No edit summary |
(announcing the change) |
||
Line 24: | Line 24: | ||
== Current status == | == Current status == | ||
[[Category: | [[Category:ChangeAnnounced]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | ||
Line 40: | Line 40: | ||
ON_QA -> change is fully code complete | ON_QA -> change is fully code complete | ||
--> | --> | ||
* [Announced] | * [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/KI2YKYTVJIYB6MQHF3OVMHU27CL3EUSF/ Announced] | ||
* [ | * [https://discussion.fedoraproject.org/t/f41-change-proposal-self-encrypting-drives-support-in-the-installer-self-contained/125529 Discussion thread] | ||
* FESCo issue: <will be assigned by the Wrangler> | * FESCo issue: <will be assigned by the Wrangler> | ||
* Tracker bug: <will be assigned by the Wrangler> | * Tracker bug: <will be assigned by the Wrangler> |
Revision as of 15:57, 12 July 2024
Self Encrypting Drives Support in the Installer
Summary
Add optional support for using native hardware encryption on TCG OPAL2 compliant drives when configuring disk encryption in the installer.
Owner
- Name: Vojtech Trefny
- Email: vtrefny AT redhat.com
- Name: Ondrej Kozina
- Email: okozina AT redhat.com
- Name: Jiri Konecny
- Email: jkonecny AT redhat.com
Current status
- Targeted release: Fedora Linux 41
- Last updated: 2024-07-12
- Announced
- Discussion thread
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Some SATA and NVMe devices support hardware encryption (TCG OPAL2 standard) and with the latest cryptsetup LUKS devices can be configured to use hardware encryption to encrypt the data either by itself or together with the existing dm-crypt software encryption. Support for this feature was added in the latest cryptsetup upstream release and we'd like to provide an option for users to use this feature when installing Fedora with disk encryption.
As this is an expert option, it will be available only through the kickstart interface. The existing --luks-version option which allows choosing between LUKS1 and LUKS2 versions when configuring device encryption will be extended to enable using hardware encryption. There will be two new options to select either hardware encryption only or hardware encryption in combination with software encryption (analogous to the --hw-opal-only
and --hw-opal
options used when configuring hardware encryption with cryptsetup
).
Using hardware encryption only can be beneficial on low-performance systems where utilising the CPU to encrypt the data when reading/writing from/to the disk can significantly affect the system's performance. Using both software and hardware encryption layers increases the security margin by adding an additional layer of protection.
Note: We'd like to emphasize that we do not intend to enable this feature by default, it must be explicitly selected by the user. Using the option to set up only hardware encryption can be risky as it places the trust fully in the disk manufacturer's ability to implement the data encryption in the disk firmware correctly.
Benefit to Fedora
Scope
- Proposal owners:
- This feature is not yet implemented in the upstream so we'll need to add support for the new LUKS-OPAL format to both the backend storage libraries (blivet and libblockdev) and the installer itself. As this is only expanding and existing feature (disk encryption) already present in the installer, the changes will be relatively small (especially in the installer itself).
- Other developers:
- No work from other developers should be needed.
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy:
Upgrade/compatibility impact
This change will affect only new installations.
How To Test
A special hardware is required for testing -- you need a disk that supports the OPAL specification. You can check for OPAL support using the sedutil-cli
utility (provided by the sedutil
package), simply run sudo sedutil-cli --scan
to scan for OPAL compliant disks.
Because this feature is not configurable from the GUI you need to run a kickstart installation. Sample kickstart file for encrypted automatic partitioning is shown below.
autopart --type=lvm --encrypted --passphrase="passphrase" --luks-version=luks2-hw-opal --opal-admin-passphrase="..."
(The exact syntax might change, we'll provide more detailed kickstart files for testing later.)
After the installation check that the correct setup for LUKS was used by running sudo cryptsetup luksDump <device>
. Check the Data segments
section, it should say either hw-opal-crypt
for combination of hardware and software encryption
LUKS header information Version: 2 ... Data segments: 0: hw-opal-crypt
or hw-opal
for hardware encryption only
LUKS header information Version: 2 ... Data segments: 0: hw-opal
(crypt
is shown for software encryption only which is default behaviour).
User Experience
After the installation users shouldn't notice any differences, the system will behave in the same way as with "normal" disk encryption.
Dependencies
Following projects needs to be changed for this feature: anaconda, blivet, kickstart, libblockdev. All necessary changes will be done by the change owners.
cryptsetup with the LUKS-OPAL support is already available in Fedora 41 and no other changes will be needed for the support in the installer.
Once configured the LUKS-OPAL device works in the same way any other "normal" LUKS devices work so there is no need to change any other tools for this feature to work (e.g. unlocking the LUKS-OPAL device doesn't require special configuration).
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- No specific contingency plan is needed, we will simply not include the feature if we fail to implement all the necessary changes in time.
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? No
Documentation
- cryptsetup 2.7.0 release notes describing the feature: https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.0-ReleaseNotes
- DevConf.cz talk about self-encrypting drives: https://pretalx.com/devconf-cz-2024/talk/PMLHGN/