1 change: 1 addition & 0 deletions Cargo.lock


8 changes: 4 additions & 4 deletions dstack-util/src/main.rs
Expand Up @@ -14,7 +14,7 @@ use ra_rpc::Attestation;
use ra_tls::{
attestation::QuoteContentType,
cert::generate_ra_cert,
kdf::{derive_ecdsa_key, derive_ecdsa_key_pair_from_bytes},
kdf::{derive_key, derive_p256_key_pair_from_bytes},
rcgen::KeyPair,
};
use std::{
Expand Down Expand Up @@ -378,9 +378,9 @@ fn gen_app_keys_from_seed(
provider: KeyProviderKind,
mr: Option<Vec<u8>>,
) -> Result<AppKeys> {
let key = derive_ecdsa_key_pair_from_bytes(seed, &["app-key".as_bytes()])?;
let disk_key = derive_ecdsa_key_pair_from_bytes(seed, &["app-disk-key".as_bytes()])?;
let k256_key = derive_ecdsa_key(seed, &["app-k256-key".as_bytes()], 32)?;
let key = derive_p256_key_pair_from_bytes(seed, &["app-key".as_bytes()])?;
let disk_key = derive_p256_key_pair_from_bytes(seed, &["app-disk-key".as_bytes()])?;
let k256_key = derive_key(seed, &["app-k256-key".as_bytes()], 32)?;
let k256_key = SigningKey::from_bytes(&k256_key).context("Failed to parse k256 key")?;
let key_provider = match provider {
KeyProviderKind::None => KeyProvider::None {
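Review bot: The renamed calls `derive_p256_key_pair_from_bytes(seed, &["app-key".as_bytes()])` and `derive_key(seed, &["app-k256-key".as_bytes()], 32)` keep the same seeds and labels as before, so this change is only safe if the new ra_tls::kdf helpers produce byte-identical output to the old `derive_ecdsa_key*` ones; if the derivation itself changed, `app-disk-key` and `app-key` derived from an existing seed would differ and previously encrypted volumes and issued certificates would no longer match. That cannot be verified from this diff because ra_tls::kdf is not shown, so a call-site comment such as `// derivation must stay stable across releases: app-disk-key unlocks existing volumes` would make the constraint explicit to the next maintainer. The same renamed calls appear in guest-agent/src/rpc_service.rs, where the generic `derive_key` output also seeds the ed25519 path, so this note covers both files. gen_app_keys_from_seed begins and ends outside this hunk.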
9 changes: 5 additions & 4 deletions dstack-util/src/system_setup.rs
Expand Up @@ -1053,11 +1053,12 @@ impl<'a> Stage0<'a> {
}
};

// For encrypted ZFS, need both LUKS header AND zpool to exist
let initialized = if opts.storage_encrypted && opts.storage_fs == FsType::Zfs {
has_luks && has_fs
// For encrypted filesystems, we can only detect the filesystem after LUKS is opened
// So we rely on LUKS header presence as the indicator for both ext4 and ZFS
let initialized = if opts.storage_encrypted {
has_luks
} else {
has_luks || has_fs
has_fs
};

if !initialized {
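Review bot: With the new `initialized` computation, a disk whose on-disk state disagrees with `opts.storage_encrypted` is reported as uninitialized in both directions — a LUKS-formatted disk booted with encryption disabled (`has_luks` true, `has_fs` false, result `has_fs` → false) and a plaintext filesystem booted with encryption enabled (`has_luks` false → false) — whereas the old `has_luks || has_fs` still treated the first case as initialized. If the `!initialized` branch below re-creates the LUKS container or filesystem, a configuration mismatch now overwrites existing data instead of merely failing to mount it; a guard ahead of `let initialized`, e.g. `if has_luks != opts.storage_encrypted && (has_luks || has_fs) { anyhow::bail!("on-disk storage state does not match storage_encrypted"); }` (assuming anyhow is in scope here as it appears to be in main.rs), would refuse the mismatch explicitly. Dropping the `has_fs` requirement for encrypted ZFS also means a first boot interrupted after the LUKS format but before the zpool was created is treated as initialized on the next boot; re-checking for the pool once the LUKS device is opened would close that gap. The enclosing Stage0 method starts and ends outside this hunk, so what the `!initialized` branch actually does is inferred.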
10 changes: 5 additions & 5 deletions guest-agent/src/rpc_service.rs
Expand Up @@ -30,7 +30,7 @@ use ra_rpc::{Attestation, CallContext, RpcCall};
use ra_tls::{
attestation::{QuoteContentType, VersionedAttestation, DEFAULT_HASH_ALGORITHM},
cert::CertConfigV2,
kdf::{derive_ecdsa_key, derive_ecdsa_key_pair_from_bytes},
kdf::{derive_key, derive_p256_key_pair_from_bytes},
};
use rcgen::KeyPair;
use ring::rand::{SecureRandom, SystemRandom};
Expand Down Expand Up @@ -235,7 +235,7 @@ impl DstackGuestRpc for InternalRpcHandler {
.fill(&mut seed)
.context("Failed to generate secure seed")?;
let derived_key =
derive_ecdsa_key_pair_from_bytes(&seed, &[]).context("Failed to derive key")?;
derive_p256_key_pair_from_bytes(&seed, &[]).context("Failed to derive key")?;
let config = CertConfigV2 {
org_name: None,
subject: request.subject,
Expand Down Expand Up @@ -270,7 +270,7 @@ impl DstackGuestRpc for InternalRpcHandler {

let (key, pubkey_hex) = match request.algorithm.as_str() {
"ed25519" => {
let derived_key = derive_ecdsa_key(k256_app_key, &[request.path.as_bytes()], 32)
let derived_key = derive_key(k256_app_key, &[request.path.as_bytes()], 32)
.context("Failed to derive ed25519 key")?;
let signing_key = Ed25519SigningKey::from_bytes(
&derived_key
Expand All @@ -282,7 +282,7 @@ impl DstackGuestRpc for InternalRpcHandler {
(derived_key, pubkey_hex)
}
"secp256k1" | "secp256k1_prehashed" | "" => {
let derived_key = derive_ecdsa_key(k256_app_key, &[request.path.as_bytes()], 32)
let derived_key = derive_key(k256_app_key, &[request.path.as_bytes()], 32)
.context("Failed to derive k256 key")?;

let signing_key =
Expand Down Expand Up @@ -497,7 +497,7 @@ impl TappdRpc for InternalRpcHandlerV0 {
} else {
&self.state.inner.keys.k256_key
};
let derived_key = derive_ecdsa_key_pair_from_bytes(seed, &[request.path.as_bytes()])
let derived_key = derive_p256_key_pair_from_bytes(seed, &[request.path.as_bytes()])
.context("Failed to derive key")?;
let config = CertConfigV2 {
org_name: None,