Version: v0.0.0-...-9e584df

Published: Aug 27, 2021 License: GPL-3.0 Imports: 12 Imported by: 0



Package fde implements helpers used by low-level parts like secboot in snap-bootstrap and high-level parts like DeviceManager in snapd.

Note that it must never import anything overlord-related itself, to avoid increasing the size of snap-bootstrap.





func HasRevealKey

func HasRevealKey() bool

HasRevealKey returns true if the current system has a "fde-reveal-key" binary (usually used in the initrd).

This will be set up by devicestate to support device-specific full disk encryption implementations.

func LockSealedKeys

func LockSealedKeys() error

func MockRunFDERevealKey

func MockRunFDERevealKey(mock func(*RevealKeyRequest) ([]byte, error)) (restore func())

func Reveal

func Reveal(params *RevealParams) (payload []byte, err error)

Reveal invokes the fde-reveal-key reveal operation.


type InitialSetupParams

type InitialSetupParams struct {
	Key     []byte
	KeyName string
}

InitialSetupParams contains the inputs for the fde-setup hook

type InitialSetupResult

type InitialSetupResult struct {
	// result when called with "initial-setup"
	// XXX call this encrypted-key if possible?
	EncryptedKey []byte           `json:"sealed-key"`
	Handle       *json.RawMessage `json:"handle"`
}

InitialSetupResult contains the outputs of the fde-setup hook.

func InitialSetup

func InitialSetup(runSetupHook RunSetupHookFunc, params *InitialSetupParams) (*InitialSetupResult, error)

InitialSetup invokes the initial-setup op running the kernel hook via runSetupHook.

type RevealKeyRequest

type RevealKeyRequest struct {
	Op string `json:"op"`

	SealedKey []byte           `json:"sealed-key,omitempty"`
	Handle    *json.RawMessage `json:"handle,omitempty"`
	// deprecated for v1
	KeyName string `json:"key-name,omitempty"`
}

RevealKeyRequest carries the operation parameters to the fde-reveal-key helper, which receives them serialized over stdin.

type RevealParams

type RevealParams struct {
	SealedKey []byte
	Handle    *json.RawMessage
	// V2Payload is set true if SealedKey is expected to contain a v2 payload
	// (disk key + aux key)
	V2Payload bool
}

RevealParams contains the parameters for the fde-reveal-key reveal operation.

type RunSetupHookFunc

type RunSetupHookFunc func(req *SetupRequest) ([]byte, error)

A RunSetupHookFunc implements running the fde-setup kernel hook.

type SetupRequest

type SetupRequest struct {
	// XXX: make "op" a type: "features", "initial-setup", "update" ?
	Op string `json:"op"`

	// This needs to be a []byte so that Go's standard library will base64
	// encode it automatically for us
	Key     []byte `json:"key,omitempty"`
	KeyName string `json:"key-name,omitempty"`
}

SetupRequest carries the operation and parameters for the fde-setup hook; the hook obtains them via the snapctl fde-setup-request command.
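As an added example (not code from the fde package or snapd), the following mirrors the RevealKeyRequest and SetupRequest wire formats documented above using local copies of the types, renders what snapd would write to the helper's stdin, and decodes it the way a fde-reveal-key helper could, rejecting unknown fields and unsupported operations. The key bytes and the handle are constructed sample values.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
)

// Local copies of the wire types documented above (same json tags); not snapd's code.
type SetupRequest struct {
	Op      string `json:"op"`
	Key     []byte `json:"key,omitempty"` // []byte becomes a base64 string on the wire
	KeyName string `json:"key-name,omitempty"`
}

type RevealKeyRequest struct {
	Op        string           `json:"op"`
	SealedKey []byte           `json:"sealed-key,omitempty"`
	Handle    *json.RawMessage `json:"handle,omitempty"` // opaque, passed through verbatim
	KeyName   string           `json:"key-name,omitempty"` // deprecated for v1
}

// encodeRevealRequest renders the "reveal" request written to fde-reveal-key's stdin.
func encodeRevealRequest(sealed []byte, handle json.RawMessage) ([]byte, error) {
	return json.Marshal(&RevealKeyRequest{Op: "reveal", SealedKey: sealed, Handle: &handle})
}

// decodeRevealRequest is the helper side: parse one request from stdin, reject
// unknown fields, and only proceed for the operation this helper implements.
func decodeRevealRequest(stdin io.Reader) (*RevealKeyRequest, error) {
	dec := json.NewDecoder(stdin)
	dec.DisallowUnknownFields()
	var req RevealKeyRequest
	if err := dec.Decode(&req); err != nil {
		return nil, fmt.Errorf("bad request: %w", err)
	}
	if req.Op != "reveal" {
		return nil, fmt.Errorf("unsupported op %q", req.Op)
	}
	return &req, nil
}

func main() { // constructed sample values, not real key material
	wire, _ := encodeRevealRequest([]byte{1, 2, 3}, json.RawMessage(`{"v":1}`))
	fmt.Println(string(wire)) // {"op":"reveal","sealed-key":"AQID","handle":{"v":1}}
	req, err := decodeRevealRequest(bytes.NewReader(wire))
	fmt.Println(req.Op, req.SealedKey, err)
}
```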
