feedback confidential-containers#1 (to squash)

Author: manuelh-dev

confidential-data-hub/hub/src/auth/kbs.rs

@@ -12,11 +12,8 @@ use kms::{plugins::kbs::KbcClient, Annotations, Getter};
 use log::debug;
 use tokio::fs;
 
-use crate::{hub::Hub, Error, Result};
+use crate::{config::KBS_RESOURCE_STORAGE_DIR, hub::Hub, Error, Result};
 
-/// This directory is used to store all the kbs resources get by CDH's init
-/// function, s.t. `[[Credential]]` sections in the config.toml file.
-pub const KBS_RESOURCE_STORAGE_DIR: &str = "/run/confidential-containers/cdh";
 
 impl Hub {
     pub(crate) async fn init_kbs_resources(&self) -> Result<()> {

confidential-data-hub/hub/src/config.rs

@@ -20,6 +20,10 @@ cfg_if::cfg_if! {
     }
 }
 
+/// This directory is used to store all the kbs resources get by CDH's init
+/// function, s.t. `[[Credential]]` sections in the config.toml file.
+pub const KBS_RESOURCE_STORAGE_DIR: &str = "/run/confidential-containers/cdh";
+
 const CDH_DEFAULT_IMAGE_AUTHENTICATED_REGISTRY_CREDENTIALS: &str =
     "CDH_DEFAULT_IMAGE_AUTHENTICATED_REGISTRY_CREDENTIALS";
 

confidential-data-hub/hub/src/storage/drivers/luks2.rs

@@ -10,10 +10,7 @@
 //!
 //! It requires to install dependency `libcryptsetup-dev` for ubuntu.
 
-use std::{
-    fs::{self, OpenOptions},
-    path::Path,
-};
+use std::path::Path;
 
 use anyhow::{bail, Context};
 use libcryptsetup_rs::consts::flags::{CryptActivate, CryptDeactivate, CryptVolumeKey};
@@ -32,7 +29,6 @@ const LUKS2_VOLUME_KEY_SIZE_BIT_WITH_INTEGRITY: usize = 768;
 const LUKS2_VOLUME_KEY_SIZE_BIT_WITHOUT_INTEGRITY: usize = 256;
 
 const SECTOR_SIZE: u32 = 4096;
-const LUKS2_HEADER_MIN_SIZE_BYTES: u64 = 16 * 1024 * 1024;
 
 #[derive(Default)]
 pub struct Luks2Formatter {
@@ -51,7 +47,7 @@ impl Luks2Formatter {
         header_path: Option<&str>,
         passphrase: Zeroizing<Vec<u8>>,
     ) -> anyhow::Result<()> {
-        let mut device = init_device(device_path, header_path, true)?;
+        let mut device = init_device(device_path, header_path)?;
         let mut volume_key_length = LUKS2_VOLUME_KEY_SIZE_BIT_WITHOUT_INTEGRITY / 8;
         let mut params = CryptParamsLuks2 {
             pbkdf: None,
@@ -90,7 +86,7 @@ impl Luks2Formatter {
         name: &str,
         passphrase: Zeroizing<Vec<u8>>,
     ) -> anyhow::Result<()> {
-        let mut device = init_device(device_path, header_path, false)?;
+        let mut device = init_device(device_path, header_path)?;
 
         let mut params = CryptParamsLuks2 {
             pbkdf: None,
@@ -137,15 +133,12 @@ impl Luks2Formatter {
 fn init_device(
     device_path: &str,
     header_path: Option<&str>,
-    create_header: bool,
 ) -> anyhow::Result<libcryptsetup_rs::CryptDevice> {
     let data_path = Path::new(device_path);
     let device_paths = match header_path {
         Some(header_path) => {
             let header_path = Path::new(header_path);
-            if create_header {
-                ensure_header_file(header_path)?;
-            } else if !header_path.exists() {
+            if !header_path.exists() {
                 bail!(
                     "LUKS header file not found: {}",
                     header_path.display()
@@ -159,49 +152,14 @@ fn init_device(
     Ok(CryptInit::init_with_data_device(device_paths)?)
 }
 
-fn ensure_header_file(header_path: &Path) -> anyhow::Result<()> {
-    if header_path.exists() {
-        let size = fs::metadata(header_path)
-            .with_context(|| format!("Failed to read header file {}", header_path.display()))?
-            .len();
-        if size < LUKS2_HEADER_MIN_SIZE_BYTES {
-            bail!(
-                "LUKS header file too small: {} ({} bytes, need at least {} bytes)",
-                header_path.display(),
-                size,
-                LUKS2_HEADER_MIN_SIZE_BYTES
-            );
-        }
-        return Ok(());
-    }
-
-    if let Some(parent) = header_path.parent() {
-        std::fs::create_dir_all(parent)
-            .with_context(|| format!("Failed to create header directory {}", parent.display()))?;
-    }
-
-    let file = OpenOptions::new()
-        .create(true)
-        .write(true)
-        .open(header_path)
-        .with_context(|| format!("Failed to create header file {}", header_path.display()))?;
-    file.set_len(LUKS2_HEADER_MIN_SIZE_BYTES).with_context(|| {
-        format!(
-            "Failed to size header file {} to {} bytes",
-            header_path.display(),
-            LUKS2_HEADER_MIN_SIZE_BYTES
-        )
-    })?;
-    Ok(())
-}
-
 #[cfg(test)]
 mod tests {
     use std::io::Write;
 
     use serial_test::serial;
     use zeroize::Zeroizing;
 
