secboot: port to snapcore/secboot/efi

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
canonical · Sep 7, 2021 · 3376b19 · 3376b19
1 parent ce472d8
commit 3376b19
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 67 deletions.
diff --git a/secboot/export_sb_test.go b/secboot/export_sb_test.go
@@ -24,6 +24,7 @@ import (
 	"io"
 
 	sb "github.com/snapcore/secboot"
+	sb_efi "github.com/snapcore/secboot/efi"
 )
 
 var (
@@ -47,27 +48,27 @@ func MockProvisionTPM(f func(tpm *sb.TPMConnection, mode sb.ProvisionMode, newLo
 	}
 }
 
-func MockSbAddEFISecureBootPolicyProfile(f func(profile *sb.PCRProtectionProfile, params *sb.EFISecureBootPolicyProfileParams) error) (restore func()) {
-	old := sbAddEFISecureBootPolicyProfile
-	sbAddEFISecureBootPolicyProfile = f
+func MockSbEfiAddSecureBootPolicyProfile(f func(profile *sb.PCRProtectionProfile, params *sb_efi.SecureBootPolicyProfileParams) error) (restore func()) {
+	old := sbefiAddSecureBootPolicyProfile
+	sbefiAddSecureBootPolicyProfile = f
 	return func() {
-		sbAddEFISecureBootPolicyProfile = old
+		sbefiAddSecureBootPolicyProfile = old
 	}
 }
 
-func MockSbAddEFIBootManagerProfile(f func(profile *sb.PCRProtectionProfile, params *sb.EFIBootManagerProfileParams) error) (restore func()) {
-	old := sbAddEFIBootManagerProfile
-	sbAddEFIBootManagerProfile = f
+func MockSbEfiAddBootManagerProfile(f func(profile *sb.PCRProtectionProfile, params *sb_efi.BootManagerProfileParams) error) (restore func()) {
+	old := sbefiAddBootManagerProfile
+	sbefiAddBootManagerProfile = f
 	return func() {
-		sbAddEFIBootManagerProfile = old
+		sbefiAddBootManagerProfile = old
 	}
 }
 
-func MockSbAddSystemdEFIStubProfile(f func(profile *sb.PCRProtectionProfile, params *sb.SystemdEFIStubProfileParams) error) (restore func()) {
-	old := sbAddSystemdEFIStubProfile
-	sbAddSystemdEFIStubProfile = f
+func MockSbEfiAddSystemdStubProfile(f func(profile *sb.PCRProtectionProfile, params *sb_efi.SystemdStubProfileParams) error) (restore func()) {
+	old := sbefiAddSystemdStubProfile
+	sbefiAddSystemdStubProfile = f
 	return func() {
-		sbAddSystemdEFIStubProfile = old
+		sbefiAddSystemdStubProfile = old
 	}
 }
 

diff --git a/secboot/secboot_sb_test.go b/secboot/secboot_sb_test.go
@@ -34,6 +34,7 @@ import (
 
 	"github.com/canonical/go-tpm2"
 	sb "github.com/snapcore/secboot"
+	sb_efi "github.com/snapcore/secboot/efi"
 	. "gopkg.in/check.v1"
 
 	"github.com/snapcore/snapd/asserts"
@@ -570,13 +571,13 @@ func (s *secbootSuite) TestEFIImageFromBootFile(c *C) {
 
 	for _, tc := range []struct {
 		bootFile bootloader.BootFile
-		efiImage sb.EFIImage
+		efiImage sb_efi.Image
 		err      string
 	}{
 		{
 			// happy case for EFI image
 			bootFile: bootloader.NewBootFile("", existingFile, bootloader.RoleRecovery),
-			efiImage: sb.FileEFIImage(existingFile),
+			efiImage: sb_efi.FileImage(existingFile),
 		},
 		{
 			// missing EFI image
@@ -586,7 +587,7 @@ func (s *secbootSuite) TestEFIImageFromBootFile(c *C) {
 		{
 			// happy case for snap file
 			bootFile: bootloader.NewBootFile(snapFile, "rel", bootloader.RoleRecovery),
-			efiImage: sb.SnapFileEFIImage{Container: snapf, FileName: "rel"},
+			efiImage: sb_efi.SnapFileImage{Container: snapf, FileName: "rel"},
 		},
 		{
 			// invalid snap file
@@ -723,14 +724,14 @@ func (s *secbootSuite) TestSealKey(c *C) {
 
 		// events for
 		// a -> kernel
-		sequences1 := []*sb.EFIImageLoadEvent{
+		sequences1 := []*sb_efi.ImageLoadEvent{
 			{
-				Source: sb.Firmware,
-				Image:  sb.FileEFIImage(mockBF[0].Path),
-				Next: []*sb.EFIImageLoadEvent{
+				Source: sb_efi.Firmware,
+				Image:  sb_efi.FileImage(mockBF[0].Path),
+				Next: []*sb_efi.ImageLoadEvent{
 					{
-						Source: sb.Shim,
-						Image: sb.SnapFileEFIImage{
+						Source: sb_efi.Shim,
+						Image: sb_efi.SnapFileImage{
 							Container: kernelSnap,
 							FileName:  "kernel.efi",
 						},
@@ -742,27 +743,27 @@ func (s *secbootSuite) TestSealKey(c *C) {
 		// "cdk" events for
 		// c -> kernel OR
 		// d -> kernel
-		cdk := []*sb.EFIImageLoadEvent{
+		cdk := []*sb_efi.ImageLoadEvent{
 			{
-				Source: sb.Shim,
-				Image:  sb.FileEFIImage(mockBF[2].Path),
-				Next: []*sb.EFIImageLoadEvent{
+				Source: sb_efi.Shim,
+				Image:  sb_efi.FileImage(mockBF[2].Path),
+				Next: []*sb_efi.ImageLoadEvent{
 					{
-						Source: sb.Shim,
-						Image: sb.SnapFileEFIImage{
+						Source: sb_efi.Shim,
+						Image: sb_efi.SnapFileImage{
 							Container: kernelSnap,
 							FileName:  "kernel.efi",
 						},
 					},
 				},
 			},
 			{
-				Source: sb.Shim,
-				Image:  sb.FileEFIImage(mockBF[3].Path),
-				Next: []*sb.EFIImageLoadEvent{
+				Source: sb_efi.Shim,
+				Image:  sb_efi.FileImage(mockBF[3].Path),
+				Next: []*sb_efi.ImageLoadEvent{
 					{
-						Source: sb.Shim,
-						Image: sb.SnapFileEFIImage{
+						Source: sb_efi.Shim,
+						Image: sb_efi.SnapFileImage{
 							Container: kernelSnap,
 							FileName:  "kernel.efi",
 						},
@@ -774,15 +775,15 @@ func (s *secbootSuite) TestSealKey(c *C) {
 		// events for
 		// a -> "cdk"
 		// b -> "cdk"
-		sequences2 := []*sb.EFIImageLoadEvent{
+		sequences2 := []*sb_efi.ImageLoadEvent{
 			{
-				Source: sb.Firmware,
-				Image:  sb.FileEFIImage(mockBF[0].Path),
+				Source: sb_efi.Firmware,
+				Image:  sb_efi.FileImage(mockBF[0].Path),
 				Next:   cdk,
 			},
 			{
-				Source: sb.Firmware,
-				Image:  sb.FileEFIImage(mockBF[1].Path),
+				Source: sb_efi.Firmware,
+				Image:  sb_efi.FileImage(mockBF[1].Path),
 				Next:   cdk,
 			},
 		}
@@ -793,7 +794,7 @@ func (s *secbootSuite) TestSealKey(c *C) {
 		// mock adding EFI secure boot policy profile
 		var pcrProfile *sb.PCRProtectionProfile
 		addEFISbPolicyCalls := 0
-		restore = secboot.MockSbAddEFISecureBootPolicyProfile(func(profile *sb.PCRProtectionProfile, params *sb.EFISecureBootPolicyProfileParams) error {
+		restore = secboot.MockSbEfiAddSecureBootPolicyProfile(func(profile *sb.PCRProtectionProfile, params *sb_efi.SecureBootPolicyProfileParams) error {
 			addEFISbPolicyCalls++
 			pcrProfile = profile
 			c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256)
@@ -803,15 +804,15 @@ func (s *secbootSuite) TestSealKey(c *C) {
 			case 2:
 				c.Assert(params.LoadSequences, DeepEquals, sequences2)
 			default:
-				c.Error("AddEFISecureBootPolicyProfile shouldn't be called a third time")
+				c.Error("AddSecureBootPolicyProfile shouldn't be called a third time")
 			}
 			return tc.addEFISbPolicyErr
 		})
 		defer restore()
 
