secboot/keys: move the key types to a separate package

Signed-off-by: Maciej Borzecki <[email protected]>
canonical · Apr 26, 2022 · af8da5a · af8da5a
1 parent d6b5ca0
commit af8da5a
Show file tree

Hide file tree

Showing 11 changed files with 294 additions and 206 deletions.
diff --git a/secboot/encrypt.go b/secboot/encrypt.go
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2021 Canonical Ltd
+ * Copyright (C) 2022 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -19,104 +19,6 @@
 
 package secboot
 
-import (
-	"crypto/rand"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-
-	"github.com/snapcore/snapd/osutil"
-)
-
-const (
-	// The encryption key size is set so it has the same entropy as the derived
-	// key.
-	encryptionKeySize = 32
-
-	// XXX: needs to be in sync with
-	//      github.com/snapcore/secboot/crypto.go:"type RecoveryKey"
-	// Size of the recovery key.
-	recoveryKeySize = 16
-
-	// The auxiliary key is used to bind keys to models
-	auxKeySize = 32
-)
-
-// used in tests
-var randRead = rand.Read
-
-// EncryptionKey is the key used to encrypt the data partition.
-type EncryptionKey []byte
-
-func NewEncryptionKey() (EncryptionKey, error) {
-	key := make(EncryptionKey, encryptionKeySize)
-	// rand.Read() is protected against short reads
-	_, err := randRead(key[:])
-	// On return, n == len(b) if and only if err == nil
-	return key, err
-}
-
-// Save writes the key in the location specified by filename.
-func (key EncryptionKey) Save(filename string) error {
-	if err := os.MkdirAll(filepath.Dir(filename), 0755); err != nil {
-		return err
-	}
-	return osutil.AtomicWriteFile(filename, key[:], 0600, 0)
-}
-
-// RecoveryKey is a key used to unlock the encrypted partition when
-// the encryption key can't be used, for example when unseal fails.
-type RecoveryKey [recoveryKeySize]byte
-
-func NewRecoveryKey() (RecoveryKey, error) {
-	var key RecoveryKey
-	// rand.Read() is protected against short reads
-	_, err := randRead(key[:])
-	// On return, n == len(b) if and only if err == nil
-	return key, err
-}
-
-// Save writes the recovery key in the location specified by filename.
-func (key RecoveryKey) Save(filename string) error {
-	if err := os.MkdirAll(filepath.Dir(filename), 0755); err != nil {
-		return err
-	}
-	return osutil.AtomicWriteFile(filename, key[:], 0600, 0)
-}
-
-func RecoveryKeyFromFile(recoveryKeyFile string) (*RecoveryKey, error) {
-	f, err := os.Open(recoveryKeyFile)
-	if err != nil {
-		return nil, fmt.Errorf("cannot open recovery key: %v", err)
-	}
-	defer f.Close()
-	st, err := f.Stat()
-	if err != nil {
-		return nil, fmt.Errorf("cannot stat recovery key: %v", err)
-	}
-	if st.Size() != int64(len(RecoveryKey{})) {
-		return nil, fmt.Errorf("cannot read recovery key: unexpected size %v for the recovery key file %s", st.Size(), recoveryKeyFile)
-	}
-
-	var rkey RecoveryKey
-	if _, err := io.ReadFull(f, rkey[:]); err != nil {
-		return nil, fmt.Errorf("cannot read recovery key: %v", err)
-	}
-	return &rkey, nil
-}
-
-// AuxKey is the key to bind models to keys.
-type AuxKey [auxKeySize]byte
-
-func NewAuxKey() (AuxKey, error) {
-	var key AuxKey
-	// rand.Read() is protected against short reads
-	_, err := randRead(key[:])
-	// On return, n == len(b) if and only if err == nil
-	return key, err
-}
-
 // EncryptionType specifies what encryption backend should be used (if any)
 type EncryptionType string
 

diff --git a/secboot/encrypt_sb.go b/secboot/encrypt_sb.go
@@ -27,6 +27,7 @@ import (
 	sb "github.com/snapcore/secboot"
 
