From: Dov Murik <dovmurik@linux.ibm.com>
To: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>,
James Bottomley <jejb@linux.ibm.com>
Cc: thomas.lendacky@amd.com, ashish.kalra@amd.com,
brijesh.singh@amd.com, david.kaplan@amd.com, jon.grimm@amd.com,
tobin@ibm.com, frankeh@us.ibm.com,
Dr David Alan Gilbert <dgilbert@redhat.com>,
dovmurik@linux.vnet.ibm.com, Dov.Murik1@il.ibm.com,
Javier Martinez Canillas <javierm@redhat.com>,
GNUtoo@cyberdimension.org, ps@pks.im,
development@efficientek.com, Daniel Kiper <dkiper@net-space.pl>,
The development of GNU GRUB <grub-devel@gnu.org>,
Dov Murik <dovmurik@linux.ibm.com>
Subject: Re: [PATCH v4 0/2] use confidential computing provisioned secrets for disk decryption
Date: Sun, 27 Feb 2022 16:12:52 +0200 [thread overview]
Message-ID: <209199d1-1d7d-cc31-e352-148f0a3fcf80@linux.ibm.com> (raw)
In-Reply-To: <df7c403a-815f-7be7-b125-1f67c2baf85d@canonical.com>
On 26/02/2022 10:04, Heinrich Schuchardt wrote:
> On 2/7/22 16:29, James Bottomley wrote:
>> From: James Bottomley <James.Bottomley@HansenPartnership.com>
>>
>> v4: Update to new password passing API and fold in review comments
>> original patch 1 (which contained a password passing API) is
>> removed and patch 2 is updated and patch 3 largely unchanged.
>>
>> v3: make password getter specify prompt requirement. Update for TDX:
>> Make name more generic and expand size of secret area
>>
>>
>> https://github.com/tianocore/edk2/commit/96201ae7bf97c3a2c0ef386110bb93d25e9af1ba
>>
>>
>> https://github.com/tianocore/edk2/commit/caf8b3872ae2ac961c9fdf4d1d2c5d072c207299
>>
>>
>> Redo the cryptodisk secret handler to make it completely generic
>> and pluggable using a list of named secret providers. Also allow
>> an optional additional argument for secret providers that may have
>> more than one secret.
>>
>> v2: update geli.c to use conditional prompt and add callback for
>> variable message printing and secret destruction
>>
>> To achieve encrypted disk images in the AMD SEV and other confidential
>> computing encrypted virtual machines, we need to add the ability for
>> grub to retrieve the disk passphrase from an OVMF provisioned
>> configuration table.
>>
>> https://github.com/tianocore/edk2/commit/01726b6d23d4c8a870dbd5b96c0b9e3caf38ef3c
>>
>>
>> (this now needs additional patches to update for the change in flow in
>> v4)
>>
>> The patches in this series modify grub to look for the disk passphrase
>> in the secret configuration table and use it to decrypt any disks in
>> the system if they are found. This is so an encrypted image with a
>> properly injected password will boot without any user intervention.
>>
>> The three patches firstly modify the cryptodisk consumers to allow
>> arbitrary password getters instead of the current console based one.
>> The next patch adds a '-s module [id]' option to cryptodisk to allow
>> it to use plugin provided passwords and the final one adds a sevsecret
>> command to check for the secrets configuration table and provision the
>> disk passphrase from it if an entry is found. With all this in place,
>> the sequence to boot an encrypted volume without user intervention is:
>>
>> cryptomount -s efisecret -a
>> source (crypto0)/boot/grub.cfg
>>
>> Assuming there's a standard Linux root partition.
>>
>> James
>
> Is there a text document that defines the EFI secret table and its
> contents?
>
Such documentation appears in the kernel driver we're proposing [1] to
allow userspace programs to read secrets from the same area (similarly
to how grub can read a secret from it).
In that patch [1], look for "Structure of the EFI secret area" in efi_secret.c.
Here's the relevant part:
+/*
+ * Structure of the EFI secret area
+ *
+ * Offset Length
+ * (bytes) (bytes) Usage
+ * ------- ------- -----
+ * 0 16 Secret table header GUID (must be 1e74f542-71dd-4d66-963e-ef4287ff173b)
+ * 16 4 Length of bytes of the entire secret area
+ *
+ * 20 16 First secret entry's GUID
+ * 36 4 First secret entry's length in bytes (= 16 + 4 + x)
+ * 40 x First secret entry's data
+ *
+ * 40+x 16 Second secret entry's GUID
+ * 56+x 4 Second secret entry's length in bytes (= 16 + 4 + y)
+ * 60+x y Second secret entry's data
+ *
+ * (... and so on for additional entries)
+ *
+ * The GUID of each secret entry designates the usage of the secret data.
+ */
Note that grub is looking for one entry from this table: an entry with
GUID 736870e5-84f0-4973-92ec-06879ce3da0b (GRUB_EFI_DISKPASSWD_GUID).
We'll also add similar documentation to kbs-rs [2] (Key Broker Service) which is
one of the options for the Guest Owner server that generates this secret area
(to be securely injected into the guest).
[1] https://lore.kernel.org/linux-coco/20220201124413.1093099-4-dovmurik@linux.ibm.com/#Z31drivers:virt:coco:efi_secret:efi_secret.c
[2] https://github.com/confidential-containers/kbs-rs
-Dov
> Best regards
>
> Heinrich
>
>>
>> ---
>>
>> James Bottomley (2):
>> cryptodisk: add OS provided secret support
>> efi: Add API for retrieving the EFI secret for cryptodisk
>>
>> grub-core/Makefile.core.def | 8 ++
>> grub-core/disk/cryptodisk.c | 56 +++++++++++++-
>> grub-core/disk/efi/efisecret.c | 129 +++++++++++++++++++++++++++++++++
>> include/grub/cryptodisk.h | 14 ++++
>> include/grub/efi/api.h | 15 ++++
>> 5 files changed, 220 insertions(+), 2 deletions(-)
>> create mode 100644 grub-core/disk/efi/efisecret.c
>>
>
prev parent reply other threads:[~2022-02-27 14:13 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-07 15:29 [PATCH v4 0/2] use confidential computing provisioned secrets for disk decryption James Bottomley
2022-02-07 15:29 ` [PATCH v4 1/2] cryptodisk: add OS provided secret support James Bottomley
2022-02-14 22:18 ` Glenn Washburn
2022-02-17 22:18 ` James Bottomley
2022-02-26 0:50 ` Glenn Washburn
2022-02-07 15:29 ` [PATCH v4 2/2] efi: Add API for retrieving the EFI secret for cryptodisk James Bottomley
2022-02-07 17:00 ` Dr. David Alan Gilbert
2022-02-07 20:16 ` James Bottomley
2022-02-14 22:20 ` Glenn Washburn
2022-02-26 8:04 ` [PATCH v4 0/2] use confidential computing provisioned secrets for disk decryption Heinrich Schuchardt
2022-02-27 14:12 ` Dov Murik [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=209199d1-1d7d-cc31-e352-148f0a3fcf80@linux.ibm.com \
--to=dovmurik@linux.ibm.com \
--cc=Dov.Murik1@il.ibm.com \
--cc=GNUtoo@cyberdimension.org \
--cc=ashish.kalra@amd.com \
--cc=brijesh.singh@amd.com \
--cc=david.kaplan@amd.com \
--cc=development@efficientek.com \
--cc=dgilbert@redhat.com \
--cc=dkiper@net-space.pl \
--cc=dovmurik@linux.vnet.ibm.com \
--cc=frankeh@us.ibm.com \
--cc=grub-devel@gnu.org \
--cc=heinrich.schuchardt@canonical.com \
--cc=javierm@redhat.com \
--cc=jejb@linux.ibm.com \
--cc=jon.grimm@amd.com \
--cc=ps@pks.im \
--cc=thomas.lendacky@amd.com \
--cc=tobin@ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.