canonical · sespiros · Mar 14, 2024 · Mar 14, 2024 · Mar 14, 2024 · Mar 22, 2024
diff --git a/argon2.go b/argon2.go
@@ -21,12 +21,11 @@ package secboot
 
 import (
 	"errors"
+	"fmt"
 	"runtime"
 	"sync"
 	"time"
 
-	"golang.org/x/xerrors"
-
 	"github.com/snapcore/secboot/internal/argon2"
 )
 
@@ -136,7 +135,7 @@ func (o *Argon2Options) deriveCostParams(keyLen int) (*Argon2CostParams, error)
 				Threads:   params.Threads})
 		})
 		if err != nil {
-			return nil, xerrors.Errorf("cannot benchmark KDF: %w", err)
+			return nil, fmt.Errorf("cannot benchmark KDF: %w", err)
 		}
 
 		return &Argon2CostParams{

diff --git a/auth_requestor_systemd.go b/auth_requestor_systemd.go
@@ -22,13 +22,12 @@ package secboot
 import (
 	"bytes"
 	"errors"
+	"fmt"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
 	"text/template"
-
-	"golang.org/x/xerrors"
 )
 
 type askPasswordMsgParams struct {
@@ -53,7 +52,7 @@ func (r *systemdAuthRequestor) askPassword(sourceDevicePath, msg string) (string
 	cmd.Stdout = out
 	cmd.Stdin = os.Stdin
 	if err := cmd.Run(); err != nil {
-		return "", xerrors.Errorf("cannot execute systemd-ask-password: %v", err)
+		return "", fmt.Errorf("cannot execute systemd-ask-password: %v", err)
 	}
 	result, err := out.ReadString('\n')
 	if err != nil {
@@ -70,7 +69,7 @@ func (r *systemdAuthRequestor) RequestPassphrase(volumeName, sourceDevicePath st
 
 	msg := new(bytes.Buffer)
 	if err := r.passphraseTmpl.Execute(msg, params); err != nil {
-		return "", xerrors.Errorf("cannot execute message template: %w", err)
+		return "", fmt.Errorf("cannot execute message template: %w", err)
 	}
 
 	return r.askPassword(sourceDevicePath, msg.String())
@@ -83,7 +82,7 @@ func (r *systemdAuthRequestor) RequestRecoveryKey(volumeName, sourceDevicePath s
 
 	msg := new(bytes.Buffer)
 	if err := r.recoveryKeyTmpl.Execute(msg, params); err != nil {
-		return RecoveryKey{}, xerrors.Errorf("cannot execute message template: %w", err)
+		return RecoveryKey{}, fmt.Errorf("cannot execute message template: %w", err)
 	}
 
 	passphrase, err := r.askPassword(sourceDevicePath, msg.String())
@@ -93,7 +92,7 @@ func (r *systemdAuthRequestor) RequestRecoveryKey(volumeName, sourceDevicePath s
 
 	key, err := ParseRecoveryKey(passphrase)
 	if err != nil {
-		return RecoveryKey{}, xerrors.Errorf("cannot parse recovery key: %w", err)
+		return RecoveryKey{}, fmt.Errorf("cannot parse recovery key: %w", err)
 	}
 
 	return key, nil
@@ -108,12 +107,12 @@ func (r *systemdAuthRequestor) RequestRecoveryKey(volumeName, sourceDevicePath s
 func NewSystemdAuthRequestor(passphraseTmpl, recoveryKeyTmpl string) (AuthRequestor, error) {
 	pt, err := template.New("passphraseMsg").Parse(passphraseTmpl)
 	if err != nil {
-		return nil, xerrors.Errorf("cannot parse passphrase message template: %w", err)
+		return nil, fmt.Errorf("cannot parse passphrase message template: %w", err)
 	}
 
 	rkt, err := template.New("recoveryKeyMsg").Parse(recoveryKeyTmpl)
 	if err != nil {
-		return nil, xerrors.Errorf("cannot parse recovery key message template: %w", err)
+		return nil, fmt.Errorf("cannot parse recovery key message template: %w", err)
 	}
 
