tpm2: Add WithLockoutAuthValue and WithLockoutAuthData options for EnsureProvisioned #533
…sureProvisioned This adds new WithLockoutAuthValue and WithLockoutAuthData options for Connection.EnsureProvisioned. These are used to supply the current authorization parameters for the lockout hierarchy. WithLockoutAuthValue is used to supply the raw authorization value, supplied to current (but soon to be older) versions of Connection.EnsureProvisioned. WithLockoutAuthData will be used to supply authorization data that will be created by newer versions of Connection.EnsureProvisioned. These options replace the ProvisionModeWithoutLockout option. To prevent Connection.EnsureProvisioned from using the lockout hierarchy, just omit both of the new options.
pedronis
left a comment
did a first pass, some comments/questions
| if err == nil { | ||
| return | ||
| } | ||
| t.FlushContext(sessionInternal) |
we flush only on error now, does this need a comment?
The session needs to live past the end of the function, so it returns a callback to flush the session in the non-error case.
| func (t *Connection) resetDictionaryAttackLockImpl(params *lockoutAuthParams) error { | ||
| if len(params.NewAuthValue) > 0 || params.NewAuthPolicy != nil { | ||
| return errors.New("lockout hierarchy auth value change not supported yet") | ||
| func (t *Connection) authorizeLockout(authParams *lockoutAuthParams, command tpm2.CommandCode) (session tpm2.SessionContext, lockoutAuthSet bool, done func(), err error) { |
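Review bot: In the authorizeLockout signature, done is a named func() result returned alongside err, and nothing in the visible lines says whether it is non-nil when err != nil. A caller that writes `defer done()` before checking err would panic on a nil func, so either return a no-op on the error path or state in the doc comment that done is only valid when err is nil and has to be called after the authorized command has run.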
this probably needs a doc comment now to explain what done is for
|
|
||
| return session, lockoutAuthSet, func() { | ||
| if authParams.AuthPolicy != nil { | ||
| t.FlushContext(session) |
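Review bot: In the returned closure, the result of `t.FlushContext(session)` is dropped, and because done is a plain func() the caller cannot learn that the flush failed and the session is still loaded in the TPM. Consider letting done return an error or logging the failure, and add a short comment on why the flush is conditional on `authParams.AuthPolicy != nil`, since nothing in the visible lines releases session in the other case.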
this is the positive case flush now?
| switch { | ||
| case authSession.Handle().Type() == tpm2.HandleTypePolicySession: | ||
| // We're using policy auth so need to supply the HMAC session as an extra | ||
| // session for parameter encryption. |
is session below the HMAC session?
| func WithLockoutAuthValue(authValue []byte) EnsureProvisionedOption { | ||
| return func(p *ensureProvisionedParams) { | ||
| if p.lockoutAuthParams != nil || p.lockoutAuthParamsErr != nil { | ||
| panic("WithLockoutAuthValue incompatible with WithLockoutAuthData") |
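Review bot: WithLockoutAuthValue panics on a caller mistake, although ensureProvisionedParams already carries a lockoutAuthParamsErr field that could record the conflict so that EnsureProvisioned returns it as an ordinary error. If the panic stays, document it on the option; also note that the condition tests `p.lockoutAuthParams != nil` rather than which option set it, so the message naming WithLockoutAuthData would be misleading if WithLockoutAuthValue itself populates that field and is passed twice.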
So I suppose on the snapd side we will need to save the auth data in a different file, and only one of the 2 files should exist on any installation. Am I correct?