fde

package

v0.1.0 Latest Latest Go to latest Published: Nov 12, 2022 License: Apache-2.0 Imports: 14 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

gitee.com/mysnapcore/mysnapd

Links

Open Source Insights

Documentation ¶

Overview ¶

package fde implements helper used by low level parts like secboot in snap-bootstrap and high level parts like DeviceManager in snapd.

Note that it must never import anything overlord related itself to avoid increasing the size of snap-bootstrap.

Index ¶

Constants
func CheckFeatures(runSetupHook RunSetupHookFunc) ([]string, error)
func DeviceSetup(runSetupHook RunSetupHookFunc, params *DeviceSetupParams) error
func DeviceUnlock(params *DeviceUnlockParams) (err error)
func DeviceUnlockKernelHookDeviceMapperBackResolver(dmUUID, dmName []byte) (dev string, ok bool)
func EncryptedDeviceMapperName(name string) string
func HasDeviceUnlock() bool
func HasRevealKey() bool
func IsHardwareEncryptedDeviceMapperName(dmName string) bool
func LockSealedKeys() error
func MockRunFDEDeviceUnlock(mock func(*DeviceUnlockRequest) ([]byte, error)) (restore func())
func MockRunFDERevealKey(mock func(*RevealKeyRequest) ([]byte, error)) (restore func())
func Reveal(params *RevealParams) (payload []byte, err error)
type DeviceSetupParams
type DeviceUnlockParams
type DeviceUnlockRequest
type InitialSetupParams
type InitialSetupResult
- func InitialSetup(runSetupHook RunSetupHookFunc, params *InitialSetupParams) (*InitialSetupResult, error)
type RevealKeyRequest
type RevealParams
type RunSetupHookFunc
type SetupRequest

Constants ¶

View Source

const DeviceSetupHookPartitionOffset = uint64(1 * 1024 * 1024)

DeviceSetupHookPartitionOffset defines the free space that is reserved at the start of a device-setup based partition for future use (like to simulate LUKS keyslot like setup).

Variables ¶

This section is empty.

Functions ¶

func CheckFeatures ¶

func CheckFeatures(runSetupHook RunSetupHookFunc) ([]string, error)

CheckFeatures returns the features of fde-setup hook.

func DeviceSetup ¶

func DeviceSetup(runSetupHook RunSetupHookFunc, params *DeviceSetupParams) error

DeviceSetup invokes the "device-setup" op running the fde-setup hook via runSetupHook. This can be used to e.g. initialize inline crypto hardware.

func DeviceUnlock ¶

func DeviceUnlock(params *DeviceUnlockParams) (err error)

DeviceUnlock invokes the "fde-device-unlock" helper with the "device-unlock" operation.

func DeviceUnlockKernelHookDeviceMapperBackResolver ¶

func DeviceUnlockKernelHookDeviceMapperBackResolver(dmUUID, dmName []byte) (dev string, ok bool)

DeviceUnlockKernelHookDeviceMapperBackResolver is a back resolver to be used with disks.RegisterDeviceMapperBackResolver for devices that implement full disk encryption via hardware devices with kernel snap hooks.

func EncryptedDeviceMapperName ¶

func EncryptedDeviceMapperName(name string) string

EncryptedDeviceMapperName returns the name to use in device mapper for a device that is encrypted using FDE hooks

func HasDeviceUnlock ¶

func HasDeviceUnlock() bool

HasDeviceUnlock returns true if the current system has a "fde-device-unlock" binary (usually used in the initrd).

This will be used by the initrd to determine if cryptsetup is skipped and a hook needs to be used to unlock individual device.

func HasRevealKey ¶

func HasRevealKey() bool

HasRevealKey return true if the current system has a "fde-reveal-key" binary (usually used in the initrd).

