cdh: support to encrypt block device

Support to encrypt block device in cdh.

Fixed: confidential-containers#540 -- part II

Signed-off-by: ChengyuZhu6 <[email protected]>

confidential-data-hub/storage/src/error.rs

@@ -15,6 +15,9 @@ pub enum Error {
     #[error("Error when mounting Aliyun OSS")]
     AliyunOssError(#[from] volume_type::aliyun::error::AliyunError),
 
+    #[error("Error when mounting Block device")]
+    RbdError(#[from] volume_type::rbd::error::RbdError),
+
     #[error("Failed to recognize the storage type")]
     StorageTypeNotRecognized(#[from] strum::ParseError),
 }

confidential-data-hub/storage/src/volume_type/mod.rs

@@ -5,7 +5,7 @@
 
 #[cfg(feature = "aliyun")]
 pub mod aliyun;
-
+pub mod rbd;
 use std::{collections::HashMap, str::FromStr};
 
 use crate::Result;
@@ -20,6 +20,7 @@ pub enum Volume {
     #[cfg(feature = "aliyun")]
     #[strum(serialize = "alibaba-cloud-oss")]
     AliOss,
+    Rbd,
 }
 
 /// Indicating a mount point and its parameters.
@@ -61,6 +62,12 @@ impl Storage {
                     .await?;
                 Ok(self.mount_point.clone())
             }
+            Volume::Rbd => {
+                let rbd = rbd::Rbd {};
+                rbd.mount(&self.options, &self.flags, &self.mount_point)
+                    .await?;
+                Ok(self.mount_point.clone())
+            }
         }
     }
 }

confidential-data-hub/storage/src/volume_type/rbd/error.rs

@@ -0,0 +1,29 @@
+// Copyright (c) 2024 Intel
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use thiserror::Error;
+
+pub type Result<T> = std::result::Result<T, RbdError>;
+
+#[derive(Error, Debug)]
+pub enum RbdError {
+    #[error("Error when getting encrypt/decrypt keys")]
+    GetKeysFaile(#[from] anyhow::Error),
+
+    #[error("LUKSfs decryption mount failed")]
+    LUKSfsMountFailed,
+
+    #[error("I/O error")]
+    IOError(#[from] std::io::Error),
+
+    #[error("Failed to mount block device")]
+    BlockDeviceMountFailed,
+
+    #[error("Serialize/Deserialize failed")]
+    SerdeError(#[from] serde_json::Error),
+
+    #[error("Failed to recognize the storage type")]
+    StorageTypeNotRecognized(#[from] strum::ParseError),
+}

