[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH v2 17/17] block: remove support for legecy AES qcow/
From: |
Daniel P. Berrange |
Subject: |
[Qemu-devel] [PATCH v2 17/17] block: remove support for legecy AES qcow/qcow2 encryption |
Date: |
Wed, 20 Jan 2016 17:38:59 +0000 |
Refuse to use images with the legacy AES-CBC encryption
format in the system emulators. They are still fully
supported in the qemu-img, qemu-io & qemu-nbd tools in
order to allow data to be liberated and for compatibility
with older QEMU versions. Continued support in these tools
is not a notable burden with the new FDE framework.
Signed-off-by: Daniel P. Berrange <address@hidden>
---
block.c | 12 +++++-------
block/qcow.c | 8 ++++++++
block/qcow2.c | 8 ++++++++
include/block/block.h | 1 +
tests/qemu-iotests/049.out | 3 ---
tests/qemu-iotests/087.out | 12 ------------
tests/qemu-iotests/134.out | 12 ------------
7 files changed, 22 insertions(+), 34 deletions(-)
diff --git a/block.c b/block.c
index 5403355..b59bd81 100644
--- a/block.c
+++ b/block.c
@@ -312,6 +312,11 @@ static int bdrv_is_whitelisted(BlockDriver *drv, bool
read_only)
return 0;
}
+bool bdrv_uses_whitelist(void)
+{
+ return use_bdrv_whitelist;
+}
+
typedef struct CreateCo {
BlockDriver *drv;
char *filename;
@@ -1021,13 +1026,6 @@ static int bdrv_open_common(BlockDriverState *bs,
BdrvChild *file,
goto free_and_fail;
}
- if (bs->encrypted) {
- error_report("Encrypted images are deprecated");
- error_printf("Support for them will be removed in a future release.\n"
- "You can use 'qemu-img convert' to convert your image"
- " to an unencrypted one.\n");
- }
-
ret = refresh_total_sectors(bs, bs->total_sectors);
if (ret < 0) {
error_setg_errno(errp, -ret, "Could not refresh total sector count");
diff --git a/block/qcow.c b/block/qcow.c
index 2fc7c3c..3ae438e 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -180,6 +180,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options,
int flags,
s->crypt_method_header = header.crypt_method;
if (s->crypt_method_header) {
if (s->crypt_method_header == QCOW_CRYPT_AES) {
+ if (bdrv_uses_whitelist()) {
+ error_setg(errp,
+ "Use of AES-CBC encrypted qcow images is no longer "
+ "supported. Please use the qcow2 LUKS format
instead.");
+ ret = -ENOSYS;
+ goto fail;
+ }
+
ov = opts_visitor_new(opts);
crypto_opts = g_new0(QCryptoBlockOpenOptions, 1);
diff --git a/block/qcow2.c b/block/qcow2.c
index 1fbae85..a737c6c 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1209,6 +1209,14 @@ static int qcow2_open(BlockDriverState *bs, QDict
*options, int flags,
s->crypt_method_header = header.crypt_method;
if (s->crypt_method_header) {
+ if (bdrv_uses_whitelist() &&
+ s->crypt_method_header == QCOW_CRYPT_AES) {
+ error_setg(errp,
+ "Use of AES-CBC encrypted qcow2 images is no longer "
+ "supported. Please use the qcow2 LUKS format instead.");
+ ret = -ENOSYS;
+ goto fail;
+ }
bs->encrypted = 1;
}
diff --git a/include/block/block.h b/include/block/block.h
index 379a24c..58006d2 100644
--- a/include/block/block.h
+++ b/include/block/block.h
@@ -190,6 +190,7 @@ void bdrv_io_limits_update_group(BlockDriverState *bs,
const char *group);
void bdrv_init(void);
void bdrv_init_with_whitelist(void);
+bool bdrv_uses_whitelist(void);
BlockDriver *bdrv_find_protocol(const char *filename,
bool allow_protocol_prefix,
Error **errp);
diff --git a/tests/qemu-iotests/049.out b/tests/qemu-iotests/049.out
index c9f0bc5..e0bedc0 100644
--- a/tests/qemu-iotests/049.out
+++ b/tests/qemu-iotests/049.out
@@ -187,9 +187,6 @@ qemu-img create -f qcow2 -o encryption=off TEST_DIR/t.qcow2
64M
Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 size=67108864 encryption=off
cluster_size=65536 lazy_refcounts=off refcount_bits=16
qemu-img create -f qcow2 --object secret,id=sec0,data=123456 -o
encryption=on,key-secret=sec0 TEST_DIR/t.qcow2 64M
-qemu-img: Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 size=67108864 encryption=on
cluster_size=65536 lazy_refcounts=off refcount_bits=16 key-secret=sec0
== Check lazy_refcounts option (only with v3) ==
diff --git a/tests/qemu-iotests/087.out b/tests/qemu-iotests/087.out
index 6582dda..b8842d5 100644
--- a/tests/qemu-iotests/087.out
+++ b/tests/qemu-iotests/087.out
@@ -38,17 +38,11 @@ QMP_VERSION
=== Encrypted image ===
-qemu-img: Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 encryption=on
key-secret=sec0
Testing: -S
QMP_VERSION
{"return": {}}
{"return": {}}
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
{"return": {}}
{"return": {}}
{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event":
"SHUTDOWN"}
@@ -57,9 +51,6 @@ Testing:
QMP_VERSION
{"return": {}}
{"return": {}}
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
{"return": {}}
{"return": {}}
{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event":
"SHUTDOWN"}
@@ -67,9 +58,6 @@ You can use 'qemu-img convert' to convert your image to an
unencrypted one.
=== Missing driver ===
-qemu-img: Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 encryption=on
key-secret=sec0
Testing: -S
QMP_VERSION
diff --git a/tests/qemu-iotests/134.out b/tests/qemu-iotests/134.out
index e9bf302..d498570 100644
--- a/tests/qemu-iotests/134.out
+++ b/tests/qemu-iotests/134.out
@@ -1,27 +1,15 @@
QA output created by 134
-qemu-img: Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 encryption=on
key-secret=sec0
== reading whole image ==
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
read 134217728/134217728 bytes at offset 0
128 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
== rewriting whole image ==
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
wrote 134217728/134217728 bytes at offset 0
128 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
== verify pattern ==
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
read 134217728/134217728 bytes at offset 0
128 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
--
2.5.0
- [Qemu-devel] [PATCH v2 14/17] qcow: convert QCow to use QCryptoBlock for encryption, (continued)
[Qemu-devel] [PATCH v2 15/17] block: rip out all traces of password prompting, Daniel P. Berrange, 2016/01/20
[Qemu-devel] [PATCH v2 16/17] block: remove all encryption handling APIs, Daniel P. Berrange, 2016/01/20
[Qemu-devel] [PATCH v2 17/17] block: remove support for legecy AES qcow/qcow2 encryption,
Daniel P. Berrange <=
[Qemu-devel] [PATCH v2 12/17] qcow2: convert QCow2 to use QCryptoBlock for encryption, Daniel P. Berrange, 2016/01/20