 		// mock adding EFI boot manager profile
 		addEFIBootManagerCalls := 0
-		restore = secboot.MockSbAddEFIBootManagerProfile(func(profile *sb.PCRProtectionProfile, params *sb.EFIBootManagerProfileParams) error {
+		restore = secboot.MockSbEfiAddBootManagerProfile(func(profile *sb.PCRProtectionProfile, params *sb_efi.BootManagerProfileParams) error {
 			addEFIBootManagerCalls++
 			c.Assert(profile, Equals, pcrProfile)
 			c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256)
@@ -821,15 +822,15 @@ func (s *secbootSuite) TestSealKey(c *C) {
 			case 2:
 				c.Assert(params.LoadSequences, DeepEquals, sequences2)
 			default:
-				c.Error("AddEFIBootManagerProfile shouldn't be called a third time")
+				c.Error("AddBootManagerProfile shouldn't be called a third time")
 			}
 			return tc.addEFIBootManagerErr
 		})
 		defer restore()
 
 		// mock adding systemd EFI stub profile
 		addSystemdEfiStubCalls := 0
-		restore = secboot.MockSbAddSystemdEFIStubProfile(func(profile *sb.PCRProtectionProfile, params *sb.SystemdEFIStubProfileParams) error {
+		restore = secboot.MockSbEfiAddSystemdStubProfile(func(profile *sb.PCRProtectionProfile, params *sb_efi.SystemdStubProfileParams) error {
 			addSystemdEfiStubCalls++
 			c.Assert(profile, Equals, pcrProfile)
 			c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256)
@@ -840,7 +841,7 @@ func (s *secbootSuite) TestSealKey(c *C) {
 			case 2:
 				c.Assert(params.KernelCmdlines, DeepEquals, myParams.ModelParams[1].KernelCmdlines)
 			default:
-				c.Error("AddSystemdEFIStubProfile shouldn't be called a third time")
+				c.Error("AddSystemdStubProfile shouldn't be called a third time")
 			}
 			return tc.addSystemdEFIStubErr
 		})
@@ -962,10 +963,10 @@ func (s *secbootSuite) TestResealKey(c *C) {
 			TPMPolicyAuthKeyFile: mockTPMPolicyAuthKeyFile,
 		}
 
-		sequences := []*sb.EFIImageLoadEvent{
+		sequences := []*sb_efi.ImageLoadEvent{
 			{
-				Source: sb.Firmware,
-				Image:  sb.FileEFIImage(mockEFI.Path),
+				Source: sb_efi.Firmware,
+				Image:  sb_efi.FileImage(mockEFI.Path),
 			},
 		}
 
@@ -982,7 +983,7 @@ func (s *secbootSuite) TestResealKey(c *C) {
 		// mock adding EFI secure boot policy profile
 		var pcrProfile *sb.PCRProtectionProfile
 		addEFISbPolicyCalls := 0
-		restore = secboot.MockSbAddEFISecureBootPolicyProfile(func(profile *sb.PCRProtectionProfile, params *sb.EFISecureBootPolicyProfileParams) error {
+		restore = secboot.MockSbEfiAddSecureBootPolicyProfile(func(profile *sb.PCRProtectionProfile, params *sb_efi.SecureBootPolicyProfileParams) error {
 			addEFISbPolicyCalls++
 			pcrProfile = profile
 			c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256)
@@ -993,7 +994,7 @@ func (s *secbootSuite) TestResealKey(c *C) {
 