 	return &systemdAuthRequestor{

diff --git a/bootscope/keydata.go b/bootscope/keydata.go
@@ -37,7 +37,6 @@ import (
 	"golang.org/x/crypto/cryptobyte"
 	cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
 	"golang.org/x/crypto/hkdf"
-	"golang.org/x/xerrors"
 )
 
 const (
@@ -254,7 +253,7 @@ func (d *KeyDataScope) authorize(key secboot.PrimaryKey, role string) error {
 	d.data.Params.marshalASN1(builder)
 	scope, err := builder.Bytes()
 	if err != nil {
-		return xerrors.Errorf("cannot serialize scope: %w", err)
+		return fmt.Errorf("cannot serialize scope: %w", err)
 	}
 
 	alg := d.data.MDAlg
@@ -419,7 +418,7 @@ func (d *KeyDataScope) MakeAEADAdditionalData(generation int, kdfAlg crypto.Hash
 
 	der, err := x509.MarshalPKIXPublicKey(d.data.PublicKey.PublicKey)
 	if err != nil {
-		return nil, xerrors.Errorf("cannot marshal public key: %w", err)
+		return nil, fmt.Errorf("cannot marshal public key: %w", err)
 	}
 
 	h := alg.New()

diff --git a/bootscope/keydata_test.go b/bootscope/keydata_test.go
@@ -33,7 +33,6 @@ import (
 	"fmt"
 	"hash"
 
-	"golang.org/x/xerrors"
 	. "gopkg.in/check.v1"
 
 	"github.com/snapcore/secboot"
@@ -897,7 +896,7 @@ func (h *mockPlatformKeyDataHandler) checkState() error {
 func (h *mockPlatformKeyDataHandler) unmarshalHandle(data *PlatformKeyData) (*mockPlatformKeyDataHandle, error) {
 	var handle mockPlatformKeyDataHandle
 	if err := json.Unmarshal(data.EncodedHandle, &handle); err != nil {
-		return nil, &PlatformHandlerError{Type: PlatformHandlerErrorInvalidData, Err: xerrors.Errorf("JSON decode error: %w", err)}
+		return nil, &PlatformHandlerError{Type: PlatformHandlerErrorInvalidData, Err: fmt.Errorf("JSON decode error: %w", err)}
 	}
 	return &handle, nil
 }
@@ -929,7 +928,7 @@ func (h *mockPlatformKeyDataHandler) recoverKeys(handle *mockPlatformKeyDataHand
 
 	b, err := aes.NewCipher(handle.Key)
 	if err != nil {
-		return nil, xerrors.Errorf("cannot create cipher: %w", err)
+		return nil, fmt.Errorf("cannot create cipher: %w", err)
 	}
 
 	s := cipher.NewCFBDecrypter(b, handle.IV)

diff --git a/bootscope/snap.go b/bootscope/snap.go
@@ -23,19 +23,19 @@ import (
 	"crypto"
 	"encoding/asn1"
 	"encoding/base64"
+	"fmt"
 
 	"github.com/snapcore/secboot"
 	"golang.org/x/crypto/cryptobyte"
 	cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
-	"golang.org/x/xerrors"
 )
 
 var sha3_384oid = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 9}
 
 func computeSnapModelHash(alg crypto.Hash, model secboot.SnapModel) ([]byte, error) {
 	signKeyId, err := base64.RawURLEncoding.DecodeString(model.SignKeyID())
 	if err != nil {
-		return nil, xerrors.Errorf("cannot decode signing key ID: %w", err)
+		return nil, fmt.Errorf("cannot decode signing key ID: %w", err)
 	}
 
 	builder := cryptobyte.NewBuilder(nil)
@@ -62,9 +62,8 @@ func computeSnapModelHash(alg crypto.Hash, model secboot.SnapModel) ([]byte, err
 
 	b, err := builder.Bytes()
 	if err != nil {
-		return nil, xerrors.Errorf("cannot serialize model properties: %w", err)
+		return nil, fmt.Errorf("cannot serialize model properties: %w", err)
 	}
-
 	h := alg.New()
 	h.Write(b)
 	return h.Sum(nil), nil

diff --git a/crypt.go b/crypt.go
@@ -30,8 +30,6 @@ import (
 
 	"github.com/snapcore/snapd/asserts"
 
