confidential-containers · arronwy · Nov 21, 2023 · Sep 5, 2023 · Sep 15, 2023 · Sep 27, 2023
@@ -16,6 +16,7 @@ members = [
     "confidential-data-hub/kms",
     "confidential-data-hub/image",
     "confidential-data-hub/secret",
+    "confidential-data-hub/storage",
     "image-rs",
     "ocicrypt-rs",
 ]

@@ -0,0 +1,13 @@
+# Secure Storage
+
+## Purpose
+The Purpose of this secure storage feature is:
+1. Mounting external storage from guest instead of host which would then share it to guest, this is due to performance consideration.
+2. The unencrypted data in storage could only be accessed within TEE, that is why we call it secure storage.
+
+## Architecture
+![architecture](./images/secure_storage.png)
+
+First of all, the sensitive information of external storage is sealed by the key from KBS/KMS, and store in [sealed secret](https://github.com/confidential-containers/guest-components/blob/main/confidential-data-hub/docs/SEALED_SECRET.md). The sensitive information includes access key id/access key secret to storage, the encryption key of the data(such as AI model) stored in the storage, which also means we supported client encryption.
+We reuse [direct block device assigned volume feature](https://github.com/kata-containers/kata-containers/blob/main/docs/design/direct-blk-device-assignment.md) to mount external storage from guest directly. CSI plugin, such as [alibaba cloud OSS CSI plugin](https://github.com/kubernetes-sigs/alibaba-cloud-csi-driver/blob/master/docs/oss.md) reads the sensitve information from sealed secret and pass it to kata agent. When secure mount service in CDH receives secure mount request, it calls sealed secret service to unseal the sensitive information mentioned above, this process could be based on remote attestation. If success, the secure mount service would use the unsealed sensitive information to mount the external storage and decrypt the data in storage.
+
@@ -21,6 +21,7 @@ lazy_static.workspace = true
 log.workspace = true
 protobuf = { workspace = true, optional = true }
 secret.path = "../secret"
+storage.path = "../storage"
 serde = { workspace = true, optional = true }
 serde_json.workspace = true
 sev = { path = "../../attestation-agent/deps/sev", optional = true }

@@ -26,6 +26,19 @@ message KeyProviderKeyWrapProtocolOutput {
     bytes KeyProviderKeyWrapProtocolOutput = 1;
 }
 
+message SecureMountRequest {
+    string driver = 1;
+    repeated string driver_options = 2;
+    string source = 3;
+    string fstype = 4;
+    repeated string options = 5;
+    string mount_point = 6;
+}
+
+message SecureMountResponse {
+    string mount_path = 1;
+}
+
 service SealedSecretService {
     rpc UnsealSecret(UnsealSecretInput) returns (UnsealSecretOutput) {};
 }
@@ -37,3 +50,7 @@ service GetResourceService {
 service KeyProviderService {
     rpc UnWrapKey(KeyProviderKeyWrapProtocolInput) returns (KeyProviderKeyWrapProtocolOutput) {};
 }
+
+service SecureMountService {
+    rpc SecureMount(SecureMountRequest) returns (SecureMountResponse) {};
+}
@@ -6,6 +6,7 @@
 use async_trait::async_trait;
 
 use crate::Result;
+use storage::volume_type::Storage;
 
 /// The APIs of the DataHub. See
 /// <https://github.com/confidential-containers/documentation/issues/131> for
@@ -26,4 +27,6 @@ pub trait DataHub {
     /// URI is defined in
     /// <https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docs/KBS_URI.md>
     async fn get_resource(&self, uri: String) -> Result<Vec<u8>>;
+
+    async fn secure_mount(&self, storage: Storage) -> Result<String>;
 }