many: support sealing and resealing using check result
Modified how PCR protection profile is built for sealing and resealing to use information within the preinstall check result and also make use of the modern secboot API.
Sealing using optimal PCR configuration from preinstall check - Part 3:
- Support using check result to build PCR protection profile for sealing and resealing
  - For install time sealing, the check result passed on from doInstallFinish step is used.
  - For resealing, the check result is loaded from file. Added LoadCheckResult to support this.
- Test coverage for changes
Testing
- Manually tested installation image with snapd updated to include this change. Install time sealing was confirmed to work.
Currently outstanding:
- Spread tests must be adapted
Wed Jan 7 03:47:33 UTC 2026 The following results are from: https://github.com/canonical/snapd/actions/runs/20752179952
Failures:
Preparing:
- openstack:debian-sid-64:
- openstack:fedora-41-64:
Executing:
- openstack:ubuntu-26.04-64:tests/main/lxd:snapd_cgroup_just_outside
- openstack:ubuntu-26.04-64:tests/main/i18n
- openstack:ubuntu-26.04-64:tests/main/upgrade-from-release
- openstack:ubuntu-26.04-64:tests/main/docker-smoke
- openstack:ubuntu-26.04-64:tests/regression/lp-1910456
Restoring:
- openstack:fedora-41-64:
Codecov Report
:x: Patch coverage is 86.29032% with 17 lines in your changes missing coverage. Please review.
:white_check_mark: Project coverage is 77.55%. Comparing base (cf468ef) to head (b5aacfb).
:warning: Report is 32 commits behind head on master.
@@ Coverage Diff @@
## master #16360 +/- ##
==========================================
+ Coverage 77.48% 77.55% +0.07%
==========================================
Files 1339 1329 -10
Lines 182907 183095 +188
Branches 2438 2438
==========================================
+ Hits 141732 142007 +275
+ Misses 32587 32493 -94
- Partials 8588 8595 +7
| Flag | Coverage Δ | |
|---|---|---|
| unittests | 77.55% <86.29%> (+0.07%) | :arrow_up: |
Final manual verification:
Re-tested latest version using qemu. Could successfully create hybrid tpm fde install and verified the preinstall file with the preinstall check metadata required for resealing is where expected.
The followup PR https://github.com/canonical/snapd/pull/16399 will provide more detailed automated verification including resealing due to dbx update or remodeling.
Test failures:
All failures are known, nothing relates to the changes.