 	"github.com/snapcore/snapd/osutil"
+	"github.com/snapcore/snapd/secboot/keys"
 )
 
 var (
@@ -40,7 +41,7 @@ const metadataKiBSize = 2048     // 2MB
 // FormatEncryptedDevice initializes an encrypted volume on the block device
 // given by node, setting the specified label. The key used to unlock the volume
 // is provided using the key argument.
-func FormatEncryptedDevice(key EncryptionKey, label, node string) error {
+func FormatEncryptedDevice(key keys.EncryptionKey, label, node string) error {
 	opts := &sb.InitializeLUKS2ContainerOptions{
 		// use a lower, but still reasonable size that should give us
 		// enough room
@@ -63,7 +64,7 @@ func FormatEncryptedDevice(key EncryptionKey, label, node string) error {
 // The existing key to the encrypted volume is provided in the key argument.
 //
 // A heuristic memory cost is used.
-func AddRecoveryKey(key EncryptionKey, rkey RecoveryKey, node string) error {
+func AddRecoveryKey(key keys.EncryptionKey, rkey keys.RecoveryKey, node string) error {
 	usableMem, err := osutil.TotalUsableMemory()
 	if err != nil {
 		return fmt.Errorf("cannot get usable memory for KDF parameters when adding the recovery key: %v", err)
@@ -90,7 +91,3 @@ func AddRecoveryKey(key EncryptionKey, rkey RecoveryKey, node string) error {
 
 	return sbAddRecoveryKeyToLUKS2Container(node, key[:], sb.RecoveryKey(rkey), opts)
 }
-
-func (k RecoveryKey) String() string {
-	return sb.RecoveryKey(k).String()
-}
diff --git a/secboot/encrypt_sb_test.go b/secboot/encrypt_sb_test.go
@@ -3,7 +3,7 @@
 // +build !nosecboot
 
 /*
- * Copyright (C) 2021 Canonical Ltd
+ * Copyright (C) 2022 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -31,6 +31,7 @@ import (
 
 	"github.com/snapcore/snapd/osutil"
 	"github.com/snapcore/snapd/secboot"
+	"github.com/snapcore/snapd/secboot/keys"
 )
 
 func (s *encryptSuite) TestFormatEncryptedDevice(c *C) {
@@ -42,7 +43,7 @@ func (s *encryptSuite) TestFormatEncryptedDevice(c *C) {
 		{initErr: errors.New("some error"), err: "some error"},
 	} {
 		// create empty key to prevent blocking on lack of system entropy
-		myKey := secboot.EncryptionKey{}
+		myKey := keys.EncryptionKey{}
 		for i := range myKey {
 			myKey[i] = byte(i)
 		}
@@ -95,12 +96,12 @@ func (s *encryptSuite) TestAddRecoveryKey(c *C) {
 		{addErr: errors.New("some error"), err: "some error"},
 	} {
 		// create empty key to prevent blocking on lack of system entropy
-		myKey := secboot.EncryptionKey{}
+		myKey := keys.EncryptionKey{}
 		for i := range myKey {
 			myKey[i] = byte(i)
 		}
 
-		myRecoveryKey := secboot.RecoveryKey{15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0}
+		myRecoveryKey := keys.RecoveryKey{15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0}
 
 		calls := 0
 		restore := secboot.MockSbAddRecoveryKeyToLUKS2Container(func(devicePath string, key []byte, recoveryKey sb.RecoveryKey, opts *sb.KDFOptions) error {

diff --git a/secboot/encrypt_test.go b/secboot/encrypt_test.go
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2019-2021 Canonical Ltd
+ * Copyright (C) 2019-2022 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -20,15 +20,9 @@
 package secboot_test
 
 import (
-	"fmt"
-	"os"
-	"path/filepath"
 	"testing"
 
