
Commit 4fc4cfa

authored
many: pass preinstall check result to where sealing happens (#16354)
* overlord/install: make check result available to sealing logic as a trusted install observer param * many: pass on preinstall check result to where sealing happens
1 parent 17a75f2 commit 4fc4cfa


16 files changed

+186
-48
lines changed


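--- a/boot/assets.go
+++ b/boot/assets.go
@@ -258,7 +258,12 @@ type TrustedAssetsInstallObserver interface {
 ObserveExistingTrustedRecoveryAssets(recoveryRootDir string) error
 // FIXME: Combine relevant FDE params into some FDE context that can be
 // passed around instead of passing around many params.
-SetEncryptionParams(key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions)
+SetEncryptionParams(
+key, saveKey secboot.BootstrappedContainer,
+primaryKey []byte,
+volumesAuth *device.VolumesAuthOptions,
+checkResult *secboot.PreinstallCheckResult,
+)
 UpdateBootEntry() error
 Observe(op gadget.ContentOperation, partRole, root, relativeTarget string, data *gadget.ContentChange) (gadget.ContentChangeAction, error)
 }
@@ -290,6 +295,10 @@ type trustedAssetsInstallObserverImpl struct {
 primaryKey []byte
 
 volumesAuth *device.VolumesAuthOptions
+
+// checkResult contains information required during and post install
+// for optimum PCR configuration and resealing.
+checkResult *secboot.PreinstallCheckResult
 }
 
 func (o *trustedAssetsInstallObserverImpl) BootLoaderSupportsEfiVariables() bool {
@@ -374,12 +383,18 @@ func (o *trustedAssetsInstallObserverImpl) currentTrustedRecoveryBootAssetsMap()
 return o.trackedRecoveryAssets
 }
 
-func (o *trustedAssetsInstallObserverImpl) SetEncryptionParams(key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions) {
+func (o *trustedAssetsInstallObserverImpl) SetEncryptionParams(
+key, saveKey secboot.BootstrappedContainer,
+primaryKey []byte,
+volumesAuth *device.VolumesAuthOptions,
+checkResult *secboot.PreinstallCheckResult,
+) {
 o.useEncryption = true
 o.dataBootstrappedContainer = key
 o.saveBootstrappedContainer = saveKey
 o.primaryKey = primaryKey
 o.volumesAuth = volumesAuth
+o.checkResult = checkResult
 }
 
 func (o *trustedAssetsInstallObserverImpl) UpdateBootEntry() error {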
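Review bot: Neither the `SetEncryptionParams` declaration in the interface nor the new `checkResult` field comment says whether nil is a valid value, although the updated callers in boot/assets_test.go pass nil and the call site in boot/makebootable.go describes the value as used "when available". Because the field comment ties this value to the PCR configuration used for sealing and resealing, the nil case is worth stating where the field is declared, for example `// checkResult may be nil; sealing then uses <fallback behaviour, to be filled in>.` The pointer is stored as passed, so caller and observer share one PreinstallCheckResult; if it can change after this call, a sentence on ownership would help. The interface and struct bodies extend beyond the hunks shown.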

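--- a/boot/assets_test.go
+++ b/boot/assets_test.go
@@ -481,14 +481,16 @@ func (s *assetsSuite) TestInstallObserverNonTrustedBootloader(c *C) {
 saveBootstrappedContainer := secboot.CreateMockBootstrappedContainer()
 c.Assert(dataBootstrappedContainer, Not(Equals), saveBootstrappedContainer)
 volumesAuth := &device.VolumesAuthOptions{Mode: device.AuthModePassphrase, Passphrase: "test"}
-obs.SetEncryptionParams(dataBootstrappedContainer, saveBootstrappedContainer, nil, volumesAuth)
+checkResult := &secboot.PreinstallCheckResult{}
+obs.SetEncryptionParams(dataBootstrappedContainer, saveBootstrappedContainer, nil, volumesAuth, checkResult)
 
 observerImpl, ok := obs.(*boot.TrustedAssetsInstallObserverImpl)
 c.Assert(ok, Equals, true)
 
 c.Check(observerImpl.CurrentDataBootstrappedContainer(), DeepEquals, dataBootstrappedContainer)
 c.Check(observerImpl.CurrentSaveBootstrappedContainer(), DeepEquals, saveBootstrappedContainer)
 c.Check(observerImpl.CurrentVolumesAuth(), Equals, volumesAuth)
+c.Check(observerImpl.CurrentCheckResult(), Equals, checkResult)
 }
 
 func (s *assetsSuite) TestInstallObserverTrustedButNoAssets(c *C) {
@@ -509,13 +511,14 @@ func (s *assetsSuite) TestInstallObserverTrustedButNoAssets(c *C) {
 c.Assert(obs, NotNil)
 dataBootstrappedContainer := secboot.CreateMockBootstrappedContainer()
 saveBootstrappedContainer := secboot.CreateMockBootstrappedContainer()
-obs.SetEncryptionParams(dataBootstrappedContainer, saveBootstrappedContainer, nil, nil)
+obs.SetEncryptionParams(dataBootstrappedContainer, saveBootstrappedContainer, nil, nil, nil)
 
 observerImpl, ok := obs.(*boot.TrustedAssetsInstallObserverImpl)
 c.Assert(ok, Equals, true)
 
 c.Check(observerImpl.CurrentDataBootstrappedContainer(), DeepEquals, dataBootstrappedContainer)
 c.Check(observerImpl.CurrentSaveBootstrappedContainer(), DeepEquals, saveBootstrappedContainer)
+c.Check(observerImpl.CurrentCheckResult(), IsNil)
 }
 
 func (s *assetsSuite) TestInstallObserverTrustedReuseNameErr(c *C) {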

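--- a/boot/export_test.go
+++ b/boot/export_test.go
@@ -118,6 +118,10 @@ func (o *trustedAssetsInstallObserverImpl) CurrentVolumesAuth() *device.VolumesA
 return o.volumesAuth
 }
 
+func (o *trustedAssetsInstallObserverImpl) CurrentCheckResult() *secboot.PreinstallCheckResult {
+return o.checkResult
+}
+
 func (o *TrustedAssetsUpdateObserver) InjectChangedAsset(blName, assetName, hash string, recovery bool) {
 ta := &trackedAsset{
 blName: blName,
@@ -241,7 +245,7 @@ func MockResealKeyForBootChains(f func(unlocker Unlocker, method device.SealingM
 }
 }
 
-func MockSealKeyForBootChains(f func(method device.SealingMethod, key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, params *SealKeyForBootChainsParams) error) (restore func()) {
+func MockSealKeyForBootChains(f func(method device.SealingMethod, key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, checkResult *secboot.PreinstallCheckResult, params *SealKeyForBootChainsParams) error) (restore func()) {
 old := SealKeyForBootChains
 SealKeyForBootChains = f
 return func() {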

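--- a/boot/makebootable.go
+++ b/boot/makebootable.go
@@ -660,8 +660,19 @@ func makeRunnableSystem(model *asserts.Model, bootWith *BootableSet, observer Tr
 if makeOpts.Standalone {
 flags.SnapsDir = snapBlobDir
 }
-// seal the encryption key to the parameters specified in modeenv
-if err := sealKeyToModeenv(observerImpl.dataBootstrappedContainer, observerImpl.saveBootstrappedContainer, observerImpl.primaryKey, observerImpl.volumesAuth, model, modeenv, flags); err != nil {
+// seal the encryption key to the parameters specified in
+// modeenv as well as optimum PCR configuration specified in the
+// check result (when available)
+if err := sealKeyToModeenv(
+observerImpl.dataBootstrappedContainer,
+observerImpl.saveBootstrappedContainer,
+observerImpl.primaryKey,
+observerImpl.volumesAuth,
+observerImpl.checkResult,
+model,
+modeenv,
+flags,
+); err != nil {
 return err
 }
 }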

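--- a/boot/makebootable_test.go
+++ b/boot/makebootable_test.go
@@ -549,6 +549,7 @@ func (s *makeBootable20Suite) TestMakeSystemRunnableSealWithHookKeyProtector(c *
 key, saveKey secboot.BootstrappedContainer,
 primaryKey []byte,
 volumesAuth *device.VolumesAuthOptions,
+checkResult *secboot.PreinstallCheckResult,
 model *asserts.Model,
 modeenv *boot.Modeenv,
 flags boot.MockSealKeyToModeenvFlags,
@@ -746,8 +747,9 @@ version: 5.0
 myKey := secboot.CreateMockBootstrappedContainer()
 myKey2 := secboot.CreateMockBootstrappedContainer()
 chosenPrimaryKey := []byte("primarykey!")
-volumesAuth := &device.VolumesAuthOptions{Mode: device.AuthModePassphrase, Passphrase: "test"}
-obs.SetEncryptionParams(myKey, myKey2, chosenPrimaryKey, volumesAuth)
+myVolumesAuth := &device.VolumesAuthOptions{Mode: device.AuthModePassphrase, Passphrase: "test"}
+myCheckResult := &secboot.PreinstallCheckResult{}
+obs.SetEncryptionParams(myKey, myKey2, chosenPrimaryKey, myVolumesAuth, myCheckResult)
 
 // set a mock recovery kernel
 readSystemEssentialCalls := 0
@@ -763,13 +765,14 @@ version: 5.0
 defer restore()
 
 sealKeyForBootChainsCalled := 0
-restore = boot.MockSealKeyForBootChains(func(method device.SealingMethod, key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, params *boot.SealKeyForBootChainsParams) error {
+restore = boot.MockSealKeyForBootChains(func(method device.SealingMethod, key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, checkResult *secboot.PreinstallCheckResult, params *boot.SealKeyForBootChainsParams) error {
 sealKeyForBootChainsCalled++
 c.Check(method, Equals, device.SealingMethodTPM)
 c.Check(key, Equals, myKey)
 c.Check(saveKey, Equals, myKey2)
 c.Check(primaryKey, DeepEquals, chosenPrimaryKey)
-c.Check(volumesAuth, Equals, volumesAuth)
+c.Check(volumesAuth, Equals, myVolumesAuth)
+c.Check(checkResult, Equals, myCheckResult)
 
 recoveryBootLoader, hasRecovery := params.RoleToBlName[bootloader.RoleRecovery]
 c.Assert(hasRecovery, Equals, true)
@@ -1253,7 +1256,7 @@ version: 5.0
 myKey := secboot.CreateMockBootstrappedContainer()
 myKey2 := secboot.CreateMockBootstrappedContainer()
 chosenPrimaryKey := []byte("primarykey!")
-obs.SetEncryptionParams(myKey, myKey2, chosenPrimaryKey, nil)
+obs.SetEncryptionParams(myKey, myKey2, chosenPrimaryKey, nil, nil)
 
 // set a mock recovery kernel
 readSystemEssentialCalls := 0
@@ -1264,7 +1267,7 @@ version: 5.0
 defer restore()
 
 sealKeyForBootChainsCalled := 0
-restore = boot.MockSealKeyForBootChains(func(method device.SealingMethod, key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, params *boot.SealKeyForBootChainsParams) error {
+restore = boot.MockSealKeyForBootChains(func(method device.SealingMethod, key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, checkResult *secboot.PreinstallCheckResult, params *boot.SealKeyForBootChainsParams) error {
 sealKeyForBootChainsCalled++
 c.Check(method, Equals, device.SealingMethodTPM)
 c.Check(key, Equals, myKey)
@@ -1448,7 +1451,7 @@ version: 5.0
 myKey := secboot.CreateMockBootstrappedContainer()
 myKey2 := secboot.CreateMockBootstrappedContainer()
 chosenPrimaryKey := []byte("primarykey!")
-obs.SetEncryptionParams(myKey, myKey2, chosenPrimaryKey, nil)
+obs.SetEncryptionParams(myKey, myKey2, chosenPrimaryKey, nil, nil)
 
 // set a mock recovery kernel
 readSystemEssentialCalls := 0
@@ -1459,7 +1462,7 @@ version: 5.0
 defer restore()
 
 sealKeyForBootChainsCalled := 0
-restore = boot.MockSealKeyForBootChains(func(method device.SealingMethod, key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, params *boot.SealKeyForBootChainsParams) error {
+restore = boot.MockSealKeyForBootChains(func(method device.SealingMethod, key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, checkResult *secboot.PreinstallCheckResult, params *boot.SealKeyForBootChainsParams) error {
 sealKeyForBootChainsCalled++
 c.Check(method, Equals, device.SealingMethodTPM)
 c.Check(key, DeepEquals, myKey)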
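Review bot: The mock `SealKeyForBootChains` callbacks at new lines 1270 and 1465 take the new `checkResult` argument but gain no assertion on it, while the matching `obs.SetEncryptionParams(myKey, myKey2, chosenPrimaryKey, nil, nil)` calls pass nil. Adding `c.Check(checkResult, IsNil)` next to the existing key checks would pin that nil reaches the sealing call unchanged, in the same way the callback at new line 768 checks `c.Check(checkResult, Equals, myCheckResult)`. The same applies to the callback at new line 1616 of boot/seal_test.go, where `boot.SealKeyToModeenv` is also called with a nil check result. The callback bodies continue outside the hunks.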

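--- a/boot/seal.go
+++ b/boot/seal.go
@@ -76,7 +76,7 @@ func MockResealKeyToModeenv(f func(rootdir string, modeenv *Modeenv, opts Reseal
 type MockSealKeyToModeenvFlags = sealKeyToModeenvFlags
 
 // MockSealKeyToModeenv is used for testing from other packages.
-func MockSealKeyToModeenv(f func(key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, model *asserts.Model, modeenv *Modeenv, flags MockSealKeyToModeenvFlags) error) (restore func()) {
+func MockSealKeyToModeenv(f func(key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, checkResult *secboot.PreinstallCheckResult, model *asserts.Model, modeenv *Modeenv, flags MockSealKeyToModeenvFlags) error) (restore func()) {
 old := sealKeyToModeenv
 sealKeyToModeenv = f
 return func() {
@@ -112,6 +112,7 @@ func sealKeyToModeenvImpl(
 key, saveKey secboot.BootstrappedContainer,
 primaryKey []byte,
 volumesAuth *device.VolumesAuthOptions,
+checkResult *secboot.PreinstallCheckResult,
 model *asserts.Model,
 modeenv *Modeenv,
 flags sealKeyToModeenvFlags,
@@ -143,7 +144,7 @@ func sealKeyToModeenvImpl(
 defer relock()
 }
 
-return sealKeyToModeenvForMethod(method, key, saveKey, primaryKey, volumesAuth, model, modeenv, flags)
+return sealKeyToModeenvForMethod(method, key, saveKey, primaryKey, volumesAuth, checkResult, model, modeenv, flags)
 }
 
 type BootChains struct {
@@ -180,6 +181,7 @@ func sealKeyForBootChainsImpl(
 key, saveKey secboot.BootstrappedContainer,
 primaryKey []byte,
 volumesAuth *device.VolumesAuthOptions,
+checkResult *secboot.PreinstallCheckResult,
 params *SealKeyForBootChainsParams,
 ) error {
 return fmt.Errorf("FDE manager backend was not built in")
@@ -192,6 +194,7 @@ func sealKeyToModeenvForMethod(
 key, saveKey secboot.BootstrappedContainer,
 primaryKey []byte,
 volumesAuth *device.VolumesAuthOptions,
+checkResult *secboot.PreinstallCheckResult,
 model *asserts.Model,
 modeenv *Modeenv,
 flags sealKeyToModeenvFlags,
@@ -261,7 +264,7 @@ func sealKeyToModeenvForMethod(
 params.RoleToBlName[bootloader.RoleRunMode] = bl.Name()
 }
 
-return SealKeyForBootChains(method, key, saveKey, primaryKey, volumesAuth, params)
+return SealKeyForBootChains(method, key, saveKey, primaryKey, volumesAuth, checkResult, params)
 }
 
 var resealKeyToModeenv = resealKeyToModeenvImpl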
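Review bot: `sealKeyToModeenvForMethod` forwards `checkResult` to `SealKeyForBootChains` for every sealing method, and nothing in the changed signatures says for which methods it is consulted. The comment added in boot/makebootable.go relates it to PCR configuration, which suggests it matters only for TPM sealing, but that is an inference from this page. A short comment on the parameter would settle it, for example `// checkResult is only used for device.SealingMethodTPM and may be nil otherwise (confirm)`. The function bodies lie mostly outside the hunks.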

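--- a/boot/seal_test.go
+++ b/boot/seal_test.go
@@ -165,6 +165,7 @@ func (s *sealSuite) TestSealKeyToModeenv(c *C) {
 myKey2 := secboot.CreateMockBootstrappedContainer()
 // and volumes authentication options
 myVolumesAuth := &device.VolumesAuthOptions{Mode: device.AuthModePassphrase, Passphrase: "test"}
+myCheckResult := &secboot.PreinstallCheckResult{}
 
 // set a mock recovery kernel
 readSystemEssentialCalls := 0
@@ -175,7 +176,7 @@ func (s *sealSuite) TestSealKeyToModeenv(c *C) {
 defer restore()
 
 sealKeyForBootChainsCalled := 0
-restore = boot.MockSealKeyForBootChains(func(method device.SealingMethod, key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, params *boot.SealKeyForBootChainsParams) error {
+restore = boot.MockSealKeyForBootChains(func(method device.SealingMethod, key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, checkResult *secboot.PreinstallCheckResult, params *boot.SealKeyForBootChainsParams) error {
 sealKeyForBootChainsCalled++
 
 for _, d := range []string{boot.InitramfsSeedEncryptionKeyDir, filepath.Join(dirs.GlobalRootDir, "/run/mnt/ubuntu-data/system-data/var/lib/snapd/device/fde")} {
@@ -187,6 +188,7 @@ func (s *sealSuite) TestSealKeyToModeenv(c *C) {
 c.Check(key, DeepEquals, myKey)
 c.Check(saveKey, DeepEquals, myKey2)
 c.Check(volumesAuth, Equals, myVolumesAuth)
+c.Check(checkResult, Equals, myCheckResult)
 
 recoveryBootLoader, hasRecovery := params.RoleToBlName[bootloader.RoleRecovery]
 c.Assert(hasRecovery, Equals, true)
@@ -236,7 +238,7 @@ func (s *sealSuite) TestSealKeyToModeenv(c *C) {
 defer restore()
 
 u := mockUnlocker{}
-err = boot.SealKeyToModeenv(myKey, myKey2, nil, myVolumesAuth, model, modeenv, boot.MockSealKeyToModeenvFlags{
+err = boot.SealKeyToModeenv(myKey, myKey2, nil, myVolumesAuth, myCheckResult, model, modeenv, boot.MockSealKeyToModeenvFlags{
 FactoryReset: tc.factoryReset,
 StateUnlocker: u.unlocker,
 UseTokens: !tc.disableTokens,
@@ -1611,7 +1613,7 @@ func (s *sealSuite) TestSealToModeenvWithSecbootProtectorHappy(c *C) {
 myKey2 := secboot.CreateMockBootstrappedContainer()
 
 sealKeyForBootChainsCalled := 0
-restore = boot.MockSealKeyForBootChains(func(method device.SealingMethod, key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, params *boot.SealKeyForBootChainsParams) error {
+restore = boot.MockSealKeyForBootChains(func(method device.SealingMethod, key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, checkResult *secboot.PreinstallCheckResult, params *boot.SealKeyForBootChainsParams) error {
 sealKeyForBootChainsCalled++
 c.Check(method, Equals, device.SealingMethodFDESetupHook)
 c.Check(key, DeepEquals, myKey)
@@ -1640,7 +1642,7 @@ func (s *sealSuite) TestSealToModeenvWithSecbootProtectorHappy(c *C) {
 
 defer boot.MockSealModeenvLocked()()
 
-err := boot.SealKeyToModeenv(myKey, myKey2, nil, nil, model, modeenv, boot.MockSealKeyToModeenvFlags{HookKeyProtectorFactory: &fakeProtectorFactory{}, UseTokens: true})
+err := boot.SealKeyToModeenv(myKey, myKey2, nil, nil, nil, model, modeenv, boot.MockSealKeyToModeenvFlags{HookKeyProtectorFactory: &fakeProtectorFactory{}, UseTokens: true})
 c.Assert(err, IsNil)
 c.Check(sealKeyForBootChainsCalled, Equals, 1)
 }
@@ -1653,7 +1655,7 @@ func (s *sealSuite) TestSealToModeenvWithSecbootProtectorSad(c *C) {
 model := boottest.MakeMockUC20Model()
 
 sealKeyForBootChainsCalled := 0
-restore := boot.MockSealKeyForBootChains(func(method device.SealingMethod, key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, params *boot.SealKeyForBootChainsParams) error {
+restore := boot.MockSealKeyForBootChains(func(method device.SealingMethod, key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, checkResult *secboot.PreinstallCheckResult, params *boot.SealKeyForBootChainsParams) error {
 sealKeyForBootChainsCalled++
 
 return fmt.Errorf("seal key failed")
@@ -1673,7 +1675,7 @@ func (s *sealSuite) TestSealToModeenvWithSecbootProtectorSad(c *C) {
 
 defer boot.MockSealModeenvLocked()()
 
-err := boot.SealKeyToModeenv(key, saveKey, nil, nil, model, modeenv, boot.MockSealKeyToModeenvFlags{HookKeyProtectorFactory: &fakeProtectorFactory{}})
+err := boot.SealKeyToModeenv(key, saveKey, nil, nil, nil, model, modeenv, boot.MockSealKeyToModeenvFlags{HookKeyProtectorFactory: &fakeProtectorFactory{}})
 c.Assert(err, ErrorMatches, `seal key failed`)
 c.Check(sealKeyForBootChainsCalled, Equals, 1)
 }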

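--- a/cmd/snap-bootstrap/cmd_initramfs_mounts_install_test.go
+++ b/cmd/snap-bootstrap/cmd_initramfs_mounts_install_test.go
@@ -359,7 +359,7 @@ func (s *initramfsMountsSuite) testInitramfsMountsInstallModeWithCompsHappy(c *C
 observeExistingTrustedRecoveryAssetsCalled += 1
 return nil
 },
-SetEncryptionParamsFunc: func(key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions) {
+SetEncryptionParamsFunc: func(key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, checkResult *secboot.PreinstallCheckResult) {
 },
 UpdateBootEntryFunc: func() error {
 return nil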

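--- a/cmd/snap-bootstrap/cmd_initramfs_mounts_installrun_test.go
+++ b/cmd/snap-bootstrap/cmd_initramfs_mounts_installrun_test.go
@@ -43,7 +43,7 @@ import (
 type MockObserver struct {
 BootLoaderSupportsEfiVariablesFunc func() bool
 ObserveExistingTrustedRecoveryAssetsFunc func(recoveryRootDir string) error
-SetEncryptionParamsFunc func(key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions)
+SetEncryptionParamsFunc func(key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, checkResult *secboot.PreinstallCheckResult)
 UpdateBootEntryFunc func() error
 ObserveFunc func(op gadget.ContentOperation, partRole, root, relativeTarget string, data *gadget.ContentChange) (gadget.ContentChangeAction, error)
 }
@@ -56,8 +56,8 @@ func (m *MockObserver) ObserveExistingTrustedRecoveryAssets(recoveryRootDir stri
 return m.ObserveExistingTrustedRecoveryAssetsFunc(recoveryRootDir)
 }
 
-func (m *MockObserver) SetEncryptionParams(key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions) {
-m.SetEncryptionParamsFunc(key, saveKey, primaryKey, volumesAuth)
+func (m *MockObserver) SetEncryptionParams(key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, checkResult *secboot.PreinstallCheckResult) {
+m.SetEncryptionParamsFunc(key, saveKey, primaryKey, volumesAuth, checkResult)
 }
 
 func (m *MockObserver) UpdateBootEntry() error {
@@ -197,7 +197,7 @@ echo '{"features":[]}'
 observeExistingTrustedRecoveryAssetsCalled += 1
 return nil
 },
-SetEncryptionParamsFunc: func(key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions) {
+SetEncryptionParamsFunc: func(key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, checkResult *secboot.PreinstallCheckResult) {
 setBootstrappedContainersCalled++
 c.Check(key, Equals, dataContainer)
 c.Check(saveKey, Equals, saveContainer)
@@ -364,7 +364,7 @@ func (s *initramfsMountsSuite) TestInitramfsMountsInstallAndRunFdeSetupNotPresen
 observeExistingTrustedRecoveryAssetsCalled += 1
 return nil
 },
-SetEncryptionParamsFunc: func(key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions) {
+SetEncryptionParamsFunc: func(key, saveKey secboot.BootstrappedContainer, primaryKey []byte, volumesAuth *device.VolumesAuthOptions, checkResult *secboot.PreinstallCheckResult) {
 c.Errorf("unexpected call")
 },
 UpdateBootEntryFunc: func() error {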
