Add some example binaries

This adds some example binaries which are useful for manual testing:

- activate-volume: An example that makes use of ActivateVolumeWithTPMSealedKey
and ActivateVolumeWithRecoveryKey.
- change-pin: An example that makes use of ChangePIN.
- provision-status: An example that makes use of ProvisionStatus.
- provision-tpm: An example that makes use of ProvistionTPM.
- seal-key: An example that makes use of SealKeyToTPM to seal a key to PCR7
on Ubuntu classic systems.
- unseal-key: An example that makes use of SealedKeyObject.UnsealFromTPM.

.gitignore

@@ -1 +1,7 @@
+examples/activate-volume/activate-volume
+examples/change-pin/change-pin
+examples/provision-status/provision-status
+examples/provision-tpm/provision-tpm
+examples/seal-key/seal-key
+examples/unseal-key/unseal-key
 vendor/*/

crypt_test.go

@@ -846,7 +846,7 @@ func (s *cryptSuite) testActivateVolumeWithRecoveryKeyUsingKeyReader(c *C, data
 func (s *cryptSuite) TestActivateVolumeWithRecoveryKeyUsingKeyReader1(c *C) {
 	// Test with the correct recovery key supplied via a io.Reader, with a hyphen separating each group of 5 digits.
 	s.testActivateVolumeWithRecoveryKeyUsingKeyReader(c, &testActivateVolumeWithRecoveryKeyUsingKeyReaderData{
-		tries: 1,
+		tries:                   1,
 		recoveryKeyFileContents: strings.Join(s.recoveryKeyAscii, "-") + "\n",
 		sdCryptsetupCalls:       1,
 	})
@@ -855,7 +855,7 @@ func (s *cryptSuite) TestActivateVolumeWithRecoveryKeyUsingKeyReader1(c *C) {
 func (s *cryptSuite) TestActivateVolumeWithRecoveryKeyUsingKeyReader2(c *C) {
 	// Test with the correct recovery key supplied via a io.Reader, without a hyphen separating each group of 5 digits.
 	s.testActivateVolumeWithRecoveryKeyUsingKeyReader(c, &testActivateVolumeWithRecoveryKeyUsingKeyReaderData{
-		tries: 1,
+		tries:                   1,
 		recoveryKeyFileContents: strings.Join(s.recoveryKeyAscii, "") + "\n",
 		sdCryptsetupCalls:       1,
 	})
@@ -864,7 +864,7 @@ func (s *cryptSuite) TestActivateVolumeWithRecoveryKeyUsingKeyReader2(c *C) {
 func (s *cryptSuite) TestActivateVolumeWithRecoveryKeyUsingKeyReader3(c *C) {
 	// Test with the correct recovery key supplied via a io.Reader when the key doesn't end in a newline.
 	s.testActivateVolumeWithRecoveryKeyUsingKeyReader(c, &testActivateVolumeWithRecoveryKeyUsingKeyReaderData{
-		tries: 1,
+		tries:                   1,
 		recoveryKeyFileContents: strings.Join(s.recoveryKeyAscii, "-"),
 		sdCryptsetupCalls:       1,
 	})
@@ -873,7 +873,7 @@ func (s *cryptSuite) TestActivateVolumeWithRecoveryKeyUsingKeyReader3(c *C) {
 func (s *cryptSuite) TestActivateVolumeWithRecoveryKeyUsingKeyReader4(c *C) {
 	// Test that falling back to requesting a recovery key works if the one provided by the io.Reader is incorrect.
 	s.testActivateVolumeWithRecoveryKeyUsingKeyReader(c, &testActivateVolumeWithRecoveryKeyUsingKeyReaderData{
-		tries: 2,
+		tries:                   2,
 		recoveryKeyFileContents: "00000-00000-00000-00000-00000-00000-00000-00000\n",
 		recoveryPassphrases:     []string{strings.Join(s.recoveryKeyAscii, "-")},
 		sdCryptsetupCalls:       2,
@@ -883,7 +883,7 @@ func (s *cryptSuite) TestActivateVolumeWithRecoveryKeyUsingKeyReader4(c *C) {
 func (s *cryptSuite) TestActivateVolumeWithRecoveryKeyUsingKeyReader5(c *C) {
 	// Test that falling back to requesting a recovery key works if the one provided by the io.Reader is badly formatted.
 	s.testActivateVolumeWithRecoveryKeyUsingKeyReader(c, &testActivateVolumeWithRecoveryKeyUsingKeyReaderData{
-		tries: 2,
+		tries:                   2,
 		recoveryKeyFileContents: "5678\n",
 		recoveryPassphrases:     []string{strings.Join(s.recoveryKeyAscii, "-")},
 		sdCryptsetupCalls:       1,

