[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-block] [Qemu-devel] [PATCH 04/13] qapi: Formalize qcow2 encryp
|
From: |
Max Reitz |
|
Subject: |
Re: [Qemu-block] [Qemu-devel] [PATCH 04/13] qapi: Formalize qcow2 encryption probing |
|
Date: |
Fri, 11 May 2018 19:32:57 +0200 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 |
On 2018-05-10 09:58, Daniel P. Berrangé wrote:
> On Wed, May 09, 2018 at 06:55:21PM +0200, Max Reitz wrote:
>> Currently, you can give no encryption format for a qcow2 file while
>> still passing a key-secret. That does not conform to the schema, so
>> this patch changes the schema to allow it.
>>
>> Signed-off-by: Max Reitz <address@hidden>
>> ---
>> qapi/block-core.json | 44 ++++++++++++++++++++++++++++++++++++++++----
>> 1 file changed, 40 insertions(+), 4 deletions(-)
>>
>> diff --git a/qapi/block-core.json b/qapi/block-core.json
>> index 71c9ab8538..092a1aba2d 100644
>> --- a/qapi/block-core.json
>> +++ b/qapi/block-core.json
>> @@ -43,6 +43,19 @@
>> { 'struct': 'ImageInfoSpecificQCow2EncryptionBase',
>> 'data': { 'format': 'BlockdevQcow2EncryptionFormat'}}
>>
>> +##
>> +# @ImageInfoSpecificQCow2EncryptionNoInfo:
>> +#
>> +# Only used for the qcow2 encryption format "from-image" in which the
>> +# actual encryption format is determined from the image header.
>> +# Therefore, this encryption format will never be reported in
>> +# ImageInfoSpecificQCow2Encryption.
>> +#
>> +# Since: 2.13
>> +##
>> +{ 'struct': 'ImageInfoSpecificQCow2EncryptionNoInfo',
>> + 'data': { } }
>> +
>> ##
>> # @ImageInfoSpecificQCow2Encryption:
>> #
>> @@ -52,7 +65,8 @@
>> 'base': 'ImageInfoSpecificQCow2EncryptionBase',
>> 'discriminator': 'format',
>> 'data': { 'aes': 'QCryptoBlockInfoQCow',
>> - 'luks': 'QCryptoBlockInfoLUKS' } }
>> + 'luks': 'QCryptoBlockInfoLUKS',
>> + 'from-image': 'ImageInfoSpecificQCow2EncryptionNoInfo' } }
>>
>> ##
>> # @ImageInfoSpecificQCow2:
>> @@ -2739,10 +2753,30 @@
>> # @BlockdevQcow2EncryptionFormat:
>> # @aes: AES-CBC with plain64 initialization venctors
>> #
>> +# @from-image: Determine the encryption format from the image
>> +# header. This only allows the use of the
>> +# key-secret option. (Since: 2.13)
>> +#
>> # Since: 2.10
>> ##
>> { 'enum': 'BlockdevQcow2EncryptionFormat',
>> - 'data': [ 'aes', 'luks' ] }
>> + 'data': [ 'aes', 'luks', 'from-image' ] }
>> +
>> +##
>> +# @BlockdevQcow2EncryptionSecret:
>> +#
>> +# Allows specifying a key-secret without specifying the exact
>> +# encryption format, which is determined automatically from the image
>> +# header.
>> +#
>> +# @key-secret: The ID of a QCryptoSecret object providing the
>> +# decryption key. Mandatory except when probing
>> +# image for metadata only.
>> +#
>> +# Since: 2.13
>> +##
>> +{ 'struct': 'BlockdevQcow2EncryptionSecret',
>> + 'data': { '*key-secret': 'str' } }
>>
>> ##
>> # @BlockdevQcow2Encryption:
>> @@ -2750,10 +2784,12 @@
>> # Since: 2.10
>> ##
>> { 'union': 'BlockdevQcow2Encryption',
>> - 'base': { 'format': 'BlockdevQcow2EncryptionFormat' },
>> + 'base': { '*format': 'BlockdevQcow2EncryptionFormat' },
>> 'discriminator': 'format',
>> + 'default-variant': 'from-image',
>> 'data': { 'aes': 'QCryptoBlockOptionsQCow',
>> - 'luks': 'QCryptoBlockOptionsLUKS'} }
>> + 'luks': 'QCryptoBlockOptionsLUKS',
>> + 'from-image': 'BlockdevQcow2EncryptionSecret' } }
>
> Bike-shedding on name, how about "auto" or "probe" ?
Sure. I like "probe" a bit better than "auto", although "auto" is what
we usually have... But I think "probe" is still a bit better.
>
> IIUC, this schema addition means the QAPI parser now allows
>
> encrypt.format=from-image,encrypt.key-secret=sec0,...other opts...
>
> but the code will not accept "from-image" as a valid string.
Ah, right, I forgot that. Will fix.
Thanks for reviewing!
Max
> eg qcow2_update_options_prepare() will do
>
> case QCOW_CRYPT_AES:
> if (encryptfmt && !g_str_equal(encryptfmt, "aes")) {
> error_setg(errp,
> "Header reported 'aes' encryption format but "
> "options specify '%s'", encryptfmt);
> ret = -EINVAL;
> goto fail;
> }
>
> ...snip....
>
> case QCOW_CRYPT_LUKS:
> if (encryptfmt && !g_str_equal(encryptfmt, "luks")) {
> error_setg(errp,
> "Header reported 'luks' encryption format but "
> "options specify '%s'", encryptfmt);
> ret = -EINVAL;
> goto fail;
> }
>
>
> Regards,
> Daniel
>
signature.asc
Description: OpenPGP digital signature
- Re: [Qemu-block] [PATCH 01/13] qapi: Add default-variant for flat unions, (continued)
- [Qemu-block] [PATCH 02/13] docs/qapi: Document optional discriminators, Max Reitz, 2018/05/09
- [Qemu-block] [PATCH 03/13] tests: Add QAPI optional discriminator tests, Max Reitz, 2018/05/09
- [Qemu-block] [PATCH 04/13] qapi: Formalize qcow2 encryption probing, Max Reitz, 2018/05/09
- [Qemu-block] [PATCH 05/13] qapi: Formalize qcow encryption probing, Max Reitz, 2018/05/09
- [Qemu-block] [PATCH 07/13] qdict: Add qdict_stringify_for_keyval(), Max Reitz, 2018/05/09
- [Qemu-block] [PATCH 06/13] block: Add block-specific QDict header, Max Reitz, 2018/05/09