Skip to content

cdh: store ephemeral LUKS headers in tmpfs #1313

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
manuelh-dev wants to merge 3 commits into
base: main
Choose a base branch
from
Open

cdh: store ephemeral LUKS headers in tmpfs #1313

manuelh-dev wants to merge 3 commits into from
+312 −66

Conversation

@manuelh-dev
Copy link

@manuelh-dev manuelh-dev commented Feb 11, 2026
edited
Loading

Outline:
When creating ephemeral storages, place the LUKS headers in guest memory rather than onto the storage device itself. For this, create LUKS header files in the CDH storage directory, and call into CryptInit::init_with_data_device instead of into CryptInit::init. This aims to mitigate Vulnerabilities in LUKS2 disk encryption for confidential VMs for ephemeral storages.

The path where existing, encrypted storages are utilized remains untouched. We should evaluate switch to utilizing different encryption schemes, such as using ZFS, or VeraCrypt, instead.

Testing:
I tested this end-to-end flow against kata-containers for which I created this draft PR for integration of the new CDH bits: kata-containers/kata-containers#12459
In my tests, I was using the trusted image store functionality in combination with the kata-qemu-gpu-snp handler.

I have also onboarded the luks2 tests to CI, and CI tests pass.

Outlook:
The ongoing work stream to support ephemeral container storage in Kata Containers should benefit from this PR and from the integration branch as well once the guest components are updated in Kata Containers.

Output:
In the guest:

root@26a7f28fc681:/# ls -lha /run/confidential-containers/cdh/luks-headers/
total 16M
drwxr-xr-x 2 root root  60 Feb 11 19:17 .
drwxr-xr-x 3 root root  60 Feb 11 19:17 ..
-rw-r--r-- 1 root root 16M Feb 11 19:17 ODow
< 160 /run/confidential-containers/cdh/luks-headers/ODow | head -n 10
000000 4c 55 4b 53 ba be 00 02 00 00 00 00 00 00 40 00
000010 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00
000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
000040 00 00 00 00 00 00 00 00 73 68 61 32 35 36 00 00
000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000060 00 00 00 00 00 00 00 00 3d 7b bb b5 fd eb 88 c6
000070 98 53 9b 77 84 ad a5 98 4e 73 bb fe 77 2e 6a b6
000080 3d e3 88 5a 6d 0d 5d 68 77 a0 5c 51 db bb 88 79
000090 bc 09 89 d6 c6 e3 54 ec 82 73 0b f1 91 d9 e8 40

4c 55 4b 53 = LUKS magic
ba be 00 02 = LUKS2
sha256 appears in the header metadata

On the host:

$ od -Ax -tx1 -N 64 /tmp/trusted-image-storage.img
000000 69 6e 74 65 67 72 74 00 04 0f 20 00 f0 01 00 00
000010 78 67 0c 06 00 00 00 00 08 00 00 00 03 0c 00 00
000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
000040

69 6e 74 65 67 72 74 00 is the dm-integrity magic, which is ASCII integrt\0.

Log from CDH:

