* James Bottomley (j...@linux.ibm.com) wrote:
> To achieve encrypted disk images in the AMD SEV encrypted virtual
> machine, we need to add the ability for grub to retrieve the disk
> passphrase from the SEV launch secret. To do this, we've modified
> OVMF to set aside an area for the injected secret and pass up a
> configuration table for it:
>
> https://edk2.groups.io/g/devel/topic/78198617#67339
>
> The patches in this series modify grub to look for the disk passphrase
> in the secret configuration table and use it to decrypt any disks in
> the system if they are found. This is so an encrypted image with a
> properly injected password will boot without any user intervention.
>
> The three patches firstly modify the cryptodisk consumers to allow
> arbitrary password getters instead of the current console based one.
> The next patch adds a '-s' option to cryptodisk to allow it to use a
> saved password and the final one adds a sevsecret command to check for
> the secrets configuration table and provision the disk passphrase from
> it if an entry is found. With all this in place, the sequence to boot
> an encrypted volume without user intervention is:
>
> sevsecret
> cryptomount -s
> source (crypto0)/boot/grub.cfg
I was thinking what happens if the evil admin adds an extra disc; I guess
the argument here is that:

  a) Since you specify (crypto0) it can only be a decrypted disc
  b) And since only the guest owner can supply the keys, it can only be
     their disc image that can be decrypted.

Right?

Dave

> Assuming there's a standard Linux root partition.
>
> James
>
> ---
>
> James Bottomley (3):
>   cryptodisk: make the password getter and additional argument to
>     recover_key
>   cryptodisk: add OS provided secret support
>   efi: Add API for retrieving the AMD SEV injected secret for cryptodisk
>
>  grub-core/Makefile.core.def    |   8 +++
>  grub-core/disk/cryptodisk.c    |  60 +++++++++++++++--
>  grub-core/disk/efi/sevsecret.c | 118 +++++++++++++++++++++++++++++++++
>  grub-core/disk/geli.c          |   5 +-
>  grub-core/disk/luks.c          |  12 ++--
>  grub-core/disk/luks2.c         |  12 ++--
>  include/grub/cryptodisk.h      |   8 ++-
>  include/grub/efi/api.h         |  15 +++++
>  8 files changed, 221 insertions(+), 17 deletions(-)
>  create mode 100644 grub-core/disk/efi/sevsecret.c
>
> --
> 2.26.2
>

-- 
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
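The consumer side of the configuration table described in the cover letter is where a boot loader has to treat firmware-supplied data as untrusted input, so here is an added example (not grub's sevsecret code and not the OVMF layout from the linked edk2 thread) of reading a GUID/length-framed secret area with every length checked before use. The layout (16-byte GUID, u32 length, payload, for the table and for each entry), the two GUIDs and the sample passphrase are all constructed for this example.

```python
"""Bounds-checked parser for an injected-secret table (assumed layout).

Assumed framing, for the table header and for each entry alike:
  16-byte GUID, little-endian u32 length (counted from the GUID), payload.
Nothing here is taken from grub or OVMF; the GUIDs are placeholders.
"""
import struct
import uuid

HEADER_FMT = "<16sI"                       # GUID bytes + u32 length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 20 bytes

# Constructed placeholder GUIDs, used only by this example.
TABLE_GUID = uuid.UUID("00000000-1111-2222-3333-444444444444")
PASSPHRASE_GUID = uuid.UUID("55555555-6666-7777-8888-999999999999")


def parse_secret_table(blob: bytes) -> dict:
    """Return {entry GUID: payload}; raise ValueError on any malformed length."""
    if len(blob) < HEADER_LEN:
        raise ValueError("table shorter than its header")
    guid_raw, total = struct.unpack_from(HEADER_FMT, blob, 0)
    if uuid.UUID(bytes_le=guid_raw) != TABLE_GUID:
        raise ValueError("unexpected table GUID")
    if total < HEADER_LEN or total > len(blob):
        raise ValueError("table length does not fit the buffer")
    entries, off = {}, HEADER_LEN
    while off < total:
        if total - off < HEADER_LEN:
            raise ValueError("truncated entry header")
        eguid, elen = struct.unpack_from(HEADER_FMT, blob, off)
        # An entry may not be shorter than its own header or run past the table.
        if elen < HEADER_LEN or off + elen > total:
            raise ValueError("entry length escapes the table")
        entries[uuid.UUID(bytes_le=eguid)] = blob[off + HEADER_LEN:off + elen]
        off += elen
    return entries


def disk_passphrase(blob: bytes):
    """Passphrase bytes if present, else None so the caller can fall back to a prompt."""
    return parse_secret_table(blob).get(PASSPHRASE_GUID)


def build_table(entries) -> bytes:
    """Construct a sample table (test fixture only) from (guid, payload) pairs."""
    body = b"".join(struct.pack(HEADER_FMT, g.bytes_le, HEADER_LEN + len(p)) + p
                    for g, p in entries)
    return struct.pack(HEADER_FMT, TABLE_GUID.bytes_le, HEADER_LEN + len(body)) + body


# Constructed sample: one NUL-terminated passphrase entry.
SAMPLE = build_table([(PASSPHRASE_GUID, b"hunter2\0")])
```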