refactor: encrypt EMWP with native Go XTS instead of cryptsetup #20
Merged
Force-pushed from 34018c6 to 5aea818.
cubic review: 1 issue found across 13 files.
Replace the cryptsetup/device-mapper EMWP encryption path with a pure-Go AES-XTS-plain64 implementation (new crypt package) that streams the ciphertext directly into the GPT image.

Encrypting in userspace lets the packer drop:
- the --privileged container (no loop device or device-mapper at pack time)
- the derived volume key written to a temp file in the output dir
- the global /dev/mapper name and its cleanup/collision races

VerifyEMWP now decrypts in Go and runs veritysetup verify over the plaintext.

To maintain parity with the kernel, we keep a golden test vector and add a kernel round-trip test that ensures the encrypted volume can be opened with dmcrypt.
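Added example, not the PR's own code: the PR's crypt package builds on golang.org/x/crypto/xts, whereas this stand-alone Go program implements the XTS core on the standard library alone so it runs with no dependencies. It shows the three points the description relies on: the plain64 IV (the 64-bit little-endian sector number, zero-extended to 128 bits) with one 4096-byte data unit per IV; zero-padding of a trailing partial sector on encrypt and rejection of unaligned ciphertext on decrypt; and a golden vector (IEEE 1619 XTS-AES vector 1) of the kind kept to pin byte-parity with the kernel. SectorSize, XTS, Stream, GoldenVectorOK, the demo key and the 5000-byte payload are this example's own names and constructed inputs, and the assumption that dm-crypt numbers IVs in 4096-byte units is marked in the code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"io"
)

// SectorSize is the XTS data unit: one plain64 IV per 4096-byte sector, as in the PR.
// Assumption: the kernel side counts IVs in 4096-byte units too (cryptsetup --type plain
// needs --sector-size 4096 --iv-large-sectors for that; dm-crypt's default is 512-byte units).
const SectorSize = 4096

// XTS is AES-XTS; k1 encrypts data blocks, k2 encrypts the tweak.
type XTS struct{ k1, k2 cipher.Block }

// NewXTS splits key (32 bytes = AES-128-XTS, 64 bytes = AES-256-XTS) into k1||k2.
func NewXTS(key []byte) (*XTS, error) {
	if len(key) != 32 && len(key) != 64 {
		return nil, fmt.Errorf("xts: key must be 32 or 64 bytes, got %d", len(key))
	}
	k1, _ := aes.NewCipher(key[:len(key)/2]) // cannot fail: lengths validated above
	k2, _ := aes.NewCipher(key[len(key)/2:])
	return &XTS{k1: k1, k2: k2}, nil
}

// crypt transforms one data unit in place (len(buf) must be a multiple of 16).
func (x *XTS) crypt(buf []byte, sector uint64, encrypt bool) {
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], sector) // plain64 IV: LE sector number, zero-extended
	x.k2.Encrypt(t[:], t[:])
	for i := 0; i < len(buf); i += aes.BlockSize {
		blk := buf[i : i+aes.BlockSize]
		for j := range blk {
			blk[j] ^= t[j]
		}
		if encrypt {
			x.k1.Encrypt(blk, blk)
		} else {
			x.k1.Decrypt(blk, blk)
		}
		for j := range blk {
			blk[j] ^= t[j]
		}
		var carry byte // next tweak = t * x in GF(2^128), IEEE 1619 little-endian convention
		for j := range t {
			t[j], carry = t[j]<<1|carry, t[j]>>7
		}
		if carry != 0 {
			t[0] ^= 0x87
		}
	}
}

// Stream moves r to w one sector per IV, starting at firstSector. Encrypting zero-pads a
// trailing partial sector, so the plaintext length must be kept elsewhere (the PR gets it
// back via dm-verity). Decrypting rejects a partial sector: neither this code nor dm-crypt
// can produce one, so it means the image was truncated or corrupted.
func Stream(x *XTS, w io.Writer, r io.Reader, firstSector uint64, encrypt bool) (sectors uint64, err error) {
	buf := make([]byte, SectorSize)
	for {
		n, rerr := io.ReadFull(r, buf)
		switch {
		case rerr == io.EOF:
			return sectors, nil // ended exactly on a sector boundary
		case rerr == io.ErrUnexpectedEOF && !encrypt:
			return sectors, fmt.Errorf("xts: ciphertext not sector-aligned (%d trailing bytes)", n)
		case rerr != nil && rerr != io.ErrUnexpectedEOF:
			return sectors, rerr
		}
		for i := n; i < SectorSize; i++ {
			buf[i] = 0 // pad the last partial plaintext sector
		}
		x.crypt(buf, firstSector+sectors, encrypt)
		if _, err = w.Write(buf); err != nil {
			return sectors, err
		}
		sectors++
		if rerr == io.ErrUnexpectedEOF {
			return sectors, nil
		}
	}
}

// GoldenVectorOK checks IEEE 1619 XTS-AES-128 vector 1 (zero key, sector 0, 32 zero bytes).
func GoldenVectorOK() bool {
	x, _ := NewXTS(make([]byte, 32))
	out := make([]byte, 32)
	x.crypt(out, 0, true)
	return hex.EncodeToString(out) == "917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e"
}

func main() {
	x, _ := NewXTS(bytes.Repeat([]byte{0x42}, 64)) // constructed demo key (AES-256-XTS)
	var ct bytes.Buffer
	n, err := Stream(x, &ct, bytes.NewReader(bytes.Repeat([]byte("EMWP"), 1250)), 0, true) // constructed 5000-byte payload
	fmt.Println("golden:", GoldenVectorOK(), "sectors:", n, "ciphertext bytes:", ct.Len(), "err:", err)
}
```

The padding is the caveat to keep in mind when reading the description: a 5000-byte payload becomes two full 4096-byte sectors, and nothing in the ciphertext records the original length, which is why verification has to run dm-verity over the decrypted plaintext rather than trusting the partition size. Equally, the IV unit is part of the format: if the kernel round-trip test opens the volume with IVs counted per 512-byte sector while the packer numbered them per 4096-byte sector, every sector after the first decrypts to garbage even though the key and cipher spec match.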
Force-pushed from 5aea818 to 407e961.
Summary by cubic
Encrypt EMWP with a native Go AES-XTS-plain64 implementation that streams directly into the GPT image, replacing cryptsetup/device-mapper. Pack and verify now run unprivileged, avoid loop/dev-mapper and on-disk keys, and remain byte-identical to dm-crypt.

Refactors
- crypt package: pure-Go AES-XTS-plain64 (4096-byte sectors) with streaming Encrypt/Decrypt using golang.org/x/crypto/xts; pads trailing partial sector on encrypt and enforces alignment on decrypt.
- wrap.encryptEMWP streams ciphertext into the payload partition; VerifyEMWP decrypts in Go to a temp file and runs verity over plaintext.
- … /dev/mapper, no temp volume key file, and no --privileged in launcher/CLI/e2e; tests assert this.
- … cryptsetup, compares plaintext bytes, and verifies dm-verity.

Migration
- … --privileged. No loop devices or device-mapper are required at pack time.

Written for commit 407e961. Summary will update on new commits.