GyroidOS provides two layers of encryption. First the full disk encryption for overall persitent data of the container managment layer (CML) itself. Second for each compartment with an individual container specific key.
CML Storage Encryption
Persistent data, especially sensitive user data of the containers or the virtualization layers should be encrypted in permanent storge. The integrity of the kernel and initial-ramdisk is assured by secure boot but they are not encrypted, since they contain only code and no sensitive data. All other persistend data of the virtualization layer including the container images are encrypted via Full Disk Encryption (FDE). The key for this KFDE is protected by the TPM. For this, the KFDE is saved in Non-Volatile Random-Acess Memory (NVRAM) of the TPM and it’s release is bound to the state of the platform (similar to the Windows Bitlocker technology). The TPM only releases the key, if the system can attest the correct values during the “Measured Boot”. The key is used directly by the Linux Kernel for the FDE (it could also be used to decrypt a Linux Unified Key Setup (LUKS) for example). No password is neccesary, therefore the decryption is coupled to the state of the platform and not the user.
Implementation for the KFDE
On the left side, the figure above shows how the KFDE (FDE_key) is created and bound to the TPM. At first boot, the encryption is initialized in the init script if the Initial-Ramdisk. For this it uses the tpm2d daemon. This daemon is responsible for the whole communication with the TPM in GyroidOS. The daemon creates a key called FDE_key, saves it in the NVRAM of the TPM and binds it to the state of the platform, which is saved in the Platform Control Register (PCR) 7.
As shown on the right side of the figure above, every start of the system following the first boot , the state of the platform is measured by the “Measured Boot”. After this, the container manager module of the virtualization layer uses the tpm2d to read the FDE_key from the TPM’s NVRAM. This is only possible, if the expected value has previoulsy been written to PCR 7. After reading the key successfully, the container manager passes it on to the device mapper, which is responsible for the transparent de- and encryption of memory. Therefore, the container manager can mount the data partition and proceed to the startup of the core0 Container.
Container Storage Encryption
Additionally to system-wide persistent data encryption, the persistant data of a container is encrypted with a seperate container individual key KCFDE. When the container first gets instanced, the virtualization layer creates a random key KCFDE. Analogous to the system-wide encryption this key is given to the device mapper, which is responsible for the transparent de- and encryption of memory. AES-XTS is combined with HMAC via dm-integrity for the encryption of the persistend data. The KCFDE is a 768 bit long key, which consists of 512 bit for the AES-XTS and 256 bit for the HMAC key.
KCFDE itself is encrypted either another key encryption key the KKEK and a Key-Wrapping procedure defined in RFC 3394 and it is only saved encrpyted either in a per container softtoken or Secure Element. The procedure protects the confidentiality and the integrity of the wrapped KCFDE. GyroidOS supports the SmartCard-HSM in form of a USB-Token.