...
We also want to make it more clear which agent owns particular directories from a defense-in-depth and storage management perspective.
New layout
/persist/vault - is the encrypted top-level directory for the parts needing encryption. This will be encrypted using a key sealed under the PCRs in the TPM, thus must not be used to store information which the device needs to access in order to be able to perform remote attestation with the controller.
/persist/novault - clear is an alternative for the parts not needing encryption (currently this is only proposed for volumes where encryption incurs some overhead for running ECOs). Using that requires the addition of a boolean to the EVE API to specify unencrypted storage for the volume.
/persist/unsealed-vault is a future location which will be encrypted using a key stored in the TPM but not sealed under the PCRs. In the future we can move things which are needed during a post-update boot before re-attestation to this unsealed vault, such as /persist/status/nim/DevicePortConfigList/ which keeps the network configuration across device reboots.
Under those three directories we will in principle have sub-directories as follows, but the use of the future /persist/unsealed-vault is TBD.
Volumes
In /persist/vault/volumes/ and /persist/novaultclear/volumes
The naming of the volumes will be <volumeUUID>#<generation counter> for VM and container-based ones.
...
Volumes which should not be encrypted (TBD: we need to add a boolean to the volume config API for that) will be placed in /persist/novaultclear/volumes
Content addressable storage
...