search

confidential-containers / guest-components

Confidential Containers Guest Tools and Components
Apache License 2.0
83 stars 95 forks source link

cdh: improves the luks-encrypt-storage script #666

Closed wainersm closed 3 months ago

wainersm commented 3 months ago

While reviewing https://github.com/kata-containers/kata-containers/pull/9999 I wanted to understand confidential-data-hub/storage/scripts/luks-encrypt-storage better so I took a deep look at this file. I began to worry whether the logic to detect the blocks could fail or not, and in case of failure if it should continue the script as if everything went well (possible not cleaning up the block pages if any). Is it concern? So I decided to add a check for the block numbers, that if empty then the script bails out. Let me know if it is wrong and will introduce another issue that I could anticipate.

While in here, I delinted the script.

Cc @Xynnn007 @ChengyuZhu6 @fitzthum

wainersm commented 3 months ago

ah, tested I didn't break the script with:

$ loop_file="/tmp/test.img"
$ sudo dd if=/dev/zero of=$loop_file bs=1M count=1000
1000+0 records in
1000+0 records out
1048576000 bytes (1.0 GB, 1000 MiB) copied, 0.825012 s, 1.3 GB/s
$ sudo losetup -fP $loop_file
$ device=$(sudo losetup -j $loop_file | awk -F'[: ]' '{print $1}')
$ echo $device
/dev/loop2
$ device_num=$(sudo lsblk -no MAJ:MIN $device)
$ echo $device_num
7:2
$ mkdir -p /tmp/target_path
$ sudo touch /run/encrypt_storage.key
$ sudo ./confidential-data-hub/storage/scripts/luks-encrypt-storage $device_num
mke2fs 1.47.0 (5-Feb-2023)
Clearing page at 0
1+0 records in
1+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 9.7763e-05 s, 41.9 MB/s
Clearing page at 32768
1+0 records in
1+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 8.9638e-05 s, 45.7 MB/s
Clearing page at 98304
1+0 records in
1+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 0.00010671 s, 38.4 MB/s
Clearing page at 163840
1+0 records in
1+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 8.4598e-05 s, 48.4 MB/s
Clearing page at 229376
1+0 records in
1+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 8.1933e-05 s, 50.0 MB/s
mke2fs 1.47.0 (5-Feb-2023)
Creating filesystem with 247971 4k blocks and 62080 inodes
Filesystem UUID: f6a6053c-e52e-46d4-a12b-6661fbc3cf40
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

$ lsblk |grep "encrypted_disk"
└─encrypted_disk_IUeXM_dif                    253:1    0 968.6M  0 crypt 
  └─encrypted_disk_IUeXM                      253:2    0 968.6M  0 crypt /tmp/target_path