s390x: add Ignition protection for SE #1939

Merged
merged 4 commits into from
Feb 16, 2023

nikita-dubrovskii
Contributor

@nikita-dubrovskii nikita-dubrovskii commented Aug 30, 2022

This is a proof-of-concept for encrypting/decrypting the Ignition config in the SE case.

Requires: coreos/coreos-assembler#3055

@cgwalters
Member

Hmm, and the raw disk image containing the private key will itself be protected?

@nikita-dubrovskii
Contributor Author

nikita-dubrovskii commented Aug 31, 2022

> Hmm, and the raw disk image containing the private key will itself be protected?

Yes, the private key gets appended to the Secure Execution sdboot image only and never lands in the rootfs.

@nikita-dubrovskii nikita-dubrovskii force-pushed the ignition_protection branch 4 times, most recently from 11e6e54 to e1ab701 Compare September 20, 2022 14:06
@nikita-dubrovskii nikita-dubrovskii changed the title WIP: s390x: add Ignition protection s390x: add Ignition protection for SE Sep 29, 2022
@nikita-dubrovskii nikita-dubrovskii force-pushed the ignition_protection branch 2 times, most recently from 2294a2a to 8233731 Compare December 19, 2022 11:50
@nikita-dubrovskii nikita-dubrovskii force-pushed the ignition_protection branch 3 times, most recently from 98d7602 to 63bb5c7 Compare January 20, 2023 14:36
Member

@jlebon jlebon left a comment

Did you check if the rd.break shells are covered?

@nikita-dubrovskii
Contributor Author

> Did you check if the rd.break shells are covered?

This shell is only available when the user adds rd.break to kernel args, and that's out of SecEx scope. Or am I missing something?

jlebon previously approved these changes Feb 14, 2023
Member

@jlebon jlebon left a comment

LGTM!

@jlebon jlebon added the hold label Feb 14, 2023
@jschintag
Contributor

LGTM

@jlebon jlebon removed the hold label Feb 16, 2023
@jlebon jlebon merged commit d07f9fd into coreos:testing-devel Feb 16, 2023
@nikita-dubrovskii nikita-dubrovskii deleted the ignition_protection branch February 17, 2023 07:51