m: remove references to LUK, GUK
This unifies the unlock key nomenclature throughout the repository:
- Local Unlock Key becomes a Node Unlock Key
- Global Unlock Key becomes a Cluster Unlock Key
Change-Id: I674ad68a50b3845705f3e2c57952fc7fba5be665
Reviewed-on: https://review.monogon.dev/c/monogon/+/816
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>
Tested-by: Jenkins CI
diff --git a/metropolis/handbook/src/ch03-00-cluster-architecture.md b/metropolis/handbook/src/ch03-00-cluster-architecture.md
index 9f5669c..68c9384 100644
--- a/metropolis/handbook/src/ch03-00-cluster-architecture.md
+++ b/metropolis/handbook/src/ch03-00-cluster-architecture.md
@@ -54,7 +54,7 @@
'-------------------' | Seals/Unseals
| Mounts v
| .---------------------. .------------------------.
- | .---------| Node Encryption Key | | Running Cluster |
+ | .---------| Node Unlock Key | | Running Cluster |
|/ '---------------------' |------------------------|
| .----------------------------------------| Cluster Encryption Key |
|/ | (per node) |
diff --git a/metropolis/node/core/cluster/cluster_bootstrap.go b/metropolis/node/core/cluster/cluster_bootstrap.go
index 9de5339..707c26c 100644
--- a/metropolis/node/core/cluster/cluster_bootstrap.go
+++ b/metropolis/node/core/cluster/cluster_bootstrap.go
@@ -37,7 +37,7 @@
ownerKey := bootstrap.OwnerPublicKey
state.configuration = &ppb.SealedConfiguration{}
- // Mount new storage with generated CUK, and save LUK into sealed config proto.
+ // Mount new storage with generated CUK, and save NUK into sealed config proto.
supervisor.Logger(ctx).Infof("Bootstrapping: mounting new storage...")
cuk, err := m.storageRoot.Data.MountNew(state.configuration)
if err != nil {
diff --git a/metropolis/node/core/localstorage/directory_data.go b/metropolis/node/core/localstorage/directory_data.go
index 5992bf0..d88afb7 100644
--- a/metropolis/node/core/localstorage/directory_data.go
+++ b/metropolis/node/core/localstorage/directory_data.go
@@ -31,8 +31,8 @@
var keySize uint16 = 256 / 8
-// MountData mounts the node data partition with the given global unlock key.
-// It automatically unseals the local unlock key from the TPM.
+// MountData mounts the node data partition with the given cluster unlock key.
+// It automatically unseals the node unlock key from the TPM.
func (d *DataDirectory) MountExisting(config *ppb.SealedConfiguration, clusterUnlockKey []byte) error {
d.flagLock.Lock()
defer d.flagLock.Unlock()
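Review bot: The doc comment rewritten in this hunk still opens with `MountData`, but the function it documents is `MountExisting`, so godoc and anyone grepping for the method name will not match it. Since both comment lines are being touched anyway, start it with the function name: `// MountExisting mounts the node data partition with the given cluster unlock key.` The body of MountExisting continues outside the hunk, so the claim that the node unlock key is unsealed from the TPM cannot be checked against the code here.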
@@ -82,7 +82,7 @@
_, err = rand.Read(nodeUnlockKey)
}
if err != nil {
- return nil, fmt.Errorf("generating local unlock key: %w", err)
+ return nil, fmt.Errorf("generating node unlock key: %w", err)
}
if tpm.IsInitialized() {
globalUnlockKey, err = tpm.GenerateSafeKey(keySize)
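Review bot: The local variable `globalUnlockKey` keeps the old name in this hunk and again in the next one (`rand.Read(globalUnlockKey)`), so the new error text "generating cluster unlock key" now describes a value still called global, while `MountExisting` already takes `clusterUnlockKey`. Renaming it, e.g. `clusterUnlockKey, err = tpm.GenerateSafeKey(keySize)`, would complete the unification the commit message describes. The two keys appear to have different handling (one saved into the sealed configuration, one returned to the caller), so mixed names make it easier to pass the wrong one along in later changes. The enclosing function starts and ends outside both hunks, so any other uses of the identifier there would need the same rename.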
@@ -91,7 +91,7 @@
_, err = rand.Read(globalUnlockKey)
}
if err != nil {
- return nil, fmt.Errorf("generating global unlock key: %w", err)
+ return nil, fmt.Errorf("generating cluster unlock key: %w", err)
}
// The actual key is generated by XORing together the nodeUnlockKey and the
diff --git a/metropolis/proto/common/common.proto b/metropolis/proto/common/common.proto
index 15dc9e3..c25736b 100644
--- a/metropolis/proto/common/common.proto
+++ b/metropolis/proto/common/common.proto
@@ -64,7 +64,7 @@
// NEW: the node has established a first contact with the cluster and
// intends to register into it. The node's identity has not been verified
// and no hardware attestation of the new node was performed.
- // The node has generated a CUK/LUK and set up storage encrypted with the
+ // The node has generated a CUK/NUK and set up storage encrypted with the
// combination of both keys.
// The node has generated a private/public keypair, and that keypair has
// been used to contact the already running Cluster.