overlord/devicestate,secboot: fix factory reset on older versions

go.mod

@@ -7,9 +7,9 @@ replace maze.io/x/crypto => github.com/snapcore/maze.io-x-crypto v0.0.0-20190131
 
 require (
 	github.com/bmatcuk/doublestar/v4 v4.6.1
-	github.com/canonical/go-efilib v1.3.1
+	github.com/canonical/go-efilib v1.4.1
 	github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 // indirect
-	github.com/canonical/go-tpm2 v1.7.6
+	github.com/canonical/go-tpm2 v1.11.1
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2
 	github.com/gorilla/mux v1.8.0
@@ -21,11 +21,11 @@ require (
 	github.com/mvo5/libseccomp-golang v0.9.1-0.20180308152521-f4de83b52afb // old trusty builds only
 	github.com/seccomp/libseccomp-golang v0.9.2-0.20220502024300-f57e1d55ea18
 	github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785
-	github.com/snapcore/secboot v0.0.0-20241115151056-b3ae5175dc9b
-	golang.org/x/crypto v0.21.0
+	github.com/snapcore/secboot v0.0.0-20250124132100-452552189677
+	golang.org/x/crypto v0.23.0
 	golang.org/x/net v0.21.0 // indirect
-	golang.org/x/sys v0.19.0
-	golang.org/x/text v0.14.0
+	golang.org/x/sys v0.21.0
+	golang.org/x/text v0.15.0
 	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/macaroon.v1 v1.0.0
@@ -39,11 +39,11 @@ require go.etcd.io/bbolt v1.3.9
 
 require (
 	github.com/canonical/cpuid v0.0.0-20220614022739-219e067757cb // indirect
-	github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0 // indirect
+	github.com/canonical/go-kbkdf v0.0.0-20250104172618-3b1308f9acf9 // indirect
 	github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981 // indirect
 	github.com/kr/pretty v0.2.2-0.20200810074440-814ac30b4b18 // indirect
 	github.com/kr/text v0.1.0 // indirect
 	golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f // indirect
-	golang.org/x/term v0.18.0 // indirect
+	golang.org/x/term v0.20.0 // indirect
 	maze.io/x/crypto v0.0.0-20190131090603-9b94c9afe066 // indirect
 )

