Re: [PATCH 0/3] Add ability to use SEV provisioned secrets for disk decr
From: Dr. David Alan Gilbert
Subject: Re: [PATCH 0/3] Add ability to use SEV provisioned secrets for disk decryption
Date: Fri, 13 Nov 2020 17:50:15 +0000
User-agent: Mutt/1.14.6 (2020-07-11)

* James Bottomley (jejb@linux.ibm.com) wrote:
> To achieve encrypted disk images in the AMD SEV encrypted virtual
> machine, we need to add the ability for grub to retrieve the disk
> passphrase from the SEV launch secret. To do this, we've modified
> OVMF to set aside an area for the injected secret and pass up a
> configuration table for it:
>
> https://edk2.groups.io/g/devel/topic/78198617#67339
>
> The patches in this series modify grub to look for the disk passphrase
> in the secret configuration table and use it to decrypt any disks in
> the system if they are found. This is so an encrypted image with a
> properly injected password will boot without any user intervention.
>
> The three patches firstly modify the cryptodisk consumers to allow
> arbitrary password getters instead of the current console based one.
> The next patch adds a '-s' option to cryptodisk to allow it to use a
> saved password and the final one adds a sevsecret command to check for
> the secrets configuration table and provision the disk passphrase from
> it if an entry is found. With all this in place, the sequence to boot
> an encrypted volume without user intervention is:
>
> sevsecret
> cryptomount -s
> source (crypto0)/boot/grub.cfg

I was thinking what happens if the evil admin adds an extra disc; I
guess the argument here is that:
a) Since you specify (crypto0) it can only be a decrypted disc
b) And since only the guest owner can supply the keys, it can only be
their disc image that can be decrypted.

Right?

Dave

> Assuming there's a standard Linux root partition.
>
> James
>
> ---
>
> James Bottomley (3):
> cryptodisk: make the password getter and additional argument to
> recover_key
> cryptodisk: add OS provided secret support
> efi: Add API for retrieving the AMD SEV injected secret for cryptodisk
>
> grub-core/Makefile.core.def | 8 +++
> grub-core/disk/cryptodisk.c | 60 +++++++++++++++--
> grub-core/disk/efi/sevsecret.c | 118 +++++++++++++++++++++++++++++++++
> grub-core/disk/geli.c | 5 +-
> grub-core/disk/luks.c | 12 ++--
> grub-core/disk/luks2.c | 12 ++--
> include/grub/cryptodisk.h | 8 ++-
> include/grub/efi/api.h | 15 +++++
> 8 files changed, 221 insertions(+), 17 deletions(-)
> create mode 100644 grub-core/disk/efi/sevsecret.c
>
> --
> 2.26.2
>
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK