Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

secboot: check legacy path for keyring when reading the primary key #14966

Merged
merged 1 commit into from
Feb 4, 2025
Merged

secboot: check legacy path for keyring when reading the primary key #14966

merged 1 commit into from
Feb 4, 2025

Conversation

valentindavid
Copy link
Contributor

No description provided.

@valentindavid valentindavid added Run nested The PR also runs tests inluded in nested suite FDE Manager Pull requests that target FDE manager branch labels Jan 23, 2025
@valentindavid valentindavid marked this pull request as ready for review January 23, 2025 12:29
@codecov Codecov
Copy link

codecov bot commented Jan 23, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 79.41176% with 7 lines in your changes missing coverage. Please review.

Please upload report for BASE (fde-manager-features@ca5418e). Learn more about missing BASE report.

Files with missing lines Patch % Lines
secboot/secboot_sb.go 70.83% 5 Missing and 2 partials ⚠️
Additional details and impacted files 
@@                   Coverage Diff                   @@
##             fde-manager-features   #14966   +/-   ##
=======================================================
  Coverage                        ?   78.14%           
=======================================================
  Files                           ?     1174           
  Lines                           ?   156057           
  Branches                        ?        0           
=======================================================
  Hits                            ?   121951           
  Misses                          ?    26545           
  Partials                        ?     7561
Flag Coverage Δ
unittests 78.14% <79.41%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@valentindavid valentindavid requested review from pedronis and bboozzoo and removed request for pedronis January 23, 2025 12:48
pedronis
pedronis approved these changes Jan 23, 2025
View reviewed changes
Copy link
Collaborator

@pedronis pedronis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you

secboot/secboot_sb.go Outdated
}

// GetPrimaryKeyDigest retrieve the primary key for a disk from the
// keyring and returns it digest. If the path given does not match
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo: s/it/its/

@valentindavid valentindavid force-pushed the valentindavid/fallback-partuuid branch from 05b58eb to 2ae271a Compare January 23, 2025 15:40
@valentindavid valentindavid force-pushed the valentindavid/fallback-partuuid branch from 2ae271a to b0a5f1f Compare January 24, 2025 15:37
@pedronis pedronis force-pushed the fde-manager-features branch from 7005c64 to 25f9119 Compare January 29, 2025 10:49
@valentindavid valentindavid force-pushed the valentindavid/fallback-partuuid branch from b0a5f1f to 413aad0 Compare January 29, 2025 10:54
@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 29, 2025
edited
Loading

Tue Feb 4 13:31:33 UTC 2025
The following results are from: https://github.com/canonical/snapd/actions/runs/13119360157

Failures:

Preparing:

  • google-nested:ubuntu-20.04-64:tests/nested/manual/remodel-uc20-to-uc22:encrypted
  • google-nested:ubuntu-22.04-64:tests/nested/manual/recovery-system-reboot:factory_reset
  • google-nested:ubuntu-22.04-64:tests/nested/manual/recovery-system-reboot:recover
  • google-nested:ubuntu-24.04-64:tests/nested/manual/recovery-system-reboot:recover
  • google-nested:ubuntu-24.04-64:tests/nested/manual/recovery-system-reboot:factory_reset
  • google-nested:ubuntu-24.04-64:tests/nested/manual/kernel-modules-components:encrypted
  • google-nested:ubuntu-24.04-64:tests/nested/manual/build-with-kernel-modules-components:encrypted
  • google-nested:ubuntu-24.04-64:tests/nested/manual/core20-fault-inject-on-install-component:kernel_panic_prepare_kernel_components
  • google-nested:ubuntu-24.04-64:tests/nested/manual/uc20-fde-hooks:tokens

Executing:

  • openstack:debian-12-64:tests/main/microk8s-smoke:edge
  • openstack:debian-sid-64:tests/main/microk8s-smoke:edge
  • google-nested:ubuntu-20.04-64:tests/nested/manual/remodel-offline:local_and_installed_snaps
  • google-nested:ubuntu-20.04-64:tests/nested/manual/remodel-offline:local_assertions
  • google-nested:ubuntu-20.04-64:tests/nested/manual/remodel-offline:installed_snaps
  • google-nested:ubuntu-24.04-64:tests/nested/manual/remodel-min-size
  • openstack:opensuse-tumbleweed-64:tests/main/auto-refresh:regular
  • openstack:opensuse-tumbleweed-64:tests/main/auto-refresh-gating
  • openstack:opensuse-tumbleweed-64:tests/main/snap-refresh-hold
  • openstack:opensuse-tumbleweed-64:tests/main/auto-refresh-gating-from-snap
  • openstack:opensuse-tumbleweed-64:tests/main/auto-refresh-pre-download:restart
  • openstack:opensuse-tumbleweed-64:tests/main/auto-refresh-pre-download:ignore
  • openstack:opensuse-tumbleweed-64:tests/main/auto-refresh-backoff
  • openstack:opensuse-tumbleweed-64:tests/main/auto-refresh-pre-download:close
  • openstack:opensuse-tumbleweed-64:tests/main/auto-refresh-pre-download:close_mid_restart
  • openstack:opensuse-tumbleweed-64:tests/main/microk8s-smoke:edge
  • openstack:opensuse-tumbleweed-64:tests/main/auto-refresh:parallel
  • openstack:opensuse-tumbleweed-64:tests/main/auto-refresh-retry
  • openstack:opensuse-15.6-64:tests/main/microk8s-smoke:edge
  • openstack:opensuse-tumbleweed-64:tests/main/refresh-app-awareness-notify
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups:uinput
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-serial-port
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups:kmsg
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-required-or-optional
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-strict-enforced
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-self-manage
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-helper
  • google:ubuntu-25.04-64:tests/main/lxd-mount-units
  • google:ubuntu-25.04-64:tests/main/cgroup-devices-v2
  • google:ubuntu-16.04-64:tests/unit/go:static

Restoring:

  • openstack:opensuse-tumbleweed-64:tests/main/refresh-app-awareness-notify
  • google:ubuntu-25.04-64:tests/main/security-device-cgroups-strict-enforced

@valentindavid valentindavid force-pushed the valentindavid/fallback-partuuid branch 2 times, most recently from 8bdf5da to 112b128 Compare February 3, 2025 09:24
@valentindavid
secboot: check legacy path for keyring when reading the primary key
2feea80 
In the case we update snapd with and old kernel, then reseal, the FDE
state might be not set because we did not find the primary key from
the initrd that set it in the legacy path. So if we do not find the
key in the keyring, we should try and see if we find it in the old
path.
@valentindavid valentindavid force-pushed the valentindavid/fallback-partuuid branch from 112b128 to 2feea80 Compare February 3, 2025 17:34
@pedronis pedronis merged commit 1c1b779 into canonical:fde-manager-features Feb 4, 2025
60 of 67 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pedronis pedronis pedronis approved these changes

@bboozzoo bboozzoo bboozzoo approved these changes

Assignees
No one assigned
Labels
FDE Manager Pull requests that target FDE manager branch Run nested The PR also runs tests inluded in nested suite
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@valentindavid @bboozzoo @pedronis