authorMichael Vogt <mvo@ubuntu.com>2023-09-28 12:55:33 +0200
committerMichael Vogt <mvo@ubuntu.com>2023-10-05 12:51:22 +0200
commit688b3f706bc03b920abd3a2da6e61955a3d0b87d (patch)
tree61bbdf624e6ece24ceebf5374c68c38e4c4fc41b
parent549dec87ce5eef31d755929a1445f6b4b83eb197 (diff)
secboot: port the simple API changes
-rw-r--r--secboot/encrypt_sb.go4
-rw-r--r--secboot/secboot_hooks.go43
-rw-r--r--secboot/secboot_tpm.go5
3 files changed, 28 insertions, 24 deletions
diff --git a/secboot/encrypt_sb.go b/secboot/encrypt_sb.go
index 88fa512ebb..0b153d521c 100644
--- a/secboot/encrypt_sb.go
+++ b/secboot/encrypt_sb.go
@@ -40,7 +40,7 @@ import (
var (
sbInitializeLUKS2Container = sb.InitializeLUKS2Container
- sbAddRecoveryKeyToLUKS2Container = sb.AddRecoveryKeyToLUKS2Container
+ sbAddRecoveryKeyToLUKS2Container = sb.AddLUKS2ContainerRecoveryKey
)
const keyslotsAreaKiBSize = 2560 // 2.5MB
@@ -72,7 +72,7 @@ func FormatEncryptedDevice(key keys.EncryptionKey, encType EncryptionType, label
},
InlineCryptoEngine: useICE,
}
- return sbInitializeLUKS2Container(node, label, key[:], opts)
+ return sbInitializeLUKS2Container(node, label, sb.DiskUnlockKey(key), opts)
}
// AddRecoveryKey adds a fallback recovery key rkey to the existing encrypted
diff --git a/secboot/secboot_hooks.go b/secboot/secboot_hooks.go
index baaa39eee5..bcdefa3636 100644
--- a/secboot/secboot_hooks.go
+++ b/secboot/secboot_hooks.go
@@ -83,11 +83,10 @@ func writeKeyData(path string, keySetup *fde.InitialSetupResult, auxKey []byte,
} else {
handle = *keySetup.Handle
}
- kd, err := sb.NewKeyData(&sb.KeyCreationData{
- PlatformKeyData: sb.PlatformKeyData{
- EncryptedPayload: keySetup.EncryptedKey,
- Handle: handle,
- },
+ kd, err := sb.NewKeyData(&sb.KeyParams{
+ EncryptedPayload: keySetup.EncryptedKey,
+ Handle: handle,
+
PlatformName: fdeHooksPlatformName,
AuxiliaryKey: auxKey,
SnapModelAuthHash: crypto.SHA256,
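Review bot: The empty line after `Handle: handle,` inside the `sb.KeyParams` literal is left over from flattening the removed `PlatformKeyData` nesting and reads as an accidental paragraph break in the middle of one struct literal; drop it so the fields form a single group. writeKeyData's signature and the rest of its body lie outside the hunk.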
@@ -174,9 +173,17 @@ func unlockVolumeUsingSealedKeyFDERevealKeyV2(sealedEncryptionKeyFile, sourceDev
return res, xerrors.Errorf(fmt, err)
}
+ // ensure that the model is authorized to open the volume
+ model, err := opts.WhichModel()
+ if err != nil {
+ return res, fmt.Errorf("cannot retrieve which model to unlock for: %v", err)
+ }
+
// the output of fde-reveal-key is the unsealed key
options := activateVolOpts(opts.AllowRecoveryKey)
- modChecker, err := sbActivateVolumeWithKeyData(mapperName, sourceDevice, keyData, options)
+ options.Model = model
+ // TODO: provide a AuthRequester, KDF here instead of "nil"
+ err = sbActivateVolumeWithKeyData(mapperName, sourceDevice, nil, nil, options, keyData)
if err == sb.ErrRecoveryKeyUsed {
logger.Noticef("successfully activated encrypted device %q using a fallback activation method", sourceDevice)
res.FsDevice = targetDevice
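Review bot: Model authorization is now enforced only implicitly through `options.Model = model`, while the explicit `IsModelAuthorized` check with its "model %s/%s not authorized" error is removed in the following hunk at `@@ -194,18 +201,6 @@`; nothing in the new code states that this assignment is the gate, and whether activation fails for an unauthorized model now depends entirely on how secboot treats `options.Model`, which cannot be verified from this page. Add a comment above the assignment such as `// options.Model is the model-authorization gate: secboot is expected to refuse activation for a model that is not authorized` and pair this change with a test that an unauthorized model yields an error rather than an unlocked volume. The `nil, nil` passed for the AuthRequestor and KDF is flagged with a TODO but not documented as to its effect; presumably it disables passphrase-based unlocking for this path, which is worth stating in the TODO. unlockVolumeUsingSealedKeyFDERevealKeyV2 starts before and continues after this hunk.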
@@ -194,18 +201,6 @@ func unlockVolumeUsingSealedKeyFDERevealKeyV2(sealedEncryptionKeyFile, sourceDev
}
}
}()
- // ensure that the model is authorized to open the volume
- model, err := opts.WhichModel()
- if err != nil {
- return res, fmt.Errorf("cannot retrieve which model to unlock for: %v", err)
- }
- ok, err := modChecker.IsModelAuthorized(model)
- if err != nil {
- return res, fmt.Errorf("cannot check if model is authorized to unlock disk: %v", err)
- }
- if !ok {
- return res, fmt.Errorf("cannot unlock volume: model %s/%s not authorized", model.BrandID(), model.Model())
- }
logger.Noticef("successfully activated encrypted device %q using FDE kernel hooks", sourceDevice)
res.FsDevice = targetDevice
@@ -217,8 +212,8 @@ type fdeHookV2DataHandler struct{}
func (fh *fdeHookV2DataHandler) RecoverKeys(data *sb.PlatformKeyData) (sb.KeyPayload, error) {
var handle *json.RawMessage
- if len(data.Handle) != 0 {
- rawHandle := json.RawMessage(data.Handle)
+ if len(data.EncodedHandle) != 0 {
+ rawHandle := json.RawMessage(data.EncodedHandle)
handle = &rawHandle
}
p := fde.RevealParams{
@@ -228,3 +223,11 @@ func (fh *fdeHookV2DataHandler) RecoverKeys(data *sb.PlatformKeyData) (sb.KeyPay
}
return fde.Reveal(&p)
}
+
+func (fh *fdeHookV2DataHandler) ChangeAuthKey(handle, old, new []byte) ([]byte, error) {
+ return nil, fmt.Errorf("cannot change auth key yet")
+}
+
+func (fh *fdeHookV2DataHandler) RecoverKeysWithAuthKey(data *sb.PlatformKeyData, key []byte) (sb.KeyPayload, error) {
+ return nil, fmt.Errorf("cannot recover keys with auth keys yet")
+}
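Review bot: `ChangeAuthKey` names its third parameter `new`, shadowing the predeclared `new` builtin, and both new exported methods lack the doc comment Go expects for exported names; rename the parameters and document that these are unsupported stubs, e.g. `func (fh *fdeHookV2DataHandler) ChangeAuthKey(handle, oldKey, newKey []byte) ([]byte, error) {` with `// ChangeAuthKey is not supported by the FDE hooks platform yet and always returns an error.` and a matching comment on `RecoverKeysWithAuthKey`. Since the error strings carry no format verbs, `errors.New` would also be the more direct constructor if the file already imports `errors`.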
diff --git a/secboot/secboot_tpm.go b/secboot/secboot_tpm.go
index 5e35a4af88..d0ce3b0dc1 100644
--- a/secboot/secboot_tpm.go
+++ b/secboot/secboot_tpm.go
@@ -283,7 +283,8 @@ func unlockEncryptedPartitionWithSealedKey(mapperName, sourceDevice, keyfile str
}
options := activateVolOpts(allowRecovery)
// ignoring model checker as it doesn't work with tpm "legacy" platform key data
- _, err = sbActivateVolumeWithKeyData(mapperName, sourceDevice, keyData, options)
+ // TODO: provide AuthRequestor/KDF instead of nil
+ err = sbActivateVolumeWithKeyData(mapperName, sourceDevice, nil, nil, options, keyData)
if err == sb.ErrRecoveryKeyUsed {
logger.Noticef("successfully activated encrypted device %q using a fallback activation method", sourceDevice)
return UnlockedWithRecoveryKey, nil
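Review bot: The comment `// ignoring model checker as it doesn't work with tpm "legacy" platform key data` is now stale: the discarded checker return value it referred to no longer exists, and what the code actually does is leave `options.Model` unset before calling `sbActivateVolumeWithKeyData`. Reword it to describe the current behavior, e.g. `// options.Model is deliberately left unset (no model authorization check) as it doesn't work with tpm "legacy" platform key data`; whether secboot treats an unset Model as "skip the check" or as a failure cannot be confirmed from this page and deserves a test. unlockEncryptedPartitionWithSealedKey starts before and continues after this hunk.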
@@ -398,7 +399,7 @@ func SealKeys(keys []SealKeyRequest, params *SealKeysParams) error {
sbKeys := make([]*sb_tpm2.SealKeyRequest, 0, len(keys))
for i := range keys {
sbKeys = append(sbKeys, &sb_tpm2.SealKeyRequest{
- Key: keys[i].Key,
+ Key: sb.DiskUnlockKey(keys[i].Key),
Path: keys[i].KeyFile,
})
}