add: Support LUKS encryption using IBM CEX secure keys on s390x

base/v0_6_exp/schema.go

@@ -14,6 +14,10 @@
 
 package v0_6_exp
 
+type Cex struct {
+	Enabled *bool `yaml:"enabled"`
+}
+
 type Clevis struct {
 	Custom    ClevisCustom `yaml:"custom"`
 	Tang      []Tang       `yaml:"tang"`
@@ -119,6 +123,7 @@ type Link struct {
 }
 
 type Luks struct {
+	Cex         Cex      `yaml:"cex"`
 	Clevis      Clevis   `yaml:"clevis"`
 	Device      *string  `yaml:"device"`
 	Discard     *bool    `yaml:"discard"`

config/common/errors.go

@@ -59,6 +59,8 @@ var (
 	ErrNoLuksBootDevice        = errors.New("device is required for layouts: s390x-eckd, s390x-zfcp")
 	ErrMirrorNotSupport        = errors.New("mirroring not supported on layouts: s390x-eckd, s390x-zfcp, s390x-virt")
 	ErrLuksBootDeviceBadName   = errors.New("device name must start with /dev/dasd on s390x-eckd layout or /dev/sd on s390x-zfcp layout")
+	ErrCexArchitectureMismatch = errors.New("when using cex the targeted architecture must match s390x")
+	ErrCexNotSupported         = errors.New("cex is not currently supported on the target platform")
 
 	// partition
 	ErrReuseByLabel         = errors.New("partitions cannot be reused by label; number must be specified except on boot disk (/dev/disk/by-id/coreos-boot-disk) or when wipe_table is true")

config/fcos/v1_6_exp/schema.go

@@ -31,6 +31,7 @@ type BootDevice struct {
 }
 
 type BootDeviceLuks struct {
+	Cex       base.Cex    `yaml:"cex"`
 	Discard   *bool       `yaml:"discard"`
 	Device    *string     `yaml:"device"`
 	Tang      []base.Tang `yaml:"tang"`

config/fcos/v1_6_exp/translate.go

@@ -114,7 +114,7 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 	var r report.Report
 