[2026-02-11T19:17:16Z INFO  ttrpc_cdh] [ttRPC] Confidential Data Hub starts to listen to request: unix:///run/confidential-containers/cdh.sock
[2026-02-11T19:17:17Z DEBUG ttrpc_cdh::ttrpc_server] [ttRPC CDH] get new secure mount request
[2026-02-11T19:17:17Z INFO  confidential_data_hub::hub] secure mount called
[2026-02-11T19:17:17Z DEBUG confidential_data_hub::storage::volume_type::blockdevice] generate a random key. All data on the device will be overwritten.
[2026-02-11T19:17:17Z WARN  confidential_data_hub::storage::volume_type::blockdevice] encrypting the device. This will wipe original data on the disk.
[2026-02-11T19:17:29Z DEBUG confidential_data_hub::storage::volume_type::blockdevice] No mapper name provided, generating a random one
[2026-02-11T19:17:29Z DEBUG confidential_data_hub::storage::volume_type::blockdevice] luks2 opening device: /dev/sda
[2026-02-11T19:17:29Z DEBUG confidential_data_hub::storage::drivers::luks2] activating device: 628918be-bb49-4f52-8ace-8df7ea05a8db
[2026-02-11T19:17:31Z DEBUG confidential_data_hub::storage::drivers::luks2] device activated: 628918be-bb49-4f52-8ace-8df7ea05a8db
[2026-02-11T19:17:31Z INFO  confidential_data_hub::storage::volume_type::blockdevice] formatting device: /dev/mapper/628918be-bb49-4f52-8ace-8df7ea05a8db and mounting it to mount point: /run/kata-containers/image/
[2026-02-11T19:17:31Z DEBUG confidential_data_hub::storage::volume_type::blockdevice] formatting device: /dev/mapper/628918be-bb49-4f52-8ace-8df7ea05a8db
[2026-02-11T19:17:31Z DEBUG confidential_data_hub::storage::volume_type::blockdevice] mounting device: /dev/mapper/628918be-bb49-4f52-8ace-8df7ea05a8db
[2026-02-11T19:17:31Z INFO  confidential_data_hub::storage::volume_type::blockdevice] Target path /run/kata-containers/image/ mounted successfully
[2026-02-11T19:17:31Z DEBUG ttrpc_cdh::ttrpc_server] [ttRPC CDH] secure mount succeeded.
[2026-02-11T19:17:31Z DEBUG ttrpc_cdh::ttrpc_server] [ttRPC CDH] get new image pull request
[2026-02-11T19:17:31Z DEBUG confidential_data_hub::hub] Image client lazy initializing...
[2026-02-11T19:17:31Z INFO  image_rs::resource::kbs] secure channel uses ttrpc
[2026-02-11T19:17:31Z WARN  image_rs::builder] No `image_security_policy` given, thus all images can be pulled by the image client without filtering.
[2026-02-11T19:17:31Z INFO  image_rs::builder] Initialize new metadata.
[2026-02-11T19:17:31Z INFO  image_rs::builder] Image work directory: "/run/kata-containers/image/"

@manuelh-dev manuelh-dev force-pushed the mahuber/luks-temp-header branch 4 times, most recently from eca6522 to 3826f17 Compare February 12, 2026 21:22
@manuelh-dev manuelh-dev mentioned this pull request Feb 12, 2026
Merged
@manuelh-dev
cdh: store ephemeral LUKS headers in tmpfs
dce3e8d 
When creating ephemeral storages, place the LUKS headers in guest
memory rather than onto the storage device itself.
For this, create LUKS header files in the CDH storage directory,
and call into CryptInit::init_with_data_device instead of into
CryptInit::init.

The path where existing, encrypted storages are utilized remains
untouched.

Signed-off-by: Manuel Huber <[email protected]>
@manuelh-dev
ci: enable unit tests for luks2 source file
515b04e 
Make sure the unit tests for CDH's luks2 storage driver are executed.

Signed-off-by: Manuel Huber <[email protected]>
@manuelh-dev
cdh: add missing gate for luks2 test
f2ce4fb 
The test case
encrypt_an_empty_device_and_make_a_filesystem_on_it_using_luks2
should be gated behind the luks2 feature.

Signed-off-by: Manuel Huber <[email protected]>
@manuelh-dev manuelh-dev force-pushed the mahuber/luks-temp-header branch from 3826f17 to f2ce4fb Compare February 12, 2026 22:13
@manuelh-dev manuelh-dev changed the title WIP: cdh: store ephemeral LUKS headers in tmpfs cdh: store ephemeral LUKS headers in tmpfs Feb 12, 2026
@manuelh-dev manuelh-dev mentioned this pull request Feb 12, 2026
Closed
@manuelh-dev manuelh-dev marked this pull request as ready for review February 12, 2026 22:15
@manuelh-dev manuelh-dev requested a review from a team as a code owner February 12, 2026 22:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@manuelh-dev