-* // roles are all on the same volume for example info, err := gadget.ReadInfoAndValidate(gadgetRoot, model, nil) @@ -63,7 +63,7 @@ func LayoutMultiVolumeFromYaml(newDir, kernelDir, gadgetYaml string, model gadge return nil, err } - allVolumes, err := LaidOutVolumesFromGadget(gadgetRoot, kernelDir, model, secboot.EncryptionTypeNone, nil) + allVolumes, err := LaidOutVolumesFromGadget(gadgetRoot, kernelDir, model, device.EncryptionTypeNone, nil) if err != nil { return nil, fmt.Errorf("cannot layout volumes: %v", err) } @@ -267,7 +267,7 @@ func MockGadgetPartitionedDisk(gadgetYaml, gadgetRoot string) (ginfo *gadget.Inf if err != nil { return nil, nil, nil, nil, err } - laidVols, err = LaidOutVolumesFromGadget(gadgetRoot, "", model, secboot.EncryptionTypeNone, nil) + laidVols, err = LaidOutVolumesFromGadget(gadgetRoot, "", model, device.EncryptionTypeNone, nil) if err != nil { return nil, nil, nil, nil, err } diff --git a/gadget/install/encrypt.go b/gadget/install/encrypt.go index ee7c45effbe..08bc273fdd0 100644 --- a/gadget/install/encrypt.go +++ b/gadget/install/encrypt.go @@ -23,6 +23,7 @@ package install import ( "fmt" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/secboot" ) @@ -48,7 +49,7 @@ var _ = encryptedDevice(&encryptedDeviceLUKS{}) // newEncryptedDeviceLUKS creates an encrypted device in the existing // partition using the specified key with the LUKS backend. -func newEncryptedDeviceLUKS(devNode string, encType secboot.EncryptionType, key secboot.DiskUnlockKey, label, name string) (encryptedDevice, error) { +func newEncryptedDeviceLUKS(devNode string, encType device.EncryptionType, key secboot.DiskUnlockKey, label, name string) (encryptedDevice, error) { encLabel := label + "-enc" if err := secbootFormatEncryptedDevice(key, encType, encLabel, devNode); err != nil { return nil, fmt.Errorf("cannot format encrypted device: %v", err) diff --git a/gadget/install/encrypt_test.go b/gadget/install/encrypt_test.go index 4114677192b..1fcd47895fd 100644 --- a/gadget/install/encrypt_test.go +++ b/gadget/install/encrypt_test.go @@ -27,6 +27,7 @@ import ( . "gopkg.in/check.v1" "github.com/snapcore/snapd/dirs" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/gadget/install" "github.com/snapcore/snapd/secboot" "github.com/snapcore/snapd/secboot/keys" @@ -88,7 +89,7 @@ func (s *encryptSuite) TestNewEncryptedDeviceLUKS(c *C) { })() calls := 0 - restore := install.MockSecbootFormatEncryptedDevice(func(key []byte, encType secboot.EncryptionType, label, node string) error { + restore := install.MockSecbootFormatEncryptedDevice(func(key []byte, encType device.EncryptionType, label, node string) error { calls++ c.Assert(key, DeepEquals, []byte(s.mockedEncryptionKey)) c.Assert(label, Equals, "some-label-enc") @@ -97,7 +98,7 @@ func (s *encryptSuite) TestNewEncryptedDeviceLUKS(c *C) { }) defer restore() - dev, err := install.NewEncryptedDeviceLUKS("/dev/node1", secboot.EncryptionTypeLUKS, secboot.DiskUnlockKey(s.mockedEncryptionKey), "some-label", "some-label") + dev, err := install.NewEncryptedDeviceLUKS("/dev/node1", device.EncryptionTypeLUKS, secboot.DiskUnlockKey(s.mockedEncryptionKey), "some-label", "some-label") c.Assert(calls, Equals, 1) if tc.expectedErr == "" { c.Assert(err, IsNil) diff --git a/gadget/install/export_secboot_test.go b/gadget/install/export_secboot_test.go index eddb9dbe308..fa5a8a5e99d 100644 --- a/gadget/install/export_secboot_test.go +++ b/gadget/install/export_secboot_test.go @@ -21,6 +21,7 @@ package install import ( + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/secboot" "github.com/snapcore/snapd/testutil" ) @@ -30,7 +31,7 @@ var ( NewEncryptedDeviceLUKS = newEncryptedDeviceLUKS ) -func MockSecbootFormatEncryptedDevice(f func(key []byte, encType secboot.EncryptionType, label, node string) error) (restore func()) { +func MockSecbootFormatEncryptedDevice(f func(key []byte, encType device.EncryptionType, label, node string) error) (restore func()) { r := testutil.Backup(&secbootFormatEncryptedDevice) secbootFormatEncryptedDevice = f return r diff --git a/gadget/install/install.go b/gadget/install/install.go index a72af1f01e3..9a39d10c0aa 100644 --- a/gadget/install/install.go +++ b/gadget/install/install.go @@ -30,6 +30,7 @@ import ( "github.com/snapcore/snapd/boot" "github.com/snapcore/snapd/dirs" "github.com/snapcore/snapd/gadget" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/gadget/quantity" "github.com/snapcore/snapd/kernel" "github.com/snapcore/snapd/logger" @@ -99,10 +100,10 @@ func saveStorageTraits(mod gadget.Model, allVols map[string]*gadget.Volume, opts return nil } -func maybeEncryptPartition(dgpair *gadget.OnDiskAndGadgetStructurePair, encryptionType secboot.EncryptionType, sectorSize quantity.Size, perfTimings timings.Measurer) (fsParams *mkfsParams, diskEncryptionKey secboot.DiskUnlockKey, err error) { +func maybeEncryptPartition(dgpair *gadget.OnDiskAndGadgetStructurePair, encryptionType device.EncryptionType, sectorSize quantity.Size, perfTimings timings.Measurer) (fsParams *mkfsParams, diskEncryptionKey secboot.DiskUnlockKey, err error) { diskPart := dgpair.DiskStructure volStruct := dgpair.GadgetStructure - mustEncrypt := (encryptionType != secboot.EncryptionTypeNone) + mustEncrypt := (encryptionType != device.EncryptionTypeNone) // fsParams.Device is the kernel device that carries the // filesystem, which is either the raw /dev/, or // the mapped LUKS device if the structure is encrypted (if @@ -134,7 +135,7 @@ func maybeEncryptPartition(dgpair *gadget.OnDiskAndGadgetStructurePair, encrypti logger.Noticef("encrypting partition device %v", diskPart.Node) var dataPart encryptedDevice switch encryptionType { - case secboot.EncryptionTypeLUKS, secboot.EncryptionTypeLUKSWithICE: + case device.EncryptionTypeLUKS, device.EncryptionTypeLUKSWithICE: timings.Run(perfTimings, fmt.Sprintf("new-encrypted-device[%s] (%v)", volStruct.Role, encryptionType), fmt.Sprintf("Create encryption device for %s (%s)", volStruct.Role, encryptionType), func(timings.Measurer) { @@ -192,7 +193,7 @@ func writePartitionContent(laidOut *gadget.LaidOutStructure, kSnapInfo *KernelSn func installOnePartition(dgpair *gadget.OnDiskAndGadgetStructurePair, kernelInfo *kernel.Info, kernelSnapInfo *KernelSnapInfo, gadgetRoot string, - encryptionType secboot.EncryptionType, sectorSize quantity.Size, + encryptionType device.EncryptionType, sectorSize quantity.Size, observer gadget.ContentObserver, perfTimings timings.Measurer, ) (fsDevice string, encryptionKey secboot.DiskUnlockKey, err error) { // 1. Encrypt @@ -305,9 +306,9 @@ func createPartitions(model gadget.Model, info *gadget.Info, gadgetRoot, kernelR return bootVolGadgetName, created, bootVolSectorSize, nil } -func createEncryptionParams(encTyp secboot.EncryptionType) gadget.StructureEncryptionParameters { +func createEncryptionParams(encTyp device.EncryptionType) gadget.StructureEncryptionParameters { switch encTyp { - case secboot.EncryptionTypeLUKS, secboot.EncryptionTypeLUKSWithICE: + case device.EncryptionTypeLUKS, device.EncryptionTypeLUKSWithICE: return gadget.StructureEncryptionParameters{ // TODO:ICE: remove "Method" entirely, there is only LUKS Method: gadget.EncryptionLUKS, @@ -629,7 +630,7 @@ func SaveStorageTraits(model gadget.Model, vols map[string]*gadget.Volume, encry return nil } -func EncryptPartitions(onVolumes map[string]*gadget.Volume, encryptionType secboot.EncryptionType, model *asserts.Model, gadgetRoot, kernelRoot string, perfTimings timings.Measurer) (*EncryptionSetupData, error) { +func EncryptPartitions(onVolumes map[string]*gadget.Volume, encryptionType device.EncryptionType, model *asserts.Model, gadgetRoot, kernelRoot string, perfTimings timings.Measurer) (*EncryptionSetupData, error) { setupData := &EncryptionSetupData{ parts: make(map[string]partEncryptionData), } @@ -721,10 +722,10 @@ func FactoryReset(model gadget.Model, gadgetRoot string, kernelSnapInfo *KernelS AssumeCreatablePartitionsCreated: true, ExpectedStructureEncryption: map[string]gadget.StructureEncryptionParameters{}, } - if options.EncryptionType != secboot.EncryptionTypeNone { + if options.EncryptionType != device.EncryptionTypeNone { var encryptionParam gadget.StructureEncryptionParameters switch options.EncryptionType { - case secboot.EncryptionTypeLUKS, secboot.EncryptionTypeLUKSWithICE: + case device.EncryptionTypeLUKS, device.EncryptionTypeLUKSWithICE: encryptionParam = gadget.StructureEncryptionParameters{Method: gadget.EncryptionLUKS} default: // XXX what about ICE? diff --git a/gadget/install/install_dummy.go b/gadget/install/install_dummy.go index 54ff37fe6b4..cbc00da2148 100644 --- a/gadget/install/install_dummy.go +++ b/gadget/install/install_dummy.go @@ -25,6 +25,7 @@ import ( "github.com/snapcore/snapd/asserts" "github.com/snapcore/snapd/gadget" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/secboot" "github.com/snapcore/snapd/timings" ) @@ -49,7 +50,7 @@ func SaveStorageTraits(model gadget.Model, vols map[string]*gadget.Volume, encry return fmt.Errorf("build without secboot support") } -func EncryptPartitions(onVolumes map[string]*gadget.Volume, encryptionType secboot.EncryptionType, model *asserts.Model, gadgetRoot, kernelRoot string, +func EncryptPartitions(onVolumes map[string]*gadget.Volume, encryptionType device.EncryptionType, model *asserts.Model, gadgetRoot, kernelRoot string, perfTimings timings.Measurer) (*EncryptionSetupData, error) { return nil, fmt.Errorf("build without secboot support") } diff --git a/gadget/install/install_test.go b/gadget/install/install_test.go index bfce4743c26..d2ff915ae54 100644 --- a/gadget/install/install_test.go +++ b/gadget/install/install_test.go @@ -34,6 +34,7 @@ import ( "github.com/snapcore/snapd/boot" "github.com/snapcore/snapd/dirs" "github.com/snapcore/snapd/gadget" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/gadget/gadgettest" "github.com/snapcore/snapd/gadget/install" "github.com/snapcore/snapd/gadget/quantity" @@ -332,12 +333,12 @@ fi keys := make(map[string][]byte) secbootFormatEncryptedDeviceCall := 0 - restore = install.MockSecbootFormatEncryptedDevice(func(key []byte, encType secboot.EncryptionType, label, node string) error { + restore = install.MockSecbootFormatEncryptedDevice(func(key []byte, encType device.EncryptionType, label, node string) error { if !opts.encryption { c.Error("unexpected call to secboot.FormatEncryptedDevice when encryption is off") return fmt.Errorf("no encryption functions should be called") } - c.Check(encType, Equals, secboot.EncryptionTypeLUKS) + c.Check(encType, Equals, device.EncryptionTypeLUKS) secbootFormatEncryptedDeviceCall++ switch secbootFormatEncryptedDeviceCall { case 1: @@ -363,7 +364,7 @@ fi // finally actually run the install runOpts := install.Options{} if opts.encryption { - runOpts.EncryptionType = secboot.EncryptionTypeLUKS + runOpts.EncryptionType = device.EncryptionTypeLUKS } defer install.MockCryptsetupOpen(func(key secboot.DiskUnlockKey, node, name string) error { @@ -752,12 +753,12 @@ fi c.Assert(err, IsNil) secbootFormatEncryptedDeviceCall := 0 - restore = install.MockSecbootFormatEncryptedDevice(func(key []byte, encType secboot.EncryptionType, label, node string) error { + restore = install.MockSecbootFormatEncryptedDevice(func(key []byte, encType device.EncryptionType, label, node string) error { if !opts.encryption { c.Error("unexpected call to secboot.FormatEncryptedDevice") return fmt.Errorf("unexpected call") } - c.Check(encType, Equals, secboot.EncryptionTypeLUKS) + c.Check(encType, Equals, device.EncryptionTypeLUKS) secbootFormatEncryptedDeviceCall++ switch secbootFormatEncryptedDeviceCall { case 1: @@ -776,7 +777,7 @@ fi // finally actually run the factory reset runOpts := install.Options{} if opts.encryption { - runOpts.EncryptionType = secboot.EncryptionTypeLUKS + runOpts.EncryptionType = device.EncryptionTypeLUKS } defer install.MockCryptsetupOpen(func(key secboot.DiskUnlockKey, node, name string) error { @@ -1080,7 +1081,7 @@ func (s *installSuite) TestInstallWriteContentDeviceNotFound(c *C) { } type encryptPartitionsOpts struct { - encryptType secboot.EncryptionType + encryptType device.EncryptionType } func (s *installSuite) testEncryptPartitions(c *C, opts encryptPartitionsOpts) { @@ -1117,7 +1118,7 @@ func (s *installSuite) testEncryptPartitions(c *C, opts encryptPartitionsOpts) { return nil })() - defer install.MockSecbootFormatEncryptedDevice(func(key []byte, encType secboot.EncryptionType, label, node string) error { + defer install.MockSecbootFormatEncryptedDevice(func(key []byte, encType device.EncryptionType, label, node string) error { return nil })() @@ -1133,7 +1134,7 @@ func (s *installSuite) testEncryptPartitions(c *C, opts encryptPartitionsOpts) { func (s *installSuite) TestInstallEncryptPartitionsLUKSHappy(c *C) { s.testEncryptPartitions(c, encryptPartitionsOpts{ - encryptType: secboot.EncryptionTypeLUKS, + encryptType: device.EncryptionTypeLUKS, }) } @@ -1150,7 +1151,7 @@ func (s *installSuite) TestInstallEncryptPartitionsNoDeviceSet(c *C) { c.Assert(err, IsNil) defer restore() - encryptSetup, err := install.EncryptPartitions(ginfo.Volumes, secboot.EncryptionTypeLUKS, model, gadgetRoot, "", timings.New(nil)) + encryptSetup, err := install.EncryptPartitions(ginfo.Volumes, device.EncryptionTypeLUKS, model, gadgetRoot, "", timings.New(nil)) c.Check(err.Error(), Equals, `volume "pc" has no device assigned`) c.Check(encryptSetup, IsNil) diff --git a/gadget/install/params.go b/gadget/install/params.go index aad7efb3b02..2555aa382b9 100644 --- a/gadget/install/params.go +++ b/gadget/install/params.go @@ -21,6 +21,7 @@ package install import ( "github.com/snapcore/snapd/gadget" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/gadget/quantity" "github.com/snapcore/snapd/secboot" ) @@ -29,7 +30,7 @@ type Options struct { // Also mount the filesystems after creation Mount bool // Encrypt the data/save partitions - EncryptionType secboot.EncryptionType + EncryptionType device.EncryptionType } // InstalledSystemSideData carries side data of an installed system, eg. secrets diff --git a/gadget/layout.go b/gadget/layout.go index e2a39871669..1414feff88e 100644 --- a/gadget/layout.go +++ b/gadget/layout.go @@ -26,9 +26,9 @@ import ( "sort" "strings" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/gadget/quantity" "github.com/snapcore/snapd/kernel" - "github.com/snapcore/snapd/secboot" ) // LayoutOptions defines the options to layout a given volume. @@ -49,7 +49,7 @@ type LayoutOptions struct { GadgetRootDir string KernelRootDir string - EncType secboot.EncryptionType + EncType device.EncryptionType } // NonMBRStartOffset is the minimum start offset of the first non-MBR structure @@ -219,10 +219,10 @@ func layoutVolumePartially(volume *Volume, gadgetToDiskStruct map[int]*OnDiskStr return vol, nil } -func setOnDiskLabelAndTypeInLaidOut(los *LaidOutStructure, encType secboot.EncryptionType) { +func setOnDiskLabelAndTypeInLaidOut(los *LaidOutStructure, encType device.EncryptionType) { los.PartitionFSLabel = los.Label() los.PartitionFSType = los.Filesystem() - if encType != secboot.EncryptionTypeNone { + if encType != device.EncryptionTypeNone { switch los.Role() { case SystemData, SystemSave: los.PartitionFSLabel += "-enc" diff --git a/gadget/layout_test.go b/gadget/layout_test.go index 61cfc4e47f7..0746dd3a4a6 100644 --- a/gadget/layout_test.go +++ b/gadget/layout_test.go @@ -30,9 +30,9 @@ import ( . "gopkg.in/check.v1" "github.com/snapcore/snapd/gadget" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/gadget/quantity" "github.com/snapcore/snapd/kernel" - "github.com/snapcore/snapd/secboot" ) type layoutTestSuite struct { @@ -125,7 +125,7 @@ volumes: }) } -func (p *layoutTestSuite) testLayoutVolumeWithDataPartitions(c *C, encType secboot.EncryptionType) { +func (p *layoutTestSuite) testLayoutVolumeWithDataPartitions(c *C, encType device.EncryptionType) { gadgetYaml := ` volumes: first: @@ -156,7 +156,7 @@ volumes: saveFsType := "ext4" dataFsLabel := "ubuntu-data" dataFsType := "ext4" - if encType == secboot.EncryptionTypeLUKS { + if encType == device.EncryptionTypeLUKS { saveFsLabel = "ubuntu-save-enc" saveFsType = "crypto_LUKS" dataFsLabel = "ubuntu-data-enc" @@ -190,11 +190,11 @@ volumes: } func (p *layoutTestSuite) TestLayoutVolumeWithDataPartitions(c *C) { - p.testLayoutVolumeWithDataPartitions(c, secboot.EncryptionTypeNone) + p.testLayoutVolumeWithDataPartitions(c, device.EncryptionTypeNone) } func (p *layoutTestSuite) TestLayoutVolumeWithDataPartitionsEncrypted(c *C) { - p.testLayoutVolumeWithDataPartitions(c, secboot.EncryptionTypeLUKS) + p.testLayoutVolumeWithDataPartitions(c, device.EncryptionTypeLUKS) } func (p *layoutTestSuite) TestLayoutVolumeImplicitOrdering(c *C) { diff --git a/overlord/devicestate/devicemgr.go b/overlord/devicestate/devicemgr.go index a753e62793d..80824e2bb09 100644 --- a/overlord/devicestate/devicemgr.go +++ b/overlord/devicestate/devicemgr.go @@ -2783,7 +2783,7 @@ func (m *DeviceManager) RemoveRecoveryKeys() error { // checkEncryption verifies whether encryption should be used based on the // model grade and the availability of a TPM device or a fde-setup hook // in the kernel. -func (m *DeviceManager) checkEncryption(st *state.State, deviceCtx snapstate.DeviceContext, tpmMode secboot.TPMProvisionMode) (secboot.EncryptionType, error) { +func (m *DeviceManager) checkEncryption(st *state.State, deviceCtx snapstate.DeviceContext, tpmMode secboot.TPMProvisionMode) (device.EncryptionType, error) { model := deviceCtx.Model() kernelInfo, err := snapstate.KernelInfo(st, deviceCtx) diff --git a/overlord/devicestate/devicestate_install_api_test.go b/overlord/devicestate/devicestate_install_api_test.go index 546bbef04da..8ee71c7ec6c 100644 --- a/overlord/devicestate/devicestate_install_api_test.go +++ b/overlord/devicestate/devicestate_install_api_test.go @@ -36,6 +36,7 @@ import ( "github.com/snapcore/snapd/bootloader" "github.com/snapcore/snapd/dirs" "github.com/snapcore/snapd/gadget" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/gadget/gadgettest" "github.com/snapcore/snapd/gadget/install" "github.com/snapcore/snapd/gadget/quantity" @@ -842,9 +843,9 @@ func (s *deviceMgrInstallAPISuite) testInstallSetupStorageEncryption(c *C, hasTP // Mock encryption of partitions encrytpPartCalls := 0 - restore := devicestate.MockInstallEncryptPartitions(func(onVolumes map[string]*gadget.Volume, encryptionType secboot.EncryptionType, model *asserts.Model, gadgetRoot, kernelRoot string, perfTimings timings.Measurer) (*install.EncryptionSetupData, error) { + restore := devicestate.MockInstallEncryptPartitions(func(onVolumes map[string]*gadget.Volume, encryptionType device.EncryptionType, model *asserts.Model, gadgetRoot, kernelRoot string, perfTimings timings.Measurer) (*install.EncryptionSetupData, error) { encrytpPartCalls++ - c.Check(encryptionType, Equals, secboot.EncryptionTypeLUKS) + c.Check(encryptionType, Equals, device.EncryptionTypeLUKS) saveFound := false dataFound := false for _, strct := range onVolumes["pc"].Structure { diff --git a/overlord/devicestate/devicestate_install_mode_test.go b/overlord/devicestate/devicestate_install_mode_test.go index 32790cd22dc..9fdebb48ffe 100644 --- a/overlord/devicestate/devicestate_install_mode_test.go +++ b/overlord/devicestate/devicestate_install_mode_test.go @@ -38,6 +38,7 @@ import ( "github.com/snapcore/snapd/bootloader/bootloadertest" "github.com/snapcore/snapd/dirs" "github.com/snapcore/snapd/gadget" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/gadget/install" "github.com/snapcore/snapd/logger" "github.com/snapcore/snapd/osutil" @@ -358,7 +359,7 @@ func (s *deviceMgrInstallModeSuite) doRunChangeTestWithEncryption(c *C, grade st if tc.encrypt { c.Assert(brOpts, DeepEquals, install.Options{ Mount: true, - EncryptionType: secboot.EncryptionTypeLUKS, + EncryptionType: device.EncryptionTypeLUKS, }) } else { c.Assert(brOpts, DeepEquals, install.Options{ @@ -1130,8 +1131,8 @@ func (s *deviceMgrInstallModeSuite) TestInstallSecuredBypassEncryption(c *C) { } func (s *deviceMgrInstallModeSuite) TestInstallBootloaderVarSetFails(c *C) { - restore := devicestate.MockInstallRun(func(mod gadget.Model, gadgetRoot string, kernelSnapInfo *install.KernelSnapInfo, device string, options install.Options, _ gadget.ContentObserver, _ timings.Measurer) (*install.InstalledSystemSideData, error) { - c.Check(options.EncryptionType, Equals, secboot.EncryptionTypeNone) + restore := devicestate.MockInstallRun(func(mod gadget.Model, gadgetRoot string, kernelSnapInfo *install.KernelSnapInfo, _ string, options install.Options, _ gadget.ContentObserver, _ timings.Measurer) (*install.InstalledSystemSideData, error) { + c.Check(options.EncryptionType, Equals, device.EncryptionTypeNone) // no keys set return &install.InstalledSystemSideData{}, nil }) @@ -1198,8 +1199,8 @@ func (s *deviceMgrInstallModeSuite) testInstallEncryptionValidityChecks(c *C, er } func (s *deviceMgrInstallModeSuite) TestInstallEncryptionValidityChecksNoKeys(c *C) { - restore := devicestate.MockInstallRun(func(mod gadget.Model, gadgetRoot string, kernelSnapInfo *install.KernelSnapInfo, device string, options install.Options, _ gadget.ContentObserver, _ timings.Measurer) (*install.InstalledSystemSideData, error) { - c.Check(options.EncryptionType, Equals, secboot.EncryptionTypeLUKS) + restore := devicestate.MockInstallRun(func(mod gadget.Model, gadgetRoot string, kernelSnapInfo *install.KernelSnapInfo, _ string, options install.Options, _ gadget.ContentObserver, _ timings.Measurer) (*install.InstalledSystemSideData, error) { + c.Check(options.EncryptionType, Equals, device.EncryptionTypeLUKS) // no keys set return &install.InstalledSystemSideData{}, nil }) @@ -1209,8 +1210,8 @@ func (s *deviceMgrInstallModeSuite) TestInstallEncryptionValidityChecksNoKeys(c } func (s *deviceMgrInstallModeSuite) TestInstallEncryptionValidityChecksNoSystemDataKey(c *C) { - restore := devicestate.MockInstallRun(func(mod gadget.Model, gadgetRoot string, kernelSnapInfo *install.KernelSnapInfo, device string, options install.Options, _ gadget.ContentObserver, _ timings.Measurer) (*install.InstalledSystemSideData, error) { - c.Check(options.EncryptionType, Equals, secboot.EncryptionTypeLUKS) + restore := devicestate.MockInstallRun(func(mod gadget.Model, gadgetRoot string, kernelSnapInfo *install.KernelSnapInfo, _ string, options install.Options, _ gadget.ContentObserver, _ timings.Measurer) (*install.InstalledSystemSideData, error) { + c.Check(options.EncryptionType, Equals, device.EncryptionTypeLUKS) // no keys set return &install.InstalledSystemSideData{ // empty map @@ -1434,14 +1435,14 @@ func (s *deviceMgrInstallModeSuite) TestInstallCheckEncrypted(c *C) { fdeSetupHookFeatures string hasTPM bool - encryptionType secboot.EncryptionType + encryptionType device.EncryptionType }{ // unhappy: no tpm, no hook - {false, "[]", false, secboot.EncryptionTypeNone}, + {false, "[]", false, device.EncryptionTypeNone}, // happy: either tpm or hook or both - {false, "[]", true, secboot.EncryptionTypeLUKS}, - {true, "[]", false, secboot.EncryptionTypeLUKS}, - {true, "[]", true, secboot.EncryptionTypeLUKS}, + {false, "[]", true, device.EncryptionTypeLUKS}, + {true, "[]", false, device.EncryptionTypeLUKS}, + {true, "[]", true, device.EncryptionTypeLUKS}, } { hookInvoke := func(ctx *hookstate.Context, tomb *tomb.Tomb) ([]byte, error) { ctx.Lock() @@ -1759,7 +1760,7 @@ func (s *deviceMgrInstallModeSuite) doRunFactoryResetChange(c *C, model *asserts if tc.encrypt { c.Assert(brOpts, DeepEquals, install.Options{ Mount: true, - EncryptionType: secboot.EncryptionTypeLUKS, + EncryptionType: device.EncryptionTypeLUKS, }) } else { c.Assert(brOpts, DeepEquals, install.Options{ diff --git a/overlord/devicestate/export_test.go b/overlord/devicestate/export_test.go index 089771dbe23..dad4578ada8 100644 --- a/overlord/devicestate/export_test.go +++ b/overlord/devicestate/export_test.go @@ -28,6 +28,7 @@ import ( "github.com/snapcore/snapd/asserts" "github.com/snapcore/snapd/boot" "github.com/snapcore/snapd/gadget" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/gadget/install" "github.com/snapcore/snapd/httputil" "github.com/snapcore/snapd/kernel/fde" @@ -421,7 +422,7 @@ func MockInstallMountVolumes(f func(onVolumes map[string]*gadget.Volume, encSetu } } -func MockInstallEncryptPartitions(f func(onVolumes map[string]*gadget.Volume, encryptionType secboot.EncryptionType, model *asserts.Model, gadgetRoot, kernelRoot string, perfTimings timings.Measurer) (*install.EncryptionSetupData, error)) (restore func()) { +func MockInstallEncryptPartitions(f func(onVolumes map[string]*gadget.Volume, encryptionType device.EncryptionType, model *asserts.Model, gadgetRoot, kernelRoot string, perfTimings timings.Measurer) (*install.EncryptionSetupData, error)) (restore func()) { old := installEncryptPartitions installEncryptPartitions = f return func() { @@ -480,7 +481,7 @@ func DeviceManagerRunFDESetupHook(mgr *DeviceManager, req *fde.SetupRequest) ([] return mgr.runFDESetupHook(req) } -func DeviceManagerCheckEncryption(mgr *DeviceManager, st *state.State, deviceCtx snapstate.DeviceContext, mode secboot.TPMProvisionMode) (secboot.EncryptionType, error) { +func DeviceManagerCheckEncryption(mgr *DeviceManager, st *state.State, deviceCtx snapstate.DeviceContext, mode secboot.TPMProvisionMode) (device.EncryptionType, error) { return mgr.checkEncryption(st, deviceCtx, mode) } diff --git a/overlord/devicestate/handlers_install.go b/overlord/devicestate/handlers_install.go index b49f9ea630b..6ffd1609ce8 100644 --- a/overlord/devicestate/handlers_install.go +++ b/overlord/devicestate/handlers_install.go @@ -249,7 +249,7 @@ func (m *DeviceManager) doSetupRunSystem(t *state.Task, _ *tomb.Tomb) error { return err } bopts.EncryptionType = encryptionType - useEncryption := (encryptionType != secboot.EncryptionTypeNone) + useEncryption := (encryptionType != device.EncryptionTypeNone) model := deviceCtx.Model() @@ -509,7 +509,7 @@ func (m *DeviceManager) doFactoryResetRunSystem(t *state.Task, _ *tomb.Tomb) err return err } bopts.EncryptionType = encryptionType - useEncryption := (encryptionType != secboot.EncryptionTypeNone) + useEncryption := (encryptionType != device.EncryptionTypeNone) hasMarker := device.HasEncryptedMarkerUnder(boot.InstallHostFDESaveDir) // TODO verify that the same encryption mechanism is used if hasMarker != useEncryption { @@ -1006,10 +1006,10 @@ func (m *DeviceManager) doInstallFinish(t *state.Task, _ *tomb.Tomb) error { return err } - encType := secboot.EncryptionTypeNone - // TODO:ICE: support secboot.EncryptionTypeLUKSWithICE in the API + encType := device.EncryptionTypeNone + // TODO:ICE: support device.EncryptionTypeLUKSWithICE in the API if useEncryption { - encType = secboot.EncryptionTypeLUKS + encType = device.EncryptionTypeLUKS } kernMntPoint := mntPtForType[snap.TypeKernel] allLaidOutVols, err := gadget.LaidOutVolumesFromGadget(mergedVols, @@ -1207,7 +1207,7 @@ func (m *DeviceManager) doInstallSetupStorageEncryption(t *state.Task, _ *tomb.T } // TODO:ICE: support secboot.EncryptionTypeLUKSWithICE in the API - encType := secboot.EncryptionTypeLUKS + encType := device.EncryptionTypeLUKS encryptionSetupData, err := installEncryptPartitions(onVolumes, encType, systemAndSeeds.Model, mntPtForType[snap.TypeGadget], mntPtForType[snap.TypeKernel], perfTimings) if err != nil { return err diff --git a/overlord/install/install.go b/overlord/install/install.go index a84066f0008..4cf1c352907 100644 --- a/overlord/install/install.go +++ b/overlord/install/install.go @@ -70,7 +70,7 @@ type EncryptionSupportInfo struct { // Type is set to the EncryptionType that can be used if // Available is true. - Type secboot.EncryptionType + Type device.EncryptionType // UnvailableErr is set if the encryption support availability of // the this device and used gadget do not match the @@ -130,7 +130,7 @@ func GetEncryptionSupportInfo(model *asserts.Model, tpmMode secboot.TPMProvision case checkSecbootEncryption: checkEncryptionErr = secbootCheckTPMKeySealingSupported(tpmMode) if checkEncryptionErr == nil { - res.Type = secboot.EncryptionTypeLUKS + res.Type = device.EncryptionTypeLUKS } default: return res, fmt.Errorf("internal error: no encryption checked in encryptionSupportInfo") @@ -165,7 +165,7 @@ func GetEncryptionSupportInfo(model *asserts.Model, tpmMode secboot.TPMProvision res.UnavailableWarning = fmt.Sprintf("cannot use encryption with the gadget, disabling encryption: %v", err) } res.Available = false - res.Type = secboot.EncryptionTypeNone + res.Type = device.EncryptionTypeNone } } @@ -177,7 +177,7 @@ func hasFDESetupHookInKernel(kernelInfo *snap.Info) bool { return ok } -func checkFDEFeatures(runSetupHook fde.RunSetupHookFunc) (et secboot.EncryptionType, err error) { +func checkFDEFeatures(runSetupHook fde.RunSetupHookFunc) (et device.EncryptionType, err error) { // Run fde-setup hook with "op":"features". If the hook // returns any {"features":[...]} reply we consider the // hardware supported. If the hook errors or if it returns @@ -188,18 +188,18 @@ func checkFDEFeatures(runSetupHook fde.RunSetupHookFunc) (et secboot.EncryptionT } switch { case strutil.ListContains(features, "inline-crypto-engine"): - et = secboot.EncryptionTypeLUKSWithICE + et = device.EncryptionTypeLUKSWithICE default: - et = secboot.EncryptionTypeLUKS + et = device.EncryptionTypeLUKS } return et, nil } // CheckEncryptionSupport checks the type of encryption support for disks -// available if any and returns the corresponding secboot.EncryptionType, +// available if any and returns the corresponding device.EncryptionType, // internally it uses GetEncryptionSupportInfo with the provided parameters. -func CheckEncryptionSupport(model *asserts.Model, tpmMode secboot.TPMProvisionMode, kernelInfo *snap.Info, gadgetInfo *gadget.Info, runSetupHook fde.RunSetupHookFunc) (secboot.EncryptionType, error) { +func CheckEncryptionSupport(model *asserts.Model, tpmMode secboot.TPMProvisionMode, kernelInfo *snap.Info, gadgetInfo *gadget.Info, runSetupHook fde.RunSetupHookFunc) (device.EncryptionType, error) { res, err := GetEncryptionSupportInfo(model, tpmMode, kernelInfo, gadgetInfo, runSetupHook) if err != nil { return "", err @@ -209,7 +209,7 @@ func CheckEncryptionSupport(model *asserts.Model, tpmMode secboot.TPMProvisionMo } // encryption disabled or preferred unencrypted: follow the model preferences here even if encryption would be available if res.Disabled || res.StorageSafety == asserts.StorageSafetyPreferUnencrypted { - res.Type = secboot.EncryptionTypeNone + res.Type = device.EncryptionTypeNone } return res.Type, res.UnavailableErr diff --git a/overlord/install/install_test.go b/overlord/install/install_test.go index 55fc4c98b5a..943a37dde22 100644 --- a/overlord/install/install_test.go +++ b/overlord/install/install_test.go @@ -38,6 +38,7 @@ import ( "github.com/snapcore/snapd/bootloader/bootloadertest" "github.com/snapcore/snapd/dirs" "github.com/snapcore/snapd/gadget" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/gadget/quantity" "github.com/snapcore/snapd/kernel/fde" "github.com/snapcore/snapd/logger" @@ -219,14 +220,14 @@ func (s *installSuite) TestEncryptionSupportInfoWithTPM(c *C) { install.EncryptionSupportInfo{ Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyPreferEncrypted, - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { "dangerous", "", fmt.Errorf("no tpm"), install.EncryptionSupportInfo{ Available: false, Disabled: false, StorageSafety: asserts.StorageSafetyPreferEncrypted, - Type: secboot.EncryptionTypeNone, + Type: device.EncryptionTypeNone, UnavailableWarning: "not encrypting device storage as checking TPM gave: no tpm", }, }, { @@ -234,14 +235,14 @@ func (s *installSuite) TestEncryptionSupportInfoWithTPM(c *C) { install.EncryptionSupportInfo{ Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyEncrypted, - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { "dangerous", "encrypted", fmt.Errorf("no tpm"), install.EncryptionSupportInfo{ Available: false, Disabled: false, StorageSafety: asserts.StorageSafetyEncrypted, - Type: secboot.EncryptionTypeNone, + Type: device.EncryptionTypeNone, UnavailableErr: fmt.Errorf("cannot encrypt device storage as mandated by encrypted storage-safety model option: no tpm"), }, }, @@ -251,7 +252,7 @@ func (s *installSuite) TestEncryptionSupportInfoWithTPM(c *C) { Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyPreferUnencrypted, // Note that encryption type is set to what is available - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { @@ -259,14 +260,14 @@ func (s *installSuite) TestEncryptionSupportInfoWithTPM(c *C) { install.EncryptionSupportInfo{ Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyPreferEncrypted, - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { "signed", "", fmt.Errorf("no tpm"), install.EncryptionSupportInfo{ Available: false, Disabled: false, StorageSafety: asserts.StorageSafetyPreferEncrypted, - Type: secboot.EncryptionTypeNone, + Type: device.EncryptionTypeNone, UnavailableWarning: "not encrypting device storage as checking TPM gave: no tpm", }, }, { @@ -274,7 +275,7 @@ func (s *installSuite) TestEncryptionSupportInfoWithTPM(c *C) { install.EncryptionSupportInfo{ Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyEncrypted, - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { "signed", "prefer-unencrypted", nil, @@ -282,14 +283,14 @@ func (s *installSuite) TestEncryptionSupportInfoWithTPM(c *C) { Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyPreferUnencrypted, // Note that encryption type is set to what is available - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { "signed", "encrypted", fmt.Errorf("no tpm"), install.EncryptionSupportInfo{ Available: false, Disabled: false, StorageSafety: asserts.StorageSafetyEncrypted, - Type: secboot.EncryptionTypeNone, + Type: device.EncryptionTypeNone, UnavailableErr: fmt.Errorf("cannot encrypt device storage as mandated by encrypted storage-safety model option: no tpm"), }, }, { @@ -297,14 +298,14 @@ func (s *installSuite) TestEncryptionSupportInfoWithTPM(c *C) { install.EncryptionSupportInfo{ Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyEncrypted, - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { "secured", "encrypted", fmt.Errorf("no tpm"), install.EncryptionSupportInfo{ Available: false, Disabled: false, StorageSafety: asserts.StorageSafetyEncrypted, - Type: secboot.EncryptionTypeNone, + Type: device.EncryptionTypeNone, UnavailableErr: fmt.Errorf("cannot encrypt device storage as mandated by model grade secured: no tpm"), }, }, { @@ -312,14 +313,14 @@ func (s *installSuite) TestEncryptionSupportInfoWithTPM(c *C) { install.EncryptionSupportInfo{ Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyEncrypted, - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { "secured", "", fmt.Errorf("no tpm"), install.EncryptionSupportInfo{ Available: false, Disabled: false, StorageSafety: asserts.StorageSafetyEncrypted, - Type: secboot.EncryptionTypeNone, + Type: device.EncryptionTypeNone, UnavailableErr: fmt.Errorf("cannot encrypt device storage as mandated by model grade secured: no tpm"), }, }, @@ -355,7 +356,7 @@ func (s *installSuite) TestEncryptionSupportInfoForceUnencrypted(c *C) { install.EncryptionSupportInfo{ Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyPreferEncrypted, - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { @@ -367,7 +368,7 @@ func (s *installSuite) TestEncryptionSupportInfoForceUnencrypted(c *C) { // performed. Available: false, Disabled: true, StorageSafety: asserts.StorageSafetyPreferEncrypted, - Type: secboot.EncryptionTypeNone, + Type: device.EncryptionTypeNone, }, }, { @@ -377,7 +378,7 @@ func (s *installSuite) TestEncryptionSupportInfoForceUnencrypted(c *C) { // here so the "no tpm" error is never visible Available: false, Disabled: true, StorageSafety: asserts.StorageSafetyPreferEncrypted, - Type: secboot.EncryptionTypeNone, + Type: device.EncryptionTypeNone, }, }, // not possible to disable encryption on non-dangerous devices @@ -386,7 +387,7 @@ func (s *installSuite) TestEncryptionSupportInfoForceUnencrypted(c *C) { install.EncryptionSupportInfo{ Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyPreferEncrypted, - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { @@ -394,7 +395,7 @@ func (s *installSuite) TestEncryptionSupportInfoForceUnencrypted(c *C) { install.EncryptionSupportInfo{ Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyPreferEncrypted, - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { @@ -402,7 +403,7 @@ func (s *installSuite) TestEncryptionSupportInfoForceUnencrypted(c *C) { install.EncryptionSupportInfo{ Available: false, Disabled: false, StorageSafety: asserts.StorageSafetyPreferEncrypted, - Type: secboot.EncryptionTypeNone, + Type: device.EncryptionTypeNone, UnavailableWarning: "not encrypting device storage as checking TPM gave: no tpm", }, }, @@ -411,7 +412,7 @@ func (s *installSuite) TestEncryptionSupportInfoForceUnencrypted(c *C) { install.EncryptionSupportInfo{ Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyEncrypted, - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { @@ -419,7 +420,7 @@ func (s *installSuite) TestEncryptionSupportInfoForceUnencrypted(c *C) { install.EncryptionSupportInfo{ Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyEncrypted, - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { @@ -427,7 +428,7 @@ func (s *installSuite) TestEncryptionSupportInfoForceUnencrypted(c *C) { install.EncryptionSupportInfo{ Available: false, Disabled: false, StorageSafety: asserts.StorageSafetyEncrypted, - Type: secboot.EncryptionTypeNone, + Type: device.EncryptionTypeNone, UnavailableErr: fmt.Errorf("cannot encrypt device storage as mandated by model grade secured: no tpm"), }, }, @@ -503,14 +504,14 @@ func (s *installSuite) TestEncryptionSupportInfoGadgetIncompatibleWithEncryption install.EncryptionSupportInfo{ Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyPreferEncrypted, - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { "dangerous", "", gadgetWithoutUbuntuSave, install.EncryptionSupportInfo{ Available: false, Disabled: false, StorageSafety: asserts.StorageSafetyPreferEncrypted, - Type: secboot.EncryptionTypeNone, + Type: device.EncryptionTypeNone, UnavailableWarning: "cannot use encryption with the gadget, disabling encryption: gadget does not support encrypted data: required partition with system-save role is missing", }, }, { @@ -518,7 +519,7 @@ func (s *installSuite) TestEncryptionSupportInfoGadgetIncompatibleWithEncryption install.EncryptionSupportInfo{ Available: false, Disabled: false, StorageSafety: asserts.StorageSafetyEncrypted, - Type: secboot.EncryptionTypeNone, + Type: device.EncryptionTypeNone, UnavailableErr: fmt.Errorf("cannot use encryption with the gadget: gadget does not support encrypted data: required partition with system-save role is missing"), }, }, { @@ -526,14 +527,14 @@ func (s *installSuite) TestEncryptionSupportInfoGadgetIncompatibleWithEncryption install.EncryptionSupportInfo{ Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyPreferEncrypted, - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { "signed", "", gadgetWithoutUbuntuSave, install.EncryptionSupportInfo{ Available: false, Disabled: false, StorageSafety: asserts.StorageSafetyPreferEncrypted, - Type: secboot.EncryptionTypeNone, + Type: device.EncryptionTypeNone, UnavailableWarning: "cannot use encryption with the gadget, disabling encryption: gadget does not support encrypted data: required partition with system-save role is missing", }, }, { @@ -541,7 +542,7 @@ func (s *installSuite) TestEncryptionSupportInfoGadgetIncompatibleWithEncryption install.EncryptionSupportInfo{ Available: false, Disabled: false, StorageSafety: asserts.StorageSafetyEncrypted, - Type: secboot.EncryptionTypeNone, + Type: device.EncryptionTypeNone, UnavailableErr: fmt.Errorf("cannot use encryption with the gadget: gadget does not support encrypted data: required partition with system-save role is missing"), }, }, { @@ -549,14 +550,14 @@ func (s *installSuite) TestEncryptionSupportInfoGadgetIncompatibleWithEncryption install.EncryptionSupportInfo{ Available: true, Disabled: false, StorageSafety: asserts.StorageSafetyEncrypted, - Type: secboot.EncryptionTypeLUKS, + Type: device.EncryptionTypeLUKS, }, }, { "secured", "", gadgetWithoutUbuntuSave, install.EncryptionSupportInfo{ Available: false, Disabled: false, StorageSafety: asserts.StorageSafetyEncrypted, - Type: secboot.EncryptionTypeNone, + Type: device.EncryptionTypeNone, UnavailableErr: fmt.Errorf("cannot use encryption with the gadget: gadget does not support encrypted data: required partition with system-save role is missing"), }, }, @@ -578,25 +579,25 @@ func (s *installSuite) TestInstallCheckEncryptedFDEHook(c *C) { hookOutput string expectedErr string - encryptionType secboot.EncryptionType + encryptionType device.EncryptionType }{ // invalid json - {"xxx", `cannot parse hook output "xxx": invalid character 'x' looking for beginning of value`, secboot.EncryptionTypeNone}, + {"xxx", `cannot parse hook output "xxx": invalid character 'x' looking for beginning of value`, device.EncryptionTypeNone}, // no output is invalid - {"", `cannot parse hook output "": unexpected end of JSON input`, secboot.EncryptionTypeNone}, + {"", `cannot parse hook output "": unexpected end of JSON input`, device.EncryptionTypeNone}, // specific error - {`{"error":"failed"}`, `cannot use hook: it returned error: failed`, secboot.EncryptionTypeNone}, - {`{}`, `cannot use hook: neither "features" nor "error" returned`, secboot.EncryptionTypeNone}, + {`{"error":"failed"}`, `cannot use hook: it returned error: failed`, device.EncryptionTypeNone}, + {`{}`, `cannot use hook: neither "features" nor "error" returned`, device.EncryptionTypeNone}, // valid - {`{"features":[]}`, "", secboot.EncryptionTypeLUKS}, - {`{"features":["a"]}`, "", secboot.EncryptionTypeLUKS}, - {`{"features":["a","b"]}`, "", secboot.EncryptionTypeLUKS}, + {`{"features":[]}`, "", device.EncryptionTypeLUKS}, + {`{"features":["a"]}`, "", device.EncryptionTypeLUKS}, + {`{"features":["a","b"]}`, "", device.EncryptionTypeLUKS}, // features must be list of strings - {`{"features":[1]}`, `cannot parse hook output ".