Extract key-manager-types crate to break illumos-utils dependency

Create a new key-manager-types crate containing the disk encryption key
types (Aes256GcmDiskEncryptionKey and VersionedAes256GcmDiskEncryptionKey)
that were previously defined in key-manager. This breaks the dependency
from illumos-utils to key-manager, allowing illumos-utils to depend only
on the minimal types crate.

The key-manager crate re-exports VersionedAes256GcmDiskEncryptionKey for
backwards compatibility.

Author: plaidfinch

Cargo.lock

@@ -74,6 +74,7 @@ members = [
     "internal-dns/types/versions",
     "ipcc",
     "key-manager",
+    "key-manager/types",
     "live-tests",
     "live-tests/macros",
     "nexus",
@@ -247,6 +248,7 @@ default-members = [
     "internal-dns/types/versions",
     "ipcc",
     "key-manager",
+    "key-manager/types",
     "live-tests",
     "live-tests/macros",
     "nexus",
@@ -553,6 +555,7 @@ ipnetwork = { version = "0.21", features = ["schemars", "serde"] }
 ispf = { git = "https://github.com/oxidecomputer/ispf" }
 jiff = "0.2.15"
 key-manager = { path = "key-manager" }
+key-manager-types = { path = "key-manager/types" }
 kstat-rs = "0.2.4"
 libc = "0.2.174"
 libipcc = { git = "https://github.com/oxidecomputer/ipcc-rs", rev = "524eb8f125003dff50b9703900c6b323f00f9e1b" }

Cargo.toml

@@ -24,7 +24,7 @@ futures.workspace = true
 http.workspace = true
 ipnetwork.workspace = true
 itertools.workspace = true
-key-manager.workspace = true
+key-manager-types.workspace = true
 libc.workspace = true
 macaddr.workspace = true
 nix.workspace = true

illumos-utils/Cargo.toml

@@ -1601,7 +1601,7 @@ impl Zfs {
     /// epoch is committed.
     pub async fn change_key(
         dataset: &str,
-        key: &key_manager::VersionedAes256GcmDiskEncryptionKey,
+        key: &key_manager_types::VersionedAes256GcmDiskEncryptionKey,
     ) -> Result<(), ChangeKeyError> {
         // FIXME: Replace the use of `zfs_atomic_change_key` with a native
         // invocation of `zfs change-key` using the `-o oxide:epoch` option to

illumos-utils/src/zfs.rs

@@ -10,6 +10,7 @@ workspace = true
 [dependencies]
 async-trait.workspace = true
 hkdf.workspace = true
+key-manager-types.workspace = true
 omicron-common.workspace = true
 secrecy.workspace = true
 sha3.workspace = true

key-manager/Cargo.toml

@@ -9,7 +9,9 @@ use std::fmt::Debug;
 
 use async_trait::async_trait;
 use hkdf::Hkdf;
-use secrecy::{ExposeSecret, ExposeSecretMut, SecretBox};
+use key_manager_types::Aes256GcmDiskEncryptionKey;
+pub use key_manager_types::VersionedAes256GcmDiskEncryptionKey;
+use secrecy::{ExposeSecret, SecretBox};
 use sha3::Sha3_256;
 use slog::{Logger, o, warn};
 use tokio::sync::{mpsc, oneshot};
@@ -52,28 +54,6 @@ pub enum Error {
     SecretRetrieval(#[from] SecretRetrieverError),
 }
 
-/// Derived Disk Encryption key
-#[derive(Debug, Default)]
-struct Aes256GcmDiskEncryptionKey(SecretBox<[u8; 32]>);
-
-/// A Disk encryption key for a given epoch to be used with ZFS datasets for
-/// U.2 devices
-#[derive(Debug)]
-pub struct VersionedAes256GcmDiskEncryptionKey {
-    epoch: u64,
-    key: Aes256GcmDiskEncryptionKey,
-}
-
-impl VersionedAes256GcmDiskEncryptionKey {
-    pub fn epoch(&self) -> u64 {
-        self.epoch
-    }
-
-    pub fn expose_secret(&self) -> &[u8; 32] {
-        &self.key.0.expose_secret()
-    }
-}
-
 /// A request sent from a [`StorageKeyRequester`] to the [`KeyManager`].
 enum StorageKeyRequest {
     GetKey {
@@ -256,11 +236,11 @@ impl<S: SecretRetriever> KeyManager<S> {
                 disk_id.model.as_bytes(),
                 disk_id.serial.as_bytes(),
             ],
-            key.0.expose_secret_mut(),
+            key.expose_secret_mut(),
         )
         .unwrap();
 
