boot: unlock snapd state when sealing keys

boot/makebootable.go

@@ -326,6 +326,7 @@ type makeRunnableOptions struct {
 	Standalone     bool
 	AfterDataReset bool
 	SeedDir        string
+	StateUnlocker  Unlocker
 }
 
 func copyBootSnap(orig string, dstInfo *snap.Info, dstSnapBlobDir string) error {
@@ -529,6 +530,7 @@ func makeRunnableSystem(model *asserts.Model, bootWith *BootableSet, sealer *Tru
 			HasFDESetupHook: hasHook,
 			FactoryReset:    makeOpts.AfterDataReset,
 			SeedDir:         makeOpts.SeedDir,
+			StateUnlocker:   makeOpts.StateUnlocker,
 		}
 		if makeOpts.Standalone {
 			flags.SnapsDir = snapBlobDir
@@ -607,12 +609,13 @@ func MakeRunnableSystem(model *asserts.Model, bootWith *BootableSet, sealer *Tru
 // MakeRunnableStandaloneSystem operates like MakeRunnableSystem but does
 // not assume that the run system being set up is related to the current
 // system. This is appropriate e.g when installing from a classic installer.
-func MakeRunnableStandaloneSystem(model *asserts.Model, bootWith *BootableSet, sealer *TrustedAssetsInstallObserver) error {
+func MakeRunnableStandaloneSystem(model *asserts.Model, bootWith *BootableSet, sealer *TrustedAssetsInstallObserver, unlocker Unlocker) error {
 	// TODO consider merging this back into MakeRunnableSystem but need
 	// to consider the properties of the different input used for sealing
 	return makeRunnableSystem(model, bootWith, sealer, makeRunnableOptions{
-		Standalone: true,
-		SeedDir:    dirs.SnapSeedDir,
+		Standalone:    true,
+		SeedDir:       dirs.SnapSeedDir,
+		StateUnlocker: unlocker,
 	})
 }
 

boot/makebootable_test.go

@@ -769,7 +769,9 @@ version: 5.0
 	case standalone && fromInitrd:
 		err = boot.MakeRunnableStandaloneSystemFromInitrd(model, bootWith, obs)
 	case standalone && !fromInitrd:
-		err = boot.MakeRunnableStandaloneSystem(model, bootWith, obs)
+		u := mockUnlocker{}
+		err = boot.MakeRunnableStandaloneSystem(model, bootWith, obs, u.unlocker)
+		c.Check(u.unlocked, Equals, 1)
 	case factoryReset && !fromInitrd:
 		err = boot.MakeRunnableSystemAfterDataReset(model, bootWith, obs)
 	default:

boot/seal.go

@@ -122,6 +122,8 @@ type sealKeyToModeenvFlags struct {
 	// SeedDir is the path where to find mounted seed with
 	// essential snaps.
 	SeedDir string
+	// Unlocker is used unlock the snapd state for long operations
+	StateUnlocker Unlocker
 }
 
 // sealKeyToModeenvImpl seals the supplied keys to the parameters specified
@@ -149,6 +151,10 @@ func sealKeyToModeenvImpl(key, saveKey keys.EncryptionKey, model *asserts.Model,
 		return sealKeyToModeenvUsingFDESetupHook(key, saveKey, model, modeenv, flags)
 	}
 
+	if flags.StateUnlocker != nil {
+		relock := flags.StateUnlocker()
+		defer relock()
+	}
 	return sealKeyToModeenvUsingSecboot(key, saveKey, model, modeenv, flags)
 }
 

boot/seal_test.go

@@ -317,9 +317,12 @@ func (s *sealSuite) TestSealKeyToModeenv(c *C) {
 		})
 		defer restore()
 
+		u := mockUnlocker{}
 		err = boot.SealKeyToModeenv(myKey, myKey2, model, modeenv, boot.MockSealKeyToModeenvFlags{
-			FactoryReset: tc.factoryReset,
+			FactoryReset:  tc.factoryReset,
+			StateUnlocker: u.unlocker,
 		})
+		c.Check(u.unlocked, Equals, 1)
 		c.Check(pcrHandleOfKeyCalls, Equals, tc.expPCRHandleOfKeyCalls)
 		c.Check(provisionCalls, Equals, tc.expProvisionCalls)
 		c.Check(sealKeysCalls, Equals, tc.expSealCalls)

overlord/devicestate/handlers_install.go

@@ -1052,7 +1052,7 @@ func (m *DeviceManager) doInstallFinish(t *state.Task, _ *tomb.Tomb) error {
 	}
 
 	logger.Debugf("making the installed system runnable for system label %s", systemLabel)
-	if err := bootMakeRunnableStandalone(sys.Model, bootWith, trustedInstallObserver); err != nil {
+	if err := bootMakeRunnableStandalone(sys.Model, bootWith, trustedInstallObserver, st.Unlocker()); err != nil {
 		return err
 	}