 		// mock adding EFI boot manager profile
 		addEFIBootManagerCalls := 0
-		restore = secboot.MockSbAddEFIBootManagerProfile(func(profile *sb.PCRProtectionProfile, params *sb.EFIBootManagerProfileParams) error {
+		restore = secboot.MockSbEfiAddBootManagerProfile(func(profile *sb.PCRProtectionProfile, params *sb_efi.BootManagerProfileParams) error {
 			addEFIBootManagerCalls++
 			c.Assert(profile, Equals, pcrProfile)
 			c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256)
@@ -1004,7 +1005,7 @@ func (s *secbootSuite) TestResealKey(c *C) {
 
 		// mock adding systemd EFI stub profile
 		addSystemdEfiStubCalls := 0
-		restore = secboot.MockSbAddSystemdEFIStubProfile(func(profile *sb.PCRProtectionProfile, params *sb.SystemdEFIStubProfileParams) error {
+		restore = secboot.MockSbEfiAddSystemdStubProfile(func(profile *sb.PCRProtectionProfile, params *sb_efi.SystemdStubProfileParams) error {
 			addSystemdEfiStubCalls++
 			c.Assert(profile, Equals, pcrProfile)
 			c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256)

diff --git a/secboot/secboot_tpm.go b/secboot/secboot_tpm.go
@@ -28,6 +28,7 @@ import (
 
 	"github.com/canonical/go-tpm2"
 	sb "github.com/snapcore/secboot"
+	sb_efi "github.com/snapcore/secboot/efi"
 	"golang.org/x/xerrors"
 
 	"github.com/snapcore/snapd/asserts"
@@ -49,9 +50,9 @@ var (
 	sbMeasureSnapModelToTPM                = sb.MeasureSnapModelToTPM
 	sbBlockPCRProtectionPolicies           = sb.BlockPCRProtectionPolicies
 	sbActivateVolumeWithTPMSealedKey       = sb.ActivateVolumeWithTPMSealedKey
-	sbAddEFISecureBootPolicyProfile        = sb.AddEFISecureBootPolicyProfile
-	sbAddEFIBootManagerProfile             = sb.AddEFIBootManagerProfile
-	sbAddSystemdEFIStubProfile             = sb.AddSystemdEFIStubProfile
+	sbefiAddSecureBootPolicyProfile        = sb_efi.AddSecureBootPolicyProfile
+	sbefiAddBootManagerProfile             = sb_efi.AddBootManagerProfile
+	sbefiAddSystemdStubProfile             = sb_efi.AddSystemdStubProfile
 	sbAddSnapModelProfile                  = sb.AddSnapModelProfile
 	sbSealKeyToTPMMultiple                 = sb.SealKeyToTPMMultiple
 	sbUpdateKeyPCRProtectionPolicyMultiple = sb.UpdateKeyPCRProtectionPolicyMultiple
@@ -395,7 +396,7 @@ func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb.PCRProtec
 		}
 
 		// Add EFI secure boot policy profile
-		policyParams := sb.EFISecureBootPolicyProfileParams{
+		policyParams := sb_efi.SecureBootPolicyProfileParams{
 			PCRAlgorithm:  tpm2.HashAlgorithmSHA256,
 			LoadSequences: loadSequences,
 			// TODO:UC20: set SignatureDbUpdateKeystore to support applying forbidden
@@ -404,27 +405,27 @@ func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb.PCRProtec
 			//            ensure that the PCR profile is updated before/after sbkeysync executes.
 		}
 
-		if err := sbAddEFISecureBootPolicyProfile(modelProfile, &policyParams); err != nil {
+		if err := sbefiAddSecureBootPolicyProfile(modelProfile, &policyParams); err != nil {
 			return nil, fmt.Errorf("cannot add EFI secure boot policy profile: %v", err)
 		}
 
 		// Add EFI boot manager profile
-		bootManagerParams := sb.EFIBootManagerProfileParams{
+		bootManagerParams := sb_efi.BootManagerProfileParams{
 			PCRAlgorithm:  tpm2.HashAlgorithmSHA256,
 			LoadSequences: loadSequences,
 		}
-		if err := sbAddEFIBootManagerProfile(modelProfile, &bootManagerParams); err != nil {
+		if err := sbefiAddBootManagerProfile(modelProfile, &bootManagerParams); err != nil {
 			return nil, fmt.Errorf("cannot add EFI boot manager profile: %v", err)
 		}
 
