Enable scratch space encryption via annotation

internal/guest/prot/protocol.go

@@ -773,6 +773,7 @@ type MappedVirtualDiskV2 struct {
 	Lun        uint8             `json:",omitempty"`
 	Controller uint8             `json:",omitempty"`
 	ReadOnly   bool              `json:",omitempty"`
+	Encrypted  bool              `json:",omitempty"`
 	Options    []string          `json:",omitempty"`
 	VerityInfo *DeviceVerityInfo `json:",omitempty"`
 }

internal/guest/runtime/hcsv2/uvm.go

@@ -432,12 +432,12 @@ func modifyMappedVirtualDisk(ctx context.Context, rt prot.ModifyRequestType, mvd
 		mountCtx, cancel := context.WithTimeout(ctx, time.Second*5)
 		defer cancel()
 		if mvd.MountPath != "" {
-			return scsi.Mount(mountCtx, mvd.Controller, mvd.Lun, mvd.MountPath, mvd.ReadOnly, false, mvd.Options, mvd.VerityInfo, securityPolicy)
+			return scsi.Mount(mountCtx, mvd.Controller, mvd.Lun, mvd.MountPath, mvd.ReadOnly, mvd.Encrypted, mvd.Options, mvd.VerityInfo, securityPolicy)
 		}
 		return nil
 	case prot.MreqtRemove:
 		if mvd.MountPath != "" {
-			if err := scsi.Unmount(ctx, mvd.Controller, mvd.Lun, mvd.MountPath, false); err != nil {
+			if err := scsi.Unmount(ctx, mvd.Controller, mvd.Lun, mvd.MountPath, mvd.Encrypted); err != nil {
 				return err
 			}
 		}

internal/guestrequest/types.go

@@ -37,6 +37,7 @@ type LCOWMappedVirtualDisk struct {
 	Lun        uint8             `json:"Lun,omitempty"`
 	Controller uint8             `json:"Controller,omitempty"`
 	ReadOnly   bool              `json:"ReadOnly,omitempty"`
+	Encrypted  bool              `json:"Encrypted,omitempty"`
 	Options    []string          `json:"Options,omitempty"`
 	VerityInfo *DeviceVerityInfo `json:"VerityInfo,omitempty"`
 }

internal/hcsoci/resources_lcow.go

@@ -108,7 +108,15 @@ func allocateLinuxResources(ctx context.Context, coi *createOptionsInternal, r *
 
 				// if the scsi device is already attached then we take the uvm path that the function below returns
 				// that is where it was previously mounted in UVM
-				scsiMount, err := coi.HostingSystem.AddSCSI(ctx, hostPath, uvmPathForShare, readOnly, mount.Options, uvm.VMAccessTypeIndividual)
+				scsiMount, err := coi.HostingSystem.AddSCSI(
+					ctx,
+					hostPath,
+					uvmPathForShare,
+					readOnly,
+					false,
+					mount.Options,
+					uvm.VMAccessTypeIndividual,
+				)
 				if err != nil {
 					return errors.Wrapf(err, "adding SCSI virtual disk mount %+v", mount)
 				}
@@ -188,7 +196,15 @@ func allocateLinuxResources(ctx context.Context, coi *createOptionsInternal, r *
 		// must use scsi here since DDA'ing a hyper-v pci device is not supported on VMs that have ANY virtual memory
 		// gpuvhd must be granted VM Group access.
 		options := []string{"ro"}
-		scsiMount, err := coi.HostingSystem.AddSCSI(ctx, gpuSupportVhdPath, uvm.LCOWNvidiaMountPath, true, options, uvm.VMAccessTypeNoop)
+		scsiMount, err := coi.HostingSystem.AddSCSI(
+			ctx,
+			gpuSupportVhdPath,
+			uvm.LCOWNvidiaMountPath,
+			true,
+			false,
+			options,
+			uvm.VMAccessTypeNoop,
+		)
 		if err != nil {
 			return errors.Wrapf(err, "failed to add scsi device %s in the UVM %s at %s", gpuSupportVhdPath, coi.HostingSystem.ID(), uvm.LCOWNvidiaMountPath)
 		}

