COCOS-432 - FDE support #553
Codecov Report❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #553 +/- ##
==========================================
- Coverage 68.34% 68.11% -0.24%
==========================================
Files 77 77
Lines 5626 5670 +44
==========================================
+ Hits 3845 3862 +17
- Misses 1439 1461 +22
- Partials 342 347 +5
hal/linux/board/cocos/post-build.sh
| # Ensure /etc/fstab exists | ||
| if [ ! -f "${TARGET_DIR}/etc/fstab" ]; then | ||
| touch "${TARGET_DIR}/etc/fstab" | ||
| # Ensure /etc/fstab does not exists |
| # Ensure /etc/fstab does not exists | |
| # Ensure /etc/fstab does not exist |
| v.vmi.Config.OVMFVarsConfig.File = dstFile | ||
| } | ||
|
|
||
| if v.vmi.Config.EnableDisk { |
If disk creation succeeds but VM startup fails later (e.g., in executableAndArgs or cmd.Start), the created qcow2 file in /tmp will be orphaned. Additionally, Stop() cleans up CertsMount and EnvMount but not DstFile.
Stop() has been modified to delete the disk.
scripts/nbd/README.md
| 2. Creates a fresh encrypted LUKS2 disk | ||
| 3. Copies the qcow2 contents into the encrypted disk | ||
| 4. Hashes the content | ||
| 5. Extends a vTPM PCR with that hash (onyl for vTPM with SEV-SNP) |
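Review bot: steps 4 and 5 do not name the hash algorithm, the PCR index, or exactly what "the content" covers (the source qcow2 data or the resulting encrypted disk), and a relying party needs all three to recompute the expected PCR value from the source image; state them here. Because step 5 applies only to vTPM with SEV-SNP, also say how the hash from step 4 is reported or checked on other platforms.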
| 5. Extends a vTPM PCR with that hash (onyl for vTPM with SEV-SNP) | |
| 5. Extends a vTPM PCR with that hash (only for vTPM with SEV-SNP) |
e1c0b0c to 682ad2a
why are these deleted?
| type Config struct { | ||
| EnableSEVSNP bool | ||
| EnableTDX bool | ||
| EnableDisk bool |
EnableDisk has no env tag and isn't set programmatically in NewConfig(), so it always defaults to false.
| BR2_PACKAGE_GCC=y | ||
| BR2_PACKAGE_GCC_TARGET=y | ||
| BR2_PACKAGE_LIBSTDCPP=y | ||
| BR2_PACKAGE_LIBSTDCPP=y No newline at end of file |
| BR2_PACKAGE_LIBSTDCPP=y | |
| BR2_PACKAGE_LIBSTDCPP=y | |
| BR2_PACKAGE_NBD=y | ||
| BR2_PACKAGE_NBD_CLIENT=y | ||
| BR2_PACKAGE_CRYPTSETUP=y | ||
| BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDE=y |
looks like a misspelling of EUDE to EUDEV
What type of PR is this?
This is a feature because it adds Full Disk Encryption (FDE) capability to the CVM.
What does this do?
This PR changes the Buildroot configuration to add support for FDE. The main idea is to run a QEMU-NBD source disk and alter the initramfs init script to connect to and read the source disk. The init script would then copy the source disk into the disk attached to the CVM. After the copy process is done, the init script will boot the encrypted disk.
The kernel configuration is altered to match Ubuntu Noble OS.
Which issue(s) does this PR fix/relate to?
Have you included tests for your changes?
Tests will be added.
Did you document any new/modified feature?
The documentation for launching the source disk image is added.
Notes
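The README steps quoted in the review above hash the copied content and extend a vTPM PCR with it. As an added example (not code from this PR or from the Cocos project), the following Go sketch shows the verifier-side check that this measurement enables: recompute the PCR value expected for a known source image and compare it with the quoted one. SHA-256, a single extend from an all-zero PCR, and all function names are assumptions; the page does not state the algorithm or the PCR index.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"io"
)

// HashDisk streams disk contents through SHA-256 (assumed algorithm).
func HashDisk(r io.Reader) ([]byte, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// ExtendPCR applies the TPM 2.0 extend rule: new = SHA256(old || digest).
func ExtendPCR(old, digest []byte) ([]byte, error) {
	if len(old) != sha256.Size || len(digest) != sha256.Size {
		return nil, fmt.Errorf("PCR and digest must be %d bytes", sha256.Size)
	}
	sum := sha256.Sum256(append(append([]byte{}, old...), digest...))
	return sum[:], nil
}

// VerifyDiskPCR checks a quoted PCR against one extend from all zeros (assumption).
func VerifyDiskPCR(disk io.Reader, quoted []byte) (bool, error) {
	digest, err := HashDisk(disk)
	if err != nil {
		return false, err
	}
	expected, err := ExtendPCR(make([]byte, sha256.Size), digest)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(expected, quoted) == 1, nil
}

func main() {
	image := []byte("constructed sample disk contents") // constructed input
	digest, _ := HashDisk(bytes.NewReader(image))
	pcr, _ := ExtendPCR(make([]byte, sha256.Size), digest)
	ok, _ := VerifyDiskPCR(bytes.NewReader(image), pcr)
	bad, _ := VerifyDiskPCR(bytes.NewReader(append(image, 0)), pcr)
	fmt.Printf("expected PCR %x\nmatch=%v tampered=%v\n", pcr, ok, bad)
}
```

If other measurements are extended into the same PCR before the disk hash, the verifier has to replay them in order with `ExtendPCR` before comparing.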