overlord/fdestate: keep FDE state up to date #14516
base: fde-manager-features
Ensure() initializes the empty profiles, and reseal updates them.
} | ||
} | ||
|
||
type KeyDigest struct { |
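Review bot: The exported type `KeyDigest` is declared with no doc comment on the line above it. Add one that says what the digest is computed over and which package owns its format, so that callers know how to interpret the value.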
This might be a type that should be handled in secboot. And we just use json.RawMessage for it.
if !locked { | ||
m.state.Lock() | ||
defer m.state.Unlock() | ||
} |
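Review bot: The `if !locked` branch makes lock ownership depend on a caller-supplied bool, so a caller that passes the wrong value either tries to take the lock a second time at `m.state.Lock()` or accesses state without holding it. Document on the function that `locked` means the caller already holds the state lock, or split it into a variant that requires the lock and a thin wrapper that takes it.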
This is not elegant. But I am not sure how to handle it correctly. We do resealing sometimes locked, sometimes not.
Do we know where it is called with the state really already unlocked?
dataUUID, dataErr := disksDmCryptUUIDFromMountPoint(dirs.GlobalRootDir) | ||
saveUUID, saveErr := disksDmCryptUUIDFromMountPoint(dirs.SnapSaveDir) | ||
if errors.Is(saveErr, &disks.ErrMountPointNotFound{}) { | ||
// TODO: do we need to care about old cases where there is no save partition? | ||
return nil | ||
} | ||
|
||
if errors.Is(dataErr, disks.ErrNoDmUUID) && errors.Is(saveErr, disks.ErrNoDmUUID) { | ||
return nil | ||
} |
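Review bot: In `errors.Is(saveErr, &disks.ErrMountPointNotFound{})` the target is a pointer to a freshly allocated value, so unless that error type implements an `Is` method the check compares pointer identity and cannot be relied on to match a separately allocated error. Matching on the type with `errors.As` avoids that dependency. The second check returns nil only when both `dataErr` and `saveErr` are `disks.ErrNoDmUUID`; the lines shown do not cover a `dataErr` of another kind, so make sure it is returned rather than dropped after this point.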
I think we should look at the sealing method with device.SealedKeysMethod instead.
Ensure() initializes the empty profiles, and reseal updates them.
This is on top of #14400