internal/hcsoci/resources_wcow.go

@@ -159,7 +159,15 @@ func setupMounts(ctx context.Context, coi *createOptionsInternal, r *resources.R
 				r.Add(scsiMount)
 			} else if mount.Type == "virtual-disk" {
 				l.Debug("hcsshim::allocateWindowsResources Hot-adding SCSI virtual disk for OCI mount")
-				scsiMount, err := coi.HostingSystem.AddSCSI(ctx, mount.Source, uvmPath, readOnly, mount.Options, uvm.VMAccessTypeIndividual)
+				scsiMount, err := coi.HostingSystem.AddSCSI(
+					ctx,
+					mount.Source,
+					uvmPath,
+					readOnly,
+					false,
+					mount.Options,
+					uvm.VMAccessTypeIndividual,
+				)
 				if err != nil {
 					return errors.Wrapf(err, "adding SCSI virtual disk mount %+v", mount)
 				}

internal/layers/layers.go

@@ -216,7 +216,15 @@ func MountContainerLayers(ctx context.Context, containerID string, layerFolders
 	log.G(ctx).WithField("hostPath", hostPath).Debug("mounting scratch VHD")
 
 	var options []string
-	scsiMount, err := vm.AddSCSI(ctx, hostPath, containerScratchPathInUVM, false, options, uvm.VMAccessTypeIndividual)
+	scsiMount, err := vm.AddSCSI(
+		ctx,
+		hostPath,
+		containerScratchPathInUVM,
+		false,
+		vm.ScratchEncryptionEnabled(),
+		options,
+		uvm.VMAccessTypeIndividual,
+	)
 	if err != nil {
 		return "", fmt.Errorf("failed to add SCSI scratch VHD: %s", err)
 	}
@@ -280,7 +288,7 @@ func addLCOWLayer(ctx context.Context, vm *uvm.UtilityVM, layerPath string) (uvm
 
 	options := []string{"ro"}
 	uvmPath = fmt.Sprintf(uvm.LCOWGlobalMountPrefix, vm.UVMMountCounter())
-	sm, err := vm.AddSCSI(ctx, layerPath, uvmPath, true, options, uvm.VMAccessTypeNoop)
+	sm, err := vm.AddSCSI(ctx, layerPath, uvmPath, true, false, options, uvm.VMAccessTypeNoop)
 	if err != nil {
 		return "", fmt.Errorf("failed to add SCSI layer: %s", err)
 	}

internal/lcow/scratch.go

@@ -67,7 +67,15 @@ func CreateScratch(ctx context.Context, lcowUVM *uvm.UtilityVM, destFile string,
 	}
 
 	var options []string
-	scsi, err := lcowUVM.AddSCSI(ctx, destFile, "", false, options, uvm.VMAccessTypeIndividual) // No destination as not formatted
+	scsi, err := lcowUVM.AddSCSI(
+		ctx,
+		destFile,
+		"", // No destination as not formatted
+		false,
+		lcowUVM.ScratchEncryptionEnabled(),
+		options,
+		uvm.VMAccessTypeIndividual,
+	)
 	if err != nil {
 		return err
 	}

internal/oci/annotations.go

@@ -214,6 +214,10 @@ const (
 	// when setting up ncproxy and computeagent
 	AnnotationNcproxyContainerID = "io.microsoft.network.ncproxy.containerid"
 
+	// AnnotationEncryptedScratchDisk indicates whether or not the container scratch disks
+	// should be encrypted or not
+	AnnotationEncryptedScratchDisk = "io.microsoft.virtualmachine.storage.scratch.encrypted"
+
 	// AnnotationSecurityPolicy is used to specify a security policy for opengcs to enforce
 	AnnotationSecurityPolicy = "io.microsoft.virtualmachine.lcow.securitypolicy"
 )

internal/oci/uvm.go

@@ -329,6 +329,7 @@ func SpecToUVMCreateOpts(ctx context.Context, s *specs.Spec, id, owner string) (
 		lopts.BootFilesPath = parseAnnotationsString(s.Annotations, AnnotationBootFilesRootPath, lopts.BootFilesPath)
 		lopts.CPUGroupID = parseAnnotationsString(s.Annotations, AnnotationCPUGroupID, lopts.CPUGroupID)
 		lopts.NetworkConfigProxy = parseAnnotationsString(s.Annotations, AnnotationNetworkConfigProxy, lopts.NetworkConfigProxy)
+		lopts.EnableScratchEncryption = parseAnnotationsBool(ctx, s.Annotations, AnnotationEncryptedScratchDisk, lopts.EnableScratchEncryption)
 		lopts.SecurityPolicy = parseAnnotationsString(s.Annotations, AnnotationSecurityPolicy, lopts.SecurityPolicy)
 		lopts.KernelBootOptions = parseAnnotationsString(s.Annotations, AnnotationKernelBootOptions, lopts.KernelBootOptions)
 