 		// Add systemd EFI stub profile
 		if len(mp.KernelCmdlines) != 0 {
-			systemdStubParams := sb.SystemdEFIStubProfileParams{
+			systemdStubParams := sb_efi.SystemdStubProfileParams{
 				PCRAlgorithm:   tpm2.HashAlgorithmSHA256,
 				PCRIndex:       initramfsPCR,
 				KernelCmdlines: mp.KernelCmdlines,
 			}
-			if err := sbAddSystemdEFIStubProfile(modelProfile, &systemdStubParams); err != nil {
+			if err := sbefiAddSystemdStubProfile(modelProfile, &systemdStubParams); err != nil {
 				return nil, fmt.Errorf("cannot add systemd EFI stub profile: %v", err)
 			}
 		}
@@ -483,7 +484,7 @@ func provisionTPMImpl(tpm *sb.TPMConnection, mode sb.ProvisionMode, lockoutAuth
 }
 
 // buildLoadSequences builds EFI load image event trees from this package LoadChains
-func buildLoadSequences(chains []*LoadChain) (loadseqs []*sb.EFIImageLoadEvent, err error) {
+func buildLoadSequences(chains []*LoadChain) (loadseqs []*sb_efi.ImageLoadEvent, err error) {
 	// this will build load event trees for the current
 	// device configuration, e.g. something like:
 	//
@@ -495,7 +496,7 @@ func buildLoadSequences(chains []*LoadChain) (loadseqs []*sb.EFIImageLoadEvent,
 
 	for _, chain := range chains {
 		// root of load events has source Firmware
-		loadseq, err := chain.loadEvent(sb.Firmware)
+		loadseq, err := chain.loadEvent(sb_efi.Firmware)
 		if err != nil {
 			return nil, err
 		}
@@ -505,11 +506,11 @@ func buildLoadSequences(chains []*LoadChain) (loadseqs []*sb.EFIImageLoadEvent,
 }
 
 // loadEvent builds the corresponding load event and its tree
-func (lc *LoadChain) loadEvent(source sb.EFIImageLoadEventSource) (*sb.EFIImageLoadEvent, error) {
-	var next []*sb.EFIImageLoadEvent
+func (lc *LoadChain) loadEvent(source sb_efi.ImageLoadEventSource) (*sb_efi.ImageLoadEvent, error) {
+	var next []*sb_efi.ImageLoadEvent
 	for _, nextChain := range lc.Next {
 		// everything that is not the root has source shim
-		ev, err := nextChain.loadEvent(sb.Shim)
+		ev, err := nextChain.loadEvent(sb_efi.Shim)
 		if err != nil {
 			return nil, err
 		}
@@ -519,26 +520,26 @@ func (lc *LoadChain) loadEvent(source sb.EFIImageLoadEventSource) (*sb.EFIImageL
 	if err != nil {
 		return nil, err
 	}
-	return &sb.EFIImageLoadEvent{
+	return &sb_efi.ImageLoadEvent{
 		Source: source,
 		Image:  image,
 		Next:   next,
 	}, nil
 }
 
-func efiImageFromBootFile(b *bootloader.BootFile) (sb.EFIImage, error) {
+func efiImageFromBootFile(b *bootloader.BootFile) (sb_efi.Image, error) {
 	if b.Snap == "" {
 		if !osutil.FileExists(b.Path) {
 			return nil, fmt.Errorf("file %s does not exist", b.Path)
 		}
-		return sb.FileEFIImage(b.Path), nil
+		return sb_efi.FileImage(b.Path), nil
 	}
 
 	snapf, err := snapfile.Open(b.Snap)
 	if err != nil {
 		return nil, err
 	}
-	return sb.SnapFileEFIImage{
+	return sb_efi.SnapFileImage{
 		Container: snapf,
 		FileName:  b.Path,
 	}, nil