This commit adds a new `systemd.Run()` function that implements
a wrapper around `systemd-run`. This will be used to spawn
commands that use `--keyring-mode=inherit` when interacting
with the kernel keyring.
EncryptedDeviceMapperName is used to generate the name when installing a device
with ICE.
The DeviceSetupHookPartitionOffset is used to mount a mapper device of the
partition offset to create a header in the offset on the physical partition.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>

We need to specify the PartitionName for ICE decryption since it is currently
based on partition name as well as the mapper device provided in Device.
Also allow mocking the actual call to runFDEDeviceUnlockCommand from other
packages without all the complexity of creating hook scripts and such, and add
some more debug logging.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>

Eliminate the confusion around whether we are mocking systemd-run here, because
we are not mocking systemd-run, we are mocking the hook which systemd-run
executes.
Also check calls to the hook in one of the unit tests which was not doing this.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>

Add two new functions, IsEncryptedDeviceMapperName to identify whether a device
mapper node has a device-unlock encrypted mapper name, and
DeviceUnlockKernelHookDeviceMapperHandler to combine the identification with
the task of "un-mapping" the device mapper to the original source disk. Also
register this with the disks package so users of the disks package will get
this built-in when they also import the fde package.
Signed-off-by: Ian Johnson <ian.johnson@canonical.com>

This test has been occasionally failing under spread:
```
FAIL: fde_test.go:492: fdeSuite.TestRevealErr
using shellcheck: ""
fde_test.go:508:
c.Assert(err, ErrorMatches, `(?s)cannot run fde-reveal-key "reveal":
-----
failed
service result: exit-code
-----`)
... error string = "cannot run fde-reveal-key \"reveal\": exit status 1"
... regex string = "" +
... "(?s)cannot run fde-reveal-key \"reveal\": \n" +
... "-----\n" +
... "failed\n" +
... "service result: exit-code\n" +
... "-----"
OOPS: 9 passed, 5 skipped, 1 FAILED
```
While we couldn't yet reproduce it locally and find what exactly
triggers it, it makes sense to exclude systemd-run from the picture by
mocking it. We now simply check that it was invoked with the right
parameters and that its output is captured correctly.
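The following is an added example, not code from these commits or from the project itself, showing the two ideas the first and the last message above describe: a thin `systemd-run` wrapper that builds the transient-unit command line, and a single mockable launcher seam so a unit test can replace `systemd-run` entirely and assert only on the parameters it was invoked with and on how the hook's stdout and exit error are propagated. All names (`RunOptions`, `SystemdRunArgs`, `Run`, `MockSystemdRun`, `NewRecordingLauncher`, `Call`) are hypothetical. The keyring mode is passed as `--property=KeyringMode=inherit`, which is how `systemd-run` sets unit properties; whether the project spells the `--keyring-mode=inherit` shorthand from the commit message that way is an assumption. The JSON request and reply in `main()` are constructed data, not a real sealed key.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// RunOptions controls how the wrapped command is launched (hypothetical type).
type RunOptions struct {
	KeyringMode string // "inherit" lets the unit see the caller's session keyring
	Stdin       []byte // request fed to the command, e.g. a JSON hook request
}

// launcher starts argv with the given stdin and returns captured stdout.
type launcher func(argv []string, stdin []byte) ([]byte, error)

// realLauncher really executes systemd-run; main() below never uses it, so the
// example also runs on hosts without systemd.
func realLauncher(argv []string, stdin []byte) ([]byte, error) {
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdin = bytes.NewReader(stdin)
	var stderr bytes.Buffer
	cmd.Stderr = &stderr
	out, err := cmd.Output()
	if err != nil {
		return nil, fmt.Errorf("cannot run %v: %v: %s", argv, err, strings.TrimSpace(stderr.String()))
	}
	return out, nil
}

// launch is the single seam that tests replace; see MockSystemdRun.
var launch launcher = realLauncher

// SystemdRunArgs builds the command line: --wait blocks until the transient
// unit exits, --pipe connects our stdio to it, --collect unloads the unit even
// if it fails, --quiet silences systemd-run's own messages. KeyringMode is set
// as a unit property (assumption: the project may spell this differently).
func SystemdRunArgs(command []string, opts *RunOptions) ([]string, error) {
	if len(command) == 0 {
		return nil, errors.New("cannot run systemd-run: no command given")
	}
	argv := []string{"systemd-run", "--wait", "--pipe", "--collect", "--quiet"}
	if opts != nil && opts.KeyringMode != "" {
		argv = append(argv, "--property=KeyringMode="+opts.KeyringMode)
	}
	argv = append(argv, "--")
	return append(argv, command...), nil
}

// Run spawns command under systemd-run and returns its stdout.
func Run(command []string, opts *RunOptions) ([]byte, error) {
	argv, err := SystemdRunArgs(command, opts)
	if err != nil {
		return nil, err
	}
	var stdin []byte
	if opts != nil {
		stdin = opts.Stdin
	}
	return launch(argv, stdin)
}

// MockSystemdRun swaps the launcher for fn and returns a restore function.
func MockSystemdRun(fn launcher) (restore func()) {
	old := launch
	launch = fn
	return func() { launch = old }
}

// Call records one invocation seen by a mocked launcher.
type Call struct {
	Argv  []string
	Stdin []byte
}

// NewRecordingLauncher returns a launcher that records every call and replies
// with canned stdout/err, so a test can check parameters and output handling.
func NewRecordingLauncher(stdout []byte, err error) (*[]Call, launcher) {
	calls := &[]Call{}
	return calls, func(argv []string, stdin []byte) ([]byte, error) {
		*calls = append(*calls, Call{Argv: append([]string(nil), argv...), Stdin: append([]byte(nil), stdin...)})
		return stdout, err
	}
}

func main() {
	// Constructed hook reply; not a real key.
	calls, mock := NewRecordingLauncher([]byte(`{"key":"c2VjcmV0"}`), nil)
	defer MockSystemdRun(mock)()
	out, err := Run([]string{"fde-reveal-key"}, &RunOptions{KeyringMode: "inherit", Stdin: []byte(`{"op":"reveal"}`)})
	fmt.Printf("argv=%q stdin=%s out=%s err=%v\n", (*calls)[0].Argv, (*calls)[0].Stdin, out, err)
}
```

The mock deliberately sits at the process-launch seam rather than in front of the hook: a test that only wants to check the `systemd-run` parameters and the output capture never touches systemd at all, which is exactly the flakiness the message above removes from the picture. A test that instead wants to exercise the hook's own behaviour keeps the real launcher and mocks the hook script, which is the distinction drawn in the earlier "we are not mocking systemd-run" message.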