cdh: support to encrypt block device #617
Conversation
| pub(crate) struct Rbd; | ||
|
|
||
| async fn random_encrypt_key() -> anyhow::Result<String> { | ||
| let storage_key_path = "/tmp/random_encrypt_rbd.key"; |
There was a problem hiding this comment.
Do we support multiple multiple encrypted rbd mounts? If so, do we need different keys?
|
Can we make sure we have proper documentation about this feature? Issues, PRs and discussions are easily consumed by developers, end users need a concise way of consuming such cool features without digging through github. |
Of course we should have a good document about it! |
ChengyuZhu6
force-pushed
the
encrypt-device
branch
8 times, most recently
from
4199ece to
dffc94c
Compare
| Ok(base64::engine::general_purpose::STANDARD.encode(&buffer)) | ||
| } | ||
|
|
||
| async fn get_plaintext_secret(secret: &str) -> anyhow::Result<String> { |
There was a problem hiding this comment.
I think I was expecting the encryption key to be a resource uri. Maybe having it be a sealed secret is better because that contains info about the KBS/HSM, integrity protection, etc., but so far we haven't used a sealed secret this way in any other parts of the CDH. Are we planning to adopt sealed secret format as a general wrapper around a resource uri?
cc: @Xynnn007
There was a problem hiding this comment.
I think they are for different scenarios. Given that we now support both KMS as a KBS backend (use KBS URI to index a key) and KMS as a CDH plugin (use Sealed Secret to index a key), we might need to support both. We can add a condition judgement here, if with kbs:// prefix, use
new_getter("kbs", ProviderSettings::default()).await?.get_secret(&secret, &Annotations::default())if with sealed. prefix, use
secret::unseal_secret(secret.as_bytes()).await?else, raise an error saying that illegal keyid format.
Thus we could support both inside CDH code. The consequence is both deploy model / solution could be used and the user does need to worry about underlying logic.
There was a problem hiding this comment.
Ok, I think supporting both makes sense. Each scheme has some pros/cons. I wonder if we should do something similar for other features.
| let rbd_parameter: RbdParameters = serde_json::from_str(¶meters)?; | ||
|
|
||
| if rbd_parameter.encrypt_type == RbdEncryptType::LUKS { | ||
| let storage_key_path = create_storage_key_file(&rbd_parameter).await?; |
There was a problem hiding this comment.
should we delete this file at some point?
There was a problem hiding this comment.
It would be removed in the binary luks-encrypt-storage
| @@ -61,6 +62,12 @@ impl Storage { | |||
| .await?; | |||
| Ok(self.mount_point.clone()) | |||
| } | |||
| Volume::Rbd => { | |||
There was a problem hiding this comment.
Rbd = rados block device? I don't see anything in this PR that is specific to RBD. Maybe this should just be called Volume::Luks or Volume::Encrypted in case we support gocryptfs in the future.
It's also interesting to note that a number of storage implementations might share the same encryption scheme but have different ways to mount the volume. I wonder if at some point we should refactor the storage design to have two phases (setup device and decrypt volume) so that some of the code could be shared. In this case we aren't doing anything to setup the device so we can probably worry about it later.
There was a problem hiding this comment.
Ah, I mean RBD = raw block device. To avoid any ambiguity, we may consider coming up with a better name.
There was a problem hiding this comment.
Maybe we should add some document for this. I think the RBD plugin here would mean "given a raw block device, mount it to the target path and decrypt it with given/ephemeral key".
The initial code does not care about the device setup. This also raises some open question. If CDH cares about the setup of the device, how to ensure the availability? I am not sure how kata now handles volumes if volumes are broken during runtime. Maybe we can learn something from kata.
There was a problem hiding this comment.
Maybe spell it out as RawBlockDevice or just call it something else to avoid confusion.
Provisioning the device can involve operations by the kata agent (i.e. mounting something from the host) and/or operations by the CDH (i.e. pulling data from cloud storage). In the first case (this PR) I think we basically have to assume that the kata agent (or more generally the caller of the CDH) has set things up correctly.
When we start implementing more sophisticated storage backends maybe it will make sense to make things a little bit more modular.
ChengyuZhu6
force-pushed
the
encrypt-device
branch
17 times, most recently
from
a0b9eac to
f35dc71
Compare
ChengyuZhu6
force-pushed
the
encrypt-device
branch
6 times, most recently
from
6978b62 to
d25571a
Compare
confidential-data-hub/storage/src/volume_type/blockdevice/luks/mod.rs
Outdated
Show resolved
Hide resolved
confidential-data-hub/storage/src/volume_type/blockdevice/mod.rs
Outdated
Show resolved
Hide resolved
ChengyuZhu6
force-pushed
the
encrypt-device
branch
3 times, most recently
from
f5eea20 to
d96113f
Compare
| A[Block Device] -- mount --> B[Block Device] | ||
| subgraph TEE Guest | ||
| B -- encrypt by cryptsetup --> C[LUKS Block Device] | ||
| C -- mount --> D[Target Path] |
There was a problem hiding this comment.
Could we mark which devices are encrypted, and which are plaintext?
|
|
||
| 2. Install `luks-encrypt-storage` | ||
|
|
||
| Install [luks-encrypt-storage](../../storage/scripts/luks-encrypt-storage) into `/usr/local/bin` |
There was a problem hiding this comment.
As a separate service, CDH could require install extra things. I am thinking about whether we can integrate the installations of luks-encrypt-storage, cachefs and ossfs binaries/scripts in CDH's Makefile. In CCv0, we explicit install them in kata scripts. This would bring extra maintaining cost for kata. cc @fitzthum @fidencio
There was a problem hiding this comment.
I agree that we can move the tasks of installing binaries or scripts to CDH, as they are only used in the CDH. CDH is responsible for installing them, and we can simplify the code in kata.
ChengyuZhu6
force-pushed
the
encrypt-device
branch
2 times, most recently
from
7509271 to
7f9554d
Compare
| pub(crate) struct BlockDevice; | ||
|
|
||
| #[async_trait] | ||
| pub trait Encryptor { |
There was a problem hiding this comment.
should this be encryptor or decryptor?
There was a problem hiding this comment.
For trusted storage, this should be encryptor. The guest will need to follow three steps: encrypt the block device from the host as a LUKS-encrypted block device, open the encrypted device with the key, and mount it. However, for secure storage, the guest will only need to perform the latter two steps. Overall, I think encryptor or decryptor are not suitable names for it. Therefore, I have renamed it to Interpreter.
|
@zvonkok Does the documentation make sense to you? Is there anything else that needs to be added or clarified? |
Sounds like a good idea for the future. I’ll keep that in mind and we can revisit it later. |
ChengyuZhu6
force-pushed
the
encrypt-device
branch
2 times, most recently
from
3b0a06f to
5178802
Compare
Add secure mount interface for block device. Fixed: confidential-containers#540 -- part II Signed-off-by: ChengyuZhu6 <[email protected]>
Mount block device encrypted by LUKS. Signed-off-by: ChengyuZhu6 <[email protected]>
add document for secure mount with block devices. Signed-off-by: ChengyuZhu6 <[email protected]>
ChengyuZhu6
force-pushed
the
encrypt-device
branch
from
5178802 to
de91150
Compare
Support to encrypt block device in cdh.
Fixed: #540 -- part II