From f968bb3a1102162c72513b47757c156eee3957f8 Mon Sep 17 00:00:00 2001
From: Maciej Borzecki
Date: Fri, 6 Nov 2020 12:52:15 +0100
Subject: [PATCH] secboot: indicate when unlock status is unknown
Signed-off-by: Maciej Borzecki
---
 secboot/secboot.go | 2 ++
 secboot/secboot_tpm.go | 7 ++-----
 secboot/secboot_tpm_test.go | 5 +++--
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/secboot/secboot.go b/secboot/secboot.go
index 0ad26e4007e..813207142be 100644
--- a/secboot/secboot.go
+++ b/secboot/secboot.go
@@ -120,6 +120,8 @@ const (
 // UnlockedWithRecoveryKey indicates that the device was unlocked by the
 // user providing the recovery key at the prompt.
 UnlockedWithRecoveryKey
+ // UnlockStatusUnknown indicates that the unlock status of the device is not clear.
+ UnlockStatusUnknown
 )
 
 // UnlockResult is the result of trying to unlock a volume.
diff --git a/secboot/secboot_tpm.go b/secboot/secboot_tpm.go
index e468bfaad02..286643c486e 100644
--- a/secboot/secboot_tpm.go
+++ b/secboot/secboot_tpm.go
@@ -325,11 +325,8 @@ func UnlockVolumeUsingSealedKeyIfEncrypted(
 // otherwise we have a tpm and we should use the sealed key first, but
 // this method will fallback to using the recovery key if enabled
 method, err := unlockEncryptedPartitionWithSealedKey(tpm, mapperName, res.Device, sealedEncryptionKeyFile, "", opts.AllowRecoveryKey)
- if err != nil {
- return err
- }
 res.UnlockMethod = method
- return nil
+ return err
 }()
 if err != nil {
 return res, err
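Review bot: The doc comment on `UnlockStatusUnknown` in secboot/secboot.go does not tell a caller what it may assume, and the only place this patch returns the value (secboot/secboot_tpm.go) is a path where the volume was already activated. I would state that explicitly, e.g. `// UnlockStatusUnknown indicates that the volume may have been activated but it is not known which key was used; callers must not treat it as a successful, attributable unlock.` Any caller outside this patch that tests `UnlockMethod != NotUnlocked` to mean "unlocked" would now also accept the unknown state, so those comparisons are worth auditing. The const block starts before the hunk.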
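Review bot: In the secboot/secboot_tpm.go hunk at -325, `res.UnlockMethod = method` now runs before the error is looked at, so `UnlockVolumeUsingSealedKeyIfEncrypted` returns a populated result together with a non-nil error and nothing in the hunk documents that. Go callers usually disregard the first return value once err is set, so the new contract should be written down; I would add above the assignment `// record the method even on error: UnlockStatusUnknown means the volume may be active` and say the same in the function's doc comment. The function signature and its doc comment are outside the hunk, as is the rest of the body.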
@@ -428,7 +425,7 @@ func unlockEncryptedPartitionWithSealedKey(tpm *sb.TPMConnection, name, device,
 return UnlockedWithRecoveryKey, nil
 }
 // no other error is possible when activation succeeded
- return NotUnlocked, fmt.Errorf("internal error: volume activated with unexpected error: %v", err)
+ return UnlockStatusUnknown, fmt.Errorf("internal error: volume activated with unexpected error: %v", err)
 }
 // ActivateVolumeWithTPMSealedKey should always return an error if activated == false
 return NotUnlocked, fmt.Errorf("cannot activate encrypted device %q: %v", device, err)
diff --git a/secboot/secboot_tpm_test.go b/secboot/secboot_tpm_test.go
index 32862e4c1db..b1dbbecfe5e 100644
--- a/secboot/secboot_tpm_test.go
+++ b/secboot/secboot_tpm_test.go
@@ -408,8 +408,9 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) {
 activateErr: &sb.ActivateWithTPMSealedKeyError{
 RecoveryKeyUsageErr: fmt.Errorf("unexpected"),
 },
- err: `internal error: volume activated with unexpected error: .* \(unexpected\)`,
- disk: mockDiskWithEncDev,
+ expUnlockMethod: secboot.UnlockStatusUnknown,
+ err: `internal error: volume activated with unexpected error: .* \(unexpected\)`,
+ disk: mockDiskWithEncDev,
 }, {
 // activation works but lock fails, without encrypted device (lock requested)
 tpmEnabled: true, lockRequest: true, activated: true,
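Review bot: The `UnlockStatusUnknown` return in `unlockEncryptedPartitionWithSealedKey` is reached only after activation succeeded, so as far as this hunk shows the mapped device stays active while the caller is handed an error. The existing comment `// no other error is possible when activation succeeded` reads as if the branch were dead code; I would extend it with `// the volume is active but we cannot tell which key opened it, so report UnlockStatusUnknown instead of NotUnlocked`. Whether callers deactivate the volume or stop on this status is not visible here and should be confirmed before relying on it. The function body starts and ends outside the hunk.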
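Review bot: Only the "unexpected error" case in secboot/secboot_tpm_test.go gains an `expUnlockMethod`, while the secboot_tpm.go change makes every error path propagate the method into the result. If the assertion on the result's `UnlockMethod`, which is outside this hunk, runs only when no error is expected, the new `secboot.UnlockStatusUnknown` expectation is never checked; it should be compared on error paths as well. The "cannot activate" cases could then pin `expUnlockMethod: secboot.NotUnlocked` explicitly rather than relying on the field's default. The test table and the loop that consumes it start and end outside the hunk.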