 	. "gopkg.in/check.v1"
-
-	"github.com/snapcore/snapd/secboot"
-	"github.com/snapcore/snapd/testutil"
 )
 
 func TestSecboot(t *testing.T) { TestingT(t) }
@@ -42,75 +36,3 @@ var _ = Suite(&encryptSuite{})
 func (s *encryptSuite) SetUpTest(c *C) {
 	s.dir = c.MkDir()
 }
-
-func (s *encryptSuite) TestRecoveryKeySave(c *C) {
-	kf := filepath.Join(s.dir, "test-key")
-	kfNested := filepath.Join(s.dir, "deeply/nested/test-key")
-
-	rkey := secboot.RecoveryKey{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 255}
-	err := rkey.Save(kf)
-	c.Assert(err, IsNil)
-	c.Assert(kf, testutil.FileEquals, rkey[:])
-
-	fileInfo, err := os.Stat(kf)
-	c.Assert(err, IsNil)
-	c.Assert(fileInfo.Mode(), Equals, os.FileMode(0600))
-
-	err = rkey.Save(kfNested)
-	c.Assert(err, IsNil)
-	c.Assert(kfNested, testutil.FileEquals, rkey[:])
-	di, err := os.Stat(filepath.Dir(kfNested))
-	c.Assert(err, IsNil)
-	c.Assert(di.Mode().Perm(), Equals, os.FileMode(0755))
-}
-
-func (s *encryptSuite) TestEncryptionKeySave(c *C) {
-	kf := filepath.Join(s.dir, "test-key")
-	kfNested := filepath.Join(s.dir, "deeply/nested/test-key")
-
-	ekey := secboot.EncryptionKey{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 255}
-	err := ekey.Save(kf)
-	c.Assert(err, IsNil)
-	c.Assert(kf, testutil.FileEquals, []byte(ekey))
-
-	fileInfo, err := os.Stat(kf)
-	c.Assert(err, IsNil)
-	c.Assert(fileInfo.Mode(), Equals, os.FileMode(0600))
-
-	err = ekey.Save(kfNested)
-	c.Assert(err, IsNil)
-	c.Assert(kfNested, testutil.FileEquals, []byte(ekey))
-	di, err := os.Stat(filepath.Dir(kfNested))
-	c.Assert(err, IsNil)
-	c.Assert(di.Mode().Perm(), Equals, os.FileMode(0755))
-}
-
-func (s *encryptSuite) TestNewAuxKeyHappy(c *C) {
-	restore := secboot.MockRandRead(func(p []byte) (int, error) {
-		for i := range p {
-			p[i] = byte(i % 10)
-		}
-		return len(p), nil
-	})
-	defer restore()
-
-	auxKey, err := secboot.NewAuxKey()
-	c.Assert(err, IsNil)
-	c.Assert(auxKey, HasLen, 32)
-	c.Check(auxKey[:], DeepEquals, []byte{
-		0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9,
-		0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9,
-		0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9,
-		0x0, 0x1,
-	})
-}
-
-func (s *encryptSuite) TestNewAuxKeySad(c *C) {
-	restore := secboot.MockRandRead(func(p []byte) (int, error) {
-		return 0, fmt.Errorf("fail")
-	})
-	defer restore()
-
-	_, err := secboot.NewAuxKey()
-	c.Check(err, ErrorMatches, "fail")
-}
diff --git a/secboot/export_test.go → secboot/keys/export_test.go b/secboot/export_test.go → secboot/keys/export_test.go
@@ -1,7 +1,7 @@
 // -*- Mode: Go; indent-tabs-mode: t -*-
 
 /*
- * Copyright (C) 2021 Canonical Ltd
+ * Copyright (C) 2022 Canonical Ltd
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
@@ -17,7 +17,7 @@
  *
  */
 
-package secboot
+package keys
 
 func MockRandRead(f func(p []byte) (int, error)) (restore func()) {
 	oldRandRead := randRead