secboot,overlord/fdestate/backend: use same primary key with FDE hook

If a plainkey token is used then the key sealed with FDE hook should have the same primary key. This was added for TPM, but I forgot to add it to FDE hook.
canonical · Feb 4, 2025 · 36698c0 · 36698c0
1 parent 407bebd
commit 36698c0
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 0 deletions.
diff --git a/overlord/fdestate/backend/seal.go b/overlord/fdestate/backend/seal.go
@@ -146,6 +146,7 @@ func sealFallbackObjectKeys(key, saveKey secboot.BootstrappedContainer, pbc boot
 func sealKeyForBootChainsHook(key, saveKey secboot.BootstrappedContainer, params *boot.SealKeyForBootChainsParams) error {
 	sealingParams := secboot.SealKeysWithFDESetupHookParams{
 		AuxKeyFile: filepath.Join(boot.InstallHostFDESaveDir, "aux-key"),
+		PrimaryKey: params.PrimaryKey,
 	}
 
 	for _, runChain := range params.RunModeBootChains {

diff --git a/overlord/fdestate/backend/seal_test.go b/overlord/fdestate/backend/seal_test.go
@@ -436,6 +436,7 @@ func (s *sealSuite) testSealToModeenvWithFdeHookHappy(c *C, useTokens bool) {
 		c.Check(params.Model.Model(), Equals, model.Model())
 		c.Check(params.Model.Model(), Equals, model.Model())
 		c.Check(params.AuxKeyFile, Equals, filepath.Join(boot.InstallHostFDESaveDir, "aux-key"))
+		c.Check(params.PrimaryKey, DeepEquals, []byte{1, 2, 3, 4})
 		for _, skr := range skrs {
 			var expectedBootstrappedContainer secboot.BootstrappedContainer
 			switch skr.KeyName {
@@ -490,6 +491,7 @@ func (s *sealSuite) testSealToModeenvWithFdeHookHappy(c *C, useTokens bool) {
 		FactoryReset:           false,
 		InstallHostWritableDir: filepath.Join(boot.InstallUbuntuDataDir, "system-data"),
 		UseTokens:              useTokens,
+		PrimaryKey:             []byte{1, 2, 3, 4},
 	}
 	err := boot.SealKeyForBootChains(device.SealingMethodFDESetupHook, dataContainer, saveContainer, nil, params)
 	c.Assert(err, IsNil)

diff --git a/secboot/secboot.go b/secboot/secboot.go
@@ -149,6 +149,8 @@ type SealKeysWithFDESetupHookParams struct {
 	// The path to the aux key file (if empty the key will not be
 	// saved)
 	AuxKeyFile string
+	// The primary key to use, nil if needs to be generated
+	PrimaryKey []byte
 }
 
 // KeyDataLocation represents the possible places where key data

diff --git a/secboot/secboot_hooks.go b/secboot/secboot_hooks.go
@@ -71,6 +71,10 @@ func (h *hookKeyProtector) ProtectKey(rand io.Reader, cleartext, aad []byte) (ci
 
 func SealKeysWithFDESetupHook(runHook fde.RunSetupHookFunc, keys []SealKeyRequest, params *SealKeysWithFDESetupHookParams) error {
 	var primaryKey sb.PrimaryKey
+	if params.PrimaryKey != nil {
+		// FIXME: add unit test taking that primary key
+		primaryKey = params.PrimaryKey
+	}
 
 	for _, skr := range keys {
 		protector := &hookKeyProtector{