 	// check for high-level features
-	wantLuks := util.IsTrue(c.BootDevice.Luks.Tpm2) || len(c.BootDevice.Luks.Tang) > 0
+	wantLuks := util.IsTrue(c.BootDevice.Luks.Tpm2) || len(c.BootDevice.Luks.Tang) > 0 || util.IsTrue(c.BootDevice.Luks.Cex.Enabled)
 	wantMirror := len(c.BootDevice.Mirror.Devices) > 0
 	if !wantLuks && !wantMirror {
 		return r
@@ -252,25 +252,47 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 		default:
 			luksDevice = "/dev/disk/by-partlabel/root"
 		}
-		clevis, ts2, r2 := translateBootDeviceLuks(c.BootDevice.Luks, options)
-		rendered.Storage.Luks = []types.Luks{{
-			Clevis:     clevis,
-			Device:     &luksDevice,
-			Discard:    c.BootDevice.Luks.Discard,
-			Label:      util.StrToPtr("luks-root"),
-			Name:       "root",
-			WipeVolume: util.BoolToPtr(true),
-		}}
-		lpath := path.New("yaml", "boot_device", "luks")
-		rpath := path.New("json", "storage", "luks", 0)
-		renderedTranslations.Merge(ts2.PrefixPaths(lpath, rpath.Append("clevis")))
-		renderedTranslations.AddTranslation(lpath.Append("discard"), rpath.Append("discard"))
-		for _, f := range []string{"device", "label", "name", "wipeVolume"} {
-			renderedTranslations.AddTranslation(lpath, rpath.Append(f))
+		if util.IsTrue(c.BootDevice.Luks.Cex.Enabled) {
+			cex, ts2, r2 := translateBootDeviceLuksCex(c.BootDevice.Luks, options)
+			rendered.Storage.Luks = []types.Luks{{
+				Cex:        cex,
+				Device:     &luksDevice,
+				Discard:    c.BootDevice.Luks.Discard,
+				Label:      util.StrToPtr("luks-root"),
+				Name:       "root",
+				WipeVolume: util.BoolToPtr(true),
+			}}
+			lpath := path.New("yaml", "boot_device", "luks")
+			rpath := path.New("json", "storage", "luks", 0)
+			renderedTranslations.Merge(ts2.PrefixPaths(lpath, rpath.Append("cex")))
+			renderedTranslations.AddTranslation(lpath.Append("discard"), rpath.Append("discard"))
+			for _, f := range []string{"device", "label", "name", "wipeVolume"} {
+				renderedTranslations.AddTranslation(lpath, rpath.Append(f))
+			}
+			renderedTranslations.AddTranslation(lpath, rpath)
+			renderedTranslations.AddTranslation(lpath, path.New("json", "storage", "luks"))
+			r.Merge(r2)
+		} else {
+			clevis, ts2, r2 := translateBootDeviceLuks(c.BootDevice.Luks, options)
+			rendered.Storage.Luks = []types.Luks{{
+				Clevis:     clevis,
+				Device:     &luksDevice,
+				Discard:    c.BootDevice.Luks.Discard,
+				Label:      util.StrToPtr("luks-root"),
+				Name:       "root",
+				WipeVolume: util.BoolToPtr(true),
+			}}
+			lpath := path.New("yaml", "boot_device", "luks")
+			rpath := path.New("json", "storage", "luks", 0)
+			renderedTranslations.Merge(ts2.PrefixPaths(lpath, rpath.Append("clevis")))
+			renderedTranslations.AddTranslation(lpath.Append("discard"), rpath.Append("discard"))
+			for _, f := range []string{"device", "label", "name", "wipeVolume"} {
+				renderedTranslations.AddTranslation(lpath, rpath.Append(f))
+			}
+			renderedTranslations.AddTranslation(lpath, rpath)
+			renderedTranslations.AddTranslation(lpath, path.New("json", "storage", "luks"))
+			r.Merge(r2)
 		}
-		renderedTranslations.AddTranslation(lpath, rpath)
-		renderedTranslations.AddTranslation(lpath, path.New("json", "storage", "luks"))
-		r.Merge(r2)
 	}
 
 	// create root filesystem
@@ -317,6 +339,19 @@ func translateBootDeviceLuks(from BootDeviceLuks, options common.TranslateOption
 	return
 }
 
+func translateBootDeviceLuksCex(from BootDeviceLuks, options common.TranslateOptions) (to types.Cex, tm translate.TranslationSet, r report.Report) {
+	tr := translate.NewTranslator("yaml", "json", options)
+	// Discard field is handled by the caller because it doesn't go
+	// into types.Cex
+	tm, r = translate.Prefixed(tr, "enabled", &from.Cex.Enabled, &to.Enabled)
+	translate.MergeP(tr, tm, &r, "enabled", &from.Cex.Enabled, &to.Enabled)
+	// we're being called manually, not via the translate package's
+	// custom translator mechanism, so we have to add the base
+	// translation ourselves
+	tm.AddTranslation(path.New("yaml"), path.New("json"))
+	return
+}
+
 func (c Config) handleUserGrubCfg(options common.TranslateOptions) (types.Config, translate.TranslationSet, report.Report) {
 	rendered := types.Config{}
 	ts := translate.NewTranslationSet("yaml", "json")

config/fcos/v1_6_exp/validate.go

@@ -18,6 +18,7 @@ import (
 	"regexp"
 
 	"github.com/coreos/butane/config/common"
+	"github.com/coreos/ignition/v2/config/shared/errors"
 	"github.com/coreos/ignition/v2/config/util"
 
