1# eStoraged Design - Encrypted Secondary Storage Management Daemon 2 3Author: John Wedig (johnwedig@google.com) 4 5Other contributors: John Broadbent (jebr@google.com) Benjamin Fair 6(benjaminfair@google.com) Nancy Yuenn (yuenn@google.com) 7 8Created: September 2, 2021 9 10## Problem Description 11 12This daemon will serve as an abstraction for an encrypted storage device, 13encapsulating the security functionality and providing a D-Bus interface to 14manage the encrypted filesystem on the device. Using the D-Bus interface, other 15software components can interact with eStoraged to do things like create a new 16encrypted filesystem, wipe its contents, lock/unlock the device, or change the 17password. 18 19## Background and References 20 21This design is intended to manage secondary storage devices and cannot be used 22for the root filesystem, i.e. the BMC needs to be able to boot while the device 23is still locked. 24 25This design makes use of the 26[cryptsetup](https://gitlab.com/cryptsetup/cryptsetup) utility, which in turn 27uses the [dm-crypt](https://en.wikipedia.org/wiki/Dm-crypt) kernel subsystem. 28Dm-crypt provides the encryption and device mapping capability, and Cryptsetup 29provides the [LUKS](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) 30capability, which facilitates password management so that we can do things like 31change the password without re-encrypting the entire device. 32 33This design is specifically targeted for use with eMMC devices, and we plan to 34make use of the lock/unlock feature (CMD42) at the eMMC hardware level as an 35additional security measure. This feature prohibits all read or write accesses 36to the device while locked. Some documentation on this feature can be found in 37the 38[JEDEC standard JESD84-B51A](https://www.jedec.org/document_search?search_api_views_fulltext=jesd84-b51), 39or in this document: 40[Enabling SD/uSD Card Lock/Unlock Feature in Linux](https://media-www.micron.com/-/media/client/global/documents/products/technical-note/sd-cards/tnsd01_enable_sd_lock_unlock_in_linux.pdf?rev=03f03a6bc0f8435fafa93a8fc8e88988). 41 42There are several types of keys referenced in this doc: 43 44- Volume key: The main encryption key used to encrypt the data on the block 45 device. 46- Encryption Password: The password needed to load the volume key into RAM and 47 decrypt the filesystem. 48- Device Password: The password to lock or unlock the device hardware. 49 50## Requirements 51 52This design should provide an interface for the following capabilities: 53 54- Create a new LUKS encrypted filesystem on the device 55- Securely wipe the device and verify that the data was wiped 56- Lock the device 57- Unlock the device 58- Change the password 59 60In addition, eStoraged should: 61 62- Generate a volume key using a random number generator with enough entropy, 63 making it sufficiently random and secure. 64- Utilize any security features provided by the hardware (as a defense-in-depth 65 measure). 66- Use interfaces that are generic enough, so that they can be extended to 67 support additional types of storage devices, as desired. For example, 68 different devices will have different command sets for device locking, e.g. 69 MMC, SATA, NVMe. Initially, we plan to only use eStoraged with eMMC devices, 70 but we may wish to use this with other types of storage devices in the future. 71 72The users of this design can be any other software component in the BMC. Some 73client daemon on the BMC will interact with eStoraged to set up a new encrypted 74filesystem on the eMMC. In addition, the client daemon could be configured to 75unlock the eMMC device when the BMC boots. It is the responsibility of the 76client daemon to provide a password. For example, this password could come from 77user input, fetched from a secure location, or the client daemon could generate 78the passwords itself. 79 80## Proposed Design 81 82eStoraged will represent each eMMC device as an object on D-Bus that implements 83an interface providing these methods and properties: 84 85- (method) Format 86- (method) Erase 87- (method) Lock 88- (method) Unlock 89- (method) Change Password 90- (property) Locked 91- (property) Status 92 93Upon startup, eStoraged will create a D-Bus object for each eMMC device in the 94system. Specifically, we will use udev to launch an eStoraged instance for each 95eMMC. The bus name and object name will be as follows: 96 97Bus Name: xyz.openbmc_project.eStorage.\<device name\> Object Path: 98/xyz/openbmc_project/storage/\<device name\> 99 100The object path is intended to be generic enough, so that we could ultimately 101have multiple daemons managing the same storage device, while using the same 102object path. For example, this daemon would handle the encryption, whereas 103another daemon could provide stats for the same device. 104 105To manage the encrypted filesystem, we will make use of the 106[cryptsetup API](https://mbroz.fedorapeople.org/libcryptsetup_API/). This 107library provides functions to create a new LUKS header, set the password, etc. 108 109For eMMC devices, we plan to enable the password locking feature (CMD42), to 110prevent all read or write accesses to the device while locked. So, the "Locked" 111property will mean both locked at the hardware level and locked at the 112encryption level. We will likely use the ioctl interface to send the relevant 113commands to the eMMC, similar to what 114[mmc utils](https://git.kernel.org/pub/scm/utils/mmc/mmc-utils.git/) does. 115 116Support for hardware locking on other types of devices can be added as needed, 117but at the very least, encryption-only locking will be available, even if 118hardware locking isn't supported for a particular device. 119 120As mentioned earlier, the client will provide a password. This password will be 121used by eStoraged to generate two different passwords: the encryption password 122and the device password (if hardware locking is available). The passwords will 123be different, so that in the event that one password is compromised, we still 124have some protection from the other password. 125 126The Erase method should provide a way to specify the type of erase, e.g. write 127all zeros, or do something else. Different organizations may have different 128opinions of what a secure erase entails. 129 130Since some of the D-Bus methods may take a while (e.g. installing a new 131encrypted filesystem), the D-Bus interface will be asynchronous, with the 132"Status" property that can be queried to indicate one of the following: success, 133error, or in-progress. 134 135## Alternatives Considered 136 137An alternative would be to use systemd targets to manage the eMMC. For example, 138the 139[systemd-cryptsetup@.service](https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup@.service.html) 140is often used to unlock an encrypted block device, where it takes the password 141from a key file or from user input. However, the OpenBMC architecture calls for 142using D-Bus as the primary form of inter-process communication. In addition, 143using a daemon with a well-defined D-Bus interface keeps the security 144functionality more isolated, maintainable, and testable. 145 146Another related piece of software is UDisks2, which also exports a D-Bus object 147for each storage device in a system. It is capable of setting up an encrypted 148block device with the Format method: 149[org.freedesktop.UDisks2.Format](http://storaged.org/doc/udisks2-api/latest/gdbus-org.freedesktop.UDisks2.Block.html#gdbus-method-org-freedesktop-UDisks2-Block.Format). 150And it provides several additional methods related to encryption: Lock, Unlock, 151and ChangePassphrase. See the D-Bus interface 152[org.freedesktop.UDisks2.Encrypted](http://storaged.org/doc/udisks2-api/2.7.5/gdbus-org.freedesktop.UDisks2.Encrypted.html). 153The main problem preventing us from leveraging this tool is that it increases 154our image size too much. We found that the compressed image size increased by 22 155MB due to the transitive dependencies being pulled in, e.g. mozjs and python. 156 157## Impacts 158 159To make use of eStoraged, it may be necessary to provide another client daemon 160that manages the password and invokes the D-Bus API for eStoraged. Since the 161password management scheme can be unique for different platforms and 162organizations, it is outside the scope of this design. 163 164## Testing 165 166- Unit tests to validate the various code paths in eStoraged. 167- Regression tests will exercise the various D-Bus methods: encrypt, erase, 168 lock, unlock, and change password. 169