*": json: cannot unmarshal number into Go struct.*`, secboot.EncryptionTypeNone}, - {`{"features":1}`, `cannot parse hook output ".*": json: cannot unmarshal number into Go struct.*`, secboot.EncryptionTypeNone}, - {`{"features":"1"}`, `cannot parse hook output ".*": json: cannot unmarshal string into Go struct.*`, secboot.EncryptionTypeNone}, + {`{"features":[1]}`, `cannot parse hook output ".*": json: cannot unmarshal number into Go struct.*`, device.EncryptionTypeNone}, + {`{"features":1}`, `cannot parse hook output ".*": json: cannot unmarshal number into Go struct.*`, device.EncryptionTypeNone}, + {`{"features":"1"}`, `cannot parse hook output ".*": json: cannot unmarshal string into Go struct.*`, device.EncryptionTypeNone}, // valid and uses ice - {`{"features":["a","inline-crypto-engine","b"]}`, "", secboot.EncryptionTypeLUKSWithICE}, + {`{"features":["a","inline-crypto-engine","b"]}`, "", device.EncryptionTypeLUKSWithICE}, } { runFDESetup := func(_ *fde.SetupRequest) ([]byte, error) { return []byte(tc.hookOutput), nil @@ -624,12 +625,12 @@ func (s *installSuite) TestInstallCheckEncryptionSupportTPM(c *C) { for _, tc := range []struct { hasTPM bool - encryptionType secboot.EncryptionType + encryptionType device.EncryptionType }{ // unhappy: no tpm, no hook - {false, secboot.EncryptionTypeNone}, + {false, device.EncryptionTypeNone}, // happy: tpm - {true, secboot.EncryptionTypeLUKS}, + {true, device.EncryptionTypeLUKS}, } { restore := install.MockSecbootCheckTPMKeySealingSupported(func(secboot.TPMProvisionMode) error { if tc.hasTPM { @@ -663,10 +664,10 @@ func (s *installSuite) TestInstallCheckEncryptionSupportHook(c *C) { fdeSetupHookFeatures string hasTPM bool - encryptionType secboot.EncryptionType + encryptionType device.EncryptionType }{ - {"[]", false, secboot.EncryptionTypeLUKS}, - {"[]", true, secboot.EncryptionTypeLUKS}, + {"[]", false, device.EncryptionTypeLUKS}, + {"[]", true, device.EncryptionTypeLUKS}, } { runFDESetup := func(_ *fde.SetupRequest) ([]byte, error) { return []byte(fmt.Sprintf(`{"features":%s}`, tc.fdeSetupHookFeatures)), nil @@ -723,7 +724,7 @@ func (s *installSuite) TestInstallCheckEncryptionSupportStorageSafety(c *C) { encryptionType, err := install.CheckEncryptionSupport(mockModel, secboot.TPMProvisionFull, kernelInfo, gadgetInfo, nil) c.Assert(err, IsNil) - encrypt := (encryptionType != secboot.EncryptionTypeNone) + encrypt := (encryptionType != device.EncryptionTypeNone) c.Check(encrypt, Equals, tc.expectedEncryption, Commentf("%v", tc)) } } diff --git a/secboot/encrypt.go b/secboot/encrypt.go index 9bb498f75ff..54674f0645c 100644 --- a/secboot/encrypt.go +++ b/secboot/encrypt.go @@ -19,20 +19,6 @@ package secboot -// EncryptionType specifies what encryption backend should be used (if any) -type EncryptionType string - -const ( - EncryptionTypeNone EncryptionType = "" - EncryptionTypeLUKS EncryptionType = "cryptsetup" - EncryptionTypeLUKSWithICE EncryptionType = "cryptsetup-with-inline-crypto-engine" -) - -// TODO:ICE: all EncryptionTypes are LUKS based now so this could be removed? -func (et EncryptionType) IsLUKS() bool { - return et == EncryptionTypeLUKS || et == EncryptionTypeLUKSWithICE -} - type RecoveryKeyDevice struct { // Mountpoint of the device Mountpoint string diff --git a/secboot/encrypt_sb.go b/secboot/encrypt_sb.go index e5c3a028b68..edbfe385753 100644 --- a/secboot/encrypt_sb.go +++ b/secboot/encrypt_sb.go @@ -29,6 +29,7 @@ import ( sb "github.com/snapcore/secboot" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/logger" "github.com/snapcore/snapd/osutil/disks" "github.com/snapcore/snapd/secboot/keymgr" @@ -52,12 +53,12 @@ const metadataKiBSize = 2048 // 2MB // FormatEncryptedDevice initializes an encrypted volume on the block device // given by node, setting the specified label. The key used to unlock the volume // is provided using the key argument. -func FormatEncryptedDevice(key []byte, encType EncryptionType, label, node string) error { +func FormatEncryptedDevice(key []byte, encType device.EncryptionType, label, node string) error { if !encType.IsLUKS() { return fmt.Errorf("internal error: FormatEncryptedDevice for %q expects a LUKS encryption type, not %q", node, encType) } - useICE := encType == EncryptionTypeLUKSWithICE + useICE := encType == device.EncryptionTypeLUKSWithICE logger.Debugf("node %q uses ICE: %v", node, useICE) opts := &sb.InitializeLUKS2ContainerOptions{ diff --git a/secboot/encrypt_sb_test.go b/secboot/encrypt_sb_test.go index be591d5f3da..d37250d8b52 100644 --- a/secboot/encrypt_sb_test.go +++ b/secboot/encrypt_sb_test.go @@ -32,6 +32,7 @@ import ( . "gopkg.in/check.v1" "github.com/snapcore/snapd/dirs" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/osutil" "github.com/snapcore/snapd/secboot" "github.com/snapcore/snapd/secboot/keys" @@ -70,7 +71,7 @@ func (s *encryptSuite) TestFormatEncryptedDevice(c *C) { }) defer restore() - err := secboot.FormatEncryptedDevice(myKey, secboot.EncryptionTypeLUKS, "my label", "/dev/node") + err := secboot.FormatEncryptedDevice(myKey, device.EncryptionTypeLUKS, "my label", "/dev/node") c.Assert(calls, Equals, 1) if tc.err == "" { c.Assert(err, IsNil) @@ -81,7 +82,7 @@ func (s *encryptSuite) TestFormatEncryptedDevice(c *C) { } func (s *encryptSuite) TestFormatEncryptedDeviceInvalidEncType(c *C) { - err := secboot.FormatEncryptedDevice(keys.EncryptionKey{}, secboot.EncryptionType("other-enc-type"), "my label", "/dev/node") + err := secboot.FormatEncryptedDevice(keys.EncryptionKey{}, device.EncryptionType("other-enc-type"), "my label", "/dev/node") c.Check(err, ErrorMatches, `internal error: FormatEncryptedDevice for "/dev/node" expects a LUKS encryption type, not "other-enc-type"`) } diff --git a/tests/lib/muinstaller/main.go b/tests/lib/muinstaller/main.go index e5ba965d9a8..58e7498dcc7 100644 --- a/tests/lib/muinstaller/main.go +++ b/tests/lib/muinstaller/main.go @@ -44,7 +44,6 @@ import ( "github.com/snapcore/snapd/osutil" "github.com/snapcore/snapd/osutil/disks" "github.com/snapcore/snapd/osutil/mkfs" - "github.com/snapcore/snapd/secboot" ) func waitForDevice() string { @@ -156,7 +155,7 @@ func maybeCreatePartitionTable(bootDevice, schema string) error { return nil } -func createPartitions(bootDevice string, volumes map[string]*gadget.Volume, encType secboot.EncryptionType) ([]*gadget.OnDiskAndGadgetStructurePair, error) { +func createPartitions(bootDevice string, volumes map[string]*gadget.Volume) ([]*gadget.OnDiskAndGadgetStructurePair, error) { vol := firstVol(volumes) // snapd does not create partition tables so we have to do it here // or gadget.OnDiskVolumeFromDevice() will fail @@ -548,11 +547,7 @@ func run(seedLabel, bootDevice, rootfsCreator, optionalInstallPath string) error } // TODO: grow the data-partition based on disk size - encType := secboot.EncryptionTypeNone - if shouldEncrypt { - encType = secboot.EncryptionTypeLUKS - } - dgpairs, err := createPartitions(bootDevice, details.Volumes, encType) + dgpairs, err := createPartitions(bootDevice, details.Volumes) if err != nil { return fmt.Errorf("cannot setup partitions: %v", err) } diff --git a/tests/lib/uc20-create-partitions/main.go b/tests/lib/uc20-create-partitions/main.go index a9228436975..c1af0bb1dfd 100644 --- a/tests/lib/uc20-create-partitions/main.go +++ b/tests/lib/uc20-create-partitions/main.go @@ -27,6 +27,7 @@ import ( "github.com/snapcore/snapd/asserts" "github.com/snapcore/snapd/gadget" + "github.com/snapcore/snapd/gadget/device" "github.com/snapcore/snapd/gadget/install" "github.com/snapcore/snapd/i18n" "github.com/snapcore/snapd/logger" @@ -76,9 +77,9 @@ func main() { obs := &simpleObserver{} - var encryptionType secboot.EncryptionType + var encryptionType device.EncryptionType if args.Encrypt { - encryptionType = secboot.EncryptionTypeLUKS + encryptionType = device.EncryptionTypeLUKS } options := install.Options{ From 0c49e23215e0bc512391f7d80b763668c346b9b9 Mon Sep 17 00:00:00 2001 From: Zeyad Gouda Date: Mon, 16 Dec 2024 12:13:19 +0200 Subject: [PATCH 2/2] fixup! many: formatting improvements Signed-off-by: Zeyad Gouda --- gadget/gadget.go | 7 ++++++- gadget/gadgettest/gadgettest.go | 7 ++++++- gadget/install/install.go | 15 +++++++++++++-- overlord/install/install.go | 8 +++++++- 4 files changed, 32 insertions(+), 5 deletions(-) diff --git a/gadget/gadget.go b/gadget/gadget.go index 080605e40a7..b45b9bc7370 100644 --- a/gadget/gadget.go +++ b/gadget/gadget.go @@ -1725,7 +1725,12 @@ func checkCompatibleSchema(old, new *Volume) error { // LaidOutVolumesFromGadget takes gadget volumes, gadget and kernel rootdirs // and lays out the partitions on all volumes as specified. It returns the // volumes mentioned in the gadget.yaml and their laid out representations. -func LaidOutVolumesFromGadget(vols map[string]*Volume, gadgetRoot, kernelRoot string, encType device.EncryptionType, volToGadgetToDiskStruct map[string]map[int]*OnDiskStructure) (all map[string]*LaidOutVolume, err error) { +func LaidOutVolumesFromGadget( + vols map[string]*Volume, + gadgetRoot, kernelRoot string, + encType device.EncryptionType, + volToGadgetToDiskStruct map[string]map[int]*OnDiskStructure, +) (all map[string]*LaidOutVolume, err error) { all = make(map[string]*LaidOutVolume) // layout all volumes saving them diff --git a/gadget/gadgettest/gadgettest.go b/gadget/gadgettest/gadgettest.go index 0ccda47a236..27f1d036433 100644 --- a/gadget/gadgettest/gadgettest.go +++ b/gadget/gadgettest/gadgettest.go @@ -32,7 +32,12 @@ import ( "github.com/snapcore/snapd/osutil/disks" ) -func LaidOutVolumesFromGadget(gadgetRoot, kernelRoot string, model gadget.Model, encType device.EncryptionType, volToGadgetToDiskStruct map[string]map[int]*gadget.OnDiskStructure) (all map[string]*gadget.LaidOutVolume, err error) { +func LaidOutVolumesFromGadget( + gadgetRoot, kernelRoot string, + model gadget.Model, + encType device.EncryptionType, + volToGadgetToDiskStruct map[string]map[int]*gadget.OnDiskStructure, +) (all map[string]*gadget.LaidOutVolume, err error) { // rely on the basic validation from ReadInfo to ensure that the system-* // roles are all on the same volume for example info, err := gadget.ReadInfoAndValidate(gadgetRoot, model, nil) diff --git a/gadget/install/install.go b/gadget/install/install.go index 9a39d10c0aa..3073457168c 100644 --- a/gadget/install/install.go +++ b/gadget/install/install.go @@ -100,7 +100,12 @@ func saveStorageTraits(mod gadget.Model, allVols map[string]*gadget.Volume, opts return nil } -func maybeEncryptPartition(dgpair *gadget.OnDiskAndGadgetStructurePair, encryptionType device.EncryptionType, sectorSize quantity.Size, perfTimings timings.Measurer) (fsParams *mkfsParams, diskEncryptionKey secboot.DiskUnlockKey, err error) { +func maybeEncryptPartition( + dgpair *gadget.OnDiskAndGadgetStructurePair, + encryptionType device.EncryptionType, + sectorSize quantity.Size, + perfTimings timings.Measurer, +) (fsParams *mkfsParams, diskEncryptionKey secboot.DiskUnlockKey, err error) { diskPart := dgpair.DiskStructure volStruct := dgpair.GadgetStructure mustEncrypt := (encryptionType != device.EncryptionTypeNone) @@ -630,7 +635,13 @@ func SaveStorageTraits(model gadget.Model, vols map[string]*gadget.Volume, encry return nil } -func EncryptPartitions(onVolumes map[string]*gadget.Volume, encryptionType device.EncryptionType, model *asserts.Model, gadgetRoot, kernelRoot string, perfTimings timings.Measurer) (*EncryptionSetupData, error) { +func EncryptPartitions( + onVolumes map[string]*gadget.Volume, + encryptionType device.EncryptionType, + model *asserts.Model, + gadgetRoot, kernelRoot string, + perfTimings timings.Measurer, +) (*EncryptionSetupData, error) { setupData := &EncryptionSetupData{ parts: make(map[string]partEncryptionData), } diff --git a/overlord/install/install.go b/overlord/install/install.go index 4cf1c352907..a03f6a0912d 100644 --- a/overlord/install/install.go +++ b/overlord/install/install.go @@ -199,7 +199,13 @@ func checkFDEFeatures(runSetupHook fde.RunSetupHookFunc) (et device.EncryptionTy // CheckEncryptionSupport checks the type of encryption support for disks // available if any and returns the corresponding device.EncryptionType, // internally it uses GetEncryptionSupportInfo with the provided parameters. -func CheckEncryptionSupport(model *asserts.Model, tpmMode secboot.TPMProvisionMode, kernelInfo *snap.Info, gadgetInfo *gadget.Info, runSetupHook fde.RunSetupHookFunc) (device.EncryptionType, error) { +func CheckEncryptionSupport( + model *asserts.Model, + tpmMode secboot.TPMProvisionMode, + kernelInfo *snap.Info, + gadgetInfo *gadget.Info, + runSetupHook fde.RunSetupHookFunc, +) (device.EncryptionType, error) { res, err := GetEncryptionSupportInfo(model, tpmMode, kernelInfo, gadgetInfo, runSetupHook) if err != nil { return "", err