登录 注册
开源 企业版 高校版 私有云 模力方舟 模力方舟 AI 队友
扫描微信二维码支付
取消
支付完成
Ai
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 1

mysnapcore/mysnapd

forked from tupelo-shen/mysnapd 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
克隆/下载
secboot_sb.go 6.13 KB
一键复制 编辑 原始数据 按行查看 历史
tupelo-shen 提交于 2022-11-09 15:26 +08:00 . fix: secboot commit
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170
// -*- Mode: Go; indent-tabs-mode: t -*-

//go:build !nosecboot

// +build !nosecboot



/*

 * Copyright (C) 2021 Canonical Ltd

 *

 * This program is free software: you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 3 as

 * published by the Free Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program.  If not, see <http://www.gnu.org/licenses/>.

 *

 */



package secboot



import (

	"fmt"

	"path/filepath"



	sb "gitee.com/mysnapcore/mysecboot"

	"golang.org/x/xerrors"



	"gitee.com/mysnapcore/mysnapd/kernel/fde"

	"gitee.com/mysnapcore/mysnapd/logger"

	"gitee.com/mysnapcore/mysnapd/osutil/disks"

)



var (

	sbActivateVolumeWithKey         = sb.ActivateVolumeWithKey

	sbActivateVolumeWithKeyData     = sb.ActivateVolumeWithKeyData

	sbActivateVolumeWithRecoveryKey = sb.ActivateVolumeWithRecoveryKey

	sbDeactivateVolume              = sb.DeactivateVolume

)



func init() {

	WithSecbootSupport = true

}



// LockSealedKeys manually locks access to the sealed keys. Meant to be

// called in place of passing lockKeysOnFinish as true to

// UnlockVolumeUsingSealedKeyIfEncrypted for cases where we don't know if a

// given call is the last one to unlock a volume like in degraded recover mode.

func LockSealedKeys() error {

	if fdeHasRevealKey() {

		return fde.LockSealedKeys()

	}

	return lockTPMSealedKeys()

}



// UnlockVolumeUsingSealedKeyIfEncrypted verifies whether an encrypted volume

// with the specified name exists and unlocks it using a sealed key in a file

// with a corresponding name. The options control activation with the

// recovery key will be attempted if a prior activation attempt with

// the sealed key fails.

//

// Note that if the function proceeds to the point where it knows definitely

// whether there is an encrypted device or not, IsEncrypted on the return

// value will be true, even if error is non-nil. This is so that callers can be

// robust and try unlocking using another method for example.

func UnlockVolumeUsingSealedKeyIfEncrypted(disk disks.Disk, name string, sealedEncryptionKeyFile string, opts *UnlockVolumeUsingSealedKeyOptions) (UnlockResult, error) {

	res := UnlockResult{}



	// find the encrypted device using the disk we were provided - note that

	// we do not specify IsDecryptedDevice in opts because here we are

	// looking for the encrypted device to unlock, later on in the boot

	// process we will look for the decrypted device to ensure it matches

	// what we expected

	partUUID, err := disk.FindMatchingPartitionUUIDWithFsLabel(EncryptedPartitionName(name))

	if err == nil {

		res.IsEncrypted = true

	} else {

		var errNotFound disks.PartitionNotFoundError

		if !xerrors.As(err, &errNotFound) {

			// some other kind of catastrophic error searching

			return res, fmt.Errorf("error enumerating partitions for disk to find encrypted device %q: %v", name, err)

		}

		// otherwise it is an error not found and we should search for the

		// unencrypted device

		partUUID, err = disk.FindMatchingPartitionUUIDWithFsLabel(name)

		if err != nil {

			return res, fmt.Errorf("error enumerating partitions for disk to find unencrypted device %q: %v", name, err)

		}

	}



	partDevice := filepath.Join("/dev/disk/by-partuuid", partUUID)



	if !res.IsEncrypted {

		// if we didn't find an encrypted device just return, don't try to

		// unlock it

		// the filesystem device for the unencrypted case is the same as the

		// partition device

		res.PartDevice = partDevice

		res.FsDevice = res.PartDevice

		return res, nil

	}



	mapperName := name + "-" + randutilRandomKernelUUID()

	sourceDevice := partDevice

	targetDevice := filepath.Join("/dev/mapper", mapperName)



	if fdeHasRevealKey() {

		return unlockVolumeUsingSealedKeyFDERevealKey(sealedEncryptionKeyFile, sourceDevice, targetDevice, mapperName, opts)

	} else {

		return unlockVolumeUsingSealedKeyTPM(name, sealedEncryptionKeyFile, sourceDevice, targetDevice, mapperName, opts)

	}

}



// UnlockEncryptedVolumeUsingKey unlocks an existing volume using the provided key.

func UnlockEncryptedVolumeUsingKey(disk disks.Disk, name string, key []byte) (UnlockResult, error) {

	unlockRes := UnlockResult{

		UnlockMethod: NotUnlocked,

	}

	// find the encrypted device using the disk we were provided - note that

	// we do not specify IsDecryptedDevice in opts because here we are

	// looking for the encrypted device to unlock, later on in the boot

	// process we will look for the decrypted device to ensure it matches

	// what we expected

	partUUID, err := disk.FindMatchingPartitionUUIDWithFsLabel(EncryptedPartitionName(name))

	if err != nil {

		return unlockRes, err

	}

	unlockRes.IsEncrypted = true

	// we have a device

	encdev := filepath.Join("/dev/disk/by-partuuid", partUUID)

	unlockRes.PartDevice = encdev

	// make up a new name for the mapped device

	mapperName := name + "-" + randutilRandomKernelUUID()

	if err := unlockEncryptedPartitionWithKey(mapperName, encdev, key); err != nil {

		return unlockRes, err

	}



	unlockRes.FsDevice = filepath.Join("/dev/mapper/", mapperName)

	unlockRes.UnlockMethod = UnlockedWithKey

	return unlockRes, nil

}



// unlockEncryptedPartitionWithKey unlocks encrypted partition with the provided

// key.

func unlockEncryptedPartitionWithKey(name, device string, key []byte) error {

	// no special options set

	options := sb.ActivateVolumeOptions{}

	err := sbActivateVolumeWithKey(name, device, key, &options)

	if err == nil {

		logger.Noticef("successfully activated encrypted device %v using a key", device)

	}

	return err

}



// UnlockEncryptedVolumeWithRecoveryKey prompts for the recovery key and uses it

// to open an encrypted device.

func UnlockEncryptedVolumeWithRecoveryKey(name, device string) error {

	options := sb.ActivateVolumeOptions{

		RecoveryKeyTries: 3,

		KeyringPrefix:    keyringPrefix,

	}



	if err := sbActivateVolumeWithRecoveryKey(name, device, nil, &options); err != nil {

		return fmt.Errorf("cannot unlock encrypted device %q: %v", device, err)

	}



	return nil

}
Loading...
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Go
1
https://gitee.com/mysnapcore/mysnapd.git
git@gitee.com:mysnapcore/mysnapd.git
mysnapcore
mysnapd
mysnapd
v0.1.0
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部