diff --git a/secboot/encrypt.go b/secboot/encrypt.go
index 0f30fb2011c..9e4625b95fb 100644
--- a/secboot/encrypt.go
+++ b/secboot/encrypt.go
@@ -1,7 +1,7 @@
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
- * Copyright (C) 2021 Canonical Ltd
+ * Copyright (C) 2022 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -19,104 +19,6 @@
package secboot
-import (
- "crypto/rand"
- "fmt"
- "io"
- "os"
- "path/filepath"
-
- "github.com/snapcore/snapd/osutil"
-)
-
-const (
- // The encryption key size is set so it has the same entropy as the derived
- // key.
- encryptionKeySize = 32
-
- // XXX: needs to be in sync with
- // github.com/snapcore/secboot/crypto.go:"type RecoveryKey"
- // Size of the recovery key.
- recoveryKeySize = 16
-
- // The auxiliary key is used to bind keys to models
- auxKeySize = 32
-)
-
-// used in tests
-var randRead = rand.Read
-
-// EncryptionKey is the key used to encrypt the data partition.
-type EncryptionKey []byte
-
-func NewEncryptionKey() (EncryptionKey, error) {
- key := make(EncryptionKey, encryptionKeySize)
- // rand.Read() is protected against short reads
- _, err := randRead(key[:])
- // On return, n == len(b) if and only if err == nil
- return key, err
-}
-
-// Save writes the key in the location specified by filename.
-func (key EncryptionKey) Save(filename string) error {
- if err := os.MkdirAll(filepath.Dir(filename), 0755); err != nil {
- return err
- }
- return osutil.AtomicWriteFile(filename, key[:], 0600, 0)
-}
-
-// RecoveryKey is a key used to unlock the encrypted partition when
-// the encryption key can't be used, for example when unseal fails.
-type RecoveryKey [recoveryKeySize]byte
-
-func NewRecoveryKey() (RecoveryKey, error) {
- var key RecoveryKey
- // rand.Read() is protected against short reads
- _, err := randRead(key[:])
- // On return, n == len(b) if and only if err == nil
- return key, err
-}
-
-// Save writes the recovery key in the location specified by filename.
-func (key RecoveryKey) Save(filename string) error {
- if err := os.MkdirAll(filepath.Dir(filename), 0755); err != nil {
- return err
- }
- return osutil.AtomicWriteFile(filename, key[:], 0600, 0)
-}
-
-func RecoveryKeyFromFile(recoveryKeyFile string) (*RecoveryKey, error) {
- f, err := os.Open(recoveryKeyFile)
- if err != nil {
- return nil, fmt.Errorf("cannot open recovery key: %v", err)
- }
- defer f.Close()
- st, err := f.Stat()
- if err != nil {
- return nil, fmt.Errorf("cannot stat recovery key: %v", err)
- }
- if st.Size() != int64(len(RecoveryKey{})) {
- return nil, fmt.Errorf("cannot read recovery key: unexpected size %v for the recovery key file %s", st.Size(), recoveryKeyFile)
- }
-
- var rkey RecoveryKey
- if _, err := io.ReadFull(f, rkey[:]); err != nil {
- return nil, fmt.Errorf("cannot read recovery key: %v", err)
- }
- return &rkey, nil
-}
-
-// AuxKey is the key to bind models to keys.
-type AuxKey [auxKeySize]byte
-
-func NewAuxKey() (AuxKey, error) {
- var key AuxKey
- // rand.Read() is protected against short reads
- _, err := randRead(key[:])
- // On return, n == len(b) if and only if err == nil
- return key, err
-}
-
// EncryptionType specifies what encryption backend should be used (if any)
type EncryptionType string
diff --git a/secboot/encrypt_sb.go b/secboot/encrypt_sb.go
index 28136ded128..64211de9f2d 100644
--- a/secboot/encrypt_sb.go
+++ b/secboot/encrypt_sb.go
@@ -27,6 +27,7 @@ import (
sb "github.com/snapcore/secboot"
"github.com/snapcore/snapd/osutil"
+ "github.com/snapcore/snapd/secboot/keys"
)
var (
@@ -40,7 +41,7 @@ const metadataKiBSize = 2048 // 2MB
// FormatEncryptedDevice initializes an encrypted volume on the block device
// given by node, setting the specified label. The key used to unlock the volume
// is provided using the key argument.
-func FormatEncryptedDevice(key EncryptionKey, label, node string) error {
+func FormatEncryptedDevice(key keys.EncryptionKey, label, node string) error {
opts := &sb.InitializeLUKS2ContainerOptions{
// use a lower, but still reasonable size that should give us
// enough room
@@ -63,7 +64,7 @@ func FormatEncryptedDevice(key EncryptionKey, label, node string) error {
// The existing key to the encrypted volume is provided in the key argument.
//
// A heuristic memory cost is used.
-func AddRecoveryKey(key EncryptionKey, rkey RecoveryKey, node string) error {
+func AddRecoveryKey(key keys.EncryptionKey, rkey keys.RecoveryKey, node string) error {
usableMem, err := osutil.TotalUsableMemory()
if err != nil {
return fmt.Errorf("cannot get usable memory for KDF parameters when adding the recovery key: %v", err)
@@ -90,7 +91,3 @@ func AddRecoveryKey(key EncryptionKey, rkey RecoveryKey, node string) error {
return sbAddRecoveryKeyToLUKS2Container(node, key[:], sb.RecoveryKey(rkey), opts)
}
-
-func (k RecoveryKey) String() string {
- return sb.RecoveryKey(k).String()
-}
diff --git a/secboot/encrypt_sb_test.go b/secboot/encrypt_sb_test.go
index 3841786736e..b5787872083 100644
--- a/secboot/encrypt_sb_test.go
+++ b/secboot/encrypt_sb_test.go
@@ -3,7 +3,7 @@
// +build !nosecboot
/*
- * Copyright (C) 2021 Canonical Ltd
+ * Copyright (C) 2022 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -31,6 +31,7 @@ import (
"github.com/snapcore/snapd/osutil"
"github.com/snapcore/snapd/secboot"
+ "github.com/snapcore/snapd/secboot/keys"
)
func (s *encryptSuite) TestFormatEncryptedDevice(c *C) {
@@ -42,7 +43,7 @@ func (s *encryptSuite) TestFormatEncryptedDevice(c *C) {
{initErr: errors.New("some error"), err: "some error"},
} {
// create empty key to prevent blocking on lack of system entropy
- myKey := secboot.EncryptionKey{}
+ myKey := keys.EncryptionKey{}
for i := range myKey {
myKey[i] = byte(i)
}
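Review bot: `myKey := keys.EncryptionKey{}` creates a zero-length slice, because `EncryptionKey` is declared as `[]byte`, so the `for i := range myKey` loop after it never executes and the test runs with an empty key rather than the patterned one the loop implies. Now that the size constant is exported, `myKey := make(keys.EncryptionKey, keys.EncryptionKeySize)` would give the loop 32 bytes to fill. The same pattern appears in the TestAddRecoveryKey hunk of this file and in the TestSealKey hunk of secboot_sb_test.go, where `myKey2` is affected as well. The test function starts and ends outside this hunk, so check whether any assertion relies on the empty key before changing it.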
@@ -95,12 +96,12 @@ func (s *encryptSuite) TestAddRecoveryKey(c *C) {
{addErr: errors.New("some error"), err: "some error"},
} {
// create empty key to prevent blocking on lack of system entropy
- myKey := secboot.EncryptionKey{}
+ myKey := keys.EncryptionKey{}
for i := range myKey {
myKey[i] = byte(i)
}
- myRecoveryKey := secboot.RecoveryKey{15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0}
+ myRecoveryKey := keys.RecoveryKey{15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0}
calls := 0
restore := secboot.MockSbAddRecoveryKeyToLUKS2Container(func(devicePath string, key []byte, recoveryKey sb.RecoveryKey, opts *sb.KDFOptions) error {
diff --git a/secboot/encrypt_test.go b/secboot/encrypt_test.go
index 51378a87cd8..28c0dbd1c2d 100644
--- a/secboot/encrypt_test.go
+++ b/secboot/encrypt_test.go
@@ -1,7 +1,7 @@
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
- * Copyright (C) 2019-2021 Canonical Ltd
+ * Copyright (C) 2019-2022 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -20,15 +20,9 @@
package secboot_test
import (
- "fmt"
- "os"
- "path/filepath"
"testing"
. "gopkg.in/check.v1"
-
- "github.com/snapcore/snapd/secboot"
- "github.com/snapcore/snapd/testutil"
)
func TestSecboot(t *testing.T) { TestingT(t) }
@@ -42,75 +36,3 @@ var _ = Suite(&encryptSuite{})
func (s *encryptSuite) SetUpTest(c *C) {
s.dir = c.MkDir()
}
-
-func (s *encryptSuite) TestRecoveryKeySave(c *C) {
- kf := filepath.Join(s.dir, "test-key")
- kfNested := filepath.Join(s.dir, "deeply/nested/test-key")
-
- rkey := secboot.RecoveryKey{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 255}
- err := rkey.Save(kf)
- c.Assert(err, IsNil)
- c.Assert(kf, testutil.FileEquals, rkey[:])
-
- fileInfo, err := os.Stat(kf)
- c.Assert(err, IsNil)
- c.Assert(fileInfo.Mode(), Equals, os.FileMode(0600))
-
- err = rkey.Save(kfNested)
- c.Assert(err, IsNil)
- c.Assert(kfNested, testutil.FileEquals, rkey[:])
- di, err := os.Stat(filepath.Dir(kfNested))
- c.Assert(err, IsNil)
- c.Assert(di.Mode().Perm(), Equals, os.FileMode(0755))
-}
-
-func (s *encryptSuite) TestEncryptionKeySave(c *C) {
- kf := filepath.Join(s.dir, "test-key")
- kfNested := filepath.Join(s.dir, "deeply/nested/test-key")
-
- ekey := secboot.EncryptionKey{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 255}
- err := ekey.Save(kf)
- c.Assert(err, IsNil)
- c.Assert(kf, testutil.FileEquals, []byte(ekey))
-
- fileInfo, err := os.Stat(kf)
- c.Assert(err, IsNil)
- c.Assert(fileInfo.Mode(), Equals, os.FileMode(0600))
-
- err = ekey.Save(kfNested)
- c.Assert(err, IsNil)
- c.Assert(kfNested, testutil.FileEquals, []byte(ekey))
- di, err := os.Stat(filepath.Dir(kfNested))
- c.Assert(err, IsNil)
- c.Assert(di.Mode().Perm(), Equals, os.FileMode(0755))
-}
-
-func (s *encryptSuite) TestNewAuxKeyHappy(c *C) {
- restore := secboot.MockRandRead(func(p []byte) (int, error) {
- for i := range p {
- p[i] = byte(i % 10)
- }
- return len(p), nil
- })
- defer restore()
-
- auxKey, err := secboot.NewAuxKey()
- c.Assert(err, IsNil)
- c.Assert(auxKey, HasLen, 32)
- c.Check(auxKey[:], DeepEquals, []byte{
- 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9,
- 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9,
- 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9,
- 0x0, 0x1,
- })
-}
-
-func (s *encryptSuite) TestNewAuxKeySad(c *C) {
- restore := secboot.MockRandRead(func(p []byte) (int, error) {
- return 0, fmt.Errorf("fail")
- })
- defer restore()
-
- _, err := secboot.NewAuxKey()
- c.Check(err, ErrorMatches, "fail")
-}
diff --git a/secboot/export_test.go b/secboot/keys/export_test.go
similarity index 93%
rename from secboot/export_test.go
rename to secboot/keys/export_test.go
index 49f90ce49ad..4d41e7add9a 100644
--- a/secboot/export_test.go
+++ b/secboot/keys/export_test.go
@@ -1,7 +1,7 @@
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
- * Copyright (C) 2021 Canonical Ltd
+ * Copyright (C) 2022 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -17,7 +17,7 @@
*
*/
-package secboot
+package keys
func MockRandRead(f func(p []byte) (int, error)) (restore func()) {
oldRandRead := randRead
diff --git a/secboot/keys/keys.go b/secboot/keys/keys.go
new file mode 100644
index 00000000000..ed7cd98933e
--- /dev/null
+++ b/secboot/keys/keys.go
@@ -0,0 +1,118 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2022 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+package keys
+
+import (
+ "crypto/rand"
+ "fmt"
+ "io"
+ "os"
+ "path/filepath"
+
+ "github.com/snapcore/snapd/osutil"
+)
+
+const (
+ // The encryption key size is set so it has the same entropy as the derived
+ // key.
+ EncryptionKeySize = 32
+
+ // XXX: needs to be in sync with
+ // github.com/snapcore/secboot/crypto.go:"type RecoveryKey"
+ // Size of the recovery key.
+ RecoveryKeySize = 16
+
+ // The auxiliary key is used to bind keys to models
+ AuxKeySize = 32
+)
+
+// used in tests
+var randRead = rand.Read
+
+// EncryptionKey is the key used to encrypt the data partition.
+type EncryptionKey []byte
+
+func NewEncryptionKey() (EncryptionKey, error) {
+ key := make(EncryptionKey, EncryptionKeySize)
+ // rand.Read() is protected against short reads
+ _, err := randRead(key[:])
+ // On return, n == len(b) if and only if err == nil
+ return key, err
+}
+
+// Save writes the key in the location specified by filename.
+func (key EncryptionKey) Save(filename string) error {
+ if err := os.MkdirAll(filepath.Dir(filename), 0755); err != nil {
+ return err
+ }
+ return osutil.AtomicWriteFile(filename, key[:], 0600, 0)
+}
+
+// RecoveryKey is a key used to unlock the encrypted partition when
+// the encryption key can't be used, for example when unseal fails.
+type RecoveryKey [RecoveryKeySize]byte
+
+func NewRecoveryKey() (RecoveryKey, error) {
+ var key RecoveryKey
+ // rand.Read() is protected against short reads
+ _, err := randRead(key[:])
+ // On return, n == len(b) if and only if err == nil
+ return key, err
+}
+
+// Save writes the recovery key in the location specified by filename.
+func (key RecoveryKey) Save(filename string) error {
+ if err := os.MkdirAll(filepath.Dir(filename), 0755); err != nil {
+ return err
+ }
+ return osutil.AtomicWriteFile(filename, key[:], 0600, 0)
+}
+
+func RecoveryKeyFromFile(recoveryKeyFile string) (*RecoveryKey, error) {
+ f, err := os.Open(recoveryKeyFile)
+ if err != nil {
+ return nil, fmt.Errorf("cannot open recovery key: %v", err)
+ }
+ defer f.Close()
+ st, err := f.Stat()
+ if err != nil {
+ return nil, fmt.Errorf("cannot stat recovery key: %v", err)
+ }
+ if st.Size() != int64(len(RecoveryKey{})) {
+ return nil, fmt.Errorf("cannot read recovery key: unexpected size %v for the recovery key file %s", st.Size(), recoveryKeyFile)
+ }
+
+ var rkey RecoveryKey
+ if _, err := io.ReadFull(f, rkey[:]); err != nil {
+ return nil, fmt.Errorf("cannot read recovery key: %v", err)
+ }
+ return &rkey, nil
+}
+
+// AuxKey is the key to bind models to keys.
+type AuxKey [AuxKeySize]byte
+
+func NewAuxKey() (AuxKey, error) {
+ var key AuxKey
+ // rand.Read() is protected against short reads
+ _, err := randRead(key[:])
+ // On return, n == len(b) if and only if err == nil
+ return key, err
+}
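Review bot: `NewEncryptionKey`, `NewRecoveryKey` and `NewAuxKey` all end in `return key, err`, so when `randRead` fails the caller still receives a zeroed or partially filled buffer of the right length and type. For the slice type, returning nil on failure makes a mishandled error visible instead of yielding predictable key material: `if _, err := randRead(key); err != nil { return nil, err }`. The array types cannot signal invalidity by value, so at least return the canonical zero value (`return RecoveryKey{}, err`, `return AuxKey{}, err`) and state in the doc comment that the result must not be used when err is non-nil. The three constructors, `RecoveryKeyFromFile` and the now-exported size constants have no doc comments starting with the identifier, e.g. `// NewEncryptionKey returns a new random key of EncryptionKeySize bytes.`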
diff --git a/secboot/encrypt_dummy.go b/secboot/keys/keys_dummy.go
similarity index 93%
rename from secboot/encrypt_dummy.go
rename to secboot/keys/keys_dummy.go
index 6f08781ec4e..dd2cf35f877 100644
--- a/secboot/encrypt_dummy.go
+++ b/secboot/keys/keys_dummy.go
@@ -3,7 +3,7 @@
// +build nosecboot
/*
- * Copyright (C) 2020 Canonical Ltd
+ * Copyright (C) 2022 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
@@ -19,7 +19,7 @@
*
*/
-package secboot
+package keys
func (k RecoveryKey) String() string {
return "not-implemented"
diff --git a/secboot/keys/keys_sb.go b/secboot/keys/keys_sb.go
new file mode 100644
index 00000000000..674268036ef
--- /dev/null
+++ b/secboot/keys/keys_sb.go
@@ -0,0 +1,30 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+//go:build !nosecboot
+// +build !nosecboot
+
+/*
+ * Copyright (C) 2022 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+package keys
+
+import (
+ sb "github.com/snapcore/secboot"
+)
+
+func (k RecoveryKey) String() string {
+ return sb.RecoveryKey(k).String()
+}
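Review bot: `String()` has no doc comment, and because it makes `RecoveryKey` a `fmt.Stringer`, any `%v` or `%s` formatting of the value (log lines and wrapped error messages included) emits the usable recovery key as rendered by `sb.RecoveryKey`. That is worth stating at the definition now that the type is exported from its own package and can be imported more widely. Proposed comment: `// String returns the recovery key in the textual form produced by sb.RecoveryKey; the result is secret material and must not be logged.`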
diff --git a/secboot/keys/keys_test.go b/secboot/keys/keys_test.go
new file mode 100644
index 00000000000..30da33d2652
--- /dev/null
+++ b/secboot/keys/keys_test.go
@@ -0,0 +1,116 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2019-2022 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+package keys_test
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+ "testing"
+
+ . "gopkg.in/check.v1"
+
+ "github.com/snapcore/snapd/secboot/keys"
+ "github.com/snapcore/snapd/testutil"
+)
+
+func TestSecboot(t *testing.T) { TestingT(t) }
+
+type keysSuite struct {
+ dir string
+}
+
+var _ = Suite(&keysSuite{})
+
+func (s *keysSuite) SetUpTest(c *C) {
+ s.dir = c.MkDir()
+}
+
+func (s *keysSuite) TestRecoveryKeySave(c *C) {
+ kf := filepath.Join(s.dir, "test-key")
+ kfNested := filepath.Join(s.dir, "deeply/nested/test-key")
+
+ rkey := keys.RecoveryKey{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 255}
+ err := rkey.Save(kf)
+ c.Assert(err, IsNil)
+ c.Assert(kf, testutil.FileEquals, rkey[:])
+
+ fileInfo, err := os.Stat(kf)
+ c.Assert(err, IsNil)
+ c.Assert(fileInfo.Mode(), Equals, os.FileMode(0600))
+
+ err = rkey.Save(kfNested)
+ c.Assert(err, IsNil)
+ c.Assert(kfNested, testutil.FileEquals, rkey[:])
+ di, err := os.Stat(filepath.Dir(kfNested))
+ c.Assert(err, IsNil)
+ c.Assert(di.Mode().Perm(), Equals, os.FileMode(0755))
+}
+
+func (s *keysSuite) TestEncryptionKeySave(c *C) {
+ kf := filepath.Join(s.dir, "test-key")
+ kfNested := filepath.Join(s.dir, "deeply/nested/test-key")
+
+ ekey := keys.EncryptionKey{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 255}
+ err := ekey.Save(kf)
+ c.Assert(err, IsNil)
+ c.Assert(kf, testutil.FileEquals, []byte(ekey))
+
+ fileInfo, err := os.Stat(kf)
+ c.Assert(err, IsNil)
+ c.Assert(fileInfo.Mode(), Equals, os.FileMode(0600))
+
+ err = ekey.Save(kfNested)
+ c.Assert(err, IsNil)
+ c.Assert(kfNested, testutil.FileEquals, []byte(ekey))
+ di, err := os.Stat(filepath.Dir(kfNested))
+ c.Assert(err, IsNil)
+ c.Assert(di.Mode().Perm(), Equals, os.FileMode(0755))
+}
+
+func (s *keysSuite) TestNewAuxKeyHappy(c *C) {
+ restore := keys.MockRandRead(func(p []byte) (int, error) {
+ for i := range p {
+ p[i] = byte(i % 10)
+ }
+ return len(p), nil
+ })
+ defer restore()
+
+ auxKey, err := keys.NewAuxKey()
+ c.Assert(err, IsNil)
+ c.Assert(auxKey, HasLen, 32)
+ c.Check(auxKey[:], DeepEquals, []byte{
+ 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9,
+ 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9,
+ 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9,
+ 0x0, 0x1,
+ })
+}
+
+func (s *keysSuite) TestNewAuxKeySad(c *C) {
+ restore := keys.MockRandRead(func(p []byte) (int, error) {
+ return 0, fmt.Errorf("fail")
+ })
+ defer restore()
+
+ _, err := keys.NewAuxKey()
+ c.Check(err, ErrorMatches, "fail")
+}
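Review bot: This suite covers only the two `Save` methods and `NewAuxKey`. `RecoveryKeyFromFile` (including its size-mismatch rejection), `NewEncryptionKey` and `NewRecoveryKey` have no test in this file, although the `MockRandRead` hook needed to drive the constructors is available in the new package. A sad-path test should also pin what the constructors return alongside the error, since `TestNewAuxKeySad` discards the key with `_`. Two smaller points: the runner is still named `TestSecboot` in package `keys_test` and would read better as `TestKeys`, and `TestEncryptionKeySave` uses a 16-byte literal rather than a key of `keys.EncryptionKeySize`.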
diff --git a/secboot/secboot.go b/secboot/secboot.go
index 27d5768d960..7ec008f8ba9 100644
--- a/secboot/secboot.go
+++ b/secboot/secboot.go
@@ -29,6 +29,7 @@ import (
"github.com/snapcore/snapd/asserts"
"github.com/snapcore/snapd/bootloader"
+ "github.com/snapcore/snapd/secboot/keys"
)
const (
@@ -58,7 +59,7 @@ func NewLoadChain(bf bootloader.BootFile, next ...*LoadChain) *LoadChain {
type SealKeyRequest struct {
// The key to seal
- Key EncryptionKey
+ Key keys.EncryptionKey
// The key name; identical keys should have identical names
KeyName string
// The path to store the sealed key file. The same Key/KeyName
@@ -107,7 +108,7 @@ type SealKeysWithFDESetupHookParams struct {
// Initial model to bind sealed keys to.
Model ModelForSealing
// AuxKey is the auxiliary key used to bind models.
- AuxKey AuxKey
+ AuxKey keys.AuxKey
// The path to the aux key file (if empty the key will not be
// saved)
AuxKeyFile string
diff --git a/secboot/secboot_sb_test.go b/secboot/secboot_sb_test.go
index 3b0ac831468..9b8f323aa7c 100644
--- a/secboot/secboot_sb_test.go
+++ b/secboot/secboot_sb_test.go
@@ -49,6 +49,7 @@ import (
"github.com/snapcore/snapd/osutil"
"github.com/snapcore/snapd/osutil/disks"
"github.com/snapcore/snapd/secboot"
+ "github.com/snapcore/snapd/secboot/keys"
"github.com/snapcore/snapd/snap"
"github.com/snapcore/snapd/snap/snapfile"
"github.com/snapcore/snapd/snap/squashfs"
@@ -698,8 +699,8 @@ func (s *secbootSuite) TestSealKey(c *C) {
PCRPolicyCounterHandle: 42,
}
- myKey := secboot.EncryptionKey{}
- myKey2 := secboot.EncryptionKey{}
+ myKey := keys.EncryptionKey{}
+ myKey2 := keys.EncryptionKey{}
for i := range myKey {
myKey[i] = byte(i)
myKey2[i] = byte(128 + i)
@@ -1098,7 +1099,7 @@ func (s *secbootSuite) TestResealKey(c *C) {
func (s *secbootSuite) TestSealKeyNoModelParams(c *C) {
myKeys := []secboot.SealKeyRequest{
{
- Key: secboot.EncryptionKey{},
+ Key: keys.EncryptionKey{},
KeyFile: "keyfile",
},
}
@@ -1349,9 +1350,9 @@ func (s *secbootSuite) TestSealKeysWithFDESetupHookHappy(c *C) {
return json.Marshal(res)
}
- key1 := secboot.EncryptionKey{1, 2, 3, 4}
- key2 := secboot.EncryptionKey{5, 6, 7, 8}
- auxKey := secboot.AuxKey{9, 10, 11, 12}
+ key1 := keys.EncryptionKey{1, 2, 3, 4}
+ key2 := keys.EncryptionKey{5, 6, 7, 8}
+ auxKey := keys.AuxKey{9, 10, 11, 12}
key1Fn := filepath.Join(tmpdir, "key1.key")
key2Fn := filepath.Join(tmpdir, "key2.key")
auxKeyFn := filepath.Join(tmpdir, "aux-key")
@@ -1392,8 +1393,8 @@ func (s *secbootSuite) TestSealKeysWithFDESetupHookSad(c *C) {
return nil, fmt.Errorf("hook failed")
}
- key := secboot.EncryptionKey{1, 2, 3, 4}
- auxKey := secboot.AuxKey{5, 6, 7, 8}
+ key := keys.EncryptionKey{1, 2, 3, 4}
+ auxKey := keys.AuxKey{5, 6, 7, 8}
keyFn := filepath.Join(tmpdir, "key.key")
auxKeyFn := filepath.Join(tmpdir, "aux-key")
params := secboot.SealKeysWithFDESetupHookParams{
@@ -1410,12 +1411,12 @@ func (s *secbootSuite) TestSealKeysWithFDESetupHookSad(c *C) {
c.Check(auxKeyFn, testutil.FileAbsent)
}
-func makeMockDiskKey() secboot.EncryptionKey {
- return secboot.EncryptionKey{0, 1, 2, 3, 4, 5}
+func makeMockDiskKey() keys.EncryptionKey {
+ return keys.EncryptionKey{0, 1, 2, 3, 4, 5}
}
-func makeMockAuxKey() secboot.AuxKey {
- return secboot.AuxKey{6, 7, 8, 9}
+func makeMockAuxKey() keys.AuxKey {
+ return keys.AuxKey{6, 7, 8, 9}
}
func makeMockUnencryptedPayload() []byte {