secboot: indicate when unlock status is unknown

Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
olivercalder · Nov 6, 2020 · f968bb3 · f968bb3
1 parent 35a2a99
commit f968bb3
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 7 deletions.
diff --git a/secboot/secboot.go b/secboot/secboot.go
@@ -120,6 +120,8 @@ const (
 	// UnlockedWithRecoveryKey indicates that the device was unlocked by the
 	// user providing the recovery key at the prompt.
 	UnlockedWithRecoveryKey
+	// UnlockStatusUnknown indicates that the unlock status of the device is not clear.
+	UnlockStatusUnknown
 )
 
 // UnlockResult is the result of trying to unlock a volume.

diff --git a/secboot/secboot_tpm.go b/secboot/secboot_tpm.go
@@ -325,11 +325,8 @@ func UnlockVolumeUsingSealedKeyIfEncrypted(
 		// otherwise we have a tpm and we should use the sealed key first, but
 		// this method will fallback to using the recovery key if enabled
 		method, err := unlockEncryptedPartitionWithSealedKey(tpm, mapperName, res.Device, sealedEncryptionKeyFile, "", opts.AllowRecoveryKey)
-		if err != nil {
-			return err
-		}
 		res.UnlockMethod = method
-		return nil
+		return err
 	}()
 	if err != nil {
 		return res, err
@@ -428,7 +425,7 @@ func unlockEncryptedPartitionWithSealedKey(tpm *sb.TPMConnection, name, device,
 			return UnlockedWithRecoveryKey, nil
 		}
 		// no other error is possible when activation succeeded
-		return NotUnlocked, fmt.Errorf("internal error: volume activated with unexpected error: %v", err)
+		return UnlockStatusUnknown, fmt.Errorf("internal error: volume activated with unexpected error: %v", err)
 	}
 	// ActivateVolumeWithTPMSealedKey should always return an error if activated == false
 	return NotUnlocked, fmt.Errorf("cannot activate encrypted device %q: %v", device, err)

diff --git a/secboot/secboot_tpm_test.go b/secboot/secboot_tpm_test.go
@@ -408,8 +408,9 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) {
 			activateErr: &sb.ActivateWithTPMSealedKeyError{
 				RecoveryKeyUsageErr: fmt.Errorf("unexpected"),
 			},
-			err:  `internal error: volume activated with unexpected error: .* \(unexpected\)`,
-			disk: mockDiskWithEncDev,
+			expUnlockMethod: secboot.UnlockStatusUnknown,
+			err:             `internal error: volume activated with unexpected error: .* \(unexpected\)`,
+			disk:            mockDiskWithEncDev,
 		}, {
 			// activation works but lock fails, without encrypted device (lock requested)
 			tpmEnabled: true, lockRequest: true, activated: true,