preinstall: Reverse the logic of the *SupportRequired flags.

Every other flag works in reverse and has to be specified in order to
permit an error condition as ok. Reverse the logic in these flags so
that they also have to be specified in order to permit support for
specific PCRs to be missing.

Author: chrisccoulson

efi/preinstall/checks.go

@@ -33,46 +33,46 @@ import (
 type CheckFlags int
 
 const (
-	// PlatformFirmwareProfileSupportRequired indicates that support for
+	// PermitNoPlatformFirmwareProfileSupport indicates that support for
 	// [secboot_efi.WithPlatformFirmwareProfile] to generate profiles for
-	// PCR 0 is not optional.
-	PlatformFirmwareProfileSupportRequired CheckFlags = 1 << iota
+	// PCR 0 is optional.
+	PermitNoPlatformFirmwareProfileSupport CheckFlags = 1 << iota
 
-	// PlatformConfigProfileSupportRequired indicates that support for
+	// PermitNoPlatformConfigProfileSupportd indicates that support for
 	// generating profiles for PCR 1 is not optional.
 	//
-	// Note that this currently is not supported by the
-	// [github.com/snapcore/secboot/efi] package.
-	PlatformConfigProfileSupportRequired
+	// Note that this is currently mandatory because this profile is not
+	// supported by the [github.com/snapcore/secboot/efi] package.
+	PermitNoPlatformConfigProfileSupport
 
-	// DriversAndAppsProfileSupportRequired indicates that support for
+	// PermitNoDriversAndAppsProfileSupport indicates that support for
 	// [secboot_efi.WithDriversAndAppsProfile] to generate profiles for
-	// PCR 2 is not optional.
-	DriversAndAppsProfileSupportRequired
+	// PCR 2 is optional.
+	PermitNoDriversAndAppsProfileSupport
 
-	// DriversAndAppsConfigProfileSupportRequired indicates that support
-	// for generating profiles for PCR 3 is not optional.
+	// PermitNoDriversAndAppsConfigProfileSupport indicates that support
+	// for generating profiles for PCR 3 is optional.
 	//
-	// Note that this currently is not supported by the
-	// [github.com/snapcore/secboot/efi] package.
-	DriversAndAppsConfigProfileSupportRequired
+	// Note that this is currently mandatory because this profile is not
+	// supported by the [github.com/snapcore/secboot/efi] package.
+	PermitNoDriversAndAppsConfigProfileSupport
 
-	// BootManagerCodeProfileSupportRequired indicates that support for
+	// PermitNoBootManagerCodeProfileSupport indicates that support for
 	// [secboot_efi.WithBootManagerCodeProfile] to generate profiles for
-	// PCR 4 is not optional.
-	BootManagerCodeProfileSupportRequired
+	// PCR 4 is optional.
+	PermitNoBootManagerCodeProfileSupport
 
-	// BootManagerConfigProfileSupportRequired indicates that support
-	// for generating profiles for PCR 5 is not optional.
+	// PermitNoBootManagerConfigProfileSupport indicates that support
+	// for generating profiles for PCR 5 is optional.
 	//
-	// Note that this currently is not supported by the
-	// [github.com/snapcore/secboot/efi] package.
-	BootManagerConfigProfileSupportRequired
+	// Note that this is currently mandatory because this profile is not
+	// supported by the [github.com/snapcore/secboot/efi] package.
+	PermitNoBootManagerConfigProfileSupport
 
-	// SecureBootPolicyProfileSupportRequired indicates that support for
+	// PermitNoSecureBootPolicyProfileSupport indicates that support for
 	// [secboot_efi.WithSecureBootPolicyProfile] to generate profiles for
-	// PCR 7 is not optional.
-	SecureBootPolicyProfileSupportRequired
+	// PCR 7 is optional.
+	PermitNoSecureBootPolicyProfileSupport
 