-        Ok(VersionedAes256GcmDiskEncryptionKey { epoch, key })
+        Ok(VersionedAes256GcmDiskEncryptionKey::new(epoch, key))
     }
 
     /// Return the epochs for all secrets which are loaded
@@ -406,7 +386,7 @@ mod tests {
         };
         let epoch = 0;
         let key = km.disk_encryption_key(epoch, &disk_id).await.unwrap();
-        assert_eq!(key.epoch, epoch);
+        assert_eq!(key.epoch(), epoch);
 
         // Key derivation is deterministic based on disk_id and loaded secrets
         let key2 = km.disk_encryption_key(epoch, &disk_id).await.unwrap();
@@ -437,8 +417,8 @@ mod tests {
         let epoch = 0;
         let key1 = km.disk_encryption_key(epoch, &id_1).await.unwrap();
         let key2 = km.disk_encryption_key(epoch, &id_2).await.unwrap();
-        assert_eq!(key1.epoch, epoch);
-        assert_eq!(key2.epoch, epoch);
+        assert_eq!(key1.epoch(), epoch);
+        assert_eq!(key2.epoch(), epoch);
         assert_ne!(key1.expose_secret(), key2.expose_secret());
     }
 

key-manager/src/lib.rs

@@ -0,0 +1,12 @@
+[package]
+name = "key-manager-types"
+version = "0.1.0"
+edition.workspace = true
+license = "MPL-2.0"
+
+[lints]
+workspace = true
+
+[dependencies]
+secrecy.workspace = true
+omicron-workspace-hack.workspace = true

key-manager/types/Cargo.toml

@@ -0,0 +1,45 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at https://mozilla.org/MPL/2.0/.
+
+//! Types for disk encryption keys used by the key-manager crate.
+
+use secrecy::{ExposeSecret, ExposeSecretMut, SecretBox};
+
+/// Derived Disk Encryption key
+#[derive(Debug, Default)]
+pub struct Aes256GcmDiskEncryptionKey(SecretBox<[u8; 32]>);
+
+impl Aes256GcmDiskEncryptionKey {
+    /// Expose the secret key bytes mutably for writing.
+    ///
+    /// This is intended for use by the key-manager crate during key derivation.
+    pub fn expose_secret_mut(&mut self) -> &mut [u8; 32] {
+        self.0.expose_secret_mut()
+    }
+}
+
+/// A Disk encryption key for a given epoch to be used with ZFS datasets for
+/// U.2 devices
+#[derive(Debug)]
+pub struct VersionedAes256GcmDiskEncryptionKey {
+    epoch: u64,
+    key: Aes256GcmDiskEncryptionKey,
+}
+
+impl VersionedAes256GcmDiskEncryptionKey {
+    /// Create a new versioned disk encryption key.
+    ///
+    /// This is intended for use by the key-manager crate during key derivation.
+    pub fn new(epoch: u64, key: Aes256GcmDiskEncryptionKey) -> Self {
+        Self { epoch, key }
+    }
+
+    pub fn epoch(&self) -> u64 {
+        self.epoch
+    }
+
+    pub fn expose_secret(&self) -> &[u8; 32] {
+        &self.key.0.expose_secret()
+    }
+}

key-manager/types/src/lib.rs

@@ -25,6 +25,7 @@ iddqd.workspace = true
 illumos-utils.workspace = true
 installinator-common.workspace = true
 key-manager.workspace = true
+key-manager-types.workspace = true
 sled-agent-types-versions.workspace = true
 ntp-admin-client.workspace = true
 omicron-common.workspace = true

sled-agent/config-reconciler/Cargo.toml

@@ -26,7 +26,7 @@ use illumos_utils::zfs::DestroyDatasetError;
 use illumos_utils::zfs::Mountpoint;
 use illumos_utils::zfs::WhichDatasets;
 use illumos_utils::zfs::Zfs;
-use key_manager::VersionedAes256GcmDiskEncryptionKey;
+use key_manager_types::VersionedAes256GcmDiskEncryptionKey;
 use omicron_common::disk::DatasetConfig;
 use omicron_common::disk::DatasetKind;
 use omicron_common::disk::DatasetName;