COCOS-432 - FDE support #553
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #553 +/- ##
==========================================
+ Coverage 69.49% 69.53% +0.03%
==========================================
Files 85 85
Lines 6075 6119 +44
==========================================
+ Hits 4222 4255 +33
- Misses 1485 1493 +8
- Partials 368 371 +3
hal/linux/board/cocos/post-build.sh
Outdated
| # Ensure /etc/fstab exists | ||
| if [ ! -f "${TARGET_DIR}/etc/fstab" ]; then | ||
| touch "${TARGET_DIR}/etc/fstab" | ||
| # Ensure /etc/fstab does not exists |
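Review bot: the comment on the last line, "# Ensure /etc/fstab does not exists", states the opposite of the "# Ensure /etc/fstab exists" block above it, and the visible lines give no reason for the reversal. Say in the comment why the image must ship without /etc/fstab, so a later cleanup does not restore the touch.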
| # Ensure /etc/fstab does not exists | |
| # Ensure /etc/fstab does not exist |
| v.vmi.Config.OVMFVarsConfig.File = dstFile | ||
| } | ||
|
|
||
| if v.vmi.Config.EnableDisk { |
If disk creation succeeds but VM startup fails later (e.g., in executableAndArgs or cmd.Start), the created qcow2 file in /tmp will be orphaned. Additionally, Stop() cleans up CertsMount and EnvMount but not DstFile.
Stop() has been modified to delete the disk.
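The cleanup concern raised in this thread, as an added Go example that is not code from this PR or the cocos repository: the disk is removed when a later start step fails, and again by Stop(). The type diskVM, its launch hook and the file-name pattern are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// diskVM is a hypothetical stand-in for the manager's VM type.
type diskVM struct {
	dstFile string       // disk image created for this run
	launch  func() error // stand-in for building args and starting QEMU
}

// Start creates the disk, then launches; any later failure removes the disk.
func (v *diskVM) Start(dir string) (err error) {
	f, err := os.CreateTemp(dir, "disk-*.qcow2")
	if err != nil {
		return fmt.Errorf("create disk: %w", err)
	}
	f.Close()
	v.dstFile = f.Name()
	defer func() {
		if err != nil {
			v.Stop() // best effort; the caller sees the launch error
		}
	}()
	err = v.launch()
	return err
}

// Stop removes the disk; calling it again is a no-op.
func (v *diskVM) Stop() error {
	if v.dstFile == "" {
		return nil
	}
	path := v.dstFile
	v.dstFile = ""
	return os.Remove(path)
}

func main() {
	dir, _ := os.MkdirTemp("", "fde-demo") // constructed scratch directory
	defer os.RemoveAll(dir)
	v := &diskVM{launch: func() error { return errors.New("qemu failed") }}
	err := v.Start(dir)
	left, _ := os.ReadDir(dir)
	fmt.Println(err, "- files left:", len(left))
}
```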
scripts/nbd/README.md
Outdated
| 2. Creates a fresh encrypted LUKS2 disk | ||
| 3. Copies the qcow2 contents into the encrypted disk | ||
| 4. Hashes the content | ||
| 5. Extends a vTPM PCR with that hash (onyl for vTPM with SEV-SNP) |
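Review bot: steps 4 and 5 do not say which hash algorithm is used, which PCR index is extended, or exactly which bytes are hashed (the qcow2 file, the copied contents, or the LUKS2 device). A verifier needs all three to recompute the expected PCR value, so state them here; the note "only for vTPM with SEV-SNP" should also say what happens to the hash on other platforms.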
| 5. Extends a vTPM PCR with that hash (onyl for vTPM with SEV-SNP) | |
| 5. Extends a vTPM PCR with that hash (only for vTPM with SEV-SNP) |
e1c0b0c to 682ad2a
Because the WASM and all the other packages (Agent and so on) should be part of the source disk image, not the initramfs that is being built here. The initramfs's role with disk support is to copy the source disk to the destination disk and encrypt the destination disk in the process.
manager/qemu/config.go
Outdated
| type Config struct { | ||
| EnableSEVSNP bool | ||
| EnableTDX bool | ||
| EnableDisk bool |
EnableDisk has no env tag and isn't set programmatically in NewConfig(), so it always defaults to false.
hal/linux/configs/cocos_defconfig
Outdated
| BR2_PACKAGE_GCC=y | ||
| BR2_PACKAGE_GCC_TARGET=y | ||
| BR2_PACKAGE_LIBSTDCPP=y | ||
| BR2_PACKAGE_LIBSTDCPP=y No newline at end of file |
| BR2_PACKAGE_LIBSTDCPP=y | |
| BR2_PACKAGE_LIBSTDCPP=y | |
hal/linux/configs/cocos_defconfig
Outdated
| BR2_PACKAGE_NBD=y | ||
| BR2_PACKAGE_NBD_CLIENT=y | ||
| BR2_PACKAGE_CRYPTSETUP=y | ||
| BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDE=y |
looks like a misspelling of EUDE to EUDEV
Yes, my mistake. Thanks.
64b19c8 to 86f9b39
What type of PR is this?
This is a feature because it adds Full Disk Encryption (FDE) capability to the CVM.
What does this do?
This PR changes the Buildroot configuration to add support for FDE. The main idea is to run a QEMU-NBD source disk and alter the initramfs init script to connect to and read the source disk. The init script would then copy the source disk into the disk attached to the CVM. After the copy process is done, the init script will boot the encrypted disk.
The kernel configuration is altered to match Ubuntu Noble OS.
Which issue(s) does this PR fix/relate to?
Have you included tests for your changes?
Tests will be added.
Did you document any new/modified feature?
The documentation for launching the source disk image is added.
Notes