 	// PermitWeakPCRBanks permits selecting a weak PCR algorithm if
 	// no other valid ones are available. This currently only includes
@@ -234,25 +234,25 @@ func RunChecks(ctx context.Context, flags CheckFlags, loadedImages []secboot_efi
 	// checkFirmwareLogAndChoosePCRBank will return an error if any of these PCRs
 	// are inconsistent with the reconstructed log.
 	var mandatoryPcrs tpm2.HandleList
-	if flags&PlatformFirmwareProfileSupportRequired > 0 {
+	if flags&PermitNoPlatformFirmwareProfileSupport == 0 {
 		mandatoryPcrs = append(mandatoryPcrs, internal_efi.PlatformFirmwarePCR)
 	}
-	if flags&PlatformConfigProfileSupportRequired > 0 {
+	if flags&PermitNoPlatformConfigProfileSupport == 0 {
 		mandatoryPcrs = append(mandatoryPcrs, internal_efi.PlatformConfigPCR)
 	}
-	if flags&DriversAndAppsProfileSupportRequired > 0 {
+	if flags&PermitNoDriversAndAppsProfileSupport == 0 {
 		mandatoryPcrs = append(mandatoryPcrs, internal_efi.DriversAndAppsPCR)
 	}
-	if flags&DriversAndAppsConfigProfileSupportRequired > 0 {
+	if flags&PermitNoDriversAndAppsConfigProfileSupport == 0 {
 		mandatoryPcrs = append(mandatoryPcrs, internal_efi.DriversAndAppsConfigPCR)
 	}
-	if flags&BootManagerCodeProfileSupportRequired > 0 {
+	if flags&PermitNoBootManagerCodeProfileSupport == 0 {
 		mandatoryPcrs = append(mandatoryPcrs, internal_efi.BootManagerCodePCR)
 	}
-	if flags&BootManagerConfigProfileSupportRequired > 0 {
+	if flags&PermitNoBootManagerConfigProfileSupport == 0 {
 		mandatoryPcrs = append(mandatoryPcrs, internal_efi.BootManagerConfigPCR)
 	}
-	if flags&SecureBootPolicyProfileSupportRequired > 0 {
+	if flags&PermitNoSecureBootPolicyProfileSupport == 0 {
 		mandatoryPcrs = append(mandatoryPcrs, internal_efi.SecureBootPolicyPCR)
 	}
 
@@ -368,7 +368,7 @@ func RunChecks(ctx context.Context, flags CheckFlags, loadedImages []secboot_efi
 		// PCR1 profiles are not supported yet.
 		err := &PlatformConfigPCRError{errors.New("generating profiles for PCR 1 is not supported yet")}
 		switch {
-		case flags&PlatformConfigProfileSupportRequired > 0:
+		case flags&PermitNoPlatformConfigProfileSupport == 0:
 			deferredErrs = append(deferredErrs, err)
 		default:
 			result.Flags |= NoPlatformConfigProfileSupport
@@ -392,7 +392,7 @@ func RunChecks(ctx context.Context, flags CheckFlags, loadedImages []secboot_efi
 		// PCR3 profiles are not supported yet
 		err := &DriversAndAppsConfigPCRError{errors.New("generating profiles for PCR 3 is not supported yet")}
 		switch {
-		case flags&DriversAndAppsConfigProfileSupportRequired > 0:
+		case flags&PermitNoDriversAndAppsConfigProfileSupport == 0:
 			deferredErrs = append(deferredErrs, err)
 		default:
 			result.Flags |= NoDriversAndAppsConfigProfileSupport
@@ -405,7 +405,7 @@ func RunChecks(ctx context.Context, flags CheckFlags, loadedImages []secboot_efi
 		// the reconstructed log value.
 		pcr4Result, err := checkBootManagerCodeMeasurements(ctx, runChecksEnv, log, result.PCRAlg, loadedImages)
 		switch {
-		case err != nil && flags&BootManagerCodeProfileSupportRequired > 0:
+		case err != nil && flags&PermitNoBootManagerCodeProfileSupport == 0:
 			deferredErrs = append(deferredErrs, &BootManagerCodePCRError{err})
 		case err != nil:
 			result.Flags |= NoBootManagerCodeProfileSupport
@@ -441,7 +441,7 @@ func RunChecks(ctx context.Context, flags CheckFlags, loadedImages []secboot_efi
 		// PCR5 profiles are not supported yet
 		err := &BootManagerConfigPCRError{errors.New("generating profiles for PCR 5 is not supported yet")}
 		switch {
-		case flags&BootManagerConfigProfileSupportRequired > 0:
+		case flags&PermitNoBootManagerConfigProfileSupport == 0:
 			deferredErrs = append(deferredErrs, err)
 		default:
 			result.Flags |= NoBootManagerConfigProfileSupport
@@ -458,7 +458,7 @@ func RunChecks(ctx context.Context, flags CheckFlags, loadedImages []secboot_efi
 		}
 		pcr7Result, err := checkSecureBootPolicyMeasurementsAndObtainAuthorities(ctx, runChecksEnv, log, result.PCRAlg, iblImage)
 		switch {
-		case err != nil && flags&SecureBootPolicyProfileSupportRequired > 0:
+		case err != nil && flags&PermitNoSecureBootPolicyProfileSupport == 0:
 			deferredErrs = append(deferredErrs, &SecureBootPolicyPCRError{err})
 		case err != nil:
 			result.Flags |= NoSecureBootPolicyProfileSupport