 	"github.com/coreos/vcontext/path"
@@ -51,31 +52,43 @@ func (conf Config) Validate(c path.ContextPath) (r report.Report) {
 }
 
 func (d BootDevice) Validate(c path.ContextPath) (r report.Report) {
-	if d.Layout != nil {
-		switch *d.Layout {
+	var layout = d.Layout
+	if layout != nil {
+		switch *layout {
 		case "aarch64", "ppc64le", "x86_64":
+			if util.IsTrue(d.Luks.Cex.Enabled) {
+				r.AddOnError(c.Append(*layout), common.ErrCexArchitectureMismatch)
+			}
 		case "s390x-eckd":
 			if util.NilOrEmpty(d.Luks.Device) {
-				r.AddOnError(c.Append(*d.Layout), common.ErrNoLuksBootDevice)
+				r.AddOnError(c.Append(*layout), common.ErrNoLuksBootDevice)
 			} else if !dasdRe.MatchString(*d.Luks.Device) {
-				r.AddOnError(c.Append(*d.Layout), common.ErrLuksBootDeviceBadName)
+				r.AddOnError(c.Append(*layout), common.ErrLuksBootDeviceBadName)
 			}
 		case "s390x-zfcp":
 			if util.NilOrEmpty(d.Luks.Device) {
-				r.AddOnError(c.Append(*d.Layout), common.ErrNoLuksBootDevice)
+				r.AddOnError(c.Append(*layout), common.ErrNoLuksBootDevice)
 			} else if !sdRe.MatchString(*d.Luks.Device) {
-				r.AddOnError(c.Append(*d.Layout), common.ErrLuksBootDeviceBadName)
+				r.AddOnError(c.Append(*layout), common.ErrLuksBootDeviceBadName)
 			}
 		case "s390x-virt":
 		default:
 			r.AddOnError(c.Append("layout"), common.ErrUnknownBootDeviceLayout)
 		}
 
-		if *d.Layout == "s390x-eckd" || *d.Layout == "s390x-zfcp" || *d.Layout == "s390x-virt" {
+		if *layout == "s390x-eckd" || *layout == "s390x-zfcp" || *layout == "s390x-virt" {
 			if len(d.Mirror.Devices) > 0 {
-				r.AddOnError(c.Append(*d.Layout), common.ErrMirrorNotSupport)
+				r.AddOnError(c.Append(*layout), common.ErrMirrorNotSupport)
 			}
 		}
+
+		if util.IsTrue(d.Luks.Cex.Enabled) && (len(d.Luks.Tang) > 0 || util.IsTrue(d.Luks.Tpm2)) {
+			r.AddOnError(c.Append("luks"), errors.ErrCexWithClevis)
+		}
+	}
+
+	if layout == nil && util.IsTrue(d.Luks.Cex.Enabled) {
+		r.AddOnError(c.Append("cex"), common.ErrCexArchitectureMismatch)
 	}
 	r.Merge(d.Mirror.Validate(c.Append("mirror")))
 	return

config/fcos/v1_6_exp/validate_test.go

@@ -161,6 +161,20 @@ func TestValidateBootDevice(t *testing.T) {
 			nil,
 			path.New("yaml"),
 		},
+		// complete config with cex
+		{
+			BootDevice{
+				Layout: util.StrToPtr("s390x-eckd"),
+				Luks: BootDeviceLuks{
+					Device: util.StrToPtr("/dev/dasda"),
+					Cex: base.Cex{
+						Enabled: util.BoolToPtr(true),
+					},
+				},
+			},
+			nil,
+			path.New("yaml"),
+		},
 		// invalid layout
 		{
 			BootDevice{

config/flatcar/v1_2_exp/translate.go

@@ -22,9 +22,15 @@ import (
 	"github.com/coreos/vcontext/report"
 )
 
+var (
+	fieldFilters = cutil.NewFilters(types.Config{}, cutil.FilterMap{
+		"storage.luks.cex": common.ErrCexNotSupported,
+	})
+)
+
 // Return FieldFilters for this spec.
 func (c Config) FieldFilters() *cutil.FieldFilters {
-	return nil
+	return &fieldFilters
 }
 
