Using a fifo pipe and a goroutine with "cryptsetup luksAddKey" is
unnecessary, as both the existing key and the new key can be provided
via stdin to cryptsetup. Additionally, this adds the --batch-mode
option when calling cryptsetup so warnings printed by cryptsetup in
23.10 do not mess up the parsing of the returned message. Fixes
LP#2036631, this being an alternative solution to [1] (although the
latter would still need to use the --batch-mode option).
[1] https://github.com/snapcore/snapd/pull/12935
Replace ioutil.WriteFile with os.WriteFile since the former has been
deprecated since go1.16 and simply calls the latter.
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
The randutil.RandomKernelUUID() used to generate a panic on failure.
The process of consolidating common code used by Pebble and Snapd
(e.g. randutil) highlighted the fact that an error return, as relied on by
Pebble, is a more flexible approach and allows application code to decide
the severity, instead of the library function.
- Make secboot unlock code deal with an error that can now be returned
from the UUID generator.
- Add unit tests to cover the new error paths in the code.
Signed-off-by: Fred Lotter <fred.lotter@canonical.com>
* many: remove all `device-setup` fde-setup code
When we initially worked on the inline-crypto-engine (ICE) code we
had a design based on the fde-setup hook that would return a
`device-setup` feature as a hint that ICE should be used. It
turned out this design was impractical and we moved to a much
better approach that got merged in
https://github.com/snapcore/snapd/pull/12589
and relies on support for ICE in the kernel and cryptsetup.
With that new approach all the code that was supporting the
`device-setup` approach can be removed now.
* daemon: consider again the fde-setup hook case
* client: consider the ICE encryption type
* osu/disks,kernel: remove device-unlock support as well
---------
Co-authored-by: Samuele Pedroni <pedronis@lucediurna.net>
This commit updates the if/case statements that check for
secboot.EncryptionTypeLUKS to also deal with EncryptionTypeLUKSWithICE
and adds some TODO:ICE: about cleanup we can do later.
This reworks the ICE support to add a new secboot.EncryptionTypeLUKSWithICE
and the detection is done via a new "use-ice" flag in the features call of
the fde hook.