Documentation
Overview
Package fde implements helpers used by low-level parts like secboot in snap-bootstrap and high-level parts like DeviceManager in snapd.
Note that it must never import anything overlord-related itself, to avoid increasing the size of snap-bootstrap.
Index
- Constants
- func CheckFeatures(runSetupHook RunSetupHookFunc) ([]string, error)
- func DeviceSetup(runSetupHook RunSetupHookFunc, params *DeviceSetupParams) error
- func DeviceUnlock(params *DeviceUnlockParams) (err error)
- func DeviceUnlockKernelHookDeviceMapperBackResolver(dmUUID, dmName []byte) (dev string, ok bool)
- func EncryptedDeviceMapperName(name string) string
- func HasDeviceUnlock() bool
- func HasRevealKey() bool
- func IsHardwareEncryptedDeviceMapperName(dmName string) bool
- func LockSealedKeys() error
- func MockRunFDEDeviceUnlock(mock func(*DeviceUnlockRequest) ([]byte, error)) (restore func())
- func MockRunFDERevealKey(mock func(*RevealKeyRequest) ([]byte, error)) (restore func())
- func Reveal(params *RevealParams) (payload []byte, err error)
- type DeviceSetupParams
- type DeviceUnlockParams
- type DeviceUnlockRequest
- type InitialSetupParams
- type InitialSetupResult
- type RevealKeyRequest
- type RevealParams
- type RunSetupHookFunc
- type SetupRequest
Constants
const DeviceSetupHookPartitionOffset = uint64(1 * 1024 * 1024)
DeviceSetupHookPartitionOffset defines the free space reserved at the start of a device-setup based partition for future use (for example, to simulate a LUKS-like keyslot setup).
Variables
This section is empty.
Functions
func CheckFeatures
func CheckFeatures(runSetupHook RunSetupHookFunc) ([]string, error)
CheckFeatures returns the features of the fde-setup hook.
func DeviceSetup
func DeviceSetup(runSetupHook RunSetupHookFunc, params *DeviceSetupParams) error
DeviceSetup invokes the "device-setup" op running the fde-setup hook via runSetupHook. This can be used to e.g. initialize inline crypto hardware.
func DeviceUnlock
func DeviceUnlock(params *DeviceUnlockParams) (err error)
DeviceUnlock invokes the "fde-device-unlock" helper with the "device-unlock" operation.
func DeviceUnlockKernelHookDeviceMapperBackResolver
func DeviceUnlockKernelHookDeviceMapperBackResolver(dmUUID, dmName []byte) (dev string, ok bool)
DeviceUnlockKernelHookDeviceMapperBackResolver is a back resolver to be used with disks.RegisterDeviceMapperBackResolver for devices that implement full disk encryption via hardware devices with kernel snap hooks.
func EncryptedDeviceMapperName
func EncryptedDeviceMapperName(name string) string
EncryptedDeviceMapperName returns the name to use in device mapper for a device that is encrypted using FDE hooks.
func HasDeviceUnlock
func HasDeviceUnlock() bool
HasDeviceUnlock returns true if the current system has a "fde-device-unlock" binary (usually used in the initrd).
This is used by the initrd to determine whether cryptsetup is skipped and a hook needs to be used to unlock individual devices.
func HasRevealKey
func HasRevealKey() bool
HasRevealKey returns true if the current system has a "fde-reveal-key" binary (usually used in the initrd).
This is set up by devicestate to support device-specific full disk encryption implementations.
func IsHardwareEncryptedDeviceMapperName
func IsHardwareEncryptedDeviceMapperName(dmName string) bool
IsHardwareEncryptedDeviceMapperName returns true when the provided device mapper name indicates that it is encrypted using FDE hooks.
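The three device-mapper name helpers above share one contract: the unlock path names the dm device it creates, the predicate recognises only such names, and the back resolver maps a recognised name back to the partition it came from while declining everything else (a LUKS volume handled by cryptsetup must never be attributed to the hook path). The following is an added example that illustrates that contract; it is not snapd's implementation. The "-device-locked" suffix, the /dev/disk/by-partlabel mapping and the refusal of dm UUIDs that start with cryptsetup's "CRYPT-" prefix are assumptions made for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// hookDMSuffix marks device-mapper names created by the FDE-hook unlock path.
// The suffix value is an assumption for this example, not taken from snapd.
const hookDMSuffix = "-device-locked"

// encryptedDeviceMapperName derives the dm name for a hook-unlocked partition.
func encryptedDeviceMapperName(partitionName string) string {
	return partitionName + hookDMSuffix
}

// isHardwareEncryptedDeviceMapperName recognises names produced above; a bare
// suffix with no partition name in front of it does not count.
func isHardwareEncryptedDeviceMapperName(dmName string) bool {
	return len(dmName) > len(hookDMSuffix) && strings.HasSuffix(dmName, hookDMSuffix)
}

// backResolve follows the (dmUUID, dmName) -> (dev, ok) shape of a disks back
// resolver. It claims only names it would have created and refuses devices
// whose dm UUID shows cryptsetup owns them ("CRYPT-<type>-..."), so a LUKS
// volume is never misattributed to the hook path. The by-partlabel mapping is
// this example's assumption.
func backResolve(dmUUID, dmName []byte) (dev string, ok bool) {
	if strings.HasPrefix(string(dmUUID), "CRYPT-") {
		return "", false
	}
	name := string(dmName)
	if !isHardwareEncryptedDeviceMapperName(name) {
		return "", false
	}
	partition := strings.TrimSuffix(name, hookDMSuffix)
	return filepath.Join("/dev/disk/by-partlabel", partition), true
}

func main() {
	// Constructed sample inputs: a hook-unlocked device, a cryptsetup-owned
	// device, and a malformed name consisting of the suffix alone.
	for _, c := range []struct{ uuid, name string }{
		{"", encryptedDeviceMapperName("ubuntu-data")},
		{"CRYPT-LUKS2-0000-ubuntu-save", "ubuntu-save"},
		{"", hookDMSuffix},
	} {
		dev, ok := backResolve([]byte(c.uuid), []byte(c.name))
		fmt.Printf("%-28q -> dev=%q ok=%v\n", c.name, dev, ok)
	}
}
```

The resolver returns ok=false for anything it does not recognise rather than guessing, which is what lets several back resolvers coexist in front of the same device-mapper table.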
func LockSealedKeys
func LockSealedKeys() error
func MockRunFDEDeviceUnlock
func MockRunFDEDeviceUnlock(mock func(*DeviceUnlockRequest) ([]byte, error)) (restore func())
func MockRunFDERevealKey
func MockRunFDERevealKey(mock func(*RevealKeyRequest) ([]byte, error)) (restore func())
func Reveal
func Reveal(params *RevealParams) (payload []byte, err error)
Reveal invokes the fde-reveal-key reveal operation.
Types
type DeviceSetupParams
DeviceSetupParams contains the inputs for the fde-setup hook. The encryption key and the device (partition) are passed in.
type DeviceUnlockParams
type DeviceUnlockParams struct {
    Key    []byte
    Device string
    // Name of the partition
    PartitionName string
}
DeviceUnlockParams contains the parameters for the fde-device-unlock "device-unlock" operation.
type DeviceUnlockRequest
type DeviceUnlockRequest struct {
    Op  string `json:"op"`
    Key []byte `json:"key,omitempty"`
    // Device is the device to unlock in /dev/ somewhere such as
    // /dev/disk/by-partuuid/foo.
    Device        string `json:"device,omitempty"`
    PartitionName string `json:"partition-name,omitempty"`
}
DeviceUnlockRequest carries the operation and parameters for the fde-device-unlock hook that receives them serialized over stdin.
type InitialSetupParams
InitialSetupParams contains the inputs for the fde-setup hook.
type InitialSetupResult
type InitialSetupResult struct {
    // result when called with "initial-setup"
    // XXX call this encrypted-key if possible?
    EncryptedKey []byte           `json:"sealed-key"`
    Handle       *json.RawMessage `json:"handle"`
}
InitialSetupResult contains the outputs of the fde-setup hook.
func InitialSetup
func InitialSetup(runSetupHook RunSetupHookFunc, params *InitialSetupParams) (*InitialSetupResult, error)
InitialSetup invokes the initial-setup op running the kernel hook via runSetupHook.
type RevealKeyRequest
type RevealKeyRequest struct {
    Op        string           `json:"op"`
    SealedKey []byte           `json:"sealed-key,omitempty"`
    Handle    *json.RawMessage `json:"handle,omitempty"`
    // deprecated for v1
    KeyName string `json:"key-name,omitempty"`
}
RevealKeyRequest carries the operation parameters to the fde-reveal-key helper that receives them serialized over stdin.
type RevealParams
type RevealParams struct {
    SealedKey []byte
    Handle    *json.RawMessage
    // V2Payload is set true if SealedKey is expected to contain a v2 payload
    // (disk key + aux key)
    V2Payload bool
}
RevealParams contains the parameters for the fde-reveal-key reveal operation.
type RunSetupHookFunc
type RunSetupHookFunc func(req *SetupRequest) ([]byte, error)
A RunSetupHookFunc implements running the fde-setup kernel hook.
type SetupRequest
type SetupRequest struct {
    Op string `json:"op"`
    // This needs to be a []byte so that Go's standard library will base64
    // encode it automatically for us
    Key []byte `json:"key,omitempty"`
    // Only used when called with "initial-setup"
    KeyName string `json:"key-name,omitempty"`
    // The part of the device kernel path for a "setup-device" call.
    // Only used when called with "device-setup"
    Device string `json:"device,omitempty"`
    // Name of the partition
    PartitionName string `json:"partition-name,omitempty"`
}
TODO: unexport this because how the hook is driven is an implementation detail. It creates quite a bit of churn unfortunately, see https://github.com/snapcore/snapd/compare/master...mvo5:ice/refactor-fde?expand=1
SetupRequest carries the operation and parameters for the fde-setup hooks made available to them via the snapctl fde-setup-request command.
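The exchange that SetupRequest, RunSetupHookFunc, InitialSetup and InitialSetupResult describe (one JSON request serialized to the hook's stdin, one JSON result read back) as an added example that is not snapd's code: a hook side that decodes the request, refuses anything other than a well-formed "initial-setup", and answers with a sealed-key plus an opaque handle; and a caller side shaped like RunSetupHookFunc and InitialSetup that checks the result before trusting it. The type definitions are local copies of the ones on this page; toySeal (a fixed XOR pad standing in for hardware-bound sealing), the handle content and the validation rules are this example's assumptions, not the protocol as snapd specifies it.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Local copies of the types documented on this page, so the example compiles
// without importing snapd. Key is []byte, so encoding/json emits it as base64.
type SetupRequest struct {
	Op            string `json:"op"`
	Key           []byte `json:"key,omitempty"`
	KeyName       string `json:"key-name,omitempty"`
	Device        string `json:"device,omitempty"`
	PartitionName string `json:"partition-name,omitempty"`
}

type InitialSetupResult struct {
	EncryptedKey []byte           `json:"sealed-key"`
	Handle       *json.RawMessage `json:"handle"`
}

type RunSetupHookFunc func(req *SetupRequest) ([]byte, error)

// toyPad/toySeal are a constructed stand-in for the hook's sealing step (a
// fixed XOR pad, so toySeal is its own inverse). A real hook binds the key to
// hardware; this only keeps the round trip checkable offline.
var toyPad = []byte("constructed-example-pad-not-a-key")

func toySeal(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		out[i] = b ^ toyPad[i%len(toyPad)]
	}
	return out
}

// hookMain is the hook side: one JSON request on stdin, one JSON result on
// stdout. Anything but a well-formed "initial-setup" is refused.
func hookMain(stdin io.Reader, stdout io.Writer) error {
	var req SetupRequest
	if err := json.NewDecoder(stdin).Decode(&req); err != nil {
		return fmt.Errorf("cannot decode fde-setup request: %v", err)
	}
	if req.Op != "initial-setup" {
		return fmt.Errorf("unsupported op %q", req.Op)
	}
	if len(req.Key) == 0 {
		return errors.New("initial-setup requires a key")
	}
	// The handle is opaque to the caller and comes back unchanged at reveal
	// time; its content here is this example's choice.
	handle := json.RawMessage(fmt.Sprintf(`{"key-name":%q,"version":1}`, req.KeyName))
	res := InitialSetupResult{EncryptedKey: toySeal(req.Key), Handle: &handle}
	return json.NewEncoder(stdout).Encode(&res)
}

// inProcessHook satisfies RunSetupHookFunc by running hookMain over buffers
// instead of a child process's stdin/stdout.
func inProcessHook(req *SetupRequest) ([]byte, error) {
	in, err := json.Marshal(req)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	if err := hookMain(bytes.NewReader(in), &out); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// initialSetup drives the "initial-setup" op the way a caller of InitialSetup
// would, and validates the result before handing it back.
func initialSetup(run RunSetupHookFunc, key []byte, keyName string) (*InitialSetupResult, error) {
	out, err := run(&SetupRequest{Op: "initial-setup", Key: key, KeyName: keyName})
	if err != nil {
		return nil, fmt.Errorf("fde-setup hook failed: %v", err)
	}
	var res InitialSetupResult
	if err := json.Unmarshal(out, &res); err != nil {
		return nil, fmt.Errorf("cannot decode fde-setup result: %v", err)
	}
	if len(res.EncryptedKey) == 0 || res.Handle == nil {
		return nil, errors.New("fde-setup hook returned no sealed-key or handle")
	}
	return &res, nil
}

func main() {
	// Constructed sample key and key name.
	res, err := initialSetup(inProcessHook, []byte("0123"), "ubuntu-data")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("sealed-key=%x handle=%s", res.EncryptedKey, *res.Handle)
}
```

Swapping inProcessHook for a function that starts the real hook binary and connects the buffers to its stdin and stdout is the only change needed on the caller side; the request and result shapes stay the same, which is why the Key field is declared as []byte and not as a pre-encoded string.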