examples/activate-volume/main.go

@@ -0,0 +1,139 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2019 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"flag"
+	"fmt"
+	"io"
+	"os"
+	"strconv"
+	"strings"
+
+	"github.com/snapcore/secboot"
+)
+
+func run() int {
+	args := flag.Args()
+	if len(args) == 0 {
+		fmt.Printf("Usage: activate-volume VOLUME SOURCE-DEVICE SEALED-KEY-FILE [AUTH-FILE] [OPTIONS]\n")
+		return 0
+	}
+
+	if len(args) < 3 {
+		fmt.Fprintf(os.Stderr, "Cannot activate device: insufficient arguments\n")
+		return 1
+	}
+
+	volume := args[0]
+	sourceDevice := args[1]
+
+	var keyFilePath string
+	if args[2] != "" && args[2] != "-" && args[2] != "none" {
+		keyFilePath = args[2]
+	}
+
+	var authFilePath string
+	if len(args) >= 4 && args[3] != "" && args[3] != "-" && args[3] != "none" {
+		authFilePath = args[3]
+	}
+
+	var lock bool
+	var forceRecovery bool
+	pinTries := 1
+	recoveryTries := 1
+	var activateOptions []string
+
+	if len(args) >= 5 && args[4] != "" && args[4] != "-" && args[4] != "none" {
+		opts := strings.Split(args[4], ",")
+		for _, opt := range opts {
+			switch {
+			case opt == "lock":
+				lock = true
+			case opt == "force-recovery":
+				forceRecovery = true
+			case strings.HasPrefix(opt, "pin-tries="):
+				u, err := strconv.ParseUint(strings.TrimPrefix(opt, "pin-tries="), 10, 8)
+				if err != nil {
+					fmt.Fprintf(os.Stderr, "Cannot activate device %s: invalid value for \"recovery-tries=\"\n", sourceDevice)
+					return 1
+				}
+				pinTries = int(u)
+			case strings.HasPrefix(opt, "recovery-tries="):
+				u, err := strconv.ParseUint(strings.TrimPrefix(opt, "recovery-tries="), 10, 8)
+				if err != nil {
+					fmt.Fprintf(os.Stderr, "Cannot activate device %s: invalid value for \"recovery-tries=\"\n", sourceDevice)
+					return 1
+				}
+				recoveryTries = int(u)
+			default:
+				activateOptions = append(activateOptions, opt)
+			}
+		}
+	}
+
+	var authReader io.Reader
+	if authFilePath != "" {
+		f, err := os.Open(authFilePath)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Cannot open auth file: %v\n", err)
+			return 1
+		}
+		defer f.Close()
+		authReader = f
+	}
+
+	if !forceRecovery {
+		tpm, err := secboot.ConnectToDefaultTPM()
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Cannot connect to TPM: %v\n", err)
+			return 1
+		}
+		defer tpm.Close()
+
+		options := secboot.ActivateWithTPMSealedKeyOptions{
+			PINTries:            pinTries,
+			RecoveryKeyTries:    recoveryTries,
+			ActivateOptions:     activateOptions,
+			LockSealedKeyAccess: lock}
+		if success, err := secboot.ActivateVolumeWithTPMSealedKey(tpm, volume, sourceDevice, keyFilePath, authReader, &options); err != nil {
+			if !success {
+				fmt.Fprintf(os.Stderr, "Activation failed: %v\n", err)
+				return 1
+			}
+			fmt.Printf("Activation succeeded with fallback recovery key: %v\n", err)
+		}
+	} else {
+		options := secboot.ActivateWithRecoveryKeyOptions{
+			Tries:           recoveryTries,
+			ActivateOptions: activateOptions}
+		if err := secboot.ActivateVolumeWithRecoveryKey(volume, sourceDevice, authReader, &options); err != nil {
+			fmt.Fprintf(os.Stderr, "Activation with recovery key failed: %v\n", err)
+			return 1
+		}
+	}
+
+	return 0
+}
+
+func main() {
+	flag.Parse()
+	os.Exit(run())
+}

