On 10/19/22 6:17 AM, Daniel P. Berrangé wrote:
It is possible to build OVMF for SEV with an embedded Grub that can
fetch LUKS disk secrets. This adds support for injecting secrets in
the required format.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
diff --git a/tools/virt-qemu-sev-validate
b/tools/virt-qemu-sev-validate
index 5ce5763d5b..2d15edb933 100755
--- a/tools/virt-qemu-sev-validate
+++ b/tools/virt-qemu-sev-validate
@@ -36,16 +36,19 @@
import abc
import argparse
-from base64 import b64decode
+from base64 import b64decode, b64encode
from hashlib import sha256
import hmac
import logging
+import os
import re
import socket
from struct import pack
import sys
import traceback
from uuid import UUID
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+
from lxml import etree
import libvirt
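Review bot: The new `from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes` line turns python-cryptography into a hard import-time dependency of the whole tool, so a host without that package can no longer run any of the existing attestation checks even when no disk secret is being injected. If the cipher is only needed on the secret-injection path (presumably the code that wraps the SecretsTable payload, which is outside this hunk), consider importing it lazily inside that function, or guarding the import with `try: ... except ImportError: Cipher = None` and raising a clear error only when that feature is requested. The commit message as quoted here also does not mention the new runtime dependency, so it should be called out for packagers.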
@@ -573,7 +576,26 @@ class KernelTable(GUIDTable):
return entries
-class ConfidentialVM(object):
+class SecretsTable(GUIDTable):
+
+ TABLE_GUID = UUID('{1e74f542-71dd-4d66-963e-ef4287ff173b}').bytes_le
+ DISK_PW_GUID = UUID('{736869e5-84f0-4973-92ec-06879ce3da0b}').bytes_le
+
+ def __init__(self):
+ super().__init__(guid=self.TABLE_GUID,
+ lenlen=4)
+ self.disk_password = None
+
+ def load_disk_password(self, path):
+ with open(path, 'rb') as fh:
+ self.disk_password = fh.read()
+
+ def entries(self):
+ return self.build_entry(self.DISK_PW_GUID,
+ self.disk_password + bytes([0]), 4)
+
This bytes([0]) NUL byte ends up in the efi_secret /sys path. Dropping
it doesn't seem to impact injecting the secret at all
FWIW, once that's dropped, getting automatic LUKS unlock is really simple
with /etc/crypttab + kernel 5.19
sed -i -e "s| none |
/sys/kernel/security/secrets/coco/736869e5-84f0-4973-92ec-06879ce3da0b
|g" /etc/crypttab
dracut --force --add-drivers efi_secret
shutdown -r now
Thanks,
Cole