Skip to content

Add support to encrypt SCSI scratch disks with dm-crypt #1090

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
anmaxvl merged 1 commit into from
Aug 4, 2021
Merged

Add support to encrypt SCSI scratch disks with dm-crypt #1090

anmaxvl merged 1 commit into from
Aug 4, 2021

Conversation

@AntonioND
Copy link
Member

@AntonioND AntonioND commented Aug 2, 2021
edited
Loading

This protects the files generated by the guest from the host OS, as they
are encrypted by a key that the host doesn't know.

This commit adds a new argument to the scsi.Mount() function, encrypted,
that makes the SCSI drive be mounted using dm-crypt. It also uses
dm-integrity for integrity checking. This makes the boot process a couple
of seconds slower.

Also, it adds scsi.Unmount(), which also has the encrypted argument,
and it does the necessary cleanup for a drive that has been mounted as
an encrypted drive.

All the pre-existing SCSI tests have been fixed to work with the new
scsi.Mount() function prototype. New tests have been added for the new
code.

This is all disabled for now, it has to be enabled in a future patch.

Important note: This depends on cryptsetup and mkfs.ext4. Also, the
kernel must be compiled with dm-crypt and dm-integrity support.

@AntonioND AntonioND requested a review from a team as a code owner August 2, 2021 13:35
@AntonioND
Add support to encrypt SCSI scratch disks with dm-crypt
69994fc 
This protects the files generated by the guest from the host OS, as they
are encrypted by a key that the host doesn't know.

This commit adds a new argument to the scsi.Mount() function, `encrypted`,
that makes the SCSI drive be mounted using dm-crypt. It also uses
dm-integrity for integrity checking. This makes the boot process a couple
of seconds slower.

Also, it adds scsi.Unmount(), which also has the `encrypted` argument,
and it does the necessary cleanup for a drive that has been mounted as
an encrypted drive.

All the pre-existing SCSI tests have been fixed to work with the new
scsi.Mount() function prototype. New tests have been added for the new
code.

This is all disabled for now, it has to be enabled in a future patch.

Important note: This depends on cryptsetup and mkfs.ext4. Also, the
kernel must be compiled with dm-crypt and dm-integrity support.
anmaxvl
anmaxvl approved these changes Aug 3, 2021
View reviewed changes
Copy link
Contributor

@anmaxvl anmaxvl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@anmaxvl anmaxvl merged commit c65d826 into microsoft:master Aug 4, 2021
anmaxvl added a commit to anmaxvl/hcsshim that referenced this pull request Aug 8, 2021
@anmaxvl
enable scratch encryption
465f61d 
This enables scratch space encryption functionality added in
microsoft#1090.

Add new bool annotation:
 - "io.microsoft.virtualmachine.storage.scratch.encrypted"
Update guest request protocols to support passing encrypt option.

Move dm-verity and dm-linear code to devicemapper package

Revendor hcsshim into tests.

Signed-off-by: Maksim An <[email protected]>
anmaxvl pushed a commit to anmaxvl/hcsshim that referenced this pull request Nov 17, 2021
@ambarve
Merged PR 4988349: Update ADO to c7c44e1
ec06a48 
Related work items: microsoft#930, microsoft#962, microsoft#1004, microsoft#1008, microsoft#1039, microsoft#1045, microsoft#1046, microsoft#1047, microsoft#1052, microsoft#1053, microsoft#1054, microsoft#1057, microsoft#1058, microsoft#1060, microsoft#1061, microsoft#1063, microsoft#1064, microsoft#1068, microsoft#1069, microsoft#1070, microsoft#1071, microsoft#1074, microsoft#1078, microsoft#1079, microsoft#1081, microsoft#1082, microsoft#1083, microsoft#1084, microsoft#1088, microsoft#1090, microsoft#1091, microsoft#1093, microsoft#1094, microsoft#1096, microsoft#1098, microsoft#1099, microsoft#1102, microsoft#1103, microsoft#1105, microsoft#1106, microsoft#1108, microsoft#1109, microsoft#1115, microsoft#1116, microsoft#1122, microsoft#1123, microsoft#1126
@katiewasnothere katiewasnothere mentioned this pull request Apr 4, 2023
Merged
princepereira pushed a commit to princepereira/hcsshim that referenced this pull request Aug 29, 2024
@anmaxvl
Merge pull request microsoft#1090 from AntonioND/encrypted-scratch
9c1d08f 
Add support to encrypt SCSI scratch disks with dm-crypt
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anmaxvl anmaxvl anmaxvl approved these changes

+1 more reviewer

@dcantah dcantah dcantah approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AntonioND @anmaxvl @dcantah