-	"golang.org/x/xerrors"
-
 	"github.com/snapcore/secboot/internal/keyring"
 	"github.com/snapcore/secboot/internal/luks2"
 	"github.com/snapcore/secboot/internal/luksview"
@@ -87,7 +85,7 @@ func ParseRecoveryKey(s string) (out RecoveryKey, err error) {
 		}
 		x, err := strconv.ParseUint(s[0:5], 10, 16)
 		if err != nil {
-			return RecoveryKey{}, xerrors.Errorf("incorrectly formatted: %w", err)
+			return RecoveryKey{}, fmt.Errorf("incorrectly formatted: %w", err)
 		}
 		binary.LittleEndian.PutUint16(out[i*2:], uint16(x))
 
@@ -167,14 +165,14 @@ func (s *activateWithKeyDataState) tryActivateWithRecoveredKey(key DiskUnlockKey
 		authorized, err := keyData.IsSnapModelAuthorized(auxKey, model)
 		switch {
 		case err != nil:
-			return xerrors.Errorf("cannot check if snap model is authorized: %w", err)
+			return fmt.Errorf("cannot check if snap model is authorized: %w", err)
 		case !authorized:
 			return errors.New("snap model is not authorized")
 		}
 	}
 
 	if err := luks2Activate(s.volumeName, s.sourceDevicePath, key, slot); err != nil {
-		return xerrors.Errorf("cannot activate volume: %w", err)
+		return fmt.Errorf("cannot activate volume: %w", err)
 	}
 
 	if err := keyring.AddKeyToUserKeyring(key, s.sourceDevicePath, keyringPurposeDiskUnlock, s.keyringPrefix); err != nil {
@@ -191,7 +189,7 @@ func (s *activateWithKeyDataState) tryActivateWithRecoveredKey(key DiskUnlockKey
 func (s *activateWithKeyDataState) tryKeyDataAuthModeNone(k *KeyData, slot int) error {
 	key, auxKey, err := k.RecoverKeys()
 	if err != nil {
-		return xerrors.Errorf("cannot recover key: %w", err)
+		return fmt.Errorf("cannot recover key: %w", err)
 	}
 
 	return s.tryActivateWithRecoveredKey(key, slot, k, auxKey)
@@ -200,7 +198,7 @@ func (s *activateWithKeyDataState) tryKeyDataAuthModeNone(k *KeyData, slot int)
 func (s *activateWithKeyDataState) tryKeyDataAuthModePassphrase(k *KeyData, slot int, passphrase string) error {
 	key, auxKey, err := k.RecoverKeysWithPassphrase(passphrase)
 	if err != nil {
-		return xerrors.Errorf("cannot recover key: %w", err)
+		return fmt.Errorf("cannot recover key: %w", err)
 	}
 
 	return s.tryActivateWithRecoveredKey(key, slot, k, auxKey)
@@ -244,7 +242,7 @@ func (s *activateWithKeyDataState) run() (success bool, err error) {
 		// ubuntu-data).
 		passphrase, err := s.authRequestor.RequestPassphrase(s.volumeName, s.sourceDevicePath)
 		if err != nil {
-			passphraseErr = xerrors.Errorf("cannot obtain passphrase: %w", err)
+			passphraseErr = fmt.Errorf("cannot obtain passphrase: %w", err)
 			continue
 		}
 
@@ -253,13 +251,13 @@ func (s *activateWithKeyDataState) run() (success bool, err error) {
 				continue
 			}
 
