grub-devel



From: Dr. David Alan Gilbert
Subject: Re: [PATCH 0/3] Add ability to use SEV provisioned secrets for disk decryption
Date: Fri, 13 Nov 2020 17:50:15 +0000
User-agent: Mutt/1.14.6 (2020-07-11)

* James Bottomley (jejb@linux.ibm.com) wrote:
> To achieve encrypted disk images in the AMD SEV encrypted virtual
> machine, we need to add the ability for grub to retrieve the disk
> passphrase from the SEV launch secret.  To do this, we've modified
> OVMF to set aside an area for the injected secret and pass up a
> configuration table for it:
> 
> https://edk2.groups.io/g/devel/topic/78198617#67339
> 
> The patches in this series modify grub to look for the disk passphrase
> in the secret configuration table and use it to decrypt any disks in
> the system if they are found.  This is so an encrypted image with a
> properly injected password will boot without any user intervention.
> 
> The three patches firstly modify the cryptodisk consumers to allow
> arbitrary password getters instead of the current console based one.
> The next patch adds a '-s' option to cryptodisk to allow it to use a
> saved password and the final one adds a sevsecret command to check for
> the secrets configuration table and provision the disk passphrase from
> it if an entry is found.  With all this in place, the sequence to boot
> an encrypted volume without user intervention is:
> 
> sevsecret
> cryptomount -s
> source (crypto0)/boot/grub.cfg

I was thinking what happens if the evil admin adds an extra disc; I
guess the argument here is that:
  a) Since you specify (crypto0) it can only be a decrypted disc
  b) And since only the guest owner can supply the keys, it can only be
their disc image that can be decrypted.

Right?

Dave

> Assuming there's a standard Linux root partition.
> 
> James
> 
> ---
> 
> James Bottomley (3):
>   cryptodisk: make the password getter and additional argument to
>     recover_key
>   cryptodisk: add OS provided secret support
>   efi: Add API for retrieving the AMD SEV injected secret for cryptodisk
> 
>  grub-core/Makefile.core.def    |   8 +++
>  grub-core/disk/cryptodisk.c    |  60 +++++++++++++++--
>  grub-core/disk/efi/sevsecret.c | 118 +++++++++++++++++++++++++++++++++
>  grub-core/disk/geli.c          |   5 +-
>  grub-core/disk/luks.c          |  12 ++--
>  grub-core/disk/luks2.c         |  12 ++--
>  include/grub/cryptodisk.h      |   8 ++-
>  include/grub/efi/api.h         |  15 +++++
>  8 files changed, 221 insertions(+), 17 deletions(-)
>  create mode 100644 grub-core/disk/efi/sevsecret.c
> 
> -- 
> 2.26.2
> 
-- 
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK



