On 10/19/22 6:17 AM, Daniel P. Berrangé wrote: > It is possible to build OVMF for SEV with an embedded Grub that can > fetch LUKS disk secrets. This adds support for injecting secrets in > the required format. > > Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> ---
> diff --git a/tools/virt-qemu-sev-validate b/tools/virt-qemu-sev-validate
> index 5ce5763d5b..2d15edb933 100755
> --- a/tools/virt-qemu-sev-validate
> +++ b/tools/virt-qemu-sev-validate
> @@ -36,16 +36,19 @@
>
> import abc
> import argparse
> -from base64 import b64decode
> +from base64 import b64decode, b64encode
> from hashlib import sha256
> import hmac
> import logging
> +import os
> import re
> import socket
> from struct import pack
> import sys
> import traceback
> from uuid import UUID
> +from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
> +
>
> from lxml import etree
> import libvirt
> @@ -573,7 +576,26 @@ class KernelTable(GUIDTable):
> return entries
>
>
> -class ConfidentialVM(object):
> +class SecretsTable(GUIDTable):
> +
> + TABLE_GUID = UUID('{1e74f542-71dd-4d66-963e-ef4287ff173b}').bytes_le
> + DISK_PW_GUID = UUID('{736869e5-84f0-4973-92ec-06879ce3da0b}').bytes_le
> +
> + def __init__(self):
> + super().__init__(guid=self.TABLE_GUID,
> + lenlen=4)
> + self.disk_password = None
> +
> + def load_disk_password(self, path):
> + with open(path, 'rb') as fh:
> + self.disk_password = fh.read()
> +
> + def entries(self):
> + return self.build_entry(self.DISK_PW_GUID,
> + self.disk_password + bytes([0]), 4)
> +
This bytes([0]) NUL byte ends up in the efi_secret /sys path. Dropping it doesn't seem to impact injecting the secret at all FWIW once that's dropped, getting automatic luks unlock is really simple with /etc/crypttab + kernel 5.19 sed -i -e "s| none | /sys/kernel/security/secrets/coco/736869e5-84f0-4973-92ec-06879ce3da0b |g" /etc/crypttab dracut --force --add-drivers efi_secret shutdown -r now Thanks, Cole
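Review bot: The unconditional `from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes` added in the import hunk turns `cryptography` into a hard start-up requirement for the whole validate tool, so runs that never inject a secret will now fail with an ImportError on hosts where only the existing lxml and libvirt dependencies are installed. Consider moving that import into the code path that encrypts the secret blob, or wrapping it in `try:`/`except ImportError:` and raising a clear error only when secret injection is actually requested. The same hunk also adds `import os` and extends the base64 import with `b64encode`, neither of which is used in the lines visible here; presumably they are consumed by the rest of the patch, but if not they should be dropped. The second hunk (SecretsTable) continues past the quoted excerpt, so it is not reviewed here.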