-			if k.err != nil && !xerrors.Is(k.err, ErrInvalidPassphrase) {
+			if k.err != nil && !errors.Is(k.err, ErrInvalidPassphrase) {
 				// Skip keys that failed for anything other than an invalid passphrase.
 				continue
 			}
 
 			if err := s.tryKeyDataAuthModePassphrase(k.KeyData, k.slot, passphrase); err != nil {
-				if !xerrors.Is(err, ErrInvalidPassphrase) {
+				if !errors.Is(err, ErrInvalidPassphrase) {
 					numPassphraseKeys -= 1
 				}
 				k.err = err
@@ -297,12 +295,12 @@ func activateWithRecoveryKey(volumeName, sourceDevicePath string, authRequestor
 
 		key, err := authRequestor.RequestRecoveryKey(volumeName, sourceDevicePath)
 		if err != nil {
-			lastErr = xerrors.Errorf("cannot obtain recovery key: %w", err)
+			lastErr = fmt.Errorf("cannot obtain recovery key: %w", err)
 			continue
 		}
 
 		if err := luks2Activate(volumeName, sourceDevicePath, key[:], luks2.AnySlot); err != nil {
-			lastErr = xerrors.Errorf("cannot activate volume: %w", err)
+			lastErr = fmt.Errorf("cannot activate volume: %w", err)
 			continue
 		}
 
@@ -629,19 +627,19 @@ func InitializeLUKS2Container(devicePath, label string, key DiskUnlockKey, optio
 	}
 
 	if err := luks2Format(devicePath, label, key, options.formatOpts()); err != nil {
-		return xerrors.Errorf("cannot format: %w", err)
+		return fmt.Errorf("cannot format: %w", err)
 	}
 
 	token := luksview.KeyDataToken{
 		TokenBase: luksview.TokenBase{
 			TokenKeyslot: 0,
 			TokenName:    initialKeyslotName}}
 	if err := luks2ImportToken(devicePath, &token, nil); err != nil {
-		return xerrors.Errorf("cannot import token: %w", err)
+		return fmt.Errorf("cannot import token: %w", err)
 	}
 
 	if err := luks2SetSlotPriority(devicePath, 0, luks2.SlotPriorityHigh); err != nil {
-		return xerrors.Errorf("cannot change keyslot priority: %w", err)
+		return fmt.Errorf("cannot change keyslot priority: %w", err)
 	}
 
 	return nil
@@ -657,7 +655,7 @@ func addLUKS2ContainerKey(devicePath, keyslotName string, existingKey, newKey Di
 	newToken func(base *luksview.TokenBase) luks2.Token, priority luks2.SlotPriority) error {
 	view, err := newLUKSView(devicePath, luks2.LockModeBlocking)
 	if err != nil {
-		return xerrors.Errorf("cannot obtain LUKS header view: %w", err)
+		return fmt.Errorf("cannot obtain LUKS header view: %w", err)
 	}
 
 	if _, _, exists := view.TokenByName(keyslotName); exists {
@@ -675,7 +673,7 @@ func addLUKS2ContainerKey(devicePath, keyslotName string, existingKey, newKey Di
 	}
 
 	if err := luks2AddKey(devicePath, existingKey, newKey, &luks2.AddKeyOptions{KDFOptions: *options, Slot: freeSlot}); err != nil {
-		return xerrors.Errorf("cannot add key: %w", err)
+		return fmt.Errorf("cannot add key: %w", err)
 	}
 
 	// XXX: If we fail between AddKey and ImportToken, then we end up with a
@@ -713,11 +711,11 @@ func addLUKS2ContainerKey(devicePath, keyslotName string, existingKey, newKey Di
 		TokenName:    keyslotName,
 		TokenKeyslot: freeSlot}
 	if err := luks2ImportToken(devicePath, newToken(&tokenBase), nil); err != nil {
-		return xerrors.Errorf("cannot import token: %w", err)
+		return fmt.Errorf("cannot import token: %w", err)
 	}
 
 	if err := luks2SetSlotPriority(devicePath, freeSlot, priority); err != nil {
-		return xerrors.Errorf("cannot change keyslot priority: %w", err)
+		return fmt.Errorf("cannot change keyslot priority: %w", err)
 	}
 