confidential-data-hub/storage/src/volume_type/rbd/mod.rs

@@ -0,0 +1,179 @@
+// Copyright (c) 2024 Intel
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+pub mod error;
+
+use super::SecureMount;
+use anyhow::Context;
+use async_trait::async_trait;
+use base64::Engine;
+use error::{RbdError, Result};
+use log::{debug, error};
+use rand::{distributions::Alphanumeric, Rng};
+use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
+use strum::{Display, EnumString};
+use tokio::{
+    fs,
+    io::{AsyncReadExt, AsyncWriteExt},
+    process::Command,
+};
+
+/// LUKS encrypt storage binary
+const LUKS_ENCRYPT_STORAGE_BIN: &str = "/usr/local/bin/luks-encrypt-storage";
+
+#[derive(EnumString, Serialize, Deserialize, Display, Debug, PartialEq, Eq)]
+pub enum RbdEncryptType {
+    #[strum(serialize = "luks")]
+    LUKS,
+}
+
+#[derive(Serialize, Deserialize, PartialEq, Debug)]
+struct RbdParameters {
+    /// The device number, formatted as "MAJ:MIN".
+    #[serde(rename = "deviceId")]
+    pub device_id: String,
+
+    /// The encryption type. Currently, only LUKS is supported.
+    #[serde(rename = "encryptType")]
+    pub encryption_type: RbdEncryptType,
+
+    /// Encryption key. If not set, generate a random 4096-byte key
+    #[serde(rename = "encryptKey")]
+    pub encryption_key: Option<String>,
+
+    /// Indicates whether to enable dm-integrity.
+    #[serde(rename = "dataIntegrity")]
+    pub data_integrity: String,
+}
+
+pub(crate) struct Rbd;
+
+struct Cleaner {
+    file_path: String,
+}
+
+impl Drop for Cleaner {
+    fn drop(&mut self) {
+        if let Err(e) = fs::remove_file(&self.file_path) {
+            eprintln!("Failed to remove file: {}", e);
+        } else {
+            println!("File removed successfully.");
+        }
+    }
+}
+
+async fn random_encrypt_key() -> anyhow::Result<String> {
+    let mut buffer = vec![0u8; 4096];
+    rand::thread_rng().fill(&mut buffer[..]);
+    Ok(base64::engine::general_purpose::STANDARD.encode(&buffer))
+}
+
+async fn get_plaintext_secret(secret: &str) -> anyhow::Result<String> {
+    if secret.starts_with("sealed.") {
+        debug!("detected sealed secret");
+        let unsealed = secret::unseal_secret(secret.as_bytes()).await?;
+
+        String::from_utf8(unsealed).context("convert to String failed")
+    } else {
+        Ok(secret.into())
+    }
+}
+
+async fn create_storage_key_file(
+    storage_key_path: String,
+    encrypt_key: Option<String>,
+) -> Result<()> {
+    let mut storage_key_file = fs::File::create(storage_key_path.clone()).await?;
+
+    let plain_key = match encrypt_key {
+        Some(encrypt_key) => get_plaintext_secret(&encrypt_key).await?,
+        None => random_encrypt_key().await?,
+    };
+
+    storage_key_file.write_all(plain_key.as_bytes()).await?;
+    storage_key_file.flush().await?;
+    Ok(())
+}
+
+impl Rbd {
+    async fn real_mount(
+        &self,
+        options: &HashMap<String, String>,
+        _flags: &[String],
+        mount_point: &str,
+    ) -> Result<()> {
+        // construct RbdParameters
+        let parameters = serde_json::to_string(options)?;
+        let rbd_parameter: RbdParameters = serde_json::from_str(&parameters)?;
+
+        if rbd_parameter.encryption_type == RbdEncryptType::LUKS {
+            let random_string: String = rand::thread_rng()
+                .sample_iter(&Alphanumeric)
+                .take(5)
+                .map(char::from)
+                .collect();
+            let storage_key_path = format!("/tmp/encrypted_storage_key_{}", random_string);
+            let _cleaner = Cleaner {
+                file_path: storage_key_path.clone(),
+            };
+            create_storage_key_file(storage_key_path.clone(), rbd_parameter.encryption_key).await?;
+
+            let parameters = vec![
+                rbd_parameter.device_id,
+                mount_point.to_string(),
+                storage_key_path.clone(),
+                rbd_parameter.data_integrity,
+            ];
+
+            let mut encrypt_device = Command::new(LUKS_ENCRYPT_STORAGE_BIN)
+                .args(parameters)
+                .spawn()
+                .map_err(|e| {
+                    error!("luks-encrypt-storage cmd fork failed: {e}");
+                    RbdError::BlockDeviceMountFailed
+                })?;
+
+            let rbd_res = encrypt_device.wait().await?;
+            // Remove the storage key file
+            fs::remove_file(storage_key_path.as_str()).await?;
+
+            if !rbd_res.success() {
+                {
+                    let mut stderr = String::new();
+                    if let Some(mut err) = encrypt_device.stderr {
+                        err.read_to_string(&mut stderr).await?;
+                        error!("RBD mount failed with stderr: {stderr}");
+                    } else {
+                        error!("RBD mount failed");
+                    }
+
+                    return Err(RbdError::BlockDeviceMountFailed);
+                }
+            }
+        };
+
+        Ok(())
+    }
+}
+
+#[async_trait]
+impl SecureMount for Rbd {
+    /// Mount the block device to the given `mount_point``.
+    ///
+    /// If `rbd.encrypt_type` is set to `LUKS`, the device will be formated as a LUKS-encrypted device.
+    /// Then use cryptsetup open the device and mount it to `mount_point` as plaintext.
+    ///
+    /// This is a wrapper for inner function to convert error type.
+    async fn mount(
+        &self,
+        options: &HashMap<String, String>,
+        flags: &[String],
+        mount_point: &str,
+    ) -> super::Result<()> {
+        self.real_mount(options, flags, mount_point)
+            .await
+            .map_err(|e| e.into())
+    }
+}