examples/change-pin/main.go

@@ -0,0 +1,68 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2019 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+
+	"github.com/snapcore/secboot"
+)
+
+var keyFile string
+var currentPin string
+
+func init() {
+	flag.StringVar(&currentPin, "current-pin", "", "")
+	flag.StringVar(&keyFile, "key-file", "", "")
+}
+
+func run() int {
+	if keyFile == "" {
+		fmt.Fprintf(os.Stderr, "Cannot change PIN: missing -key-file\n")
+		return 1
+	}
+
+	args := flag.Args()
+	var pin string
+	if len(args) > 0 {
+		pin = args[0]
+	}
+
+	tpm, err := secboot.ConnectToDefaultTPM()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Cannot connect to TPM: %v\n", err)
+		return 1
+	}
+	defer tpm.Close()
+
+	if err := secboot.ChangePIN(tpm, keyFile, currentPin, pin); err != nil {
+		fmt.Fprintf(os.Stderr, "Cannot change PIN: %v\n", err)
+		return 1
+	}
+
+	return 0
+}
+
+func main() {
+	flag.Parse()
+	os.Exit(run())
+}

examples/provision-status/main.go

@@ -0,0 +1,84 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2019 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/snapcore/secboot"
+)
+
+func run() int {
+	tpm, err := secboot.ConnectToDefaultTPM()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Cannot connect to TPM: %v\n", err)
+		return 1
+	}
+	defer tpm.Close()
+
+	status, err := secboot.ProvisionStatus(tpm)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Cannot determine status: %v\n", err)
+		return 1
+	}
+
+	if status&secboot.AttrValidSRK > 0 {
+		fmt.Println("Valid SRK found in TPM")
+	} else {
+		fmt.Println("** ERROR: TPM does not have a valid SRK **")
+	}
+
+	if status&secboot.AttrValidEK > 0 {
+		fmt.Println("Valid EK found in TPM")
+	} else {
+		fmt.Println("** ERROR: TPM does not have a valid EK **")
+	}
+
+	if status&secboot.AttrDAParamsOK > 0 {
+		fmt.Println("TPM's DA parameters are correct")
+	} else {
+		fmt.Println("** ERROR: TPM's DA parameters are not the values set during provisioning **")
+	}
+
+	if status&secboot.AttrOwnerClearDisabled > 0 {
+		fmt.Println("TPM does not allow clearing with the lockout hierarchy authorization")
+	} else {
+		fmt.Println("** ERROR: TPM allows clearing with the lockout hierarchy authorization **")
+	}
+
+	if status&secboot.AttrLockoutAuthSet > 0 {
+		fmt.Println("The lockout hierarchy authorization is set")
+	} else {
+		fmt.Println("** ERROR: The lockout hierarchy authorization is not set **")
+	}
+
+	if status&secboot.AttrValidLockNVIndex > 0 {
+		fmt.Println("Valid lock NV index found in TPM")
+	} else {
+		fmt.Println("** ERROR: TPM does not have a valid lock NV index **")
+	}
+
+	return 0
+}
+
+func main() {
+	os.Exit(run())
+}