xref: /openbmc/docs/designs/estoraged.md (revision 0ee8da09)
1
2# eStoraged Design - Encrypted Secondary Storage Management Daemon
3
4Author: John Wedig (johnwedig@google.com)
5
6Other contributors:
7John Broadbent (jebr@google.com)
8Benjamin Fair (benjaminfair@google.com)
9Nancy Yuenn (yuenn@google.com)
10
11Created: September 2, 2021
12
13## Problem Description
14
15This daemon will serve as an abstraction for an encrypted storage device,
16encapsulating the security functionality and providing a D-Bus interface to
17manage the encrypted filesystem on the device. Using the D-Bus interface, other
18software components can interact with eStoraged to do things like create a
19new encrypted filesystem, wipe its contents, lock/unlock the device, or change
20the password.
21
22## Background and References
23
24This design is intended to manage secondary storage devices and cannot be used
25for the root filesystem, i.e. the BMC needs to be able to boot while the device
26is still locked.
27
28This design makes use of the
29[cryptsetup](https://gitlab.com/cryptsetup/cryptsetup) utility, which in turn
30uses the [dm-crypt](https://en.wikipedia.org/wiki/Dm-crypt) kernel subsystem.
31Dm-crypt provides the encryption and device mapping capability, and Cryptsetup
32provides the [LUKS](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup)
33capability, which facilitates password management so that we can do things like
34change the password without re-encrypting the entire device.
35
36This design is specifically targeted for use with eMMC devices, and we plan to
37make use of the lock/unlock feature (CMD42) at the eMMC hardware level as an
38additional security measure. This feature prohibits all read or write accesses
39to the device while locked. Some documentation on this feature can be found in
40the
41[JEDEC standard JESD84-B51A](https://www.jedec.org/document_search?search_api_views_fulltext=jesd84-b51), or in this document:
42[Enabling SD/uSD Card Lock/Unlock Feature in Linux](https://media-www.micron.com/-/media/client/global/documents/products/technical-note/sd-cards/tnsd01_enable_sd_lock_unlock_in_linux.pdf?rev=03f03a6bc0f8435fafa93a8fc8e88988).
43
44There are several types of keys referenced in this doc:
45
46- Volume key: The main encryption key used to encrypt the data on the block
47  device.
48- Encryption Password: The password needed to load the volume key into RAM and
49  decrypt the filesystem.
50- Device Password: The password to lock or unlock the device hardware.
51
52## Requirements
53
54This design should provide an interface for the following capabilities:
55- Create a new LUKS encrypted filesystem on the device
56- Securely wipe the device and verify that the data was wiped
57- Lock the device
58- Unlock the device
59- Change the password
60
61In addition, eStoraged should:
62- Generate a volume key using a random number generator with enough entropy,
63  making it sufficiently random and secure.
64- Utilize any security features provided by the hardware (as a defense-in-depth
65  measure).
66- Use interfaces that are generic enough, so that they can be extended to
67  support additional types of storage devices, as desired. For example,
68  different devices will have different command sets for device locking, e.g.
69  MMC, SATA, NVMe. Initially, we plan to only use eStoraged with eMMC devices,
70  but we may wish to use this with other types of storage devices in the
71  future.
72
73The users of this design can be any other software component in the BMC. Some
74client daemon on the BMC will interact with eStoraged to set up a new encrypted
75filesystem on the eMMC. In addition, the client daemon could be configured to
76unlock the eMMC device when the BMC boots. It is the responsibility of the
77client daemon to provide a password. For example, this password could come
78from user input, fetched from a secure location, or the client daemon could
79generate the passwords itself.
80
81## Proposed Design
82
83eStoraged will represent each eMMC device as an object on D-Bus that
84implements an interface providing these methods and properties:
85- (method) Format
86- (method) Erase
87- (method) Lock
88- (method) Unlock
89- (method) Change Password
90- (property) Locked
91- (property) Status
92
93Upon startup, eStoraged will create a D-Bus object for each eMMC device in
94the system. Specifically, we will use udev to launch an eStoraged instance for
95each eMMC. The bus name and object name will be as follows:
96
97Bus Name: xyz.openbmc\_project.eStorage.\<device name\>
98Object Path: /xyz/openbmc\_project/storage/\<device name\>
99
100The object path is intended to be generic enough, so that we could ultimately
101have multiple daemons managing the same storage device, while using the same
102object path. For example, this daemon would handle the encryption, whereas
103another daemon could provide stats for the same device.
104
105To manage the encrypted filesystem, we will make use of the
106[cryptsetup API](https://mbroz.fedorapeople.org/libcryptsetup_API/). This
107library provides functions to create a new LUKS header, set the password, etc.
108
109For eMMC devices, we plan to enable the password locking feature (CMD42),
110to prevent all read or write accesses to the device while locked. So, the
111"Locked" property will mean both locked at the hardware level and locked at the
112encryption level. We will likely use the ioctl interface to send the relevant
113commands to the eMMC, similar to what
114[mmc utils](https://git.kernel.org/pub/scm/utils/mmc/mmc-utils.git/) does.
115
116Support for hardware locking on other types of devices can be added as needed,
117but at the very least, encryption-only locking will be available, even if
118hardware locking isn't supported for a particular device.
119
120As mentioned earlier, the client will provide a password. This password will
121be used by eStoraged to generate two different passwords: the encryption
122password and the device password (if hardware locking is available). The
123passwords will be different, so that in the event that one password is
124compromised, we still have some protection from the other password.
125
126The Erase method should provide a way to specify the type of erase, e.g. write
127all zeros, or do something else. Different organizations may have different
128opinions of what a secure erase entails.
129
130Since some of the D-Bus methods may take a while (e.g. installing a new
131encrypted filesystem), the D-Bus interface will be asynchronous, with the
132"Status" property that can be queried to indicate one of the following:
133success, error, or in-progress.
134
135## Alternatives Considered
136An alternative would be to use systemd targets to manage the eMMC. For example,
137the
138[systemd-cryptsetup@.service](https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup@.service.html)
139is often used to unlock an encrypted block device, where it takes the password
140from a key file or from user input. However, the OpenBMC architecture calls for
141using D-Bus as the primary form of inter-process communication. In addition,
142using a daemon with a well-defined D-Bus interface keeps the security
143functionality more isolated, maintainable, and testable.
144
145Another related piece of software is UDisks2, which also exports a D-Bus object
146for each storage device in a system. It is capable of setting up an encrypted
147block device with the Format method:
148[org.freedesktop.UDisks2.Format](http://storaged.org/doc/udisks2-api/latest/gdbus-org.freedesktop.UDisks2.Block.html#gdbus-method-org-freedesktop-UDisks2-Block.Format).
149And it provides several additional methods related to encryption: Lock, Unlock,
150and ChangePassphrase. See the D-Bus interface
151[org.freedesktop.UDisks2.Encrypted](http://storaged.org/doc/udisks2-api/2.7.5/gdbus-org.freedesktop.UDisks2.Encrypted.html).
152The main problem preventing us from leveraging this tool is that it increases
153our image size too much. We found that the compressed image size increased by
15422 MB due to the transitive dependencies being pulled in, e.g. mozjs and
155python.
156
157## Impacts
158To make use of eStoraged, it may be necessary to provide another client daemon
159that manages the password and invokes the D-Bus API for eStoraged. Since the
160password management scheme can be unique for different platforms and
161organizations, it is outside the scope of this design.
162
163## Testing
164- Unit tests to validate the various code paths in eStoraged.
165- Regression tests will exercise the various D-Bus methods: encrypt, erase,
166  lock, unlock, and change password.
167