go.sum

@@ -2,14 +2,14 @@ github.com/bmatcuk/doublestar/v4 v4.6.1 h1:FH9SifrbvJhnlQpztAx++wlkk70QBf0iBWDwN
 github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/canonical/cpuid v0.0.0-20220614022739-219e067757cb h1:+kA/9oHTqUx4P08ywKvmd7a1wOL3RLTrE0K958C15x8=
 github.com/canonical/cpuid v0.0.0-20220614022739-219e067757cb/go.mod h1:6j8Sw3dwYVcBXltEeGklDoK/8UJVJNQPUkg1ZdQUgbk=
-github.com/canonical/go-efilib v1.3.1 h1:KnVlqrKn0ZDGAbgQt9tke5cvtqNRCmpEp0v7RGUVpqs=
-github.com/canonical/go-efilib v1.3.1/go.mod h1:n0Ttsy1JuHAvqaFbZBs6PAzoiiJdfkHsAmDOEbexYEQ=
-github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0 h1:ZE2XMRFHcwlib3uU9is37+pKkkMloVoEPWmgQ6GK1yo=
-github.com/canonical/go-sp800.108-kdf v0.0.0-20210315104021-ead800bbf9a0/go.mod h1:Zrs3YjJr+w51u0R/dyLh/oWt/EcBVdLPCVFYC4daW5s=
+github.com/canonical/go-efilib v1.4.1 h1:/VMNCypz+iVmnNuMcsm7WvmDMI1ObkEP2W1h8Ls7OyM=
+github.com/canonical/go-efilib v1.4.1/go.mod h1:n0Ttsy1JuHAvqaFbZBs6PAzoiiJdfkHsAmDOEbexYEQ=
+github.com/canonical/go-kbkdf v0.0.0-20250104172618-3b1308f9acf9 h1:Twk1ZSTWRClfGShP16ePf2JIiayqWS4ix1rkAR6baag=
+github.com/canonical/go-kbkdf v0.0.0-20250104172618-3b1308f9acf9/go.mod h1:IneQ5/yQcfPXrGekEXpR6yeea55ZD24N5+kHzeDseOM=
 github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 h1:oe6fCvaEpkhyW3qAicT0TnGtyht/UrgvOwMcEgLb7Aw=
 github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3/go.mod h1:qdP0gaj0QtgX2RUZhnlVrceJ+Qln8aSlDyJwelLLFeM=
-github.com/canonical/go-tpm2 v1.7.6 h1:9k9OAEEp9xKp4h2WJwfTUNivblJi4L5Wjx7Q/LkSTSQ=
-github.com/canonical/go-tpm2 v1.7.6/go.mod h1:Dz0PQRmoYrmk/4BLILjRA+SFzuqEo1etAvYeAJiMhYU=
+github.com/canonical/go-tpm2 v1.11.1 h1:RivdSXfBWWW+eFaFNYQby5+kVgY4km9eEayot1wX/qU=
+github.com/canonical/go-tpm2 v1.11.1/go.mod h1:zK+qESVwu78XyX+NPhiBdN+zwPPDoKk4rYlQ7VUsRp4=
 github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981 h1:vrUzSfbhl8mzdXPzjxq4jXZPCCNLv18jy6S7aVTS2tI=
 github.com/canonical/tcglog-parser v0.0.0-20240924110432-d15eaf652981/go.mod h1:ywdPBqUGkuuiitPpVWCfilf2/gq+frhq4CNiNs9KyHU=
 github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
@@ -49,15 +49,15 @@ github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785 h1:PaunR+BhraK
 github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785/go.mod h1:D3SsWAXK7wCCBZu+Vk5hc1EuKj/L3XN1puEMXTU4LrQ=
 github.com/snapcore/maze.io-x-crypto v0.0.0-20190131090603-9b94c9afe066 h1:InG0EmriMOiI4YgtQNOo+6fNxzLCYioo3Q3BCVLdMCE=
 github.com/snapcore/maze.io-x-crypto v0.0.0-20190131090603-9b94c9afe066/go.mod h1:VuAdaITF1MrGzxPU+8GxagM1HW2vg7QhEFEeGHbmEMU=
-github.com/snapcore/secboot v0.0.0-20241115151056-b3ae5175dc9b h1:ywW6AgHzAVjJIlkDLb+52IgEXVFYxG2rzjP34khWbow=
-github.com/snapcore/secboot v0.0.0-20241115151056-b3ae5175dc9b/go.mod h1:Tw/DK06oyO+lFvAQxmNPzXRlSWGk9vZlS2eNx4riAHo=
+github.com/snapcore/secboot v0.0.0-20250124132100-452552189677 h1:B2Bf7T1aBXOgkwAEFnR/g8d2l9hjrzS/X6BsnVrBNI4=
+github.com/snapcore/secboot v0.0.0-20250124132100-452552189677/go.mod h1:2cqUsx8AzOpyo7IAkeAln8SEr9ymC/GVOrFEYNL0RrI=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 go.etcd.io/bbolt v1.3.9 h1:8x7aARPEXiXbHmtUwAIv7eV2fQFHrLLavdiJ3uzJXoI=
 go.etcd.io/bbolt v1.3.9/go.mod h1:zaO32+Ti0PK1ivdPtgMESzuzL2VPoIG1PCQNvOdo/dE=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f h1:99ci1mjWVBWwJiEKYY6jWa4d2nTQVIEhZIptnrVb1XY=
 golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -67,13 +67,13 @@ golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
-golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f h1:uF6paiQQebLeSXkrTqHqz0MXhXXS1KgF41eUdBNvxK0=
 golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=

overlord/devicestate/devicestate_install_mode_test.go

@@ -2333,8 +2333,9 @@ func (s *deviceMgrInstallModeSuite) doRunFactoryResetChange(c *C, model *asserts
 		return fmt.Errorf("unexpected call")
 	})()
 
