To achieve encrypted disk images in the AMD SEV encrypted virtual machine, we need to add the ability for grub to retrieve the disk passphrase from the SEV launch secret. To do this, we've modified OVMF to set aside an area for the injected secret and pass up a configuration table for it:

https://edk2.groups.io/g/devel/topic/78198617#67339

The patches in this series modify grub to look for the disk passphrase in the secret configuration table and use it to decrypt any disks in the system if they are found. This is so an encrypted image with a properly injected password will boot without any user intervention.

The three patches firstly modify the cryptodisk consumers to allow arbitrary password getters instead of the current console-based one. The next patch adds a '-s' option to cryptodisk to allow it to use a saved password, and the final one adds a sevsecret command to check for the secrets configuration table and provision the disk passphrase from it if an entry is found.

With all this in place, the sequence to boot an encrypted volume without user intervention is:

    sevsecret
    cryptomount -s
    source (crypto0)/boot/grub.cfg

Assuming there's a standard Linux root partition.

James

---

James Bottomley (3):
  cryptodisk: make the password getter and additional argument to recover_key
  cryptodisk: add OS provided secret support
  efi: Add API for retrieving the AMD SEV injected secret for cryptodisk

 grub-core/Makefile.core.def    |   8 +++
 grub-core/disk/cryptodisk.c    |  60 +++++++++++++++-
 grub-core/disk/efi/sevsecret.c | 118 +++++++++++++++++++++++++++++++++
 grub-core/disk/geli.c          |   5 +-
 grub-core/disk/luks.c          |  12 ++--
 grub-core/disk/luks2.c         |  12 ++--
 include/grub/cryptodisk.h      |   8 ++-
 include/grub/efi/api.h         |  15 +++++
 8 files changed, 221 insertions(+), 17 deletions(-)
 create mode 100644 grub-core/disk/efi/sevsecret.c

--
2.26.2

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
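The following is an added stand-alone C model of the three pieces the cover letter describes (a pluggable password getter passed to recover_key, a saved-secret getter for the '-s' path, and a lookup of the secret's EFI configuration table before falling back to the console). It is not grub's or OVMF's code and not part of the original message: the GUIDs, the length-prefixed secret-area layout, the sample secret and every function name here are assumptions for illustration, and the real table format is defined by the edk2 series linked above. It also shows two caveats a practitioner would want that the letter does not spell out: the secret is copied with an explicit bound rather than trusted to be NUL-terminated, and the passphrase buffer is wiped after the key-slot check.

```c
/* Added example modelling the grub/OVMF SEV secret flow. Not project code;
 * GUIDs, secret-area layout and names below are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t d1; uint16_t d2, d3; uint8_t d4[8]; } efi_guid_t;
typedef struct { efi_guid_t guid; const void *table; } efi_config_table_t;

/* Assumed layout of the injected secret area: a length-prefixed blob. */
#define SECRET_MAX 60
struct secret_area { uint32_t len; char data[SECRET_MAX]; };

/* Hypothetical GUIDs used only by this model (not the real OVMF values). */
#define SEV_SECRET_GUID_INIT { 0x11111111, 0x2222, 0x3333, {0,1,2,3,4,5,6,7} }
#define OTHER_GUID_INIT      { 0x44444444, 0x5555, 0x6666, {7,6,5,4,3,2,1,0} }
static const efi_guid_t SEV_SECRET_GUID = SEV_SECRET_GUID_INIT;

/* Walk a configuration-table array the way grub walks the EFI system
 * table's ConfigurationTable; NULL when no entry carries the GUID. */
const void *find_config_table(const efi_config_table_t *tabs, size_t n,
                              const efi_guid_t *g)
{
    for (size_t i = 0; i < n; i++)
        if (memcmp(&tabs[i].guid, g, sizeof *g) == 0)
            return tabs[i].table;
    return NULL;
}

/* The getter abstraction: recover_key no longer assumes the console. */
typedef int (*password_getter_t)(void *ctx, char *buf, size_t buflen);

/* Console getter: in grub this prompts; here it simply fails, so the
 * fallback path is visible in the test. */
static int console_getter(void *ctx, char *buf, size_t buflen)
{ (void)ctx; (void)buf; (void)buflen; return -1; }

/* Saved-secret getter ('-s'): bounded copy, always NUL-terminated. */
static int saved_getter(void *ctx, char *buf, size_t buflen)
{
    const struct secret_area *s = ctx;
    if (!s || s->len == 0 || s->len > SECRET_MAX || s->len >= buflen)
        return -1;
    memcpy(buf, s->data, s->len);
    buf[s->len] = '\0';
    return 0;
}

/* Wipe through a volatile pointer so the store is not optimised away. */
static void wipe(char *p, size_t n) { volatile char *v = p; while (n--) *v++ = 0; }

/* recover_key with the getter as an extra argument; 'expected' stands in
 * for the real LUKS/GELI key-slot verification. 0 ok, -1 no passphrase,
 * -2 passphrase rejected. */
int recover_key(password_getter_t getter, void *ctx, const char *expected)
{
    char pw[SECRET_MAX + 1];
    int rc = getter(ctx, pw, sizeof pw);
    if (rc == 0)
        rc = (strcmp(pw, expected) == 0) ? 0 : -2;
    wipe(pw, sizeof pw);
    return rc;
}

/* Model of 'sevsecret' followed by 'cryptomount -s': use the injected
 * secret when its table exists, otherwise fall back to the console. */
int unlock_volume(const efi_config_table_t *tabs, size_t n, const char *expected)
{
    const struct secret_area *sec = find_config_table(tabs, n, &SEV_SECRET_GUID);
    if (sec)
        return recover_key(saved_getter, (void *)sec, expected);
    return recover_key(console_getter, NULL, expected);
}

/* Constructed sample data standing in for what the hypervisor injected. */
static const struct secret_area SAMPLE_SECRET = { 12, "hunter2-disk" };
static const efi_config_table_t SAMPLE_TABLES[] = {
    { OTHER_GUID_INIT, NULL },            /* unrelated entry first */
    { SEV_SECRET_GUID_INIT, &SAMPLE_SECRET },
};
#define SAMPLE_NTABLES (sizeof SAMPLE_TABLES / sizeof SAMPLE_TABLES[0])

int main(void)
{
    int rc = unlock_volume(SAMPLE_TABLES, SAMPLE_NTABLES, "hunter2-disk");
    printf("unlock with injected secret: %s\n", rc == 0 ? "ok" : "failed");
    rc = unlock_volume(SAMPLE_TABLES, 1, "hunter2-disk");
    printf("unlock without secret table: %s\n", rc == 0 ? "ok" : "fell back to console");
    return 0;
}
```

The point of the model is the shape of the interface rather than the crypto: once recover_key takes the getter as a parameter, the EFI-only sevsecret path and the console path differ only in which getter is handed in, and the grub.cfg sequence in the cover letter is exactly "look up the table, then mount with the saved secret".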