| author | Michael Vogt <mvo@ubuntu.com> | 2021-09-13 17:54:38 +0200 |
|---|---|---|
| committer | Michael Vogt <mvo@ubuntu.com> | 2021-09-14 12:56:07 +0200 |
| commit | 2d9b8ba456f071bafb89f2ad8b57ba840eae69c2 (patch) | |
| tree | fe02a733b56ba1cda2e8623ee2945856080f110d | |
| parent | 10588fdee9859e86a17d6e04e78a748fadcdcf5e (diff) | |
fde: add new inline-crypto-hw setup supportice/fde-setup-1
This adds support for inline crypto hardware like Qualcomm ICE to the fde-setup binary. A new `op:inline-crypto-hw-setup` is used for this.
| -rw-r--r-- | kernel/fde/fde.go | 34 | ||||
| -rw-r--r-- | kernel/fde/fde_test.go | 46 |
2 files changed, 78 insertions, 2 deletions
diff --git a/kernel/fde/fde.go b/kernel/fde/fde.go
index 65e96679f4..fc9cac0aad 100644
--- a/kernel/fde/fde.go
+++ b/kernel/fde/fde.go
@@ -29,6 +29,8 @@ import (
 	"encoding/json"
 	"fmt"
 	"os/exec"
+
+	"github.com/snapcore/snapd/osutil"
 )
 
 // HasRevealKey return true if the current system has a "fde-reveal-key"
@@ -73,13 +75,17 @@ func unmarshalInitialSetupResult(hookOutput []byte) (*InitialSetupResult, error)
 // SetupRequest carries the operation and parameters for the fde-setup hooks
 // made available to them via the snapctl fde-setup-request command.
 type SetupRequest struct {
-	// XXX: make "op" a type: "features", "initial-setup", "update" ?
 	Op string `json:"op"`
 
 	// This needs to be a []byte so that Go's standard library will base64
 	// encode it automatically for us
-	Key []byte `json:"key,omitempty"`
+	Key []byte `json:"key,omitempty"`
+
+	// Only used when called with "initial-setup"
 	KeyName string `json:"key-name,omitempty"`
+
+	// Only used when called with "hw-inline-setup"
+	Device string `json:"device,omitempty"`
 }
 
 // A RunSetupHookFunc implements running the fde-setup kernel hook.
@@ -116,3 +122,27 @@ func InitialSetup(runSetupHook RunSetupHookFunc, params *InitialSetupParams) (*I
 	}
 	return res, nil
 }
+
+// InlineCryptoHwSetupParams contains the inputs for the fde-setp hook.
+// The encryption key and the device (partition) are passed in.
+type InlineCryptoHwSetupParams struct {
+	Key []byte
+	Device string
+}
+
+// InlineCryptoHwSetup invokes the inline-crypto-hw-setup op running the kernel
+// hook via runSetupHook. This is used to initializes inline crypto
+// hardware.
+func InlineCryptoHwSetup(runSetupHook RunSetupHookFunc, params *InlineCryptoHwSetupParams) error {
+	req := &SetupRequest{
+		Op: "inline-crypto-hw-setup",
+		Key: params.Key,
+		Device: params.Device,
+	}
+	hookOutput, err := runSetupHook(req)
+	if err != nil {
+		return fmt.Errorf("inline crypto hw setup failed with: %v", osutil.OutputErr(hookOutput, err))
+	}
+
+	return nil
+}
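Review bot: The new comment on the `Device` field names an op that does not exist in this commit: it says `"hw-inline-setup"`, while the op string actually sent by `InlineCryptoHwSetup` in the third hunk is `"inline-crypto-hw-setup"`. A maintainer matching hook implementations against the struct documentation would look for the wrong op, so the comment should read `// Only used when called with "inline-crypto-hw-setup"`. It would also help to state that `Key` is shared by both ops, since its comment only explains the base64 encoding and the `KeyName` comment now suggests per-op fields.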
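Review bot: The doc comments on the new `InlineCryptoHwSetupParams` and `InlineCryptoHwSetup` have typos that will surface in godoc: `fde-setp` should be `fde-setup`, and `This is used to initializes inline crypto hardware.` should be `This is used to initialize inline crypto hardware.` The function reads `params.Key` and `params.Device` without a nil check, so a nil `params` panics; if that is the intended contract (it appears to mirror `InitialSetup`, whose body is outside the hunk), say so in the comment, e.g. `// params must not be nil.` Unlike `InitialSetup`, this op ignores the hook's stdout on success and only reports it through `osutil.OutputErr` on failure, which is worth a sentence in the doc comment so hook authors know that any JSON they print is not parsed.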
diff --git a/kernel/fde/fde_test.go b/kernel/fde/fde_test.go
index dad1f0c373..1f46f19f84 100644
--- a/kernel/fde/fde_test.go
+++ b/kernel/fde/fde_test.go
@@ -513,3 +513,49 @@ service result: exit-code
 	// ensure no tmp files are left behind
 	c.Check(osutil.FileExists(filepath.Join(dirs.GlobalRootDir, "/run/fde-reveal-key")), Equals, false)
 }
+
+func (s *fdeSuite) TestInlineCryptHwSetupHappy(c *C) {
+	mockKey := []byte{1, 2, 3, 4}
+	mockDevice := "/dev/sda2"
+
+	runSetupHook := func(req *fde.SetupRequest) ([]byte, error) {
+		c.Check(req, DeepEquals, &fde.SetupRequest{
+			Op: "inline-crypto-hw-setup",
+			Key: mockKey,
+			Device: mockDevice,
+		})
+		// empty reply: no error
+		mockJSON := `{}`
+		return []byte(mockJSON), nil
+	}
+
+	params := &fde.InlineCryptoHwSetupParams{
+		Key: mockKey,
+		Device: mockDevice,
+	}
+	err := fde.InlineCryptoHwSetup(runSetupHook, params)
+	c.Assert(err, IsNil)
+}
+
+func (s *fdeSuite) TestInlineCryptHwSetupError(c *C) {
+	mockKey := []byte{1, 2, 3, 4}
+	mockDevice := "/dev/sda2"
+
+	runSetupHook := func(req *fde.SetupRequest) ([]byte, error) {
+		c.Check(req, DeepEquals, &fde.SetupRequest{
+			Op: "inline-crypto-hw-setup",
+			Key: mockKey,
+			Device: mockDevice,
+		})
+		// empty reply: no error
+		mockJSON := `something failed badly`
+		return []byte(mockJSON), fmt.Errorf("exit status 1")
+	}
+
+	params := &fde.InlineCryptoHwSetupParams{
+		Key: mockKey,
+		Device: mockDevice,
+	}
+	err := fde.InlineCryptoHwSetup(runSetupHook, params)
+	c.Check(err, ErrorMatches, "inline crypto hw setup failed with: something failed badly")
+}
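Review bot: The comment `// empty reply: no error` inside `TestInlineCryptHwSetupError` was carried over from the happy-path test and no longer describes the code under it, which returns `something failed badly` together with `fmt.Errorf("exit status 1")`; it should read `// non-empty output plus a non-nil error: the output is reported to the caller`. The test names `TestInlineCryptHwSetupHappy` and `TestInlineCryptHwSetupError` also drop the "o" present in the function under test, `InlineCryptoHwSetup`, which makes them harder to find with `go test -run`; renaming them to `TestInlineCryptoHwSetupHappy` and `TestInlineCryptoHwSetupError` would keep them aligned. Neither test covers the case where the hook succeeds but prints non-JSON output, so it is not pinned down whether that output is meant to be ignored.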