 // ToIgn3_5 translates the config to an Ignition config.  It returns a

docs/config-fcos-v1_6-exp.md

@@ -168,6 +168,8 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
         * **pin** (string): the clevis pin.
         * **config** (string): the clevis configuration JSON.
         * **_needs_network_** (boolean): whether or not the device requires networking.
+    * **_cex_** (object): describes the IBM Crypto Express (CEX) card configuration for the luks device.
+      * **_enabled_** (boolean): whether or not to use a CEX secure key to encrypt the luks device.
   * **_trees_** (list of objects): a list of local directory trees to be embedded in the config. Ownership is not preserved. File modes are set to 0755 if the local file is executable or 0644 otherwise. Attributes of files, directories, and symlinks can be overridden by creating a corresponding entry in the `files`, `directories`, or `links` section; such `files` entries must omit `contents` and such `links` entries must omit `target`.
     * **local** (string): the base of the local directory tree, relative to the directory specified by the `--files-dir` command-line argument.
     * **_path_** (string): the path of the tree within the target system. Defaults to `/`.
@@ -219,6 +221,8 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
     * **_tpm2_** (boolean): whether or not to use a tpm2 device.
     * **_threshold_** (integer): sets the minimum number of pieces required to decrypt the device. Default is 1.
     * **_discard_** (boolean): whether to issue discard commands to the underlying block device when blocks are freed. Enabling this improves performance and device longevity on SSDs and space utilization on thinly provisioned SAN devices, but leaks information about which disk blocks contain data. If omitted, it defaults to false.
+    * **_cex_** (object): describes the IBM Crypto Express (CEX) card configuration for the luks device.
+      * **_enabled_** (boolean): whether or not to enable cex compatibility for luks. If omitted, defaults to false.
   * **_mirror_** (object): describes mirroring of the boot disk for fault tolerance.
     * **_devices_** (list of strings): the list of whole-disk devices (not partitions) to include in the disk array, referenced by their absolute path. At least two devices must be specified.
 * **_grub_** (object): describes the desired GRUB bootloader configuration.

docs/config-openshift-v4_18-exp.md

@@ -137,6 +137,8 @@ The OpenShift configuration is a YAML document conforming to the following speci
         * **pin** (string): the clevis pin.
         * **config** (string): the clevis configuration JSON.
         * **_needs_network_** (boolean): whether or not the device requires networking.
+    * **_cex_** (object): describes the IBM Crypto Express (CEX) card configuration for the luks device.
+      * **_enabled_** (boolean): whether or not to use a CEX secure key to encrypt the luks device.
   * **_trees_** (list of objects): a list of local directory trees to be embedded in the config. Symlinks must not be present. Ownership is not preserved. File modes are set to 0755 if the local file is executable or 0644 otherwise. File attributes can be overridden by creating a corresponding entry in the `files` section; such entries must omit `contents`.
     * **local** (string): the base of the local directory tree, relative to the directory specified by the `--files-dir` command-line argument.
     * **_path_** (string): the path of the tree within the target system. Defaults to `/`.
@@ -168,6 +170,8 @@ The OpenShift configuration is a YAML document conforming to the following speci
     * **_tpm2_** (boolean): whether or not to use a tpm2 device.
     * **_threshold_** (integer): sets the minimum number of pieces required to decrypt the device. Default is 1.
     * **_discard_** (boolean): whether to issue discard commands to the underlying block device when blocks are freed. Enabling this improves performance and device longevity on SSDs and space utilization on thinly provisioned SAN devices, but leaks information about which disk blocks contain data. If omitted, it defaults to false.
+    * **_cex_** (object): describes the IBM Crypto Express (CEX) card configuration for the luks device.
+      * **_enabled_** (boolean): whether or not to enable cex compatibility for luks. If omitted, defaults to false.
   * **_mirror_** (object): describes mirroring of the boot disk for fault tolerance.
     * **_devices_** (list of strings): the list of whole-disk devices (not partitions) to include in the disk array, referenced by their absolute path. At least two devices must be specified.
 * **_grub_** (object): describes the desired GRUB bootloader configuration.

