Revision as of 16:25, 10 July 2024

Self Encrypting Drives Support in the Installer

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Add option for using using native hardware encryption on drives that provide an OPAL interface when configuring disk encryption in the installer.

Owner

Name: Vojtech Trefny
Email: vtrefny AT redhat.com

Name: Ondrej Kozina
Email: okozina AT redhat.com

Name: Jiri Konecny
Email: jkonecny AT redhat.com

Current status

Targeted release: Fedora Linux 41
Last updated: 2024-07-10
[Announced]
[<will be assigned by the Wrangler> Discussion thread]
FESCo issue: <will be assigned by the Wrangler>
Tracker bug: <will be assigned by the Wrangler>
Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Some SATA and NVMe devices support hardware encryption through the OPAL2 TCG interface and with the latest cryptsetup the OPAL interface can be used to configure LUKS devices to use hardware encryption to encrypt the data either by itself or together with the existing dm-crypt software encryption. We'd like to provide an option for users to use this feature when installing Fedora with disk encryption.

As this is an expert option, it will be available only through the kickstart interface. The existing --luks-version option which allows choosing between LUKS1 and LUKS2 versions will be extended to allow configuring hardware encryption as an addition to the software encryption layer or to select hardware encryption only.

Using hardware encryption only can be beneficial on low performance systems where using CPU to encrypt the data when reading/writing from/to the disk can significantly affect the system performance. On the other side, using both software and hardware encryption layers increases the security margin by adding an additional layer of protection.

Note: We'd like to emphasis that we do not intent to enable this feature by default, it must be explicitly selected by the user. Using the option to set up only hardware encryption can be risky as it places the trust fully in the disk manufacturers ability to implement the data encryption in the disk firmware correctly. There are known instances of security issues in the hardware encryption implementations.

Benefit to Fedora

Scope

Proposal owners: This feature is not yet implemented in the upstream so we'll need to add support for the new LUKS-OPAL format to both the backend storage libraries (blivet and libblockdev) and the installer itself. As this is only expanding and existing feature (disk encryption) already present in the installer, the changes will be relatively small (especially in the installer itself).

Other developers: No work from other developers should be needed.

Release engineering: #Releng issue number

Policies and guidelines: N/A (not needed for this Change)

Trademark approval: N/A (not needed for this Change)

Alignment with the Fedora Strategy:

Upgrade/compatibility impact

This change will affect only new installations.

How To Test

A special hardware is required for testing -- you need a disk that supports the OPAL specification. You can check for OPAL support using the sedutil-cli utility (provided by the sedutil package), simply run sudo sedutil-cli --scan to scan for OPAL compliant disks.

Because this feature is not configurable from the GUI you need to run a kickstart installation. Sample kickstart file is displayed below.

TODO

User Experience

After the installation users shouldn't notice any differences, the system will behave in the same way as with "normal" disk encryption.

Dependencies

Following projects needs to be changed for this feature: anaconda, blivet, kickstart, libblockdev. All necessary changes will be done by the change owners.

cryptsetup with the LUKS-OPAL support is already available in Fedora 41 and no other changes will be needed for the support in the installer.

Once configured the LUKS-OPAL device works in the same way any other "normal" LUKS devices work so there is no need to change any other tools for this feature to work (e.g. unlocking the LUKS-OPAL device doesn't require special configuration).

Contingency Plan

Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
Contingency deadline: N/A (not a System Wide Change)
Blocks release? No

Documentation

cryptsetup 2.7.0 release notes describing the feature: https://cdn.kernel.org/pub/linux/utils/cryptsetup/v2.7/v2.7.0-ReleaseNotes

Release Notes

@@ Line 22: / Line 22: @@
 * Name: [[User:jkonecny| Jiri Konecny]]
 * Email: jkonecny AT redhat.com
 == Current status ==
@@ Line 56: / Line 55: @@
 Note: We'd like to emphasis that we do not intent to enable this feature by default, it must be explicitly selected by the user. Using the option to set up only hardware encryption can be risky as it places the trust fully in the disk manufacturers ability to implement the data encryption in the disk firmware correctly. There are known instances of security issues in the hardware encryption implementations.
-== Feedback ==
-<!-- Summarize the feedback from the community and address why you chose not to accept proposed alternatives. This section is optional for all change proposals but is strongly suggested. Incorporating feedback here as it is raised gives FESCo a clearer view of your proposal and leaves a good record for the future. If you get no feedback, that is useful to note in this section as well. For innovative or possibly controversial ideas, consider collecting feedback before you file the change proposal. -->
 == Benefit to Fedora ==

Search

Changes/SelfEncryptingDrivesSupportInAnaconda: Difference between revisions