mirror of
https://github.com/token2/snapd.git
synced 2026-03-13 11:15:47 -07:00
* gadget/device: introduce package which provides helpers for locations of things

  Various helpers for getting location of things were spread out or doubled in the code base. This package aggregates them in one place.

  Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>

* boot,secboot: reset DA lockout counter after successful boot

  The TPM DictionaryAttack lockout counter is incremented after each unclean shutdown according to Chris Coulson in LP:1979185. This means that eventually, after enough unclean shutdowns, the system fails to boot and asks for the recovery key.

  To fix this snapd needs to clean the DA lockout counter after each successful run.

* device: add missing doc string for TpmLockoutAuthUnder

* secboot: add missing tests around MarkSuccessful

* tests: add nested core20-da-lockout test

  This commit adds a nested core20 test that triggers a bunch of unclean shutdowns in a nested VM. On a system that does not have the new `secboot.MarkSuccessful()` code this will eventually trigger a recovery key prompt as each unclean reboot increases the DA lockout counter by one.

  ```
  google-nested:ubuntu-20.04-64 /tmp/work-dir/logs# tail -n1 /tmp/work-dir/logs/serial.log
  Please enter the recovery key for disk /dev/disk/by-partuuid/3a1bacae-5d46-ce4b-960a-4074d18a8c05: (press TAB for no echo)
  ```

* devicestate: fix go fmt error

* tests: set nested/manual/core20-da-lockout to manual and improve comment/description

* secboot: improve docstrings

* secboot: shuffle code around so that tests with `-tags nosecboot` work correctly

* boot,device: extract StampSealedKeys,SealedKeysMethod from boot to device

* secboot: use new device.SealedKeysMethod()

* tests: make core20-da-lockout faster by reading the da lockout counter directly (thanks to Chris Coulson)

* tests: add new `test.nested vm unclean-reboot` and use in da lockout test

* tests: retry on lockout counter reading

  The lockout counter is cleared during snapd startup so we need to retry for a bit to see it cleared.

* tests: fix whitespace

* secboot: improve test around testMarkSuccessfulEncrypted and also check authValue

* secboot: fix silly typo (thanks to Samuele)

Co-authored-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
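
The commit message above describes a counter that climbs with each unclean shutdown until the TPM locks out and the recovery key is requested. The following added example (not part of the commit and not snapd's code) shows one way to monitor that headroom on a device. It assumes the counter is read with `tpm2_getcap properties-variable` from tpm2-tools; the sample output is constructed, and `DAState`, `ParseDAState` and `Headroom` are hypothetical names.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `tpm2_getcap properties-variable` output (assumed
// tpm2-tools format); the values are made up for illustration.
const sampleGetcap = `TPM2_PT_PERSISTENT:
  inLockout:                 0
TPM2_PT_LOCKOUT_COUNTER: 0x1D
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
`

// DAState holds the two dictionary-attack properties that decide lockout.
type DAState struct{ Counter, MaxTries uint64 }

// ParseDAState extracts the lockout counter and the failure limit, and
// fails if either property is absent so a truncated read is never trusted.
func ParseDAState(out string) (DAState, error) {
	var st DAState
	var gotCounter, gotMax bool
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		kv := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(kv) != 2 {
			continue
		}
		// Base 0 accepts the 0x-prefixed hex values shown in the sample.
		n, err := strconv.ParseUint(strings.TrimSpace(kv[1]), 0, 32)
		switch kv[0] {
		case "TPM2_PT_LOCKOUT_COUNTER":
			st.Counter, gotCounter = n, err == nil
		case "TPM2_PT_MAX_AUTH_FAIL":
			st.MaxTries, gotMax = n, err == nil
		}
	}
	if !gotCounter || !gotMax {
		return st, fmt.Errorf("DA properties missing or unparsable")
	}
	return st, nil
}

// Headroom is the number of further failures tolerated before lockout.
func (s DAState) Headroom() uint64 {
	if s.Counter >= s.MaxTries {
		return 0
	}
	return s.MaxTries - s.Counter
}

func main() {
	st, err := ParseDAState(sampleGetcap)
	fmt.Println(st.Counter, st.MaxTries, st.Headroom(), err)
}
```

A fleet health check could alert when `Headroom()` drops below a small threshold, which on a system without the counter reset would precede the recovery key prompt shown in the serial log.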