docs/examples.md

@@ -340,6 +340,20 @@ boot_device:
         thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
 ```
 
+This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem in s390x on the `dasda` DASD device unlocked with a CEX card.
+
+<!-- butane-config -->
+```yaml
+variant: fcos
+version: 1.6.0-experimental
+boot_device:
+  layout: s390x-eckd
+  luks:
+    device: /dev/dasda
+    cex:
+      enabled: true
+```
+
 ### Mirrored boot disk
 
 This example replicates all default partitions on the boot disk across multiple disks, allowing the system to survive disk failure.

docs/release-notes.md

@@ -30,6 +30,23 @@ nav_order: 9
 - Roll back to Ignition spec 3.4.0 _(openshift 4.17.0)_
 
 
+### Breaking changes
+
+
+### Features
+
+- Support LUKS encryption using IBM CEX secure keys on s390x
+
+### Bug fixes
+
+
+## Misc. changes
+
+
+### Docs changes
+
+
+
 ## Butane 0.21.0 (2024-06-06)
 
 Starting with this release, Butane binaries are signed with the [Fedora 40

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/clarketm/json v1.17.1
 	github.com/coreos/go-semver v0.3.1
 	github.com/coreos/go-systemd/v22 v22.5.0
-	github.com/coreos/ignition/v2 v2.18.0
+	github.com/coreos/ignition/v2 v2.19.0
 	github.com/coreos/vcontext v0.0.0-20230201181013-d72178a18687
 	github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace
 	github.com/stretchr/testify v1.9.0
@@ -15,7 +15,7 @@ require (
 )
 
 require (
-	github.com/aws/aws-sdk-go v1.50.25 // indirect
+	github.com/aws/aws-sdk-go v1.53.5 // indirect
 	github.com/coreos/go-json v0.0.0-20230131223807-18775e0fb4fb // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/kr/pretty v0.3.1 // indirect

go.sum

@@ -1,5 +1,5 @@
-github.com/aws/aws-sdk-go v1.50.25 h1:vhiHtLYybv1Nhx3Kv18BBC6L0aPJHaG9aeEsr92W99c=
-github.com/aws/aws-sdk-go v1.50.25/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
+github.com/aws/aws-sdk-go v1.53.5 h1:1OcVWMjGlwt7EU5OWmmEEXqaYfmX581EK317QJZXItM=
+github.com/aws/aws-sdk-go v1.53.5/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/clarketm/json v1.17.1 h1:U1IxjqJkJ7bRK4L6dyphmoO840P6bdhPdbbLySourqI=
 github.com/clarketm/json v1.17.1/go.mod h1:ynr2LRfb0fQU34l07csRNBTcivjySLLiY1YzQqKVfdo=
 github.com/coreos/go-json v0.0.0-20230131223807-18775e0fb4fb h1:rmqyI19j3Z/74bIRhuC59RB442rXUazKNueVpfJPxg4=
@@ -8,8 +8,8 @@ github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/coreos/ignition/v2 v2.18.0 h1:sPSGGsxaCuFMpKOMBQ71I9RIR20SIF4dWnoTomcPEYQ=
-github.com/coreos/ignition/v2 v2.18.0/go.mod h1:TURPHDqWUWTmej8c+CEMBENMU3N/Lt6GfreHJuoDMbA=
+github.com/coreos/ignition/v2 v2.19.0 h1:ek200E31M1NCVyvL22Bd40kOJp7yt1gdHAb3xwqTi8Y=
+github.com/coreos/ignition/v2 v2.19.0/go.mod h1:ydb815SaH9A4304wIUoCS5IHyKRHWEp7dfJH8cQW2gA=
 github.com/coreos/vcontext v0.0.0-20230201181013-d72178a18687 h1:uSmlDgJGbUB0bwQBcZomBTottKwEDF5fF8UjSwKSzWM=
 github.com/coreos/vcontext v0.0.0-20230201181013-d72178a18687/go.mod h1:Salmysdw7DAVuobBW/LwsKKgpyCPHUhjyJoMJD+ZJiI=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=

internal/doc/butane.yaml

@@ -344,6 +344,11 @@ root:
               desc: sets the minimum number of pieces required to decrypt the device. Default is 1.
             - name: discard
               desc: whether to issue discard commands to the underlying block device when blocks are freed. Enabling this improves performance and device longevity on SSDs and space utilization on thinly provisioned SAN devices, but leaks information about which disk blocks contain data. If omitted, it defaults to false.
+            - name: cex 
+              desc: describes the IBM Crypto Express (CEX) card configuration for the luks device. 
+              children:
+                - name: enabled
+                  desc: whether or not to enable cex compatibility for luks. If omitted, defaults to false. 
         - name: mirror
           desc: describes mirroring of the boot disk for fault tolerance.
           children: