
enable RHEL LUKS to use IBM S390x CEX Card Encryption

Open madhu-pillai opened this issue 2 years ago • 8 comments

Feature Request

LUKS PIN for IBM CEX (Cryptographic Express Card), similar to TPM, for encrypting the root volume LUKS with secure keys by using the IBM CEX card co-processor CCA. I am in the process of enabling the CEX cryptographic card in S390x for LUKS disk encryption, specifically for the root volume.

The main aim is to implement this in OCP to utilize the protected key generated from the utility zkey, where each CEX (CCA) card will be assigned to each OCP node with the master key loaded. For that, this feature is required in RHEL. The secure key gets generated from the master key in the cryptographic co-processor, and the effective key in the secure key can only be derived inside the cryptographic card with the master key residing in the card.

Environment

IBM S390x.

What hardware/cloud provider/hypervisor is being used to run Ignition?

IBM S390x.

Desired Feature

A CEX (Hardware Security Module) LUKS PIN for root device encryption, similar to TPM2.

Other Information

I have tested this by creating a volume for pervasive encryption on s390x. Similarly, we need to use it for root volume LUKS encryption with a protected key.

https://www.ibm.com/docs/en/linux-on-systems?topic=volumes-creating-volume-pervasive-encryption

madhu-pillai avatar Aug 29 '23 04:08 madhu-pillai

Hi, could someone please give a direction on how to progress on the LUKS encryption with IBM HSM using clevis?

madhu-pillai avatar Sep 21 '23 16:09 madhu-pillai

Hello. You should create a new pin for that. An example of how to create a new pin can be checked here: https://github.com/latchset/clevis/pull/399 https://github.com/latchset/clevis/pull/203

sarroutbi avatar Sep 21 '23 16:09 sarroutbi

Hi @sarroutbi, I am creating a PIN for the IBM CEX card where the secure_key is used for LUKS encryption. I am facing an issue here: my secure_key is gibberish data containing null values, because of which I am not able to use it as a jwk key. I am able to convert it to b64 enc in jose, but during the b64 dec the key cannot be stored in a variable, as it says -bash: warning: command substitution: ignored null byte in input. It does get stored in the variable, but the key does not get validated because it is corrupted.

Is there any way we can store these types of keys in jose format?

e.g.:

cat secure_xtskey1.skey
??q??j5e)(&%$**48$Z#?#?
             ?j?[??FX??ґO?ek2@@q??j5??$???(*&^%$#@yS۽????? ?2??U?A?|

madhu-pillai avatar Dec 12 '23 07:12 madhu-pillai

Can you please elaborate? How are you generating the secure_xtskey1.skey file?

sarroutbi avatar Dec 12 '23 09:12 sarroutbi

We have a CEX card attached to the VM, and we generate the secure key by mentioning the CEX card domain 00.0047.

/etc/zkey/repository is the default directory when we use the following command to generate the secure keys. This can be overridden by using export ZKEY_REPOSITORY=<dir>. The following command creates the keys under that directory.

zkey generate --name secure_xtskey1 --keybits 256 --xts --volume-type LUKS2 --sector-size 512 --apqns 00.0047

Here is the pin I created which explains the process of creating the secure keys. https://github.com/madhu-pillai/clevis/blob/cex_s390x/src/pins/cex/clevis-encrypt-cex

madhu-pillai avatar Dec 12 '23 09:12 madhu-pillai

Hello @madhu-pillai.

I have tried something like this:

$ cat secure_xtskey1.skey | jose b64 enc -I- | jose b64 dec -i-

I obtain the string generated, so I doubt this is a clevis-specific issue.

sarroutbi avatar Jan 05 '24 10:01 sarroutbi

Hi @sarroutbi, thanks. That command indeed works, but you cannot save the decrypted key in a variable nor convert it to jose format. As you said, this is not a clevis issue.

jwk="$(cat secure_xtskey1.skey | jose b64 enc -I- | jose b64 dec -i-)"

A quick question.

Would you be alright with explaining the working principle of clevis-encrypt and clevis-decrypt?

What I understood is that the clevis-encrypt PIN CFG command takes the plaintext on stdin, which gets encrypted with the HSM key (in my case the secure_xtskey.skey generated from the crypto card), which in turn is converted to a JWE on stdout that gets saved in the volume's LUKS header.

Decrypt process: clevis decrypt PIN CFG < hdr.jwe > plaintext. In the decrypt process the hdr.jwe gets decrypted with the secure key, which provides the pass to dracut for unlocking the volume.

Is it how this clevis works? Kindly correct me if I am wrong.

madhu-pillai avatar Jan 05 '24 14:01 madhu-pillai

Hello @madhu-pillai.

clevis has different pins and instructions, so it is more complete than that. But in this particular case, yes, this is how clevis encrypt works:

$ echo secret | clevis encrypt tpm2 '{}' | clevis decrypt tpm2 '{}'
secret

sarroutbi avatar Jan 15 '24 09:01 sarroutbi