fscrypt: Unlock: Fetch keys early

Fetch keys from KMS before doing anything else. This will catch KMS
errors before setting up any fscrypt metadata.

Signed-off-by: Marcel Lauhoff <marcel.lauhoff@suse.com>
Marcel Lauhoff 2022-07-19 16:31:35 +02:00 committed by mergify[bot]
parent f8faffac89
commit a6a4282493


@ -294,9 +294,17 @@ func Unlock(
volEncryption *util.VolumeEncryption, volEncryption *util.VolumeEncryption,
stagingTargetPath string, volID string, stagingTargetPath string, volID string,
) error { ) error {
// Fetches keys from KMS. Do this first to catch KMS errors before setting up anything.
keyFn, err := createKeyFuncFromVolumeEncryption(ctx, *volEncryption, volID)
if err != nil {
log.ErrorLog(ctx, "fscrypt: could not create key function: %v", err)
return err
}
fscryptContext, err := fscryptactions.NewContextFromMountpoint(stagingTargetPath, nil) fscryptContext, err := fscryptactions.NewContextFromMountpoint(stagingTargetPath, nil)
if err != nil { if err != nil {
log.ErrorLog(ctx, "fscrypt: failed to create context from mountpoint %v: %w", stagingTargetPath) log.ErrorLog(ctx, "fscrypt: failed to create context from mountpoint %v: %w", stagingTargetPath, err)
return err return err
} }
@ -318,7 +326,7 @@ func Unlock(
if err = fscryptContext.Mount.Setup(0o755); err != nil { if err = fscryptContext.Mount.Setup(0o755); err != nil {
alreadySetupErr := &fscryptfilesystem.ErrAlreadySetup{} alreadySetupErr := &fscryptfilesystem.ErrAlreadySetup{}
if errors.As(err, &alreadySetupErr) { if errors.As(err, &alreadySetupErr) {
log.DebugLog(ctx, "fscrypt: metadata directory %q already set up", alreadySetupErr.Mount.Path) log.DebugLog(ctx, "fscrypt: metadata directory in %q already set up", alreadySetupErr.Mount.Path)
metadataDirExists = true metadataDirExists = true
} else { } else {
log.ErrorLog(ctx, "fscrypt: mount setup failed: %v", err) log.ErrorLog(ctx, "fscrypt: mount setup failed: %v", err)
@ -339,13 +347,6 @@ func Unlock(
metadataDirExists, kernelPolicyExists) metadataDirExists, kernelPolicyExists)
} }
keyFn, err := createKeyFuncFromVolumeEncryption(ctx, *volEncryption, volID)
if err != nil {
log.ErrorLog(ctx, "fscrypt: could not create key function: %v", err)
return err
}
protectorName := fmt.Sprintf("%s-%s", FscryptProtectorPrefix, volEncryption.GetID()) protectorName := fmt.Sprintf("%s-%s", FscryptProtectorPrefix, volEncryption.GetID())
switch volEncryption.KMS.RequiresDEKStore() { switch volEncryption.KMS.RequiresDEKStore() {
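Review bot: The new log call in the first hunk, `log.ErrorLog(ctx, "fscrypt: failed to create context from mountpoint %v: %w", stagingTargetPath, err)`, hands `err` to a `%w` verb, which is only defined for `fmt.Errorf`; if `log.ErrorLog` formats with `fmt.Sprintf`-style verbs, as every other call in this hunk (all `%v`) suggests, the error will render as `%!w(...)` rather than its message. This is the only place the context-creation failure is recorded before `return err`, so an operator diagnosing a failed Unlock would lose the actual cause. Suggest `log.ErrorLog(ctx, "fscrypt: failed to create context from mountpoint %v: %v", stagingTargetPath, err)`. The moved key fetch at the top of the function looks correct as written; `Unlock` itself continues past the last hunk shown here.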