add: Support LUKS encryption using IBM CEX secure keys on s390x #536

Merged
merged 3 commits into from
Nov 21, 2024
5 changes: 5 additions & 0 deletions base/v0_6_exp/schema.go
Expand Up @@ -14,6 +14,10 @@

package v0_6_exp

type Cex struct {
Enabled *bool `yaml:"enabled"`
}

type Clevis struct {
Custom ClevisCustom `yaml:"custom"`
Tang []Tang `yaml:"tang"`
Expand Down Expand Up @@ -119,6 +123,7 @@ type Link struct {
}

type Luks struct {
Cex Cex `yaml:"cex"`
Clevis Clevis `yaml:"clevis"`
Device *string `yaml:"device"`
Discard *bool `yaml:"discard"`
2 changes: 2 additions & 0 deletions config/common/errors.go
Expand Up @@ -59,6 +59,8 @@ var (
ErrNoLuksBootDevice = errors.New("device is required for layouts: s390x-eckd, s390x-zfcp")
ErrMirrorNotSupport = errors.New("mirroring not supported on layouts: s390x-eckd, s390x-zfcp, s390x-virt")
ErrLuksBootDeviceBadName = errors.New("device name must start with /dev/dasd on s390x-eckd layout or /dev/sd on s390x-zfcp layout")
ErrCexArchitectureMismatch = errors.New("when using cex the targeted architecture must match s390x")
ErrCexNotSupported = errors.New("cex is not currently supported on the target platform")

// partition
ErrReuseByLabel = errors.New("partitions cannot be reused by label; number must be specified except on boot disk (/dev/disk/by-id/coreos-boot-disk) or when wipe_table is true")
1 change: 1 addition & 0 deletions config/fcos/v1_6_exp/schema.go
Expand Up @@ -31,6 +31,7 @@ type BootDevice struct {
}

type BootDeviceLuks struct {
Cex base.Cex `yaml:"cex"`
Discard *bool `yaml:"discard"`
Device *string `yaml:"device"`
Tang []base.Tang `yaml:"tang"`
73 changes: 54 additions & 19 deletions config/fcos/v1_6_exp/translate.go
Expand Up @@ -114,7 +114,7 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
var r report.Report

// check for high-level features
wantLuks := util.IsTrue(c.BootDevice.Luks.Tpm2) || len(c.BootDevice.Luks.Tang) > 0
wantLuks := util.IsTrue(c.BootDevice.Luks.Tpm2) || len(c.BootDevice.Luks.Tang) > 0 || util.IsTrue(c.BootDevice.Luks.Cex.Enabled)
wantMirror := len(c.BootDevice.Mirror.Devices) > 0
if !wantLuks && !wantMirror {
return r
Expand Down Expand Up @@ -252,25 +252,47 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
default:
luksDevice = "/dev/disk/by-partlabel/root"
}
clevis, ts2, r2 := translateBootDeviceLuks(c.BootDevice.Luks, options)
rendered.Storage.Luks = []types.Luks{{
Clevis: clevis,
Device: &luksDevice,
Discard: c.BootDevice.Luks.Discard,
Label: util.StrToPtr("luks-root"),
Name: "root",
WipeVolume: util.BoolToPtr(true),
}}
lpath := path.New("yaml", "boot_device", "luks")
rpath := path.New("json", "storage", "luks", 0)
renderedTranslations.Merge(ts2.PrefixPaths(lpath, rpath.Append("clevis")))
renderedTranslations.AddTranslation(lpath.Append("discard"), rpath.Append("discard"))
for _, f := range []string{"device", "label", "name", "wipeVolume"} {
renderedTranslations.AddTranslation(lpath, rpath.Append(f))
if util.IsTrue(c.BootDevice.Luks.Cex.Enabled) {
cex, ts2, r2 := translateBootDeviceLuksCex(c.BootDevice.Luks, options)
rendered.Storage.Luks = []types.Luks{{
Cex: cex,
Device: &luksDevice,
Discard: c.BootDevice.Luks.Discard,
Label: util.StrToPtr("luks-root"),
Name: "root",
WipeVolume: util.BoolToPtr(true),
}}
lpath := path.New("yaml", "boot_device", "luks")
rpath := path.New("json", "storage", "luks", 0)
renderedTranslations.Merge(ts2.PrefixPaths(lpath, rpath.Append("cex")))
renderedTranslations.AddTranslation(lpath.Append("discard"), rpath.Append("discard"))
for _, f := range []string{"device", "label", "name", "wipeVolume"} {
renderedTranslations.AddTranslation(lpath, rpath.Append(f))
}
renderedTranslations.AddTranslation(lpath, rpath)
renderedTranslations.AddTranslation(lpath, path.New("json", "storage", "luks"))
r.Merge(r2)
} else {
clevis, ts2, r2 := translateBootDeviceLuks(c.BootDevice.Luks, options)
rendered.Storage.Luks = []types.Luks{{
Clevis: clevis,
Device: &luksDevice,
Discard: c.BootDevice.Luks.Discard,
Label: util.StrToPtr("luks-root"),
Name: "root",
WipeVolume: util.BoolToPtr(true),
}}
lpath := path.New("yaml", "boot_device", "luks")
rpath := path.New("json", "storage", "luks", 0)
renderedTranslations.Merge(ts2.PrefixPaths(lpath, rpath.Append("clevis")))
renderedTranslations.AddTranslation(lpath.Append("discard"), rpath.Append("discard"))
for _, f := range []string{"device", "label", "name", "wipeVolume"} {
renderedTranslations.AddTranslation(lpath, rpath.Append(f))
}
renderedTranslations.AddTranslation(lpath, rpath)
renderedTranslations.AddTranslation(lpath, path.New("json", "storage", "luks"))
r.Merge(r2)
}
renderedTranslations.AddTranslation(lpath, rpath)
renderedTranslations.AddTranslation(lpath, path.New("json", "storage", "luks"))
r.Merge(r2)
}

// create root filesystem
Expand Down Expand Up @@ -317,6 +339,19 @@ func translateBootDeviceLuks(from BootDeviceLuks, options common.TranslateOption
return
}

func translateBootDeviceLuksCex(from BootDeviceLuks, options common.TranslateOptions) (to types.Cex, tm translate.TranslationSet, r report.Report) {
tr := translate.NewTranslator("yaml", "json", options)
// Discard field is handled by the caller because it doesn't go
// into types.Cex
tm, r = translate.Prefixed(tr, "enabled", &from.Cex.Enabled, &to.Enabled)
translate.MergeP(tr, tm, &r, "enabled", &from.Cex.Enabled, &to.Enabled)
// we're being called manually, not via the translate package's
// custom translator mechanism, so we have to add the base
// translation ourselves
tm.AddTranslation(path.New("yaml"), path.New("json"))
return
}

func (c Config) handleUserGrubCfg(options common.TranslateOptions) (types.Config, translate.TranslationSet, report.Report) {
rendered := types.Config{}
ts := translate.NewTranslationSet("yaml", "json")
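Review bot: In translateBootDeviceLuksCex the single `enabled` field is translated twice: `translate.Prefixed(tr, "enabled", &from.Cex.Enabled, &to.Enabled)` already yields its translation set, and the `translate.MergeP(tr, tm, &r, "enabled", ...)` on the next line re-runs the same translation and merges it back into `tm`, which reads like a leftover of the first-field/remaining-fields pattern used in translateBootDeviceLuks. Unless MergeP is needed for a reason the hunk does not show, that line should go, or carry a comment saying why both calls are required. In processBootDevice the cex and clevis branches build an identical types.Luks literal and repeat the same twelve lines of path bookkeeping, differing only in the field that is set and the `"cex"`/`"clevis"` segment; translating into a shared literal and keeping the bookkeeping outside the branch, as below, preserves the merge order and halves the hunk. processBootDevice begins before this hunk.
```go
	// … unchanged: luksDevice switch …
	luks := types.Luks{
		Device:     &luksDevice,
		Discard:    c.BootDevice.Luks.Discard,
		Label:      util.StrToPtr("luks-root"),
		Name:       "root",
		WipeVolume: util.BoolToPtr(true),
	}
	var (
		ts2     translate.TranslationSet
		r2      report.Report
		subpath string
	)
	if util.IsTrue(c.BootDevice.Luks.Cex.Enabled) {
		// validation already rejects cex combined with tang/tpm2
		luks.Cex, ts2, r2 = translateBootDeviceLuksCex(c.BootDevice.Luks, options)
		subpath = "cex"
	} else {
		luks.Clevis, ts2, r2 = translateBootDeviceLuks(c.BootDevice.Luks, options)
		subpath = "clevis"
	}
	rendered.Storage.Luks = []types.Luks{luks}
	lpath := path.New("yaml", "boot_device", "luks")
	rpath := path.New("json", "storage", "luks", 0)
	renderedTranslations.Merge(ts2.PrefixPaths(lpath, rpath.Append(subpath)))
	renderedTranslations.AddTranslation(lpath.Append("discard"), rpath.Append("discard"))
	for _, f := range []string{"device", "label", "name", "wipeVolume"} {
		renderedTranslations.AddTranslation(lpath, rpath.Append(f))
	}
	renderedTranslations.AddTranslation(lpath, rpath)
	renderedTranslations.AddTranslation(lpath, path.New("json", "storage", "luks"))
	r.Merge(r2)
```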
31 changes: 23 additions & 8 deletions config/fcos/v1_6_exp/validate.go
Expand Up @@ -16,8 +16,10 @@ package v1_6_exp

import (
"regexp"
"strings"

"github.com/coreos/butane/config/common"
"github.com/coreos/ignition/v2/config/shared/errors"
"github.com/coreos/ignition/v2/config/util"

"github.com/coreos/vcontext/path"
Expand Down Expand Up @@ -54,29 +56,42 @@ func (d BootDevice) Validate(c path.ContextPath) (r report.Report) {
if d.Layout != nil {
switch *d.Layout {
case "aarch64", "ppc64le", "x86_64":
// Nothing to do
case "s390x-eckd":
if util.NilOrEmpty(d.Luks.Device) {
r.AddOnError(c.Append(*d.Layout), common.ErrNoLuksBootDevice)
r.AddOnError(c.Append("layout"), common.ErrNoLuksBootDevice)
} else if !dasdRe.MatchString(*d.Luks.Device) {
r.AddOnError(c.Append(*d.Layout), common.ErrLuksBootDeviceBadName)
r.AddOnError(c.Append("layout"), common.ErrLuksBootDeviceBadName)
}
case "s390x-zfcp":
if util.NilOrEmpty(d.Luks.Device) {
r.AddOnError(c.Append(*d.Layout), common.ErrNoLuksBootDevice)
r.AddOnError(c.Append("layout"), common.ErrNoLuksBootDevice)
} else if !sdRe.MatchString(*d.Luks.Device) {
r.AddOnError(c.Append(*d.Layout), common.ErrLuksBootDeviceBadName)
r.AddOnError(c.Append("layout"), common.ErrLuksBootDeviceBadName)
}
case "s390x-virt":
default:
r.AddOnError(c.Append("layout"), common.ErrUnknownBootDeviceLayout)
}

if *d.Layout == "s390x-eckd" || *d.Layout == "s390x-zfcp" || *d.Layout == "s390x-virt" {
if len(d.Mirror.Devices) > 0 {
r.AddOnError(c.Append(*d.Layout), common.ErrMirrorNotSupport)
}
// Mirroring the boot disk is not supported on s390x
if strings.HasPrefix(*d.Layout, "s390x") && len(d.Mirror.Devices) > 0 {
r.AddOnError(c.Append("layout"), common.ErrMirrorNotSupport)
}
}

// CEX is only valid on s390x and incompatible with Clevis
if util.IsTrue(d.Luks.Cex.Enabled) {
if d.Layout == nil {
r.AddOnError(c.Append("luks", "cex"), common.ErrCexArchitectureMismatch)
} else if !strings.HasPrefix(*d.Layout, "s390x") {
r.AddOnError(c.Append("layout"), common.ErrCexArchitectureMismatch)
}
if len(d.Luks.Tang) > 0 || util.IsTrue(d.Luks.Tpm2) {
r.AddOnError(c.Append("luks"), errors.ErrCexWithClevis)
}
}

r.Merge(d.Mirror.Validate(c.Append("mirror")))
return
}
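Review bot: The new CEX block rejects cex together with tang and tpm2, but a boot_device luks threshold set alongside cex is neither reported here nor carried through (the cex branch of processBootDevice translates only the enabled flag), so the value is silently dropped; assuming BootDeviceLuks has the threshold field the docs hunk describes, the conflict check should cover it, `if len(d.Luks.Tang) > 0 || util.IsTrue(d.Luks.Tpm2) || d.Luks.Threshold != nil {`. ErrCexArchitectureMismatch is reported at two different paths, `luks/cex` when layout is unset and `layout` when it names a non-s390x layout; that is defensible but a one-line comment such as `// no layout means no s390x target, so point at the cex field itself` would make the asymmetry read as intentional rather than accidental. Validate begins before this hunk.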
124 changes: 124 additions & 0 deletions config/fcos/v1_6_exp/validate_test.go
Expand Up @@ -161,6 +161,80 @@ func TestValidateBootDevice(t *testing.T) {
nil,
path.New("yaml"),
},
// complete config with cex
{
BootDevice{
Layout: util.StrToPtr("s390x-eckd"),
Luks: BootDeviceLuks{
Device: util.StrToPtr("/dev/dasda"),
Cex: base.Cex{
Enabled: util.BoolToPtr(true),
},
},
},
nil,
path.New("yaml"),
},
// can not use both cex & tang
{
BootDevice{
Layout: util.StrToPtr("s390x-eckd"),
Luks: BootDeviceLuks{
Device: util.StrToPtr("/dev/dasda"),
Cex: base.Cex{
Enabled: util.BoolToPtr(true),
},
Tang: []base.Tang{{
URL: "https://example.com/",
Thumbprint: util.StrToPtr("x"),
}},
},
},
errors.ErrCexWithClevis,
path.New("yaml", "luks"),
},
// can not use both cex & tpm2
{
BootDevice{
Layout: util.StrToPtr("s390x-eckd"),
Luks: BootDeviceLuks{
Device: util.StrToPtr("/dev/dasda"),
Cex: base.Cex{
Enabled: util.BoolToPtr(true),
},
Tpm2: util.BoolToPtr(true),
},
},
errors.ErrCexWithClevis,
path.New("yaml", "luks"),
},
// can not use cex on non s390x
{
BootDevice{
Layout: util.StrToPtr("x86_64"),
Luks: BootDeviceLuks{
Device: util.StrToPtr("/dev/sda"),
Cex: base.Cex{
Enabled: util.BoolToPtr(true),
},
},
},
common.ErrCexArchitectureMismatch,
path.New("yaml", "layout"),
},
// must set s390x layout with cex
{
BootDevice{
Luks: BootDeviceLuks{
Device: util.StrToPtr("/dev/sda"),
Cex: base.Cex{
Enabled: util.BoolToPtr(true),
},
},
},
common.ErrCexArchitectureMismatch,
path.New("yaml", "luks", "cex"),
},
// invalid layout
{
BootDevice{
Expand All @@ -179,6 +253,56 @@ func TestValidateBootDevice(t *testing.T) {
common.ErrTooFewMirrorDevices,
path.New("yaml", "mirror", "devices"),
},
// s390x-eckd/s390x-zfcp layouts require a boot device with luks
{
BootDevice{
Layout: util.StrToPtr("s390x-eckd"),
},
common.ErrNoLuksBootDevice,
path.New("yaml", "layout"),
},
// s390x-eckd/s390x-zfcp layouts do not support mirroring
{
BootDevice{
Layout: util.StrToPtr("s390x-zfcp"),
Luks: BootDeviceLuks{
Device: util.StrToPtr("/dev/sda"),
Tpm2: util.BoolToPtr(true),
},
Mirror: BootDeviceMirror{
Devices: []string{
"/dev/sda",
"/dev/sdb",
},
},
},
common.ErrMirrorNotSupport,
path.New("yaml", "layout"),
},
// s390x-eckd devices must start with /dev/dasd
{
BootDevice{
Layout: util.StrToPtr("s390x-eckd"),
Luks: BootDeviceLuks{
Device: util.StrToPtr("/dev/sda"),
Tpm2: util.BoolToPtr(true),
},
},
common.ErrLuksBootDeviceBadName,
path.New("yaml", "layout"),
},
// s390x-zfcp devices must start with /dev/sd
{
BootDevice{
Layout: util.StrToPtr("s390x-eckd"),
Luks: BootDeviceLuks{
Device: util.StrToPtr("/dev/dasd"),
Tpm2: util.BoolToPtr(true),
},
},
common.ErrLuksBootDeviceBadName,
path.New("yaml", "layout"),
},
}

for i, test := range tests {
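Review bot: The last added case is labelled `// s390x-zfcp devices must start with /dev/sd` but uses `Layout: util.StrToPtr("s390x-eckd")` with device `/dev/dasd`, so it exercises the eckd regex a second time (presumably failing only because no device letter follows `dasd`) and the zfcp bad-name branch in Validate stays untested; the case should use `Layout: util.StrToPtr("s390x-zfcp")` with a `/dev/dasda` device, which is what the label describes. There is also no case for mirroring on `s390x-virt`, the layout that the new prefix-based check covers for the first time. TestValidateBootDevice begins before this hunk.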
8 changes: 7 additions & 1 deletion config/flatcar/v1_2_exp/translate.go
Expand Up @@ -22,9 +22,15 @@ import (
"github.com/coreos/vcontext/report"
)

var (
fieldFilters = cutil.NewFilters(types.Config{}, cutil.FilterMap{
"storage.luks.cex": common.ErrCexNotSupported,
})
)

// Return FieldFilters for this spec.
func (c Config) FieldFilters() *cutil.FieldFilters {
return nil
return &fieldFilters
}

// ToIgn3_5 translates the config to an Ignition config. It returns a
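Review bot: fieldFilters is a single package-level declaration wrapped in a parenthesized `var (...)` block; `var fieldFilters = cutil.NewFilters(types.Config{}, cutil.FilterMap{ ... })` is the usual form for one variable. The filter key `storage.luks.cex` covers the whole object, so, if cutil filters match on presence rather than value, a config carrying `cex: {enabled: false}` is also refused with ErrCexNotSupported; that is likely the intended fail-closed behaviour for a platform without CEX hardware, but a short comment stating it would spare the next reader a trip into cutil.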
4 changes: 4 additions & 0 deletions docs/config-fcos-v1_6-exp.md
Expand Up @@ -168,6 +168,8 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
* **pin** (string): the clevis pin.
* **config** (string): the clevis configuration JSON.
* **_needs_network_** (boolean): whether or not the device requires networking.
* **_cex_** (object): describes the IBM Crypto Express (CEX) card configuration for the luks device.
* **_enabled_** (boolean): whether or not to use a CEX secure key to encrypt the luks device.
* **_trees_** (list of objects): a list of local directory trees to be embedded in the config. Ownership is not preserved. File modes are set to 0755 if the local file is executable or 0644 otherwise. Attributes of files, directories, and symlinks can be overridden by creating a corresponding entry in the `files`, `directories`, or `links` section; such `files` entries must omit `contents` and such `links` entries must omit `target`.
* **local** (string): the base of the local directory tree, relative to the directory specified by the `--files-dir` command-line argument.
* **_path_** (string): the path of the tree within the target system. Defaults to `/`.
Expand Down Expand Up @@ -219,6 +221,8 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
* **_tpm2_** (boolean): whether or not to use a tpm2 device.
* **_threshold_** (integer): sets the minimum number of pieces required to decrypt the device. Default is 1.
* **_discard_** (boolean): whether to issue discard commands to the underlying block device when blocks are freed. Enabling this improves performance and device longevity on SSDs and space utilization on thinly provisioned SAN devices, but leaks information about which disk blocks contain data. If omitted, it defaults to false.
* **_cex_** (object): describes the IBM Crypto Express (CEX) card configuration for the luks device.
* **_enabled_** (boolean): whether or not to enable cex compatibility for luks. If omitted, defaults to false.
* **_mirror_** (object): describes mirroring of the boot disk for fault tolerance.
* **_devices_** (list of strings): the list of whole-disk devices (not partitions) to include in the disk array, referenced by their absolute path. At least two devices must be specified.
* **_grub_** (object): describes the desired GRUB bootloader configuration.
4 changes: 4 additions & 0 deletions docs/config-openshift-v4_18-exp.md
Expand Up @@ -137,6 +137,8 @@ The OpenShift configuration is a YAML document conforming to the following speci
* **pin** (string): the clevis pin.
* **config** (string): the clevis configuration JSON.
* **_needs_network_** (boolean): whether or not the device requires networking.
* **_cex_** (object): describes the IBM Crypto Express (CEX) card configuration for the luks device.
* **_enabled_** (boolean): whether or not to use a CEX secure key to encrypt the luks device.
* **_trees_** (list of objects): a list of local directory trees to be embedded in the config. Symlinks must not be present. Ownership is not preserved. File modes are set to 0755 if the local file is executable or 0644 otherwise. File attributes can be overridden by creating a corresponding entry in the `files` section; such entries must omit `contents`.
* **local** (string): the base of the local directory tree, relative to the directory specified by the `--files-dir` command-line argument.
* **_path_** (string): the path of the tree within the target system. Defaults to `/`.
Expand Down Expand Up @@ -168,6 +170,8 @@ The OpenShift configuration is a YAML document conforming to the following speci
* **_tpm2_** (boolean): whether or not to use a tpm2 device.
* **_threshold_** (integer): sets the minimum number of pieces required to decrypt the device. Default is 1.
* **_discard_** (boolean): whether to issue discard commands to the underlying block device when blocks are freed. Enabling this improves performance and device longevity on SSDs and space utilization on thinly provisioned SAN devices, but leaks information about which disk blocks contain data. If omitted, it defaults to false.
* **_cex_** (object): describes the IBM Crypto Express (CEX) card configuration for the luks device.
* **_enabled_** (boolean): whether or not to enable cex compatibility for luks. If omitted, defaults to false.
* **_mirror_** (object): describes mirroring of the boot disk for fault tolerance.
* **_devices_** (list of strings): the list of whole-disk devices (not partitions) to include in the disk array, referenced by their absolute path. At least two devices must be specified.
* **_grub_** (object): describes the desired GRUB bootloader configuration.