Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-4522

Support additional protection via PCRs attestation for disk encryption with TPM

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • None
    • None
    • False
    • None
    • False
    • Not Selected

      1. Proposed title of this feature request

      Support additional protection via PCR attestation for disk encryption with TPM

      2. What is the nature and description of the request?

      Edge customers (including Telco customers in the Far Edge) face the challenge to deploy OpenShift in public places with not reliable physical control. 

      For that reason, customers require encryption at rest of their data using disk encryption in case disk is stolen. 

      Currently disk encryption is supported in OCP via NBDE and TPM. Given the edge use case, the preferred way to protect disk encryption key is via TPM as it can be done locally and it doesn't rely on a secured network connection.

      However, this method doesn't protect if the whole box (which includes TPM) is stolen - which will result on disk encryption being unlocked.

      The proposal is add an additional level of protection using PCR values for attestation in order to decrypt the disk.  That means that disk encryption will only unlock if the selected PCRs show the same value they were on when disk encryption was enabled. Ie - no bios changes were made and no additional hw was introduced, etc. that also include the boot order

      This is already possible to do in RHEL and it has also been tested in OCP (although it is not documented).

      The major gap that should be covered in this epic is to handle upgrades of PCR values:

      • PCR values chosen are updated in case they change over any LCM activity in OpenShift, such as: OCP upgrades
      • Document the procedure for customers on how to upgrade values in case they change due to changes external to OCP, like for instance, when they do a firmware upgrade.

      3. Why does the customer need this? (List the business requirements here)

      I, as an edge customer want to ensure that my data at rest is protected in case both the disk and the entire box is stolen because the OCP instance will be installed in public location. 

      4. List any affected packages or components.

      RHCOS (Ignition) , OCP (CVO - Cluster Version Operator) 

       

      5. Additional considerations: 

      An assessment on what PCRs should be used for attestation is available there https://docs.google.com/document/d/1XKhG0D5BGqFCO5jeBZkCZpxIlqrlGNsO7d6EIMb1aJ0/edit

      The conclusion is that as a starting point PCR 1 & 7 offer enough level of protection

              rhn-support-mrussell Mark Russell
              rh-ee-masimonm Maria Simon Marcos
              Votes:
              0 Vote for this issue
              Watchers:
              12 Start watching this issue

                Created:
                Updated: