s390x: generate GPG keys for Ignition config protection #3055
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nikita-dubrovskii
force-pushed
the
ignition_protection
branch
2 times, most recently
from
0abed72
to
e365bf0
Compare
nikita-dubrovskii
force-pushed
the
ignition_protection
branch
from
e365bf0
to
1156dd3
Compare
nikita-dubrovskii
force-pushed
the
ignition_protection
branch
from
1156dd3
to
ceee648
Compare
nikita-dubrovskii
changed the title
nikita-dubrovskii
force-pushed
the
ignition_protection
branch
from
ceee648
to
6933cec
Compare
nikita-dubrovskii
changed the title
nikita-dubrovskii
force-pushed
the
ignition_protection
branch
2 times, most recently
from
84245e0
to
4addcbc
Compare
nikita-dubrovskii
force-pushed
the
ignition_protection
branch
from
4addcbc
to
7d683e7
Compare
jlebon
reviewed
Jan 27, 2023
nikita-dubrovskii
force-pushed
the
ignition_protection
branch
from
7d683e7
to
acb9fa3
Compare
nikita-dubrovskii
force-pushed
the
ignition_protection
branch
3 times, most recently
from
7a3f0be
to
a1715f1
Compare
jlebon
reviewed
Feb 13, 2023
nikita-dubrovskii
force-pushed
the
ignition_protection
branch
2 times, most recently
from
338d019
to
7899463
Compare
jlebon
reviewed
Feb 14, 2023
nikita-dubrovskii
force-pushed
the
ignition_protection
branch
from
7899463
to
03940c3
Compare
jlebon
reviewed
Feb 14, 2023
jlebon
previously approved these changes
Feb 14, 2023
There was a problem hiding this comment.
LGTM! Two thoughts:
- I wish we didn't have to support both the external genprotimg flow and the "local dev" one. Maybe we can get rid of the latter and add instructions on how to create your own genprotimg qcow2 for local testing. Though that's probably actually more complex to support than this. Let me know if you have ideas around this.
- How are we planning to test this? If this isn't tested by CI, we could easily regress on it. Ideally we'd have something like
kola run -p qemu-secex, but maybe easier is to keep relying on theqemuplatform code, but add a--qemu-secexflag which tells kola to encrypt the Ignition config and present it as the expected virtio device? I guess the hurdle there is that we need to inject the host key in the Ignition config, which depends on whatever the builder we're testing on. We could define some APIs for that to wire it through, though short-term, we could just inject a bogus key; as long as we run tests that don't require regenerating the initramfs, it should work. (Honestly, even just runningbasicto start would be really helpful since it still exercises the Ignition config path.)
I was thinking about it, but removing external VM seems more attractive (
That's smth to discuss with IBM team. As far as i remember, we were discussing P.S.: thank you for the help and review ) |
jschintag
reviewed
Feb 15, 2023
During `cosa buildextend-secex` a pair of GPG keys is randomly generated, where private key becomes part of `sdboot` image, and public key becomes part of build artifacts. User than can encrypt his Ignition config: ``` gpg --recipient-file /path/to/ignition.gpg.pub --output /path/to/config.ign.gpg --armor --encrypt /path/to/config.ign ``` And attach it to `qemu-kvm` as a disk: ``` -drive if=none,id=ignition,format=raw,file=/path/to/config.ign.gpg,readonly=on \ -device virtio-blk,serial=ignition.gpg,iommu_platform=on,drive=ignition ```
Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
nikita-dubrovskii
force-pushed
the
ignition_protection
branch
from
03940c3
to
788f1c9
Compare
I agree that doing it via rdcore would be awesome. But i don't think the restrictions on the universal hostkey are going to be lifted, so the genprotimgvm is not going away... |
|
LGTM |
jlebon
approved these changes
Feb 16, 2023
|
Opened a follow-up in #3362. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a proof-of-concept, part of coreos/fedora-coreos-config#1939.
During
cosa buildextend-secexa pair of GPG keys is randomly generated,where private key becomes part of
sdbootimage, and public key becomespart of build artifacts.
User than can encrypt his Ignition config:
And attach it to
qemu-kvmas a disk: