[PATCH 0/4] Protect secret values stored on disk with TPM

Michal Privoznik posted 4 patches 2 months, 1 week ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/cover.1707840643.git.mprivozn@redhat.com
[PATCH 0/4] Protect secret values stored on disk with TPM
Posted by Michal Privoznik 2 months, 1 week ago
Secret values are stored effectively in plaintext on disk and we rely
on file perms to secure them. But with systemd-cred we can use the system's
TPM chip and encrypt them.

Such secrets won't be transferable to another system by simply copying
files stored on disk, but: a) that's not the recommended way anyway, b)
one can argue secrets shouldn't be migrated anyway.

Future work consists of encrypting secret values even when stored in
memory, as it's now possible to obtain secrets by dumping the memory of
virsecretd. Though, to dump memory, admin rights are required, at which
point users can just read the values stored on disk (which is not true for
ephemeral secrets).

Michal Prívozník (4):
  virsecret: Introduce APIs to talk to systemd-cred
  conf: Introduce @tpm attribute to <secret/>
  virsecretobj: Encrypt/decrypt secrets using TPM
  NEWS: Document new virSecret TPM feature

 NEWS.rst                                 |   6 +
 docs/formatsecret.rst                    |   8 +-
 src/conf/schemas/secret.rng              |   5 +
 src/conf/secret_conf.c                   |  17 +++
 src/conf/secret_conf.h                   |   2 +
 src/conf/virsecretobj.c                  |  32 ++++-
 src/libvirt_private.syms                 |   3 +
 src/secret/secret_driver.c               |   7 +
 src/util/virsecret.c                     | 170 +++++++++++++++++++++++
 src/util/virsecret.h                     |  10 ++
 tests/secretxml2xmlin/usage-tpm-vtpm.xml |   7 +
 tests/secretxml2xmltest.c                |   1 +
 12 files changed, 263 insertions(+), 5 deletions(-)
 create mode 100644 tests/secretxml2xmlin/usage-tpm-vtpm.xml

-- 
2.43.0
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org
Re: [PATCH 0/4] Protect secret values stored on disk with TPM
Posted by Daniel P. Berrangé 2 months, 1 week ago
On Tue, Feb 13, 2024 at 05:16:04PM +0100, Michal Privoznik wrote:
> Secret values are stored effectively in plaintext on a disk and we rely
> on file perms to secure them. But with systemd-cred we can use system's
> TPM chip and encrypt them.
> 
> Such secrets won't be transferable to another system by simply copying
> files stored on disk, but: a) that's not recommended way anyway, b)
> one can argue secrets shouldn't be migrated anyway.
> 
> Future work consists of encrypting secret values even when stored in
> memory, as it's now possible to obtain secrets by dumping memory of
> virsecretd. Though, to dump a memory admin rights are required at which
> point users can just read values stored on disk (which is not true for
> ephemeral secrets).

We should not read the secret values into memory during startup
at all. They ought to remain on disk only, except during execution
of the virSecretGetValue API call. That way we don't need to have
encryption of values in memory. We just need to scrub memory
used by GetValue.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
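The lifecycle Daniel describes, as an added example that is not libvirt code: the secret file is read only inside a GetValue-style call, used, then wiped before the buffer is freed. `secret_load_on_demand`, `secret_scrub`, the 4096-byte size bound and the constructed secret value are all assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Wipe through a volatile pointer so the stores survive optimisation. */
static void secret_scrub(unsigned char *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Assumed helper, not libvirt's: read the secret file only when a
 * GetValue-style request arrives. Caller owns *out and scrubs before free. */
static int secret_load_on_demand(const char *path, unsigned char **out, size_t *outlen)
{
    FILE *fp = fopen(path, "rb");
    unsigned char *buf = fp ? malloc(4096) : NULL;  /* 4096: assumed max size */

    if (!fp)
        return -1;
    if (buf)
        *outlen = fread(buf, 1, 4096, fp);  /* one read into one copy, no realloc */
    fclose(fp);
    *out = buf;
    return buf ? 0 : -1;
}

/* Demo: 1 if a constructed secret round-trips and is all-zero after scrub. */
static int secret_roundtrip_demo(void)
{
    static const char secret[] = "constructed-vtpm-state-key";
    char path[] = "/tmp/secret-demo-XXXXXX";
    unsigned char *val = NULL;
    size_t len = 0;
    int fd = mkstemp(path), ok = 0;

    if (fd < 0)
        return 0;
    ok = write(fd, secret, sizeof(secret) - 1) == (ssize_t)(sizeof(secret) - 1) &&
         secret_load_on_demand(path, &val, &len) == 0 &&  /* resident only now */
         len == sizeof(secret) - 1 && memcmp(val, secret, len) == 0;
    secret_scrub(val, len);  /* value consumed: wipe before free */
    ok = ok && val[0] == 0 && memcmp(val, val + 1, len - 1) == 0;  /* all zero */
    free(val);
    close(fd);
    unlink(path);
    return ok;
}
```

The scrub happens while the buffer is still owned, which is the only point at which the bytes can be reliably overwritten.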