On Tue, Jan 30, 2024 at 01:37:19PM +0800, yong.hu...@smartx.com wrote:
> From: Hyman Huang <yong.hu...@smartx.com>
>
> By enhancing the LUKS driver, it is possible to implement
> the LUKS volume with a detached header.
>
> Normally a LUKS volume has a layout:
> disk: | header | key material | disk payload data |
>
> With a detached LUKS header, you need 2 disks so getting:
> disk1: | header | key material |
> disk2: | disk payload data |
>
> There are a variety of benefits to doing this:
> * Secrecy - the disk2 cannot be identified as containing LUKS
>   volume since there's no header
> * Control - if access to the disk1 is restricted, then even
>   if someone has access to disk2 they can't unlock
>   it. Might be useful if you have disks on NFS but
>   want to restrict which host can launch a VM
>   instance from it, by dynamically providing access
>   to the header to a designated host
> * Flexibility - your application data volume may be a given
>   size and it is inconvenient to resize it to
>   add encryption. You can store the LUKS header
>   separately and use the existing storage
>   volume for payload
> * Recovery - corruption of a bit in the header may make the
>   entire payload inaccessible. It might be
>   convenient to take backups of the header. If
>   your primary disk header becomes corrupt, you
>   can unlock the data still by pointing to the
>   backup detached header
>
> Take the raw-format image as an example to introduce the usage
> of the LUKS volume with a detached header:
>
> 1. prepare detached LUKS header images
> $ dd if=/dev/zero of=test-header.img bs=1M count=32
> $ dd if=/dev/zero of=test-payload.img bs=1M count=1000
> $ cryptsetup luksFormat --header test-header.img test-payload.img
> > --force-password --type luks1
>
> 2. block-add a protocol blockdev node of payload image
> $ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
> > "arguments":{"node-name":"libvirt-1-storage", "driver":"file",
> > "filename":"test-payload.img"}}'
>
> 3. block-add a protocol blockdev node of LUKS header as above.
> $ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
> > "arguments":{"node-name":"libvirt-2-storage", "driver":"file",
> > "filename": "test-header.img" }}'
>
> 4. object-add the secret for decrypting the cipher stored in
> LUKS header above
> $ virsh qemu-monitor-command vm '{"execute":"object-add",
> > "arguments":{"qom-type":"secret", "id":
> > "libvirt-2-storage-secret0", "data":"abc123"}}'
>
> 5. block-add the raw-driven blockdev format node
> $ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
> > "arguments":{"node-name":"libvirt-1-format", "driver":"raw",
> > "file":"libvirt-1-storage"}}'
>
> 6. block-add the luks-driven blockdev to link the raw disk
> with the LUKS header by specifying the field "header"
> $ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
> > "arguments":{"node-name":"libvirt-2-format", "driver":"luks",
> > "file":"libvirt-1-format", "header":"libvirt-2-storage",
> > "key-secret":"libvirt-2-format-secret0"}}'
>
> 7. hot-plug the virtio-blk device finally
> $ virsh qemu-monitor-command vm '{"execute":"device_add",
> > "arguments": {"num-queues":"1", "driver":"virtio-blk-pci",
> > "drive": "libvirt-2-format", "id":"virtio-disk2"}}'
>
> Starting a VM with a LUKS volume with detached header is
> somewhat similar to hot-plug in that both maintain the
> same json command, while starting the VM changes the
> "blockdev-add/device_add" parameters to "blockdev/device".
>
> Signed-off-by: Hyman Huang <yong.hu...@smartx.com>
> ---
>  block/crypto.c         | 21 +++++++++++++++++++--
>  crypto/block-luks.c    | 11 +++++++----
>  include/crypto/block.h |  5 +++++
>  qapi/block-core.json   |  5 ++++-
>  4 files changed, 35 insertions(+), 7 deletions(-)
Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>

With regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-   https://www.instagram.com/dberrange :|
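The detached layout quoted above (disk1 carrying the header and key material, disk2 only the payload) can be checked offline before an image is handed to QEMU. The following is an added example, not code from the patch or from the QEMU or cryptsetup projects: it parses the fixed-size LUKS1 header fields and reports whether a header/payload image pair is in detached form, embedded form, or neither. The sample header it builds is constructed for the demo (magic, version, cipher strings, offsets and key-slot state only; no real key material or digest).

```python
import struct

# LUKS1 on-disk header constants (from the public LUKS1 on-disk format spec)
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_PHDR_LEN = 592            # 208 bytes of fixed fields + 8 key slots x 48 bytes
KEYSLOT_ACTIVE = 0x00AC71F3
KEYSLOT_INACTIVE = 0x0000DEAD


def _cstr(field):
    """Decode a NUL-padded ASCII header field."""
    return field.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob):
    """Parse a LUKS1 header at the start of blob; None if there is no LUKS1 header."""
    if len(blob) < LUKS1_PHDR_LEN or blob[:6] != LUKS_MAGIC:
        return None
    version, cipher, mode, hashspec, payload_off, key_bytes = struct.unpack(
        ">H32s32s32sII", blob[6:112])
    if version != 1:
        return None             # LUKS2 uses a different (JSON) layout; not handled here
    active = [s for s in range(8)
              if struct.unpack(">I", blob[208 + s * 48:212 + s * 48])[0] == KEYSLOT_ACTIVE]
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hashspec),
            "payload_offset_sectors": payload_off, "key_bytes": key_bytes,
            "uuid": _cstr(blob[168:208]), "active_keyslots": active}


def classify_pair(header_img, payload_img):
    """'detached': header image holds the LUKS1 header and the payload does not (disk1/disk2);
    'embedded': the payload image starts with its own header; 'none': neither is LUKS1."""
    if parse_luks1_header(payload_img):
        return "embedded"
    if parse_luks1_header(header_img):
        return "detached"
    return "none"


def build_sample_header():
    """Constructed LUKS1 header for the demo (not produced by cryptsetup):
    aes-xts-plain64 / sha256, 64-byte master key, one active key slot, dummy UUID."""
    hdr = bytearray(LUKS1_PHDR_LEN)
    struct.pack_into(">6sH32s32s32sII", hdr, 0, LUKS_MAGIC, 1, b"aes",
                     b"xts-plain64", b"sha256", 4096, 64)
    hdr[168:204] = b"00000000-0000-4000-8000-000000000000"
    for slot in range(8):
        state = KEYSLOT_ACTIVE if slot == 0 else KEYSLOT_INACTIVE
        struct.pack_into(">I", hdr, 208 + slot * 48, state)
    return bytes(hdr)


if __name__ == "__main__":
    payload = b"\x00" * 4096    # constructed stand-in for a headerless payload image
    print(classify_pair(build_sample_header(), payload))
    print(parse_luks1_header(build_sample_header()))
```

On real files, read the first 592 bytes of each image with open(path, "rb") and pass them to classify_pair; a payload image that classifies as "embedded" still carries an inline header and gains none of the secrecy benefit described above.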