snapcore
secboot,fdestate: use boot mode for FDE hooks
2 commits:
- secboot,overlord/fdestate: seal with boot mode for FDE hooks
Set the authorized boot modes for FDE hook keys. For now the run+recover key allows "run" and "recover", while the recover key allows "recover" and "factory-reset".
- overlord/fdestate/backend: split profiles for data and save partitions
There should be 3 different keys for FDE hooks. The run+recover key should be allowed for boot modes "run" and "recover". While recover key on data disk should be allowed on "recover". And finally recovery on save disk should be allowed in "recover" and "factory-reset". Here we split the profiles for "recover" for disks "data" and "save", so that we can set different authorized boot modes.
Wed Feb 26 10:10:42 UTC 2025 The following results are from: https://github.com/canonical/snapd/actions/runs/13523876816
Failures:
Preparing:
- openstack:opensuse-15.6-64:tests/main/auto-refresh-gating-from-snap
Executing:
- google-distro-1:amazon-linux-2-64:tests/main/progress
- google-distro-1:amazon-linux-2023-64:tests/main/snap-confine-undesired-mode-group
- openstack:debian-12-64:tests/main/progress
- google:ubuntu-25.04-64:tests/main/security-device-cgroups-serial-port
- google:ubuntu-25.04-64:tests/main/security-device-cgroups-helper
- google:ubuntu-25.04-64:tests/main/snap-user-service-socket-activation
- google:ubuntu-25.04-64:tests/main/snap-ns-forward-compat
- google:ubuntu-25.04-64:tests/main/cgroup-devices-v2
- google:ubuntu-25.04-64:tests/main/security-device-cgroups-strict-enforced
- google:ubuntu-25.04-64:tests/main/security-device-cgroups-self-manage
- google:ubuntu-25.04-64:tests/main/security-device-cgroups-required-or-optional
- google:ubuntu-25.04-64:tests/main/security-device-cgroups:uinput
- google:ubuntu-25.04-64:tests/main/security-device-cgroups:kmsg
- google:ubuntu-16.04-64:tests/main/microk8s-smoke:edge
Restoring:
- google:ubuntu-25.04-64:tests/main/security-device-cgroups-strict-enforced
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Codecov Report
Attention: Patch coverage is 77.02703% with 17 lines in your changes missing coverage. Please review.
Project coverage is 78.07%. Comparing base (
a272aac) to head (d667b5c). Report is 70 commits behind head on master.
Additional details and impacted files
@@ Coverage Diff @@
## master #15049 +/- ##
==========================================
- Coverage 78.07% 78.07% -0.01%
==========================================
Files 1182 1182
Lines 157743 157970 +227
==========================================
+ Hits 123154 123331 +177
- Misses 26943 26976 +33
- Partials 7646 7663 +17
| Flag | Coverage Δ | |
|---|---|---|
| unittests | 78.07% <77.02%> (-0.01%) |
:arrow_down: |
Flags with carried forward coverage won't be shown. Click here to find out more.
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
I removed the 2.68 milestone, we do not strictly need it, just https://github.com/canonical/snapd/pull/15057
@valentindavid also do we need somehow to clean up the entries for containerRole "all"
@valentindavid also do we need somehow to clean up the entries for containerRole "all"
No, I do not think so. It is in the specs. If there is no different depending on the key, we are supposed to use "all".
did a first pass. Do we need an explicit test about the transition for what we are storing currently in the state and what we will store after?
The transition will happen on reseal. But it is almost of the same as resealing from a fresh install. The only thing here is that we leave out some state that is not in used any more, the "all" disk role for "recover". That said, I think cleaning up states that are not in use any more should be done, but in a different PR. I will add a task for it.
