On Tue, Dec 20, 2022 at 09:27:10AM +0100, Michal Privoznik wrote:
I'm kind of convinced that we want to do this, but also it's
a
significant change in the behaviour of the daemon, hence RFC prefix.
This stemmed from a discussion with a user who wants us to use something
more secure than base64 encoded secret values stored on a disk. They
suggested storing the values in TPM and while that might sound like a
good idea, I suggested using ephemeral secrets for the time being. Well,
because of '--timeout 120', ephemeral secrets are short lived, indeed.
Meanwhile, let me see if there's a library we could use to talk to TPM.
Storing secrets in the TPM isn't viable, as it has insufficient
NVRAM for our needs. What we need todo is encrypt the secrets,
with a primary key that is in turn sealed against the TPM. This
sounds difficult, but its actually fairly trivial as we can receive
such a primary key from systemd, using its credentials mechanism.
If we assume a (encrypted) primary key in /var/lib/libvirt, then
we can put a line in virtsecretd.service:
LoadCredential=primary:/var/lib/libvirt/secret/primary.creds
When virtsecretd runs, this will result in the plain text primary
key being made available in a file under $CREDENTIALS_DIRECTORY.
We can reference this directory using %d, so for example we
change virtsecretd.service to use:
ExecStart=/usr/sbin/virtsecretd --primary-key %d/primary $VIRTSECRETD_ARGS
The problem is how do we create the original encrypted primary
key. The best trick I've come up with is to use a ExecStartPre
script:
ExecStartPre=/usr/sbin/virtsecretd-mkcreds /var/lib/libvirt/secret/primary.creds
Where virtsecretd-mkcreds contains:
#!/bin/sh
CREDS=$1
if test -f $CREDS
then
exit 0
fi
dd if=/dev/urandom bs=256 count=1 status=none | systemd-creds encrypt - $CREDS
exit 0
This creates a random key encrypting it, preferentially with the TPM2
if one is available.
It is kinda irritating that systemd can't auto-create creds itself when
a service is started, as this mkcreds script would be the same for
everyone who wants this kind of functionality.
With regards,
Daniel
--
|:
https://berrange.com -o-
https://www.flickr.com/photos/dberrange :|
|:
https://libvirt.org -o-
https://fstop138.berrange.com :|
|:
https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|