38 Commits

Author SHA1 Message Date
Oliver Calder
6905775c44 i/prompting: implement path pattern matching (#13866)
Path pattern matching is implemented via the doublestar package, which
emulates bash's globstar matching. Patterns may include '*' wildcard
characters (which match any number of non-separator characters), '**'
doublestars (which match zero or more subdirectories), '?' wildcard
characters (which match exactly one non-separator character), and nested
groups delimited by '{' and '}'. Notably, path patterns are *not* allowed
to have character classes delimited by '[' and ']', nor inverted
classes of the form "[^abc]".

There is a limit on the number of groups allowed in path patterns, but
up to that limit, groups may be arbitrarily nested or sequential.

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

i/prompting: fix typo and add notes to remove test boilerplate

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

i/prompting: use separate test suite for patterns

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

i/prompting: improve unit test coverage

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

* i/prompting: count and validate true number of expanded patterns

Rather than counting the number of groups and using it as a heuristic
for the number of patterns into which a given path pattern will expand,
instead compute the true number of expanded patterns and compare it
against a set limit.

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

* i/prompting: implement path pattern checks in constraints

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

* i/prompting: throw error if group depth exceeds maximum expanded patterns

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

* packaging: add doublestar dependency for prompting pattern matching

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

* i/prompting: remove standalone path pattern validation

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

---------

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
2024-06-17 20:12:22 +02:00
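The group expansion and expansion limit that the commit message above describes, as an added Go illustration that is not snapd's code (snapd delegates the actual matching to the doublestar package): it rejects character classes, expands nested and sequential `{a,b}` groups into the plain patterns they denote, and fails as soon as the true number of expanded patterns exceeds a limit. The function names, the limit value and the sample patterns are assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var errTooManyPatterns = errors.New("path pattern expands to too many patterns")
var errBadPattern = errors.New("unmatched brace or character class in path pattern")

// expandPathPattern rejects character classes and expands every (possibly
// nested) "{a,b}" group into the plain glob patterns it denotes, failing as
// soon as the true number of expanded patterns would exceed limit.
func expandPathPattern(pattern string, limit int) ([]string, error) {
	if strings.ContainsAny(pattern, "[]") {
		return nil, errBadPattern
	}
	return expandGroups(pattern, limit)
}

// expandGroups expands the first group in pattern and recurses on each
// alternative, so nested and sequential groups are handled the same way.
func expandGroups(pattern string, limit int) ([]string, error) {
	open := strings.IndexByte(pattern, '{')
	if open < 0 {
		if strings.IndexByte(pattern, '}') >= 0 {
			return nil, errBadPattern
		}
		return []string{pattern}, nil
	}
	depth, start := 0, open+1
	var alts []string
	for i := open; i < len(pattern); i++ {
		switch pattern[i] {
		case '{':
			depth++
		case ',':
			if depth == 1 { // a comma of this group, not of a nested one
				alts = append(alts, pattern[start:i])
				start = i + 1
			}
		case '}':
			if depth--; depth > 0 {
				continue
			}
			alts = append(alts, pattern[start:i])
			prefix, suffix := pattern[:open], pattern[i+1:]
			var out []string
			for _, alt := range alts {
				sub, err := expandGroups(prefix+alt+suffix, limit)
				if err != nil {
					return nil, err
				}
				if out = append(out, sub...); len(out) > limit {
					return nil, errTooManyPatterns
				}
			}
			return out, nil
		}
	}
	return nil, errBadPattern // ran out of input inside a group
}

func main() {
	// Sample pattern and limit are constructed for this illustration.
	fmt.Println(expandPathPattern("/home/*/{Documents,Pictures/{**,*.png}}/*", 1000))
}
```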
Valentin David
2034c7edb2 boot,bootloader: add support for shim fallback and setting EFI boot variables on install (#13511)
* boot: added function to set EFI variables

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot: renamed trustedShimFallbackBinary to seedShimPath

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot: refactored setting EFI boot variables at install

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot: adjusted variable names and fixed variable initialization

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot: improve setting Boot#### EFI variable

Notably, splits off the process of reading a Boot#### variable and
extracting its DevicePath into its own function `readBootVariable` which
can be mocked and otherwise simplifies the `setBootNumberVariable`
function.

Also, fixes behavior around the final BootFFFF variable.  Previously, it
was not possible to select the BootFFFF variable if it was unused, due
to overflow concerns on uint16.  Now, the behavior around BootFFFF is
identical to that of any other boot variable, by using an int internally
instead of uint16, which also allows a more robust check for whether
there were no matching variables.

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot: added unit tests for setting EFI Boot#### variable

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot: refactored setting EFI boot variables

Rewrote EFI boot variable functions to more closely match the behavior
of shim fallback: https://github.com/rhboot/shim/blob/main/fallback.c

In particular, the following have changed:

1. Existing Boot#### variables must fully match the new load option to
   be considered a match.  In particular, the load option attributes,
   label, and device path must all be byte-for-byte identical.
   Previously, only the device paths were compared.
2. Matching Boot#### variables are no longer overwritten.  Since the
   variable data must now byte-for-byte match the new load option, there
   is no need to overwrite the existing variable.
3. Since existing Boot#### variables are no longer overwritten, the
   variable attributes are no longer checked for those variables.
   Instead, it is assumed that the Boot#### variable attributes are
   viable for it to be used as a boot option.  This matches the behavior
   of `rhboot/shim/fallback.c`, for better or for worse.
4. When modifying the BootOrder variable, boot option numbers are no
   longer pruned if there is no matching Boot#### variable.

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot,bootloader: introduce UefiBootloader to build EFI load options

Previously, the path of the shim binary relative to the EFI partition
was passed into `SetEfiBootVariables`. However, different bootloaders
may wish to set up `OptionalData` in the load option.

Additionally, not all `TrustedAssetBootloaders` will attempt to set
EFI boot variables, and not all bootloaders which should set EFI boot
variables necessarily support secure boot. Thus, these should be
decoupled.

This commit adds a new `UefiBootloader` interface with the
`ConstructShimEfiLoadOption` method, which builds an EFI load option
from the shim path for the given bootloader.

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot,bootloader: fixed linting errors and improved EFI boot variable test clarity

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

bootloader: improved unit test for grub EFI load option creation

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot: set EFI boot variables in `MakeRunnableSystem`

Previously, attempted to set boot variables in
`MakeRecoverySystemBootable`, which is called by `MakeBootableImage`,
which is called when building the image file, rather than during install
mode.

`MakeRunnableSystem` is called on first boot during install mode, and
thus should be responsible for setting EFI boot variables.

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot: use seed bootloader when setting EFI variables

In install mode, the bootloader located in ubuntu-seed should be used
when setting the EFI boot variables. Previously, the bootloader in
ubuntu-boot was accidentally re-used.

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

tests: added simple test to execute setefibootvar.go code

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

tests: fixed standalone set EFI vars code test to work with different layouts

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

tests: moved simple setefibootvar.go check to nested test

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

tests: added check for idempotence when setting EFI boot variables

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

bootloader: adjust comments, organization, and add TODO

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot,bootloader: fix setting EFI boot variables

Make function to search for EFI asset device path and construct load
option common so each UefiBootloader does not have to re-implement it.
Instead, the bootloader returns the description, asset file path, and
optional data, which can then be used to create the EFI load option.

Also, in `makeRunnableSystem`, the bootloader in ubuntu-seed must have
`NoSlashBoot` in order to correctly find the grub.cfg file and thus the
grub bootloader. This commit fixes this bug, and refactors a bit to
account for the changes in responsibilities between the bootloader and
the setefibootvars.go code.

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

bootloader: fixed grub EFI load option test with tmp rootdir

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

go.mod: move golang.org/x/text import next to other golang.org/x/ imports

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot: adjust opts to look for recovery bootloader when setting EFI variables

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot: do not overwrite BootOrder if unchanged, and unexport EFI variable helper functions

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot: unexport `setEfiBootOrderVariable`

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot: move code to detect bootloader and set EFI variables accordingly into dedicated function

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot: unexport `setUbuntuSeedEfiBootVariables` and accompanying error

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot,bootloader: ensure nil optionalData for EFI variable is equivalent to 0-length slice

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot: handle empty boot order and other boot var improvements

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

boot: make setefibootvars functions linux-only

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

* tests: add nested spread test for setting EFI vars

The test checks that EFI boot variables exist for the following:
1. A Boot#### variable pointing to the shim file path.
2. A BootOrder variable with the #### from the above Boot#### as first.

Since the layout of EFI assets is dependent on the gadget snap, the test
downloads and unpacks the gadget, then modifies the contents so that one
variant has the shim and grub binaries in `EFI/boot/` and another
variant has the shim and grub binaries in `EFI/ubuntu/` and the fallback
binary in `EFI/boot/`.

After building a core image around that modified gadget, the VM is
booted and the test checks that the EFI variables are set correctly.
Then, the test modifies the gadget to match the other variant's initial
layout, and then installs the newly modified gadget. This should trigger
re-setting EFI boot variables as well.

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

tests: fix problems in spread test for setting EFI boot variables

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

tests: disabled TPM on EFI boot vars test and separated gadget script

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

tests: fixed EFI vars test to use correct toolbox and include all EFI assets

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

tests: modify-gadget.sh re-use existing gadget so edition is incremented

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

tests: fix mangled EFI var search string and other improvements

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

tests: polish tests for setting EFI boot variables

Notably, allow tests/nested/core/core20-set-efi-boot-variables to run on
arm64 as well as amd64, simplify setefivars.go to search for multiple
assets on multiple architectures, and allow
tests/nested/manual/core20-set-efi-boot-vars to run on any ubuntu-2*.

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

* bootloader/grub.go: only consider new shim asset in boot entry for now

* tests/nested/core/core20-set-efi-boot-variables: fix details

* boot: update uefi variables on gadget update

* tests/nested/manual/core20-set-efi-boot-vars: work-around file not deleted

* tests/nested/manual/core20-set-efi-boot-vars: use fb.efi like other tests

* tests/nested/manual/core20-set-efi-boot-vars: drop use of toolbox snap

* tests/nested/manual/core20-set-efi-boot-vars: drop work-around for not deleted files

* tests/nested/manual/core20-set-efi-boot-vars: verify install does add a boot entry

* tests/nested/manual/core20-set-efi-boot-vars: run only on versions that have UC

* tests/nested/manual/core20-set-efi-boot-vars: obey GADGET_CHANNEL

* tests/nested/manual/core20-set-efi-boot-vars: move get_boot_entry.py to libs

* tests/nested/manual/core20-set-efi-boot-vars: factorize copy of variables

... so we can reuse the script in other tests

* tests/nested/core/core20-set-efi-boot-variables: stop using toolbox snap

* tests/nested/core/core20-set-efi-boot-variables: only run on versions with UC available

* overlord/devicestate: test using EfiLoadOptionParameters

* boot: test that variables are set

* boot: test observers' UpdateBootEntry

* tests/nested/manual/core20-set-efi-boot-vars: also test without secure boot

* many: use trusted install observer when UEFI variables are supported

* boot/makebootable.go: rename sealer to observer

* boot/grub.go: fix function name in doc

* cmd/snap-bootstrap: verify that ObserveExistingTrustedRecoveryAssets is called

* boot: add tests for SetEfiBootVariables

* many: comment on calls to ObserveExistingTrustedRecoveryAssets

---------

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>
Co-authored-by: Oliver Calder <oliver.calder@canonical.com>
2024-06-03 10:03:50 +02:00
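The Boot#### selection rules listed in the commit messages above (byte-for-byte comparison of the whole load option, no overwrite of a matching variable, BootFFFF treated like any other slot by using an int, BootOrder updated without pruning and rewritten only when it actually changes), as an added Go illustration that is not snapd's code. The type and function names and the sample load option bytes are assumptions made here.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// bootVars stands in for the firmware's Boot#### variables: number to raw
// load option (attributes, label and device path). Constructed, not snapd's.
type bootVars map[int][]byte

// findBootNumber returns the Boot#### number whose data is byte-for-byte
// identical to newOpt or, when none matches, the lowest unused number. Ints
// make BootFFFF an ordinary slot and let -1 signal that every slot is taken.
func findBootNumber(vars bootVars, newOpt []byte) (num int, matched bool) {
	firstFree := -1
	for n := 0; n <= 0xFFFF; n++ {
		data, ok := vars[n]
		if !ok {
			if firstFree < 0 {
				firstFree = n
			}
			continue
		}
		if bytes.Equal(data, newOpt) {
			return n, true
		}
	}
	return firstFree, false
}

// ensureBootEntry writes newOpt to a free slot only when no existing
// variable already matches; a matching variable is left untouched.
func ensureBootEntry(vars bootVars, newOpt []byte) (int, bool, error) {
	num, matched := findBootNumber(vars, newOpt)
	if num < 0 {
		return -1, false, errors.New("all Boot#### variables are in use")
	}
	if matched {
		return num, false, nil
	}
	vars[num] = append([]byte(nil), newOpt...)
	return num, true, nil
}

// newBootOrder moves num to the front and keeps every other entry in its
// relative order, without pruning entries lacking a Boot#### variable.
// changed is false when the order was already correct, so BootOrder is not rewritten.
func newBootOrder(order []uint16, num uint16) (out []uint16, changed bool) {
	out = []uint16{num}
	for _, n := range order {
		if n != num {
			out = append(out, n)
		}
	}
	changed = len(out) != len(order)
	for i := 0; !changed && i < len(out); i++ {
		changed = out[i] != order[i]
	}
	return out, changed
}

func main() {
	vars := bootVars{0: []byte("other"), 1: []byte("shim load option")} // constructed sample
	num, written, err := ensureBootEntry(vars, []byte("shim load option"))
	order, changed := newBootOrder([]uint16{3, 1, 7}, uint16(num))
	fmt.Println(num, written, err, order, changed)
}
```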
Maciej Borzecki
bf6f62b8ae tests/lib/fakestore/store: use graceful shutdown from net/http.Server (#13898)
* tests/lib/fakestore/store: use graceful shutdown from net/http.Server

The race detector detected an issue with the 3rd party package we used:

```
==================
WARNING: DATA RACE
Read at 0x00c00024c7e0 by goroutine 484:
  net/http.(*conn).setState()
      /snap/go/10585/src/net/http/server.go:1840 +0x156
  net/http.(*conn).serve.func1()
      /snap/go/10585/src/net/http/server.go:1910 +0x374
  runtime.deferreturn()
      /snap/go/10585/src/runtime/panic.go:602 +0x5d
  net/http.(*Server).Serve.gowrap3()
      /snap/go/10585/src/net/http/server.go:3285 +0x4f

Previous write at 0x00c00024c7e0 by goroutine 475:
  gopkg.in/tylerb/graceful%2ev1.(*Server).manageConnections()
      /home/runner/work/snapd/snapd/src/github.com/snapcore/snapd/vendor/gopkg.in/tylerb/graceful.v1/graceful.go:399 +0x7d5
  gopkg.in/tylerb/graceful%2ev1.(*Server).Serve.gowrap1()
      /home/runner/work/snapd/snapd/src/github.com/snapcore/snapd/vendor/gopkg.in/tylerb/graceful.v1/graceful.go:297 +0x8f
```

Given that graceful shutdown has been in stdlib for a while now, replace the 3rd
party package with functionality provided by net/http.Server.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* go: drop gopkg.in/tylerb/graceful

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* tests/lib/fakestore/store: simplify Stop()

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

---------

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-04-29 11:53:37 +02:00
Valentin David
cb2b445cc2 go.mod: update secboot to handle new sbatlevel (#13807) 2024-04-12 14:57:10 +02:00
Maciej Borzecki
0dd7e2f4e2 .github/workflows, advisor, packaging: switch to go.etcd.io/bbolt (#13804)
* go: add go.etcd.io/bbolt@1.3.9

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* advisor: switch to go.etcd.io/bbolt, since github.com/boltdb/bolt is no longer maintained

The upstream boltdb repository at https://github.com/boltdb/bolt is no longer
maintained and has been archived. The community has moved to forks, where
https://github.com/etcd-io/bbolt seems to be the one with most use.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* packaging/fedora: switch to go.etcd.io/bbolt

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* packaging/debian-sid: require bbolt

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* advisor: drop nobolt variant

Since we've switched to a different upstream, nobolt variant is no longer
needed.

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* packaging/debian-sid: drop nobolt hacks

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* github: drop nobolt unit test variant

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

* github: add missing newline

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>

---------

Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
2024-04-11 16:33:37 +02:00
Zygmunt Krynicki
a950bc5e8e go.mod: drop unused gopkg.in/mgo.v2
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
2024-03-04 08:40:57 +01:00
Michael Vogt
2bef6c5d77 go.mod: update gopkg.in/yaml.v3 to v3.0.1 to fix CVE-2022-28948 2023-07-10 10:38:18 +02:00
Michael Vogt
fc12834436 go.mod: update secboot to latest uc22 branch (#12916)
* go.mod: update secboot to latest uc22 branch

This updates the github.com/snapcore/secboot uc22 branch to contain
https://github.com/snapcore/secboot/pull/257 which will speed up
the I/O performance for full disk encrypted NXP i.MX7D armhf
devices significantly.

* go.mod: run go mod tidy (thanks to Miguel)
2023-06-27 14:43:51 +02:00
Michael Vogt
7509e38bd0 go.mod: update golang.org/x/net 2023-05-12 12:09:18 +02:00
Michael Vogt
ab94b392f0 go.mod: move to go 1.18 here too (#12719)
* packaging: update for go-1.18

* spread: remove opensuse-15.3-64, EOL was 2022-12-31

* tests: xenial needs the ppa:snappy-dev/image PPA to build now

* tests: on buster (Debian 10) only golang 1.19 is in -backports so use that

And only in buster-backports-sloppy right now

* tests: get go-1.18 from the xenial PPA

Debian 10 (buster) no longer accepts backports so we cannot
update golang there. In order to ensure snapd works on buster
we need to build it using a PPA with golang 1.18. This should
be okay as debian will re-exec into the new snapd on real
Debian 10 installs.

However eventually we will need to drop support for Debian 10
because of this limitation but for now it is okay to keep it a
bit longer until Debian 12 is really out.

* go: move go.mod to 1.18 and run `go mod {vendor,tidy}`

* workflow: get vendored dependencies in macos test

* workflow: get deps before mkversion.sh runs in "Build C" step

* vendor: drop including vendor/modules.txt in git again

* tests: get deps before installing the fakestore code (needed on debian-sid)

* Revert "tests: get deps before installing the fakestore code (needed on debian-sid)"

This reverts commit 8f215ee890de4aa401558b19847f07d358993358.

* tests: build test helpers before removing the vendoring

* tests: fix debian-sid build

* Revert "tests: build test helpers before removing the vendoring"

This reverts commit e7d8ba53a887955f573e1ddcac7e7e6beaea6585.
2023-05-11 16:12:02 +02:00
Michael Vogt
78a6ef277e go.mod: update github.com/snapcore/secboot to latest uc22 (#12778)
* go.mod: update github.com/snapcore/secboot to latest uc22
2023-04-28 23:12:37 +02:00
Michael Vogt
66af06e466 packaging: update for go-1.18 2023-04-17 15:48:36 +02:00
Miguel Pires
f4782b1d5a run-checks: use nakedret@1.0.1 compatible w/ go1.13
Signed-off-by: Miguel Pires <miguel.pires@canonical.com>
2023-04-11 16:34:27 +01:00
Michael Vogt
9b42bfee0d secboot: update secboot branch and enable InlineCryptoEngine support 2023-03-06 10:58:38 +01:00
Michael Vogt
33e582bda1 secboot: detect lockout mode in CheckTPMKeySealingSupported (#12418)
This commit fixes the issue that the detection of TPM key sealing
does not take into account if the system already has the lockout
auth attribute set. If this is the case an install will not be
successful but currently this is detected very late.

Note that lockoutAuthSet() is exactly the same 5 lines of code as
https://github.com/snapcore/secboot/pull/220/files
Once we can use secboot master this can be removed and
`secboot.LockoutAuthSet()` can be used instead.

* devicestate: take tpm provision mode into account when checking for encryption

* devicestate: tweak MockSecbootCheckTPMKeySealingSupported() usage and tests

* secboot: improve test coverage for CheckTPMKeySealingSupported()

* secboot: use LockoutAuthSet from secboot

* devicestate: more mode->tpmMode
2023-01-23 09:59:56 +01:00
Alfonso Sánchez-Beato
508e02379d go.mod: update to latest secboot/uc22 commit
This pulls also a more modern go-efilib and go-gflags. For go-flags we
need to include
4d0b7bb1d3
to fix a panic.
2022-09-24 12:49:35 +01:00
Samuele Pedroni
285eb30391 asserts,boot,secboot: switch to a secboot version measuring classic
to have the information available when we seal capture classic in
modeenv and bootchains as we do for other mode characteristics

as for now we assume we don't want to support classic/core remodels

some things need to be tested but it's best if the tests are added
when we are actually looking at the full picture of installing classic
systems with modes
2022-09-05 15:23:28 +02:00
Fred Lotter
34f3136cb5 crypto: update url for maze.io/x/crypto sources
The repo for maze.io/x/crypto is no longer accessible directly
(The Google cache date is May 2022).

If GOPROXY is enabled, the repo can still be indirectly located
through the proxy cache.

It is sometimes useful to have the proxy disabled (GOPROXY=direct)
as any upstream repository changes can take time to propagate to
the proxy (https://github.com/golang/go/issues/42449).

The crypto packages are currently needed in the secboot codebase
TPM package (https://github.com/snapcore/secboot). The secboot
repository is not currently a go module (no go.mod/go.sum) and is
built as part of the snapd build process.

Update the snapd module dependencies to redirect the old URL to
point to the exact same version here:

github.com/snapcore/maze.io-x-crypto

Tested builds with Go v1.13 and v1.18.

Signed-off-by: Fred Lotter <fred.lotter@canonical.com>
2022-08-16 17:34:16 +02:00
Maciej Borzecki
00ff4cdc7c deps: bump libseccomp-golang to include fix for ActKill/ActKillThread
See https://github.com/seccomp/libseccomp-golang/pull/85 for details. Also fixes
https://github.com/seccomp/libseccomp-golang/issues/89.

Fixes: https://bugs.launchpad.net/bugs/1972119

Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
2022-05-09 10:09:30 +02:00
Dimitri John Ledkov
577d3b86e3 Merge remote-tracking branch 'origin/master' into riscv64-seccomp 2021-11-02 10:18:03 +00:00
Samuele Pedroni
81aa8c9d93 secboot: use latest secboot with tpm legacy platform and v2 fully optional (#10946)
this bumps the secboot version to the one with

tpm "legacy" platform key data support, this means using the
ActivateVolumeWithKeyData APIs even with TPM but still using
the non-JSON keys

v2 sealed keys use only when strictly necessary, otherwise
v1 keys are written

to prepare for this we reapply the changes from #10715 that were reverted in #10930
2021-10-21 14:39:39 +02:00
Ian Johnson
40609c1cac Revert "secboot: move to new version" 2021-10-14 12:47:15 -05:00
Dimitri John Ledkov
29ad89c3bf packaging: continue to use forked libseccomp on trusty
It is unknown if and when a trusty build may or may not be needed
again. Resurrect using the old forked libseccomp for trusty builds
only. Add a single file that will continue to keep old forked
libseccomp vendored for trusty builds.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
2021-10-08 14:00:57 +01:00
Dimitri John Ledkov
eadb1b9d9e packaging: switch from mvo5/libseccomp-golang to seccomp/libseccomp-golang
SRUs and ESM uploads of snapd in pure trusty archives are no longer
built. If builds on trusty are required new enough libseccomp is
available from trusty-backports. Or we can introduce trusty-only
packaging patches to use mvo5/libseccomp-golang, in a similar fashion
we currently patch mvo5->seccomp to use modern upstream
seccomp/libseccomp-golang in stable/recent distro builds.

Upgrade to upstream seccomp adds support for RISCV64 architecture.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
2021-10-08 14:00:54 +01:00
Dimitri John Ledkov
68ef3be1af go.mod: update secboot & go-efilib for 32-bit compat
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
2021-09-14 10:09:43 +01:00