File: params.go

package info (click to toggle)
snapd 2.72-1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 80,412 kB
  • sloc: sh: 16,506; ansic: 16,211; python: 11,213; makefile: 1,919; exp: 190; awk: 58; xml: 22
file content (139 lines) | stat: -rw-r--r-- 4,711 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
 
// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2019-2022 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package install

import (
	"github.com/snapcore/snapd/gadget"
	"github.com/snapcore/snapd/gadget/device"
	"github.com/snapcore/snapd/gadget/quantity"
	"github.com/snapcore/snapd/secboot"
)

type Options struct {
	// Also mount the filesystems after creation
	Mount bool
	// Encrypt the data/save partitions
	EncryptionType device.EncryptionType
}

// InstalledSystemSideData carries side data of an installed system, eg. secrets
// to access its partitions.
type InstalledSystemSideData struct {
	// KeysForRoles contains key sets for the relevant structure roles.
	BootstrappedContainerForRole map[string]secboot.BootstrappedContainer
	// DeviceForRole maps a roles to their corresponding device nodes. For
	// structures with roles that require data to be encrypted, the device
	// is the raw encrypted device node (eg. /dev/mmcblk0p1).
	DeviceForRole map[string]string
}

// partEncryptionData contains meta-data for an encrypted partition.
type partEncryptionData struct {
	role            string
	device          string
	encryptedDevice string

	volName    string
	installKey secboot.BootstrappedContainer
	// TODO: this is currently not used
	encryptedSectorSize quantity.Size
	encryptionParams    gadget.StructureEncryptionParameters
}

// EncryptionSetupData stores information needed across install
// API calls.
type EncryptionSetupData struct {
	// maps from partition label to data
	parts map[string]partEncryptionData
	// optional volume authentication options
	volumesAuth *device.VolumesAuthOptions
	// optional recovery key id. if set, it indicates that the
	// corresponding recovery key should be used for all relevant
	// volumes during installation.
	recoveryKeyID string
	// optional preinstall check context that includes the check result that
	// reflects the outcome of the most recent check and contains information
	// required for optimum PCR configuration and reseal post install
	preinstallCheckContext *secboot.PreinstallCheckContext
}

// EncryptedDevices returns a map partition role -> LUKS mapper device.
func (esd *EncryptionSetupData) EncryptedDevices() map[string]string {
	m := make(map[string]string, len(esd.parts))
	for _, p := range esd.parts {
		m[p.role] = p.encryptedDevice
	}
	return m
}

// VolumesAuth returns attached volumes authentication options if any.
func (esd *EncryptionSetupData) VolumesAuth() *device.VolumesAuthOptions {
	return esd.volumesAuth
}

func (esd *EncryptionSetupData) SetRecoveryKeyID(keyID string) {
	esd.recoveryKeyID = keyID
}

func (esd *EncryptionSetupData) RecoveryKeyID() string {
	return esd.recoveryKeyID
}

func (esd *EncryptionSetupData) PreinstallCheckContext() *secboot.PreinstallCheckContext {
	return esd.preinstallCheckContext
}

// MockEncryptedDeviceAndRole is meant to be used for unit tests from other
// packages.
type MockEncryptedDeviceAndRole struct {
	Role            string
	EncryptedDevice string
}

// MockEncryptionSetupData is meant to be used for unit tests from other
// packages.
func MockEncryptionSetupData(
	labelToEncDevice map[string]*MockEncryptedDeviceAndRole,
	recoveryKeyID string,
	volumesAuth *device.VolumesAuthOptions,
	checkContext *secboot.PreinstallCheckContext,
) *EncryptionSetupData {
	esd := &EncryptionSetupData{
		parts:                  map[string]partEncryptionData{},
		volumesAuth:            volumesAuth,
		recoveryKeyID:          recoveryKeyID,
		preinstallCheckContext: checkContext,
	}
	for label, encryptData := range labelToEncDevice {
		//TODO:FDEM: we should use a mock for the bootstrap key. However,
		//this is still used in place where LegacyKeptKey will be
		//called to write the save key to a file in
		//overlord/install/install.go. Once we have removed that call,
		// we can use mock object instead.
		bootstrapKey := secboot.CreateMockBootstrappedContainer()
		esd.parts[label] = partEncryptionData{
			role:                encryptData.Role,
			encryptedDevice:     encryptData.EncryptedDevice,
			installKey:          bootstrapKey,
			encryptedSectorSize: 512,
		}
	}
	return esd
}