+    use crate::storage::volume_type::blockdevice::prepare_luks_header_file;
     use crate::storage::drivers::luks2::Luks2Formatter;
 
     const TEST_PASSPHRASE: &[u8] = b"test";
@@ -259,101 +217,90 @@ mod tests {
     #[serial]
     fn encrypt_open_device_no_integrity_with_header() {
         let mut bin_file = tempfile::NamedTempFile::new().unwrap();
-        let header_dir = tempfile::tempdir().unwrap();
-        let header_path = header_dir.path().join("luks-header");
-
         bin_file
             .as_file_mut()
             .write_all(&vec![0; 20 * 1024 * 1024])
             .unwrap();
         let path = bin_file.path().to_str().unwrap();
-        let header_path = header_path.to_str().unwrap();
+        let header_path = prepare_luks_header_file(None, path).unwrap();
 
         let passphrase = Zeroizing::new(TEST_PASSPHRASE.to_vec());
         let luks2_formatter = Luks2Formatter { integrity: false };
         luks2_formatter
-            .encrypt_device(path, Some(header_path), passphrase.clone())
+            .encrypt_device(path, Some(&header_path), passphrase.clone())
             .unwrap();
 
         luks2_formatter
-            .open_device(path, Some(header_path), NAME, passphrase)
+            .open_device(path, Some(&header_path), NAME, passphrase)
             .unwrap();
 
         luks2_formatter.close_device(NAME).unwrap();
+        std::fs::remove_file(&header_path).unwrap();
     }
 
     #[test]
     #[serial]
     fn encrypt_open_device_integrity_with_header() {
         let mut bin_file = tempfile::NamedTempFile::new().unwrap();
-        let header_dir = tempfile::tempdir().unwrap();
-        let header_path = header_dir.path().join("luks-header");
-
         bin_file
             .as_file_mut()
             .write_all(&vec![0; 20 * 1024 * 1024])
             .unwrap();
         let path = bin_file.path().to_str().unwrap();
-        let header_path = header_path.to_str().unwrap();
+        let header_path = prepare_luks_header_file(None, path).unwrap();
 
         let passphrase = Zeroizing::new(TEST_PASSPHRASE.to_vec());
         let luks2_formatter = Luks2Formatter { integrity: true };
         luks2_formatter
-            .encrypt_device(path, Some(header_path), passphrase.clone())
+            .encrypt_device(path, Some(&header_path), passphrase.clone())
             .unwrap();
 
         luks2_formatter
-            .open_device(path, Some(header_path), NAME, passphrase)
+            .open_device(path, Some(&header_path), NAME, passphrase)
             .unwrap();
 
         luks2_formatter.close_device(NAME).unwrap();
+        std::fs::remove_file(&header_path).unwrap();
     }
 
     #[test]
     #[serial]
     fn encrypt_with_existing_header_file() {
         let mut bin_file = tempfile::NamedTempFile::new().unwrap();
-        let header_dir = tempfile::tempdir().unwrap();
-        let header_path = header_dir.path().join("luks-header");
-        std::fs::write(&header_path, b"").unwrap();
-
         bin_file
             .as_file_mut()
             .write_all(&vec![0; 20 * 1024 * 1024])
             .unwrap();
         let path = bin_file.path().to_str().unwrap();
-        let header_path = header_path.to_str().unwrap();
+        let header_path = prepare_luks_header_file(None, path).unwrap();
 
         let passphrase = Zeroizing::new(TEST_PASSPHRASE.to_vec());
         let luks2_formatter = Luks2Formatter { integrity: false };
-        luks2_formatter
-            .encrypt_device(path, Some(header_path), passphrase)
-            .unwrap();
+        let result = luks2_formatter.encrypt_device(path, Some(&header_path), passphrase);
+        assert!(result.is_ok());
+        std::fs::remove_file(&header_path).unwrap();
     }
 
     #[test]
     #[serial]
     fn open_device_missing_header_file_fails() {
         let mut bin_file = tempfile::NamedTempFile::new().unwrap();
-        let header_dir = tempfile::tempdir().unwrap();
-        let header_path = header_dir.path().join("luks-header");
-
         bin_file
             .as_file_mut()
             .write_all(&vec![0; 20 * 1024 * 1024])
             .unwrap();
         let path = bin_file.path().to_str().unwrap();
-        let header_path = header_path.to_str().unwrap();
+        let header_path = prepare_luks_header_file(None, path).unwrap();
 
         let passphrase = Zeroizing::new(TEST_PASSPHRASE.to_vec());
         let luks2_formatter = Luks2Formatter { integrity: false };
         luks2_formatter
-            .encrypt_device(path, Some(header_path), passphrase.clone())
+            .encrypt_device(path, Some(&header_path), passphrase.clone())
             .unwrap();
 
-        std::fs::remove_file(header_path).unwrap();
+        std::fs::remove_file(&header_path).unwrap();
 
-        let result = luks2_formatter.open_device(path, Some(header_path), NAME, passphrase);
+        let result = luks2_formatter.open_device(path, Some(&header_path), NAME, passphrase);
         assert!(result.is_err());
     }
 

confidential-data-hub/hub/src/storage/volume_type/blockdevice/error.rs

@@ -29,6 +29,9 @@ pub enum BlockDeviceError {
     #[error("The scheme of the key uri should be `kbs`, `file` or `sealed`")]
     IllegalKeyScheme,
 
+    #[error("Providing a key is not supported when formatting empty LUKS2 devices with detached headers")]
+    KeyNotAllowedForEphemeralLuksHeader,
+
     #[error("Failed to get key: {source}")]
     GetKeyFailed {
         #[source]