efi/preinstall/checks_context.go

@@ -154,12 +154,19 @@ type RunChecksContext struct {
 // API [RunChecksContext] should be executed again with the new set of flags, should the user wish to
 // change them. In this case, the caller should pass the PostInstallChecks flag as an initial flag.
 //
-// There is no need for the caller to supply any of these *SupportRequired flags as the initial flags,
-// and this may have the effect of limiting the number of devices which pass the checks.
+// There is no need for the caller to specify any of the PermitNo*ProfileSupport flags as the initial
+// flags, and they will be ignored anyway.
 func NewRunChecksContext(initialFlags CheckFlags, loadedImages []secboot_efi.Image, profileOpts PCRProfileOptionsFlags) *RunChecksContext {
+	defaultFlags := PermitNoPlatformFirmwareProfileSupport |
+		PermitNoPlatformConfigProfileSupport |
+		PermitNoDriversAndAppsProfileSupport |
+		PermitNoDriversAndAppsConfigProfileSupport |
+		PermitNoBootManagerCodeProfileSupport |
+		PermitNoBootManagerConfigProfileSupport |
+		PermitNoSecureBootPolicyProfileSupport
 	return &RunChecksContext{
 		env:          runChecksEnv,
-		flags:        initialFlags,
+		flags:        initialFlags | defaultFlags,
 		loadedImages: loadedImages,
 		profileOpts:  profileOpts,
 		// Populate actions that are always available or available by default
@@ -560,19 +567,19 @@ func (c *RunChecksContext) Run(ctx context.Context, action Action, args ...any)
 		for _, pcr := range requiredPCRsErr.PCRs {
 			switch pcr {
 			case 0:
-				c.flags |= PlatformFirmwareProfileSupportRequired
+				c.flags &^= PermitNoPlatformFirmwareProfileSupport
 			case 1:
-				c.flags |= PlatformConfigProfileSupportRequired
+				c.flags &^= PermitNoPlatformConfigProfileSupport
 			case 2:
-				c.flags |= DriversAndAppsProfileSupportRequired
+				c.flags &^= PermitNoDriversAndAppsProfileSupport
 			case 3:
-				c.flags |= DriversAndAppsConfigProfileSupportRequired
+				c.flags &^= PermitNoDriversAndAppsConfigProfileSupport
 			case 4:
-				c.flags |= BootManagerCodeProfileSupportRequired
+				c.flags &^= PermitNoBootManagerCodeProfileSupport
 			case 5:
-				c.flags |= BootManagerConfigProfileSupportRequired
+				c.flags &^= PermitNoBootManagerConfigProfileSupport
 			case 7:
-				c.flags |= SecureBootPolicyProfileSupportRequired
+				c.flags &^= PermitNoSecureBootPolicyProfileSupport
 			}
 		}
 	}