From 4831193bde035f3918408a8d64c7459a23867a54 Mon Sep 17 00:00:00 2001
From: "Wang, Arron"
Date: Sun, 7 Aug 2022 16:37:58 +0800
Subject: [PATCH] agent: initialize trusted storage device

Initialize the trusted stroage when the device is defined as "/dev/trusted_store" with shell script as first step.

Fixes: #4882

Signed-off-by: Wang, Arron
---
 src/agent/src/rpc.rs                          | 26 ++++++
 .../rootfs-builder/init_trusted_storage.sh    | 79 +++++++++++++++++++
 tools/osbuilder/rootfs-builder/rootfs.sh      |  3 +
 3 files changed, 108 insertions(+)
 create mode 100755 tools/osbuilder/rootfs-builder/init_trusted_storage.sh

diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs
index d48accd047..57cb7cf8a2 100644
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -89,6 +89,8 @@ pub const CONTAINER_BASE: &str = "/run/kata-containers";
 const MODPROBE_PATH: &str = "/sbin/modprobe";
 const ANNO_K8S_IMAGE_NAME: &str = "io.kubernetes.cri.image-name";
 const CONFIG_JSON: &str = "config.json";
+const INIT_TRUSTED_STORAGE: &str = "/usr/bin/kata-init-trusted-storage";
+const TRUSTED_STORAGE_DEVICE: &str = "/dev/trusted_store";
 const IPTABLES_SAVE: &str = "/sbin/iptables-save";
 const IPTABLES_RESTORE: &str = "/sbin/iptables-restore";
@@ -217,6 +219,30 @@ impl AgentService {
         // cannot predict everything from the caller.
         add_devices(&req.devices.to_vec(), &mut oci, &self.sandbox).await?;
 
+        let linux = oci
+            .linux
+            .as_mut()
+            .ok_or_else(|| anyhow!("Spec didn't contain linux field"))?;
+
+        for specdev in &mut linux.devices {
+            let dev_major_minor = format!("{}:{}", specdev.major, specdev.minor);
+
+            if specdev.path == TRUSTED_STORAGE_DEVICE {
+                let data_integrity = AGENT_CONFIG.read().await.data_integrity;
+                info!(
+                    sl!(),
+                    "trusted_store device major:min {}, enable data integrity {}",
+                    dev_major_minor,
+                    data_integrity.to_string()
+                );
+
+                Command::new(INIT_TRUSTED_STORAGE)
+                    .args(&[&dev_major_minor, &data_integrity.to_string()])
+                    .output()
+                    .expect("Failed to initialize confidential storage");
+            }
+        }
+
         // Both rootfs and volumes (invoked with --volume for instance) will
         // be processed the same way. The idea is to always mount any provided
         // storage to the specified MountPoint, so that it will match what's
diff --git a/tools/osbuilder/rootfs-builder/init_trusted_storage.sh b/tools/osbuilder/rootfs-builder/init_trusted_storage.sh
new file mode 100755
index 0000000000..279426ce37
--- /dev/null
+++ b/tools/osbuilder/rootfs-builder/init_trusted_storage.sh
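Review bot: The `Command::new(INIT_TRUSTED_STORAGE)` call at the end of the added loop only checks that the script could be spawned: `.output().expect(...)` panics the whole agent if the binary is missing, and a non-zero exit from the script (a failed luksFormat, luksOpen or mount) is ignored entirely, so container creation carries on with the storage never set up. Propagate both cases as an error from this method instead, the way the `ok_or_else(|| anyhow!(...))?` a few lines above already does; the `.context(...)` below assumes `anyhow::Context` is imported in this file, otherwise `map_err` with `anyhow!` does the same. As a style point, `data_integrity.to_string()` is evaluated twice in the block and could be bound once. The enclosing method starts and ends outside this hunk, so I cannot see whether a second container in the same sandbox that also lists the device would re-run the format step on it; worth confirming.

```rust
            if specdev.path == TRUSTED_STORAGE_DEVICE {
                let data_integrity = AGENT_CONFIG.read().await.data_integrity;
                // … unchanged: info! log line …
                let output = Command::new(INIT_TRUSTED_STORAGE)
                    .args(&[&dev_major_minor, &data_integrity.to_string()])
                    .output()
                    .context("failed to run trusted storage init script")?;
                if !output.status.success() {
                    return Err(anyhow!(
                        "trusted storage init failed for device {}: {}",
                        dev_major_minor,
                        String::from_utf8_lossy(&output.stderr)
                    ));
                }
            }
```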
@@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# Copyright (c) 2022 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o errtrace
+
+[ -n "${DEBUG:-}" ] && set -o xtrace
+
+handle_error() {
+	local exit_code="${?}"
+	local line_number="${1:-}"
+	echo "error:"
+	echo "Failed at $line_number: ${BASH_COMMAND}"
+	exit "${exit_code}"
+}
+trap 'handle_error $LINENO' ERR
+
+die()
+{
+	local msg="$*"
+	echo >&2 "ERROR: $msg"
+	exit 1
+}
+
+setup()
+{
+	local cmds=()
+
+	cmds+=("cryptsetup" "mkfs.ext4" "mount")
+
+	local cmd
+	for cmd in "${cmds[@]}"
+	do
+		command -v "$cmd" &>/dev/null || die "need command: '$cmd'"
+	done
+}
+
+setup
+
+device_num=${1:-}
+if [ -z "$device_num" ]; then
+	die "invalid arguments, at least one param for device num"
+fi
+
+data_integrity="true"
+if [ -n "${2-}" ]; then
+	data_integrity="$2"
+fi
+
+device_name=$(sed -e 's/DEVNAME=//g;t;d' /sys/dev/block/${device_num}/uevent)
+device_path="/dev/$device_name"
+if [[ -n "$device_name" && -b "$device_path" ]]; then
+	storage_key_path="/run/cc_storage.key"
+	dd if=/dev/urandom of="$storage_key_path" bs=1 count=4096
+
+	if [ "$data_integrity" == "false" ]; then
+		echo "YES" | cryptsetup luksFormat --type luks2 "$device_path" --sector-size 4096 \
+			--cipher aes-xts-plain64 "$storage_key_path"
+	else
+		echo "YES" | cryptsetup luksFormat --type luks2 "$device_path" --sector-size 4096 \
+			--cipher aes-xts-plain64 --integrity hmac-sha256 "$storage_key_path"
+	fi
+
+	cryptsetup luksOpen -d "$storage_key_path" "$device_path" ephemeral_image_encrypted_disk
+	rm "$storage_key_path"
+	mkfs.ext4 /dev/mapper/ephemeral_image_encrypted_disk
+
+	[ ! -d "/run/image" ] && mkdir /run/image
+
+	mount /dev/mapper/ephemeral_image_encrypted_disk /run/image
+else
+	die "Invalid device: '$device_path'"
+fi
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index 60996cde00..9aa1342d53 100755
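Review bot: The LUKS key is written to `/run/cc_storage.key` by the `dd` line under the process's default umask, so for the window between `dd` and `rm` it may be readable by any guest user, and because `set -o errexit` aborts on the first failing command, a failed luksFormat or luksOpen exits before the `rm` line and leaves the key on disk. Put `umask 077` ahead of the `dd` line and register the cleanup as soon as the path is assigned, `trap 'rm -f "$storage_key_path"' EXIT`, so the key is removed on every exit path; `bs=4096 count=1` also reads the same 4 KiB in one read instead of 4096 single-byte ones. `device_num` is interpolated unquoted into `/sys/dev/block/${device_num}/uevent` with no shape check; it arrives from the agent as `major:minor`, and `[[ "$device_num" =~ ^[0-9]+:[0-9]+$ ]] || die "invalid device num: '$device_num'"` placed after the emptiness check keeps anything else out of the sysfs path. The `echo "YES" |` pipe works around the interactive confirmation prompt; cryptsetup's `--batch-mode` flag is the supported way to suppress it and avoids depending on the prompt's exact wording.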
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -704,6 +704,9 @@ EOF
 	skopeo copy "${pause_repo}":"${pause_version}" oci:pause:"${pause_version}"
 	umoci unpack --image pause:"${pause_version}" "${ROOTFS_DIR}/pause_bundle"
+
+	info "Install init_trusted_storage script for CC"
+	install -o root -g root -m 0500 "${script_dir}/init_trusted_storage.sh" "${ROOTFS_DIR}/usr/bin/kata-init-trusted-storage"
 fi
 
 info "Creating summary file"
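Review bot: The script installed by the added `install` line needs `cryptsetup`, `mkfs.ext4` and `mount` in the guest at runtime (its own `setup()` dies without them), and nothing in this hunk adds those packages to the rootfs, so if the image does not already ship them the failure only surfaces at container creation; worth confirming the package list for this rootfs flavour includes them. The install itself is sound: `-o root -g root -m 0500` leaves the script readable and executable by root only, matching how the agent invokes it. The enclosing `if` block starts outside this hunk, so which rootfs builds actually receive the script is not visible here.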