Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enable RHEL LUKs to use IBM S390x CEX Card Encryption #438

Open
madhu-pillai opened this issue Aug 29, 2023 · 8 comments
Open

enable RHEL LUKs to use IBM S390x CEX Card Encryption #438

madhu-pillai opened this issue Aug 29, 2023 · 8 comments

Comments

@madhu-pillai
Copy link

Feature Request

Luks PIN for IBM CEX (Cryptograpic Express Card) similar to TPM for Encrypting root volume LUKS with secureKeys by using IBM CEX card co-processor CCA .
I am in process of enabling CEX cryptograhic card in S390x for Luks Disk Encryption specifically for root volume.

The main aim is to implement in OCP to utilize protected key generated from utility zkey where each CEX (CCA)cards will be assigned to each OCP nodes with Master key loaded. For that this feature requires in RHEL.
The secure key get generated from the master key in the cryptographic co-processor and the effective key in securekey can be only derived inside cryptogrpahic cards with master key residing in the card.

Environment

IBM S390x.

What hardware/cloud provider/hypervisor is being used to run Ignition?

IBM S390x.

Desired Feature

A CEX (Hardware Security Module) in LUKS PIN for root device encryption. Similar to TPM2.
Other Information

Have tested by creating volume for pervasive encryption in s390x. similarly we need to use for root volume LUKS encryption with protected key.

https://www.ibm.com/docs/en/linux-on-systems?topic=volumes-creating-volume-pervasive-encryption
@madhu-pillai
Copy link
Author

Hi, Could someone please give a direction that how to progress on the Luks encryption with IBM HSM using clevis?

@sarroutbi
Copy link
Collaborator

Hello. You should create a new pin for that. An example on how to create a new pin can be checked here:
#399
#203

@madhu-pillai
Copy link
Author

Hi @sarroutbi ,
I am creating a PIN For IBM CEX card where the secure_key use for Luks encryption.
I am facing an issue here like my secure_key is gibberish data contains null value because of that I am not able to use as jwk key. I am able to convert that to b64 enc in jose but during the b64 dec the keys cannot be stored in variable.
as it says -bash: warning: command substitution: ignored null byte in input. It does store in the variable but the keys are not get validated because it is corrupted.

Is there any way we can store these types of keys in jose fmt?

eg :

 cat secure_xtskey1.skey 
??q??j5e)(&%$**48$Z#?#?
             ?j?[??FX??ґO?ek2@@q??j5??$???(*&^%$#@yS۽????? ?2??U?A?|

@sarroutbi
Copy link
Collaborator

Can you please ellaborate? How are you generating secure_xtskey1.skey file?

@madhu-pillai
Copy link
Author

We have a CEX card attached to the VM and we generate the secure key by mentioning the cex card domain 00.0047.

/etc/zkey/repository is the default directory when we use following command to generate the secure keys. This can be override by using export ZKEY_REPOSITORY=<dir>. the following command create the keys under the directory.

zkey generate --name secure_xtskey1 --keybits 256 --xts --volume-type LUKS2 --sector-size 512 --apqns 00.0047

Here is the pin I created which explains the process of creating the secure keys.
https://github.com/madhu-pillai/clevis/blob/cex_s390x/src/pins/cex/clevis-encrypt-cex

@sarroutbi
Copy link
Collaborator

Hello @madhu-pillai.

I have tried something like this:

$ cat secure_xtskey1.skey | jose b64 enc -I- | jose b64 dec -i-

I obtain the string generated, so I doubt this is a clevis specific issue

@madhu-pillai
Copy link
Author

Hi @sarroutbi ,
Thanks. that command indeed works, but you cannot save the decrypted key in a variable nor convert that to jose fmt. As you said this is not a clevis issue.

jwk="$(cat secure_xtskey1.skey | jose b64 enc -I- | jose b64 dec -i-)"

A quick question.

Would you be alright to explain what is the working principle of clevis-encrypt and clevis-decrypt?

What I understood is clevis-encrypt PIN CFG command take stdin of plaintext which get encrypted with the HSM key ( in my case it is the secure_xtskey.skey generated from the crypto card,) which inturn convert that to JWE as stdout which get saved in the volume luks header.

Decrypt process clevis decrypt PIN CFG < (hdr.jwe) > plaintext the decrypt process the hdr.jwe get decrypted with the secure key which provide pass to the dracut for unlocking the volume.

Is it how this clevis works? Kindly correct me if I am wrong.

@sarroutbi
Copy link
Collaborator

Hello @madhu-pillai.

clevis has different pins and instructions, so it is more complete than that. But, in this particular case, yes, this is how clevis encrypt works:

$ echo secret | clevis encrypt tpm2 '{}' | clevis decrypt tpm2 '{}'
secret

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sarroutbi @madhu-pillai