confidential-containers · Xynnn007 · Jul 11, 2025 · Jul 14, 2025 · Jul 14, 2025 · Jul 14, 2025
@@ -54,10 +54,14 @@ jobs:
         run: |
           sudo apt-get update && sudo apt-get install -y protobuf-compiler
 
+      - name: Install cryptsetup
+        run: |
+          sudo apt-get update && sudo apt-get install -y libcryptsetup-dev pkg-config
+
       - name: Build and install
         run: |
           mkdir -p ${HOME}/.local/bin
-          make RESOURCE_PROVIDER=kbs,sev && make install PREFIX=${HOME}/.local
+          LIBC=gnu make RESOURCE_PROVIDER=kbs,sev && LIBC=gnu make install PREFIX=${HOME}/.local
 
       - name: Run cargo fmt check
         run: cargo fmt -p kms -p confidential-data-hub -- --check

@@ -62,6 +62,11 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y libdevmapper-dev
         if: matrix.instance == 'ubuntu-24.04'
+
+      - name: Install cryptsetup
+        run: |
+          sudo apt-get install -y libcryptsetup-dev pkg-config
+        if: matrix.instance == 'ubuntu-24.04'  || matrix.instance == 'ubuntu-24.04-arm'
 
       - name: Install cross-compliation support dependencies
         run: |

@@ -31,3 +31,5 @@ pub use symmetric::*;
 
 mod asymmetric;
 pub use asymmetric::*;
+
+pub mod rand;
@@ -0,0 +1,7 @@
+use rand::Rng;
+
+pub fn random_bytes<const N: usize>() -> Vec<u8> {
+    let mut buffer = vec![0u8; N];
+    rand::rng().fill(&mut buffer[..]);
+    buffer
+}
@@ -27,6 +27,7 @@ else
 endif
 RESOURCE_PROVIDER ?= kbs,sev
 KMS_PROVIDER ?= aliyun
+STORAGE ?= luks2
 DESTDIR ?= $(PREFIX)/bin
 RUSTFLAGS_ARGS ?=
 features ?=
@@ -59,6 +60,10 @@ ifneq ($(KMS_PROVIDER), none)
     features += $(KMS_PROVIDER)
 endif
 
+ifneq ($(STORAGE), none)
+    features += $(STORAGE)
+endif
+
 ifeq ($(LIBC), musl)
     ifeq ($(ARCH), $(filter $(ARCH), s390x powerpc64le))
         $(error ERROR: Confidential Data Hub does not support building with the musl libc target for s390x and ppc64le architectures!)

@@ -77,6 +77,15 @@ RPC plugins (flag `RPC`)
 | grpc                | Use grpc API to serve for requests (TCP/IP socket).                |
 | ttrpc               | Use ttrpc API to serve for requests (Unix socket).                 |
 
+Secure mount plugins (flag `STORAGE`)
+
+Note:
+- If no `STORAGE` flag is given, then all the STORAGE plugins will be enabled by default.
+
+| Feature name        |           Note                                                     |
+| ------------------- | -----------------------------------------------------------------  |
+| luks2               | Support secure mount with [luks2 encrypted block device](./docs/use-cases/secure-mount-with-block-device.md) |
+
 ### Configuration file
 
 CDH will be launched by a configuration file by

@@ -65,11 +65,11 @@ For more details, please refer to [the guide](use-cases/secure-mount-with-aliyun
 
 ### Block Device
 
-The [plugin](../hub/src/storage/volume_type/blockdevice) provides ways to encrypt a block device and mount it to a specific mount point. Currently only support LUKS in [cryptsetup](https://gitlab.com/cryptsetup/cryptsetup/) for block device encryption.
+The [plugin](../hub/src/storage/volume_type/blockdevice) provides ways to encrypt a block device and mount it to a specific mount point. Currently only support LUKS2 in [cryptsetup](https://gitlab.com/cryptsetup/cryptsetup/) for block device encryption.
 
 #### LUKS Encryption
 
-In this mode, the device would be encrypted as LUKS device first, and then mount it to a target path to store the data to protect the confidentiality and integrity of the data.
+In this mode, the device would be encrypted as LUKS2 device first, and then mount it to a target path to store the data to protect the confidentiality and integrity of the data.
 
 The architecture diagram is
Original file line number	Diff line number	Diff line change
Expand Up		@@ -31,3 +31,5 @@ pub use symmetric::*;

		mod asymmetric;
		pub use asymmetric::*;

		pub mod rand;