[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v2 12/17] qcow2: convert QCow2 to use QCryptoBlo

From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCH v2 12/17] qcow2: convert QCow2 to use QCryptoBlock for encryption
Date: Thu, 21 Jan 2016 10:50:45 +0000
User-agent: Mutt/1.5.24 (2015-08-30)

On Thu, Jan 21, 2016 at 05:54:23PM +0800, Fam Zheng wrote:
> On Wed, 01/20 17:38, Daniel P. Berrange wrote:
> > This converts the qcow2 driver to make use of the QCryptoBlock
> > APIs for encrypting image content. As well as continued support
> > for the legacy QCow2 encryption format, the appealing benefit
> > is that it enables support for the LUKS format inside qcow2.
> FWIW, with today's QEMU, it's possible to stack format drivers on top of each
> other.  In other words, even without this patch, we can make LUKS driver
> encrypt/decrypt the qcow2 payload, while keeping them completely orthogonal.

Yep, that is certainly possible, and it is what is intended for using
LUKS with RBD, iSCSI, & other network drivers.

I think there is value in having LUKS integrated directly into qcow2
though. It means that given a qcow2 file you can 100% reliably
distinguish between a file created with the intention of QEMU managing
the LUKS encryption, from a file where the guest OS happens to have
set up LUKS encryption in its virtual disk. If you don't have this,
then given a random qcow2 file, you have to probe to see if LUKS is
present or not. Given the security issues we've had in the past with
raw images being turned into qcow2 images by a malicious guest writing
a qcow2 header, I feel that having explicitly integration LUKS support
in QCow is worthwhile as a concept.

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

reply via email to

[Prev in Thread] Current Thread [Next in Thread]