many: add reseal API/command
Codecov Report
Attention: 100 lines in your changes are missing coverage. Please review.
Comparison is base (62aee2b) 78.91% compared to head (d1b3ad8) 78.87%. Report is 3 commits behind head on master.
Additional details and impacted files
```diff
@@ Coverage Diff @@
## master #13483 +/- ##
==========================================
- Coverage 78.91% 78.87% -0.04%
==========================================
Files 1034 1039 +5
Lines 131722 131977 +255
==========================================
+ Hits 103942 104096 +154
- Misses 21311 21382 +71
- Partials 6469 6499 +30
```
| Flag | Coverage Δ | |
|---|---|---|
| unittests | 78.87% <65.75%> (-0.04%) | :arrow_down: |
@pedronis this is the minimal implementation. I have only done manual tests. I will write tests now. But it would be nice if you could go through this minimal change and tell me if things should be moved, or if there is anything missing (like for instance what @bboozzoo suggested).
I have managed to get it to work on classic. However there are some manual steps required:
- Boot with recovery keys
- Remove `/var/lib/snapd/save/device/fde/tpm-lockout-auth`
- Write `5` to `/sys/class/tpm/tpm0/ppi/request`.
- Reboot, confirm the reset, then unlock with recovery keys
- Run `snap reboot --reset`, it will reboot
- Your system is fixed.
@pedronis I wonder if we can make changes across multiple boots. That is, request a reboot and then continue resetting, then request another reboot.
It feels to me that the locking of tpm when booting with recovery keys is a bug. We should not try to call MarkBootSuccess when we have used recovery keys.
Marking as blocked because of lockout behavior on fresh TPM.
Closed because of the same reason.