-	defer devicestate.MockSecbootRenameOrDeleteKeys(func(node string, renames map[string]string) error {
+	defer devicestate.MockSecbootRenameKeys(func(nonAtomic *secboot.NonAtomicOperationAllowedFlag, node string, renames map[string]string) error {
 		if tc.encrypt {
+			c.Check(nonAtomic, NotNil)
 			c.Check(node, Equals, "/dev/disk/by-uuid/570faa3d-e3bc-49db-979b-e7814b6bd390")
 			c.Check(renames, DeepEquals, map[string]string{
 				"default":          "factory-reset-old",
@@ -2345,6 +2346,14 @@ func (s *deviceMgrInstallModeSuite) doRunFactoryResetChange(c *C, model *asserts
 		c.Errorf("unexpected call")
 		return fmt.Errorf("unexpected call")
 	})()
+	defer devicestate.MockSecbootConvertOldDisk(func(devicePath string) error {
+		if tc.encrypt {
+			c.Check(devicePath, Equals, "/dev/disk/by-uuid/570faa3d-e3bc-49db-979b-e7814b6bd390")
+			return nil
+		}
+		c.Errorf("unexpected call")
+		return fmt.Errorf("unexpected call")
+	})()
 
 	var bootstrapContainer *secboot.MockBootstrappedContainer
 	defer devicestate.MockSecbootCreateBootstrappedContainer(func(key secboot.DiskUnlockKey, devicePath string) secboot.BootstrappedContainer {
@@ -2691,6 +2700,19 @@ echo "mock output of: $(basename "$0") $*"
 			"ID_FS_UUID": "570faa3d-e3bc-49db-979b-e7814b6bd390",
 		}, nil
 	})()
+	defer devicestate.MockSecbootRenameKeys(func(nonAtomic *secboot.NonAtomicOperationAllowedFlag, node string, renames map[string]string) error {
+		c.Check(nonAtomic, NotNil)
+		c.Check(node, Equals, "foo")
+		c.Check(renames, DeepEquals, map[string]string{
+			"default":          "factory-reset-old",
+			"default-fallback": "factory-reset-old-fallback",
+		})
+		return nil
+	})()
+	defer devicestate.MockSecbootConvertOldDisk(func(devicePath string) error {
+		c.Check(devicePath, Equals, "/dev/disk/by-uuid/FOOUUID")
+		return nil
+	})()
 
 	err = s.doRunFactoryResetChange(c, model, resetTestCase{
 		tpm: true, encrypt: true, trustedBootloader: true,
@@ -2773,6 +2795,19 @@ echo "mock output of: $(basename "$0") $*"
 			"ID_FS_UUID": "570faa3d-e3bc-49db-979b-e7814b6bd390",
 		}, nil
 	})()
+	defer devicestate.MockSecbootRenameKeys(func(nonAtomic *secboot.NonAtomicOperationAllowedFlag, node string, renames map[string]string) error {
+		c.Check(nonAtomic, NotNil)
+		c.Check(node, Equals, "foo")
+		c.Check(renames, DeepEquals, map[string]string{
+			"default":          "factory-reset-old",
+			"default-fallback": "factory-reset-old-fallback",
+		})
+		return nil
+	})()
+	defer devicestate.MockSecbootConvertOldDisk(func(devicePath string) error {
+		c.Check(devicePath, Equals, "/dev/disk/by-uuid/FOOUUID")
+		return nil
+	})()
 
 	err = s.doRunFactoryResetChange(c, model, resetTestCase{
 		tpm: true, encrypt: true, trustedBootloader: true,

overlord/devicestate/devicestate_test.go

@@ -2263,19 +2263,29 @@ func (s *deviceMgrSuite) TestDeviceManagerEnsurePostFactoryResetEncrypted(c *C)
 	})
 	defer restore()
 
+	removeOldDiskKeys := 0
+	restore = devicestate.MockSecbootRemoveOldDiskKeys(func(devicePath string) error {
+		c.Check(devicePath, Equals, "/dev/disk/by-uuid/FOOUUID")
+		removeOldDiskKeys++
+		return nil
+	})
+	defer restore()
+
 	err = s.mgr.Ensure()
 	c.Assert(err, IsNil)
 
 	c.Check(completeCalls, Equals, 1)
 	c.Check(transitionCalls, Equals, 0)
 	c.Check(deleteOldSaveKey, Equals, 1)
+	c.Check(removeOldDiskKeys, Equals, 1)
 	// factory reset marker is gone, the key was verified successfully
 	c.Check(filepath.Join(dirs.SnapDeviceDir, "factory-reset"), testutil.FileAbsent)
 	c.Check(filepath.Join(dirs.SnapFDEDir, "marker"), testutil.FilePresent)
 
 	completeCalls = 0
 	transitionCalls = 0
 	deleteOldSaveKey = 0
+	removeOldDiskKeys = 0
 	// try again, no marker, nothing should happen
 	devicestate.SetPostFactoryResetRan(s.mgr, false)
 	err = s.mgr.Ensure()
@@ -2284,6 +2294,7 @@ func (s *deviceMgrSuite) TestDeviceManagerEnsurePostFactoryResetEncrypted(c *C)
 	c.Check(completeCalls, Equals, 0)
 	c.Check(transitionCalls, Equals, 0)
 	c.Check(deleteOldSaveKey, Equals, 0)
+	c.Check(removeOldDiskKeys, Equals, 0)
 