 	return nil
@@ -726,7 +724,7 @@ func addLUKS2ContainerKey(devicePath, keyslotName string, existingKey, newKey Di
 func listLUKS2ContainerKeyNames(devicePath string, tokenType luks2.TokenType) ([]string, error) {
 	view, err := newLUKSView(devicePath, luks2.LockModeBlocking)
 	if err != nil {
-		return nil, xerrors.Errorf("cannot obtain LUKS header view: %w", err)
+		return nil, fmt.Errorf("cannot obtain LUKS header view: %w", err)
 	}
 
 	var names []string
@@ -844,7 +842,7 @@ func ListLUKS2ContainerRecoveryKeyNames(devicePath string) ([]string, error) {
 func DeleteLUKS2ContainerKey(devicePath, keyslotName string) error {
 	view, err := newLUKSView(devicePath, luks2.LockModeBlocking)
 	if err != nil {
-		return xerrors.Errorf("cannot obtain LUKS header view: %w", err)
+		return fmt.Errorf("cannot obtain LUKS header view: %w", err)
 	}
 
 	token, id, exists := view.TokenByName(keyslotName)
@@ -864,15 +862,15 @@ func DeleteLUKS2ContainerKey(devicePath, keyslotName string) error {
 
 	slot := token.Keyslots()[0]
 	if err := luks2KillSlot(devicePath, slot); err != nil {
-		return xerrors.Errorf("cannot kill existing slot %d: %w", slot, err)
+		return fmt.Errorf("cannot kill existing slot %d: %w", slot, err)
 	}
 
 	// KillSlot will clear the keyslot field from the associated token so
 	// that we can identify it as orphaned and complete the transaction in
 	// the future if we are interrupted between KillSlot and RemoveToken.
 
 	if err := luks2RemoveToken(devicePath, id); err != nil {
-		return xerrors.Errorf("cannot remove existing token %d: %w", id, err)
+		return fmt.Errorf("cannot remove existing token %d: %w", id, err)
 	}
 
 	return nil
@@ -883,7 +881,7 @@ func DeleteLUKS2ContainerKey(devicePath, keyslotName string) error {
 func RenameLUKS2ContainerKey(devicePath, oldName, newName string) error {
 	view, err := newLUKSView(devicePath, luks2.LockModeBlocking)
 	if err != nil {
-		return xerrors.Errorf("cannot obtain LUKS header view: %w", err)
+		return fmt.Errorf("cannot obtain LUKS header view: %w", err)
 	}
 
 	removeOrphanedTokens(devicePath, view)
@@ -917,7 +915,7 @@ func RenameLUKS2ContainerKey(devicePath, oldName, newName string) error {
 	}
 
 	if err := luks2ImportToken(devicePath, newToken, &luks2.ImportTokenOptions{Id: id, Replace: true}); err != nil {
-		return xerrors.Errorf("cannot import new token: %w", err)
+		return fmt.Errorf("cannot import new token: %w", err)
 	}
 
 	return nil

diff --git a/efi/env.go b/efi/env.go
@@ -24,12 +24,12 @@ import (
 	"crypto"
 	"crypto/sha1"
 	"encoding/binary"
+	"fmt"
 	"io"
 	"sort"
 
 	efi "github.com/canonical/go-efilib"
 	"github.com/canonical/tcglog-parser"
-	"golang.org/x/xerrors"
 )
 
 // HostEnvironment is an interface that abstracts out an EFI environment, so that
@@ -261,7 +261,7 @@ func newRootVarsCollector(vars varReader) *rootVarsCollector {
 func (c *rootVarsCollector) registerUpdatesFor(initial *rootVarReader, updates *varUpdate) error {
 	newRoot := initial.Copy()
 	if err := newRoot.ApplyUpdates(updates); err != nil {
-		return xerrors.Errorf("cannot compute updated starting state: %w", err)
+		return fmt.Errorf("cannot compute updated starting state: %w", err)
 	}
 
 	key := newRoot.Key()