Add support to encrypt SCSI scratch disks with dm-crypt #1090
Merged
anmaxvl merged 1 commit into microsoft:master from AntonioND:encrypted-scratch on Aug 4, 2021
This protects the files generated by the guest from the host OS, as they are encrypted by a key that the host doesn't know.

This commit adds a new argument to the scsi.Mount() function, `encrypted`, that makes the SCSI drive be mounted using dm-crypt. It also uses dm-integrity for integrity checking. This makes the boot process a couple of seconds slower.

Also, it adds scsi.Unmount(), which also has the `encrypted` argument, and it does the necessary cleanup for a drive that has been mounted as an encrypted drive.

All the pre-existing SCSI tests have been fixed to work with the new scsi.Mount() function prototype. New tests have been added for the new code.

This is all disabled for now, it has to be enabled in a future patch.

Important note: This depends on cryptsetup and mkfs.ext4. Also, the kernel must be compiled with dm-crypt and dm-integrity support.
dcantah approved these changes on Aug 3, 2021
anmaxvl added a commit to anmaxvl/hcsshim that referenced this pull request on Aug 8, 2021

This enables scratch space encryption functionality added in microsoft#1090.

Add new bool annotation:
- "io.microsoft.virtualmachine.storage.scratch.encrypted"

Update guest request protocols to support passing encrypt option.
Move dm-verity and dm-linear code to devicemapper package
Revendor hcsshim into tests.

Signed-off-by: Maksim An <maksiman@microsoft.com>
anmaxvl pushed a commit to anmaxvl/hcsshim that referenced this pull request on Nov 17, 2021
Related work items: microsoft#930, microsoft#962, microsoft#1004, microsoft#1008, microsoft#1039, microsoft#1045, microsoft#1046, microsoft#1047, microsoft#1052, microsoft#1053, microsoft#1054, microsoft#1057, microsoft#1058, microsoft#1060, microsoft#1061, microsoft#1063, microsoft#1064, microsoft#1068, microsoft#1069, microsoft#1070, microsoft#1071, microsoft#1074, microsoft#1078, microsoft#1079, microsoft#1081, microsoft#1082, microsoft#1083, microsoft#1084, microsoft#1088, microsoft#1090, microsoft#1091, microsoft#1093, microsoft#1094, microsoft#1096, microsoft#1098, microsoft#1099, microsoft#1102, microsoft#1103, microsoft#1105, microsoft#1106, microsoft#1108, microsoft#1109, microsoft#1115, microsoft#1116, microsoft#1122, microsoft#1123, microsoft#1126
princepereira pushed a commit to princepereira/hcsshim that referenced this pull request on Aug 29, 2024

Add support to encrypt SCSI scratch disks with dm-crypt