This will be setup by devicestate to support device-specific full disk encryption implementations.

func IsHardwareEncryptedDeviceMapperName ¶

func IsHardwareEncryptedDeviceMapperName(dmName string) bool

IsEncryptedDevice returns true when the provided device mapper name indicates that it is encrypted using FDE hooks.

func LockSealedKeys ¶

func LockSealedKeys() error

func MockRunFDEDeviceUnlock ¶

func MockRunFDEDeviceUnlock(mock func(*DeviceUnlockRequest) ([]byte, error)) (restore func())

func MockRunFDERevealKey ¶

func MockRunFDERevealKey(mock func(*RevealKeyRequest) ([]byte, error)) (restore func())

func Reveal ¶

func Reveal(params *RevealParams) (payload []byte, err error)

Reveal invokes the fde-reveal-key reveal operation.

Types ¶

type DeviceSetupParams ¶

type DeviceSetupParams struct {
	Key           []byte
	Device        string
	PartitionName string
}

DeviceSetupParams contains the inputs for the fde-setup hook. The encryption key and the device (partition) are passed in.

type DeviceUnlockParams ¶

type DeviceUnlockParams struct {
	Key    []byte
	Device string
	// Name of the partition
	PartitionName string
}

DeviceUnlockParams contains the parameters for fde-device-unlock "device-unlock" operation.

type DeviceUnlockRequest ¶

type DeviceUnlockRequest struct {
	Op string `json:"op"`

	Key []byte `json:"key,omitempty"`

	// Device is the device to unlock in /dev/ somewhere such as
	// /dev/disk/by-partuuid/foo.
	Device string `json:"device,omitempty"`

	PartitionName string `json:"partition-name,omitempty"`
}

DeviceUnlockRequest carries the operation and parameters for the fde-device-unlock hook that receives them serialized over stdin.

type InitialSetupParams ¶

type InitialSetupParams struct {
	Key     []byte
	KeyName string
}

InitialSetupParams contains the inputs for the fde-setup hook

type InitialSetupResult ¶

type InitialSetupResult struct {
	// result when called with "initial-setup"
	// XXX call this encrypted-key if possible?
	EncryptedKey []byte           `json:"sealed-key"`
	Handle       *json.RawMessage `json:"handle"`
}

InitalSetupResult contains the outputs of the fde-setup hook

func InitialSetup ¶

func InitialSetup(runSetupHook RunSetupHookFunc, params *InitialSetupParams) (*InitialSetupResult, error)

InitialSetup invokes the initial-setup op running the kernel hook via runSetupHook.

type RevealKeyRequest ¶

type RevealKeyRequest struct {
	Op string `json:"op"`

	SealedKey []byte           `json:"sealed-key,omitempty"`
	Handle    *json.RawMessage `json:"handle,omitempty"`
	// deprecated for v1
	KeyName string `json:"key-name,omitempty"`
}

RevealKeyRequest carries the operation parameters to the fde-reavel-key helper that receives them serialized over stdin.

type RevealParams ¶

type RevealParams struct {
	SealedKey []byte
	Handle    *json.RawMessage
	// V2Payload is set true if SealedKey is expected to contain a v2 payload
	// (disk key + aux key)
	V2Payload bool
}

RevealParams contains the parameters for fde-reveal-key reveal operation.

type RunSetupHookFunc ¶

type RunSetupHookFunc func(req *SetupRequest) ([]byte, error)

A RunSetupHookFunc implements running the fde-setup kernel hook.

type SetupRequest ¶

type SetupRequest struct {
	Op string `json:"op"`

	// This needs to be a []byte so that Go's standard library will base64
	// encode it automatically for us
	Key []byte `json:"key,omitempty"`

	// Only used when called with "initial-setup"
	KeyName string `json:"key-name,omitempty"`

	// The part of the device kernel path for a "setup-device" call.
	// Only used when called with "device-setup"
	Device string `json:"device,omitempty"`

	// Name of the partition
	PartitionName string `json:"partition-name,omitempty"`
}

TODO: unexport this because how the hook is driven is an implemenation

detail. It creates quite a bit of churn unfortunately, see
https://github.com/snapcore/snapd/compare/master...mvo5:ice/refactor-fde?expand=1

SetupRequest carries the operation and parameters for the fde-setup hooks made available to them via the snapctl fde-setup-request command.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL