// -*- Mode: Go; indent-tabs-mode: t -*-
//go:build !nosecboot
/*
* Copyright (C) 2020 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package install

import (
	"fmt"

	"github.com/snapcore/snapd/gadget/device"
	"github.com/snapcore/snapd/secboot"
)

var (
	// package-level so that tests can replace it
	secbootFormatEncryptedDevice = secboot.FormatEncryptedDevice
)

// encryptedDevice represents an encrypted block device.
type encryptedDevice interface {
	Node() string
	Close() error
}

// encryptedDeviceLUKS represents a LUKS-backed encrypted block device.
type encryptedDeviceLUKS struct {
	parent string
	name   string
	node   string
}

// expected interface is implemented
var _ = encryptedDevice(&encryptedDeviceLUKS{})

// newEncryptedDeviceLUKS creates an encrypted device in the existing
// partition using the specified key with the LUKS backend.
func newEncryptedDeviceLUKS(devNode string, encType device.EncryptionType, key secboot.DiskUnlockKey, label, name string) (encryptedDevice, error) {
	// on top of us expecting encrypted partitions to have the -enc suffix,
	// the label, specifically the one for "ubuntu-data", is what fwupd keys
	// its FDE auto-detection on, see
	// https://github.com/fwupd/fwupd/blob/f958d13ab6a8d638a8f5693a34f69d1e2580798c/libfwupdplugin/fu-context.c#L1084
	encLabel := label + "-enc"
	if err := secbootFormatEncryptedDevice(key, encType, encLabel, devNode); err != nil {
		return nil, fmt.Errorf("cannot format encrypted device: %v", err)
	}
	if err := cryptsetupOpen(key, devNode, name); err != nil {
		return nil, fmt.Errorf("cannot open encrypted device on %s: %s", devNode, err)
	}

	dev := &encryptedDeviceLUKS{
		parent: devNode,
		name:   name,
		// A new block device is used to access the encrypted data. Note that
		// an encrypted device can't be opened under different names, and a
		// name can't be used by more than one device at the same time.
		node: fmt.Sprintf("/dev/mapper/%s", name),
	}
	return dev, nil
}

func (dev *encryptedDeviceLUKS) Node() string {
	return dev.node
}

func (dev *encryptedDeviceLUKS) Close() error {
	return cryptsetupClose(dev.name)
}

// cryptsetupOpenImpl activates the LUKS container on node as /dev/mapper/name
// using the given unlock key.
func cryptsetupOpenImpl(key secboot.DiskUnlockKey, node, name string) error {
	return secboot.ActivateVolumeWithKey(name, node, key, nil)
}

var cryptsetupOpen = cryptsetupOpenImpl

// cryptsetupCloseImpl tears down the /dev/mapper/name mapping.
func cryptsetupCloseImpl(name string) error {
	return secboot.DeactivateVolume(name)
}

var cryptsetupClose = cryptsetupCloseImpl
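The file above wires its LUKS operations through package-level function variables (`secbootFormatEncryptedDevice`, `cryptsetupOpen`, `cryptsetupClose`) so that tests can swap the real cryptsetup-backed secboot calls for a fake. The following is an added, stand-alone example of that pattern; it is not snapd's code or its test suite. `DiskUnlockKey` and `EncryptionType` are local stand-ins whose shapes are assumed, `fakeLUKS` and `useFakeLUKS` are hypothetical helpers, and the device nodes and the all-zero key are constructed inputs. The fake enforces the invariants the file's comments rely on: the label written to the container carries the `-enc` suffix, a `/dev/mapper` name is bound to at most one device node, and a node is open under at most one name.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-ins for the snapd types encrypt.go imports from secboot and
// gadget/device; the shapes are assumed here, not copied from snapd.
type DiskUnlockKey []byte
type EncryptionType string

// fakeLUKS replaces the secboot format/activate/deactivate calls with an
// in-memory model that enforces what the file's comments rely on: the LUKS
// label carries the "-enc" suffix, a /dev/mapper name is bound to at most one
// device node at a time, and a node is open under at most one name.
type fakeLUKS struct {
	labels map[string]string // device node -> LUKS label written by format
	active map[string]string // mapper name -> device node while open
}

func (f *fakeLUKS) format(key DiskUnlockKey, encType EncryptionType, label, node string) error {
	if !strings.HasSuffix(label, "-enc") {
		return fmt.Errorf("label %q lacks the -enc suffix", label)
	}
	f.labels[node] = label
	return nil
}

func (f *fakeLUKS) activate(key DiskUnlockKey, node, name string) error {
	if _, ok := f.labels[node]; !ok {
		return fmt.Errorf("%s has no LUKS header", node)
	}
	if other, busy := f.active[name]; busy {
		return fmt.Errorf("mapper name %q is already bound to %s", name, other)
	}
	for openName, openNode := range f.active {
		if openNode == node {
			return fmt.Errorf("%s is already open as %s", node, openName)
		}
	}
	f.active[name] = node
	return nil
}

func (f *fakeLUKS) deactivate(name string) error {
	if _, ok := f.active[name]; !ok {
		return fmt.Errorf("%s is not an active mapping", name)
	}
	delete(f.active, name)
	return nil
}

// Hook variables in the style of encrypt.go: production code would point
// them at secboot; useFakeLUKS points them at the fake.
var (
	formatEncryptedDevice func(DiskUnlockKey, EncryptionType, string, string) error
	cryptsetupOpen        func(DiskUnlockKey, string, string) error
	cryptsetupClose       func(string) error
)

type encryptedDevice interface {
	Node() string
	Close() error
}

type encryptedDeviceLUKS struct{ parent, name, node string }

func (d *encryptedDeviceLUKS) Node() string { return d.node }
func (d *encryptedDeviceLUKS) Close() error { return cryptsetupClose(d.name) }

// newEncryptedDeviceLUKS mirrors the page's constructor: derive the label,
// format, then open the container under the requested mapper name.
func newEncryptedDeviceLUKS(devNode string, encType EncryptionType, key DiskUnlockKey, label, name string) (encryptedDevice, error) {
	if err := formatEncryptedDevice(key, encType, label+"-enc", devNode); err != nil {
		return nil, fmt.Errorf("cannot format encrypted device: %v", err)
	}
	if err := cryptsetupOpen(key, devNode, name); err != nil {
		return nil, fmt.Errorf("cannot open encrypted device on %s: %s", devNode, err)
	}
	return &encryptedDeviceLUKS{parent: devNode, name: name, node: "/dev/mapper/" + name}, nil
}

// useFakeLUKS installs a fresh fake behind the hooks and returns it for inspection.
func useFakeLUKS() *fakeLUKS {
	f := &fakeLUKS{labels: map[string]string{}, active: map[string]string{}}
	formatEncryptedDevice, cryptsetupOpen, cryptsetupClose = f.format, f.activate, f.deactivate
	return f
}

func main() {
	f := useFakeLUKS()
	key := make(DiskUnlockKey, 32) // constructed all-zero key; the fake never reads it
	dev, err := newEncryptedDeviceLUKS("/dev/sda4", "cryptsetup", key, "ubuntu-data", "ubuntu-data")
	if err != nil {
		panic(err)
	}
	fmt.Println("opened", dev.Node(), "label", f.labels["/dev/sda4"], "close:", dev.Close())
}
```

The point of swapping the hooks rather than mocking at the cryptsetup binary level is that the constructor's ordering (format before open, label derived before either) and its error wrapping can be exercised without touching a real block device; the fake's name-collision and already-open checks stand in for the device-mapper errors cryptsetup would return in those cases.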