[PATCH v4 0/2] use confidential computing provisioned secrets for disk decryption

All of lore.kernel.org
 help / color / mirror / Atom feed

From: James Bottomley <jejb@linux.ibm.com>
To: grub-devel@gnu.org
Cc: thomas.lendacky@amd.com, ashish.kalra@amd.com,
	brijesh.singh@amd.com, david.kaplan@amd.com, jon.grimm@amd.com,
	tobin@ibm.com, frankeh@us.ibm.com,
	Dr David Alan Gilbert <dgilbert@redhat.com>,
	dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com,
	Javier Martinez Canillas <javierm@redhat.com>,
	GNUtoo@cyberdimension.org, ps@pks.im,
	development@efficientek.com, Daniel Kiper <dkiper@net-space.pl>
Subject: [PATCH v4 0/2] use confidential computing provisioned secrets for disk decryption
Date: Mon,  7 Feb 2022 10:29:42 -0500	[thread overview]
Message-ID: <20220207152944.27183-1-jejb@linux.ibm.com> (raw)

From: James Bottomley <James.Bottomley@HansenPartnership.com>

v4: Update to new password passing API and fold in review comments
    original patch 1 (which contained a password passing API) is
    removed and patch 2 is updated and patch 3 largely unchanged.

v3: make password getter specify prompt requirement.  Update for TDX:
    Make name more generic and expand size of secret area

    https://github.com/tianocore/edk2/commit/96201ae7bf97c3a2c0ef386110bb93d25e9af1ba
    https://github.com/tianocore/edk2/commit/caf8b3872ae2ac961c9fdf4d1d2c5d072c207299

    Redo the cryptodisk secret handler to make it completely generic
    and pluggable using a list of named secret providers.  Also allow
    an optional additional argument for secret providers that may have
    more than one secret.

v2: update geli.c to use conditional prompt and add callback for
    variable message printing and secret destruction

To achieve encrypted disk images in the AMD SEV and other confidential
computing encrypted virtual machines, we need to add the ability for
grub to retrieve the disk passphrase from an OVMF provisioned
configuration table.

https://github.com/tianocore/edk2/commit/01726b6d23d4c8a870dbd5b96c0b9e3caf38ef3c

(this now needs additional patches to update for the change in flow in v4)

The patches in this series modify grub to look for the disk passphrase
in the secret configuration table and use it to decrypt any disks in
the system if they are found.  This is so an encrypted image with a
properly injected password will boot without any user intervention.

The three patches firstly modify the cryptodisk consumers to allow
arbitrary password getters instead of the current console based one.
The next patch adds a '-s module [id]' option to cryptodisk to allow
it to use plugin provided passwords and the final one adds a sevsecret
command to check for the secrets configuration table and provision the
disk passphrase from it if an entry is found.  With all this in place,
the sequence to boot an encrypted volume without user intervention is:

cryptomount -s efisecret -a
source (crypto0)/boot/grub.cfg

Assuming there's a standard Linux root partition.

James

---

James Bottomley (2):
  cryptodisk: add OS provided secret support
  efi: Add API for retrieving the EFI secret for cryptodisk

 grub-core/Makefile.core.def    |   8 ++
 grub-core/disk/cryptodisk.c    |  56 +++++++++++++-
 grub-core/disk/efi/efisecret.c | 129 +++++++++++++++++++++++++++++++++
 include/grub/cryptodisk.h      |  14 ++++
 include/grub/efi/api.h         |  15 ++++
 5 files changed, 220 insertions(+), 2 deletions(-)
 create mode 100644 grub-core/disk/efi/efisecret.c

-- 
2.34.1

next             reply	other threads:[~2022-02-07 15:31 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-02-07 15:29 James Bottomley [this message]
2022-02-07 15:29 ` [PATCH v4 1/2] cryptodisk: add OS provided secret support James Bottomley
2022-02-14 22:18   ` Glenn Washburn
2022-02-17 22:18     ` James Bottomley
2022-02-26  0:50       ` Glenn Washburn
2022-02-07 15:29 ` [PATCH v4 2/2] efi: Add API for retrieving the EFI secret for cryptodisk James Bottomley
2022-02-07 17:00   ` Dr. David Alan Gilbert
2022-02-07 20:16     ` James Bottomley
2022-02-14 22:20   ` Glenn Washburn
2022-02-26  8:04 ` [PATCH v4 0/2] use confidential computing provisioned secrets for disk decryption Heinrich Schuchardt
2022-02-27 14:12   ` Dov Murik

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220207152944.27183-1-jejb@linux.ibm.com \
    --to=jejb@linux.ibm.com \
    --cc=Dov.Murik1@il.ibm.com \
    --cc=GNUtoo@cyberdimension.org \
    --cc=ashish.kalra@amd.com \
    --cc=brijesh.singh@amd.com \
    --cc=david.kaplan@amd.com \
    --cc=development@efficientek.com \
    --cc=dgilbert@redhat.com \
    --cc=dkiper@net-space.pl \
    --cc=dovmurik@linux.vnet.ibm.com \
    --cc=frankeh@us.ibm.com \
    --cc=grub-devel@gnu.org \
    --cc=javierm@redhat.com \
    --cc=jon.grimm@amd.com \
    --cc=ps@pks.im \
    --cc=thomas.lendacky@amd.com \
    --cc=tobin@ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.