
On 10/19/22 6:17 AM, Daniel P. Berrangé wrote:
It is possible to build OVMF for SEV with an embedded Grub that can fetch LUKS disk secrets. This adds support for injecting secrets in the required format.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
diff --git a/tools/virt-qemu-sev-validate b/tools/virt-qemu-sev-validate index 5ce5763d5b..2d15edb933 100755 --- a/tools/virt-qemu-sev-validate +++ b/tools/virt-qemu-sev-validate @@ -36,16 +36,19 @@
import abc import argparse -from base64 import b64decode +from base64 import b64decode, b64encode from hashlib import sha256 import hmac import logging +import os import re import socket from struct import pack import sys import traceback from uuid import UUID +from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes +
from lxml import etree import libvirt @@ -573,7 +576,26 @@ class KernelTable(GUIDTable): return entries
-class ConfidentialVM(object): +class SecretsTable(GUIDTable): + + TABLE_GUID = UUID('{1e74f542-71dd-4d66-963e-ef4287ff173b}').bytes_le + DISK_PW_GUID = UUID('{736869e5-84f0-4973-92ec-06879ce3da0b}').bytes_le + + def __init__(self): + super().__init__(guid=self.TABLE_GUID, + lenlen=4) + self.disk_password = None + + def load_disk_password(self, path): + with open(path, 'rb') as fh: + self.disk_password = fh.read() + + def entries(self): + return self.build_entry(self.DISK_PW_GUID, + self.disk_password + bytes([0]), 4) +
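Review bot: the import hunk adds `b64encode`, `os` and `from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes`, but none of them is used by the code visible in this patch; if the secret-wrapping code that needs them lives in another hunk that is fine, otherwise they are dead imports. Either way `cryptography` becomes a new hard dependency of virt-qemu-sev-validate, which the commit message should call out.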
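Review bot: in `SecretsTable.entries()`, `self.disk_password + bytes([0])` makes the NUL terminator part of the entry payload, so it is carried through to whatever the guest reads back as the secret (the reply below reports exactly that in the efi_secret file under /sys). Suggest dropping `+ bytes([0])`, or adding a comment explaining why the grub side requires the terminator. Relatedly, `load_disk_password` passes `fh.read()` through untouched, so a trailing newline from an editor-written password file also becomes part of the key; the option should be documented as taking the exact passphrase bytes.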
This bytes([0]) NUL byte ends up in the efi_secret /sys path. Dropping it doesn't seem to impact injecting the secret at all.

FWIW once that's dropped, getting automatic luks unlock is really simple with /etc/crypttab + kernel 5.19:

sed -i -e "s| none | /sys/kernel/security/secrets/coco/736869e5-84f0-4973-92ec-06879ce3da0b |g" /etc/crypttab
dracut --force --add-drivers efi_secret
shutdown -r now

Thanks,
Cole
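The table layout the SecretsTable class and the reply above are discussing, as an added example that is not libvirt's code: it builds the grub secrets table both with and without the appended NUL and parses it back the way a guest-side reader would, so the byte that ends up in the efi_secret payload is visible. The header and entry layout (16-byte little-endian GUID followed by a 4-byte little-endian length covering header and data) is an assumption consistent with the patch's lenlen=4; the password value is constructed.

```python
# Added example, not virt-qemu-sev-validate code. Assumed layout, matching
# lenlen=4 in the patch: 16-byte little-endian GUID + uint32 LE length that
# covers header and data, for the table header and for each entry alike.
from struct import pack, unpack_from
from uuid import UUID

TABLE_GUID = UUID('{1e74f542-71dd-4d66-963e-ef4287ff173b}').bytes_le
DISK_PW_GUID = UUID('{736869e5-84f0-4973-92ec-06879ce3da0b}').bytes_le
HDR_LEN = 16 + 4  # GUID + uint32 length


def build_entry(guid, data):
    """One entry: GUID, total length (header + data), then the data."""
    return guid + pack('<I', HDR_LEN + len(data)) + data


def build_secrets_table(disk_password, trailing_nul):
    """trailing_nul=True mirrors the patch's disk_password + bytes([0]);
    False is the variant suggested in the reply (nothing appended)."""
    payload = disk_password + (b'\0' if trailing_nul else b'')
    body = build_entry(DISK_PW_GUID, payload)
    return TABLE_GUID + pack('<I', HDR_LEN + len(body)) + body


def parse_secrets_table(blob):
    """Walk the table; return {entry UUID: data bytes}, rejecting bad lengths."""
    guid, total = blob[:16], unpack_from('<I', blob, 16)[0]
    if guid != TABLE_GUID or total != len(blob):
        raise ValueError('not a secrets table, or table length mismatch')
    entries, off = {}, HDR_LEN
    while off < total:
        if off + HDR_LEN > total:
            raise ValueError('truncated entry header at offset %d' % off)
        eguid = blob[off:off + 16]
        elen = unpack_from('<I', blob, off + 16)[0]
        if elen < HDR_LEN or off + elen > total:
            raise ValueError('corrupt entry length at offset %d' % off)
        entries[UUID(bytes_le=eguid)] = blob[off + HDR_LEN:off + elen]
        off += elen
    return entries


def disk_password_from_table(blob):
    """Return the disk password entry exactly as a guest would see it."""
    return parse_secrets_table(blob).get(UUID(bytes_le=DISK_PW_GUID))


if __name__ == '__main__':
    for nul in (True, False):  # b'hunter2' is a constructed sample password
        print(nul, disk_password_from_table(build_secrets_table(b'hunter2', nul)))
```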