 	// have the marker, but migrate the key as if boot code would do it and
 	// try again, in this setup the marker hash matches the migrated key
@@ -2298,6 +2309,7 @@ func (s *deviceMgrSuite) TestDeviceManagerEnsurePostFactoryResetEncrypted(c *C)
 	c.Check(completeCalls, Equals, 1)
 	c.Check(transitionCalls, Equals, 0)
 	c.Check(deleteOldSaveKey, Equals, 1)
+	c.Check(removeOldDiskKeys, Equals, 1)
 	// the marker was again removed
 	c.Check(filepath.Join(dirs.SnapDeviceDir, "factory-reset"), testutil.FileAbsent)
 }

overlord/devicestate/export_test.go

@@ -610,11 +610,11 @@ func MockSecbootAddBootstrapKeyOnExistingDisk(f func(node string, newKey keys.En
 	}
 }
 
-func MockSecbootRenameOrDeleteKeys(f func(node string, renames map[string]string) error) (restore func()) {
-	old := secbootRenameOrDeleteKeys
-	secbootRenameOrDeleteKeys = f
+func MockSecbootRenameKeys(f func(nonAtomic *secboot.NonAtomicOperationAllowedFlag, node string, renames map[string]string) error) (restore func()) {
+	old := secbootRenameKeys
+	secbootRenameKeys = f
 	return func() {
-		secbootRenameOrDeleteKeys = old
+		secbootRenameKeys = old
 	}
 }
 
@@ -634,6 +634,22 @@ func MockSecbootDeleteKeys(f func(node string, matches map[string]bool) error) (
 	}
 }
 
+func MockSecbootRemoveOldDiskKeys(f func(devicePath string) error) (restore func()) {
+	old := secbootRemoveOldDiskKeys
+	secbootRemoveOldDiskKeys = f
+	return func() {
+		secbootRemoveOldDiskKeys = old
+	}
+}
+
+func MockSecbootConvertOldDisk(f func(devicePath string) error) (restore func()) {
+	old := secbootConvertOldDisk
+	secbootConvertOldDisk = f
+	return func() {
+		secbootConvertOldDisk = old
+	}
+}
+
 func MockDisksDMCryptUUIDFromMountPoint(f func(mountpoint string) (string, error)) (restore func()) {
 	old := disksDMCryptUUIDFromMountPoint
 	disksDMCryptUUIDFromMountPoint = f

overlord/devicestate/handlers_install.go

@@ -76,6 +76,7 @@
 	installMatchDisksToGadgetVolumes     = install.MatchDisksToGadgetVolumes
 	secbootStageEncryptionKeyChange      = secboot.StageEncryptionKeyChange
 	secbootTransitionEncryptionKeyChange = secboot.TransitionEncryptionKeyChange
+	secbootConvertOldDisk                = secboot.ConvertOldDisk
 
 	installLogicPrepareRunSystemData = installLogic.PrepareRunSystemData
 )
@@ -626,7 +627,10 @@
 		}
 		saveNode = fmt.Sprintf("/dev/disk/by-uuid/%s", uuid)
 
-		saveBoostrapContainer, err := createSaveBootstrappedContainer(saveNode)
+		// We are in factory reset and we need to allow non
+		// atomic operations. Non atomic operations will be
+		// used only if cryptsetup is too old.
+		saveBoostrapContainer, err := createSaveBootstrappedContainer(secboot.AllowNonAtomicOperation(), saveNode)
 		if err != nil {
 			return err
 		}
@@ -1313,12 +1317,13 @@
 
 var (
 	secbootAddBootstrapKeyOnExistingDisk = secboot.AddBootstrapKeyOnExistingDisk
-	secbootRenameOrDeleteKeys            = secboot.RenameOrDeleteKeys
+	secbootRenameKeys                    = secboot.RenameKeys
 	secbootCreateBootstrappedContainer   = secboot.CreateBootstrappedContainer
 	secbootDeleteKeys                    = secboot.DeleteKeys
+	secbootRemoveOldDiskKeys             = secboot.RemoveOldDiskKeys
 )
 