internal/uvm/create_lcow.go

@@ -56,26 +56,27 @@ const (
 type OptionsLCOW struct {
 	*Options
 
-	BootFilesPath         string              // Folder in which kernel and root file system reside. Defaults to \Program Files\Linux Containers
-	KernelFile            string              // Filename under `BootFilesPath` for the kernel. Defaults to `kernel`
-	KernelDirect          bool                // Skip UEFI and boot directly to `kernel`
-	RootFSFile            string              // Filename under `BootFilesPath` for the UVMs root file system. Defaults to `InitrdFile`
-	KernelBootOptions     string              // Additional boot options for the kernel
-	EnableGraphicsConsole bool                // If true, enable a graphics console for the utility VM
-	ConsolePipe           string              // The named pipe path to use for the serial console.  eg \\.\pipe\vmpipe
-	SCSIControllerCount   uint32              // The number of SCSI controllers. Defaults to 1. Currently we only support 0 or 1.
-	UseGuestConnection    bool                // Whether the HCS should connect to the UVM's GCS. Defaults to true
-	ExecCommandLine       string              // The command line to exec from init. Defaults to GCS
-	ForwardStdout         bool                // Whether stdout will be forwarded from the executed program. Defaults to false
-	ForwardStderr         bool                // Whether stderr will be forwarded from the executed program. Defaults to true
-	OutputHandler         OutputHandler       `json:"-"` // Controls how output received over HVSocket from the UVM is handled. Defaults to parsing output as logrus messages
-	VPMemDeviceCount      uint32              // Number of VPMem devices. Defaults to `DefaultVPMEMCount`. Limit at 128. If booting UVM from VHD, device 0 is taken.
-	VPMemSizeBytes        uint64              // Size of the VPMem devices. Defaults to `DefaultVPMemSizeBytes`.
-	VPMemNoMultiMapping   bool                // Disables LCOW layer multi mapping
-	PreferredRootFSType   PreferredRootFSType // If `KernelFile` is `InitrdFile` use `PreferredRootFSTypeInitRd`. If `KernelFile` is `VhdFile` use `PreferredRootFSTypeVHD`
-	EnableColdDiscardHint bool                // Whether the HCS should use cold discard hints. Defaults to false
-	VPCIEnabled           bool                // Whether the kernel should enable pci
-	SecurityPolicy        string              // Optional security policy
+	BootFilesPath           string              // Folder in which kernel and root file system reside. Defaults to \Program Files\Linux Containers
+	KernelFile              string              // Filename under `BootFilesPath` for the kernel. Defaults to `kernel`
+	KernelDirect            bool                // Skip UEFI and boot directly to `kernel`
+	RootFSFile              string              // Filename under `BootFilesPath` for the UVMs root file system. Defaults to `InitrdFile`
+	KernelBootOptions       string              // Additional boot options for the kernel
+	EnableGraphicsConsole   bool                // If true, enable a graphics console for the utility VM
+	ConsolePipe             string              // The named pipe path to use for the serial console.  eg \\.\pipe\vmpipe
+	SCSIControllerCount     uint32              // The number of SCSI controllers. Defaults to 1. Currently we only support 0 or 1.
+	UseGuestConnection      bool                // Whether the HCS should connect to the UVM's GCS. Defaults to true
+	ExecCommandLine         string              // The command line to exec from init. Defaults to GCS
+	ForwardStdout           bool                // Whether stdout will be forwarded from the executed program. Defaults to false
+	ForwardStderr           bool                // Whether stderr will be forwarded from the executed program. Defaults to true
+	OutputHandler           OutputHandler       `json:"-"` // Controls how output received over HVSocket from the UVM is handled. Defaults to parsing output as logrus messages
+	VPMemDeviceCount        uint32              // Number of VPMem devices. Defaults to `DefaultVPMEMCount`. Limit at 128. If booting UVM from VHD, device 0 is taken.
+	VPMemSizeBytes          uint64              // Size of the VPMem devices. Defaults to `DefaultVPMemSizeBytes`.
+	VPMemNoMultiMapping     bool                // Disables LCOW layer multi mapping
+	PreferredRootFSType     PreferredRootFSType // If `KernelFile` is `InitrdFile` use `PreferredRootFSTypeInitRd`. If `KernelFile` is `VhdFile` use `PreferredRootFSTypeVHD`
+	EnableColdDiscardHint   bool                // Whether the HCS should use cold discard hints. Defaults to false
+	VPCIEnabled             bool                // Whether the kernel should enable pci
+	EnableScratchEncryption bool                // Whether the scratch should be encrypted
+	SecurityPolicy          string              // Optional security policy
 }
 
