Enabling the Image Key
cVMs provide image keys. Each server is preconfigured with a unique, randomly generated root key before delivery, so even when the derivation parameters are identical across different servers, the resulting derived keys are distinct. This section describes how to enable the image key function.
This function is enabled only in cVMs and is not available on hosts.
- Deploying the Sealing Key
Before the installation, configure the openEuler 24.03 LTS SP2 yum source by following the instructions in Compilation Environment Requirements.
- Install the dynamic library and header file.
yum install -y virtCCA_sdk-devel
- Install the kernel-mode driver and update the kernel module dependency relationship.
yum install -y virtCCA_driver
depmod
- Load the kernel-mode driver and check whether the load is successful.
modprobe sealing_key
lsmod | grep sealing_key
- If the depmod command fails to update the dependency relationship or the modprobe command does not automatically load sealing_key, you can manually run the insmod command to load the file. Run the following command to check the installation location of the sealing_key.ko file, and then run the insmod command to load the file.
rpm -ql virtCCA_driver
insmod /path/to/sealing_key.ko
- The yum source must match the kernel version of the current VM; otherwise, the driver cannot be inserted. If no matching source is found, download the driver source code and compile it against the current kernel.
git clone -b master https://gitee.com/openeuler/virtCCA_driver.git
cd virtCCA_driver/sealing_key/src
make KERNEL_DIR=/path/to/kernel
- Obtain the sealing key through the following API in the application:
int get_sealing_key(SEALING_KEY_ALG alg, uint8_t* user_param, uint32_t user_param_len, uint8_t* sealing_key, uint32_t key_len);
Table 1 Parameter description

| Parameter | Description |
|---|---|
| alg | Input parameter, which specifies the algorithm for deriving the key. Only the SEALING_HMAC_SHA256 algorithm is supported. |
| user_param | Input parameter, which is the buffer pointer used to store user parameters. Different keys can be derived from different input values. The value can be NULL, which indicates that the user does not pass parameters. |
| user_param_len | Input parameter, which specifies the user parameter length. Only 64 or 0 bytes are supported. |
| sealing_key | Output parameter, which is the buffer pointer used to store the derived sealing key. The buffer must hold at least 32 bytes. Only 32 bytes are supported. |
| key_len | Input parameter, which specifies the sealing key length. |
Reference code:
#include <stdint.h>
#include <stdio.h>
#include "sealing_key.h"

int main(int argc, char *argv[])
{
    /* Output buffer for the derived key; the API supports only SEALING_KEY_LEN (32) bytes. */
    uint8_t sealing_key[SEALING_KEY_LEN] = {0};
    /* User parameter: must be exactly 64 bytes, or NULL with a length of 0.
     * Different contents derive different keys on the same cVM. */
    uint8_t user_param[64] = {0};

    if (get_sealing_key(SEALING_HMAC_SHA256, user_param, 64,
                        sealing_key, SEALING_KEY_LEN) != 0) {
        printf("failed to get sealing key\n");
        return -1;
    }
    /* Print the derived key as hex (demo only; do not log real sealing keys). */
    for (int i = 0; i < SEALING_KEY_LEN; i++) {
        printf("%02x ", sealing_key[i]);
    }
    printf("\n");
    return 0;
}
- Compile and execute the demo code.
gcc demo.c -o demo -lsealingkey
./demo
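The following is an added offline model of the get_sealing_key() contract described in Table 1, not the virtCCA driver or SDK code. It assumes the derivation is HMAC-SHA256 over user_param under a per-server root key (an assumption made to illustrate the documented behaviour), enforces the parameter rules from the table, and shows that the same user_param yields different keys on different servers while different user_param values yield different keys on the same server.

```python
import hashlib
import hmac
import os

# Constructed constants mirroring the SDK's documented limits (values assumed).
SEALING_HMAC_SHA256 = 0        # the only supported algorithm
SEALING_KEY_LEN = 32           # the only supported key length
ALLOWED_PARAM_LENS = (0, 64)   # user_param_len must be 0 or 64 bytes


class ModelServer:
    """One server with its own random root key, preconfigured before delivery."""

    def __init__(self, root_key=None):
        # Constructed sample: the real root key never leaves the cVM.
        self._root_key = root_key if root_key is not None else os.urandom(32)

    def get_sealing_key(self, alg, user_param, key_len):
        """Apply the Table 1 parameter rules, then derive the sealing key."""
        if alg != SEALING_HMAC_SHA256:
            raise ValueError("only SEALING_HMAC_SHA256 is supported")
        if user_param is None:          # NULL means "no user parameters"
            user_param = b""
        if len(user_param) not in ALLOWED_PARAM_LENS:
            raise ValueError("user_param_len must be 0 or 64 bytes")
        if key_len != SEALING_KEY_LEN:
            raise ValueError("key_len must be 32 bytes")
        # Assumed construction: HMAC-SHA256(root_key, user_param).
        return hmac.new(self._root_key, user_param, hashlib.sha256).digest()


def label_to_user_param(label):
    """Build the required 64-byte user_param from a short application label."""
    raw = label.encode("utf-8")
    if len(raw) > 64:
        raise ValueError("label does not fit in a 64-byte user_param")
    return raw.ljust(64, b"\0")     # zero-pad to exactly 64 bytes


def derive(server, label):
    """Derive a per-purpose sealing key bound to this server and label."""
    return server.get_sealing_key(SEALING_HMAC_SHA256,
                                  label_to_user_param(label), SEALING_KEY_LEN)


if __name__ == "__main__":
    a, b = ModelServer(), ModelServer()
    print(derive(a, "disk-image").hex())   # differs per server for the same label
    print(derive(b, "disk-image").hex())
```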

Parent topic: Feature Usage