-func createSaveBootstrappedContainer(saveNode string) (secboot.BootstrappedContainer, error) {
+func createSaveBootstrappedContainer(nonAtomic *secboot.NonAtomicOperationAllowedFlag, saveNode string) (secboot.BootstrappedContainer, error) {
 	// new encryption key for save
 	saveEncryptionKey, err := keys.NewEncryptionKey()
 	if err != nil {
@@ -1352,8 +1357,12 @@
 		"default":          "factory-reset-old",
 		"default-fallback": "factory-reset-old-fallback",
 	}
-	if err := secbootRenameOrDeleteKeys(saveNode, renames); err != nil {
-		return nil, err
+	if err := secbootRenameKeys(nonAtomic, saveNode, renames); err != nil {
+		return nil, fmt.Errorf("cannot rename existing keys: %w", err)
+	}
+
+	if err := secbootConvertOldDisk(saveNode); err != nil {
+		return nil, fmt.Errorf("cannot convert old keys: %w", err)
 	}
 
 	return secbootCreateBootstrappedContainer(secboot.DiskUnlockKey(saveEncryptionKey), saveNode), nil
@@ -1378,5 +1387,12 @@
 		"factory-reset-old-fallback": true,
 	}
 
-	return secbootDeleteKeys(diskPath, toDelete)
+
+	if err := secbootDeleteKeys(diskPath, toDelete); err != nil {
+		return fmt.Errorf("cannot delete previous keys: %w", err)
+	}
+	if err := secbootRemoveOldDiskKeys(diskPath); err != nil {
+		return fmt.Errorf("cannot remove old disk keys: %w", err)
+	}
+	return nil
 }

secboot/export_sb_test.go

@@ -330,6 +330,14 @@ func MockRenameLUKS2ContainerKey(f func(devicePath, keyslotName, renameTo string
 	}
 }
 
+func MockCopyAndRemoveLUKS2ContainerKey(f func(nonAtomic *NonAtomicOperationAllowedFlag, devicePath, keyslotName, renameTo string) error) (restore func()) {
+	old := sbCopyAndRemoveLUKS2ContainerKey
+	sbCopyAndRemoveLUKS2ContainerKey = f
+	return func() {
+		sbCopyAndRemoveLUKS2ContainerKey = old
+	}
+}
+
 func MockSbNewFileKeyDataReader(f func(path string) (*sb.FileKeyDataReader, error)) (restore func()) {
 	old := sbNewFileKeyDataReader
 	sbNewFileKeyDataReader = f

secboot/secboot.go

@@ -251,3 +251,14 @@ func MarkSuccessful() error {
 
 	return nil
 }
+
+type NonAtomicOperationAllowedFlag struct {
+}
+
+// AllowNonAtomicOperation gives a flag to allow some operations that
+// are not atomic. Those can be dangerous depending on usage context,
+// they should be used with care and intentionally (that's why the
+// extra hoops).
+func AllowNonAtomicOperation() *NonAtomicOperationAllowedFlag {
+       return &NonAtomicOperationAllowedFlag{}
+}

secboot/secboot_dummy.go

@@ -79,7 +79,7 @@ func AddBootstrapKeyOnExistingDisk(node string, newKey keys.EncryptionKey) error
 	return errBuildWithoutSecboot
 }
 
-func RenameOrDeleteKeys(node string, renames map[string]string) error {
+func RenameKeys(nonAtomic *NonAtomicOperationAllowedFlag, node string, renames map[string]string) error {
 	return errBuildWithoutSecboot
 }
 
@@ -112,3 +112,11 @@ func (ha HashAlg) MarshalJSON() ([]byte, error) {
 func (ha *HashAlg) UnmarshalJSON([]byte) error {
 	return errBuildWithoutSecboot
 }
+
+func ConvertOldDisk(devicePath string) error {
+	return errBuildWithoutSecboot
+}
+
+func RemoveOldDiskKeys(devicePath string) error {
+	return errBuildWithoutSecboot
+}