 // defaultLCOWOSBootFilesPath returns the default path used to locate the LCOW
@@ -101,27 +102,28 @@ func NewDefaultOptionsLCOW(id, owner string) *OptionsLCOW {
 	// Use KernelDirect boot by default on all builds that support it.
 	kernelDirectSupported := osversion.Build() >= 18286
 	opts := &OptionsLCOW{
-		Options:               newDefaultOptions(id, owner),
-		BootFilesPath:         defaultLCOWOSBootFilesPath(),
-		KernelFile:            KernelFile,
-		KernelDirect:          kernelDirectSupported,
-		RootFSFile:            InitrdFile,
-		KernelBootOptions:     "",
-		EnableGraphicsConsole: false,
-		ConsolePipe:           "",
-		SCSIControllerCount:   1,
-		UseGuestConnection:    true,
-		ExecCommandLine:       fmt.Sprintf("/bin/gcs -v4 -log-format json -loglevel %s", logrus.StandardLogger().Level.String()),
-		ForwardStdout:         false,
-		ForwardStderr:         true,
-		OutputHandler:         parseLogrus(id),
-		VPMemDeviceCount:      DefaultVPMEMCount,
-		VPMemSizeBytes:        DefaultVPMemSizeBytes,
-		VPMemNoMultiMapping:   osversion.Get().Build < osversion.V19H1,
-		PreferredRootFSType:   PreferredRootFSTypeInitRd,
-		EnableColdDiscardHint: false,
-		VPCIEnabled:           false,
-		SecurityPolicy:        "",
+		Options:                 newDefaultOptions(id, owner),
+		BootFilesPath:           defaultLCOWOSBootFilesPath(),
+		KernelFile:              KernelFile,
+		KernelDirect:            kernelDirectSupported,
+		RootFSFile:              InitrdFile,
+		KernelBootOptions:       "",
+		EnableGraphicsConsole:   false,
+		ConsolePipe:             "",
+		SCSIControllerCount:     1,
+		UseGuestConnection:      true,
+		ExecCommandLine:         fmt.Sprintf("/bin/gcs -v4 -log-format json -loglevel %s", logrus.StandardLogger().Level.String()),
+		ForwardStdout:           false,
+		ForwardStderr:           true,
+		OutputHandler:           parseLogrus(id),
+		VPMemDeviceCount:        DefaultVPMEMCount,
+		VPMemSizeBytes:          DefaultVPMemSizeBytes,
+		VPMemNoMultiMapping:     osversion.Get().Build < osversion.V19H1,
+		PreferredRootFSType:     PreferredRootFSTypeInitRd,
+		EnableColdDiscardHint:   false,
+		VPCIEnabled:             false,
+		EnableScratchEncryption: false,
+		SecurityPolicy:          "",
 	}
 
 	if _, err := os.Stat(filepath.Join(opts.BootFilesPath, VhdFile)); err == nil {
@@ -176,6 +178,7 @@ func CreateLCOW(ctx context.Context, opts *OptionsLCOW) (_ *UtilityVM, err error
 		devicesPhysicallyBacked: opts.FullyPhysicallyBacked,
 		createOpts:              opts,
 		vpmemMultiMapping:       !opts.VPMemNoMultiMapping,
+		encryptScratch:          opts.EnableScratchEncryption,
 	}
 
 	defer func() {

internal/uvm/create_wcow.go

@@ -296,6 +296,7 @@ func CreateWCOW(ctx context.Context, opts *OptionsWCOW) (_ *UtilityVM, err error
 			1,
 			0,
 			0,
+			false,
 			false)
 	} else {
 		doc.VirtualMachine.RestoreState = &hcsschema.RestoreState{}