CDH | storage: consider implementing luks-encrypt-storage in Rust

[wainersm]

Currently CDH's secure mount with block device relies on luks-encrypt-storage to initialize and mount the block device within the guest. The script should be located inside the guest, in /usr/local/bin/luks-encrypt-storage (see here)

Two problems arise from that design:

1. Being a shell script, the guest image must have a shell (bash actually) installed. For those trying to reduce the image size and minimize attack surface, having to ship bash may be unwanted
2. the shell script should be bundled inside the guest which increases the complexity of the building the guest image as a compatible version of the script should be maintained by the consumer project (e.g. kata) or pulled from this repository (to avoid a derived problem which is the mismatch of versions)

The problem 1) can be solved by converting the script to a program but it still leaves 2) unsolved (and perhaps worsened, now you would need to build the program). Another approach that solves 1) and 2) is to re-implement the script in Rust within the CDH storage's block device luks module.

But users might still want to provide their own script/program. So it could be implemented a resolve algorithm like:

• Run /usr/local/bin/luks-encrypt-storage if found
• Otherwise, fallback to the default Rust implementation

[Xynnn007]

Hi @wainersm , I partially resolve this in #1052 with a rust-implementation version of cryptsetup named libcryptsetup-rs (tbo I did not find any other proper crates on crates.io).

However, libcryptsetup-rs uses the dynamic library ffi at the bottom thus causing it hard to build CDH statically using musl. Thus we need to get rid of musl for CDH and use gnu to enable dynamic links. This means we need to install libcryptsetup-dev to the rootfsto support this.

I will keep an eye on musl building for libcryptsetup-rs but looks like it would take not a short time.

Does this make sense and accepable?