
Re: API definition for LUKS key management [V2]


From: Maxim Levitsky
Subject: Re: API definition for LUKS key management [V2]
Date: Fri, 22 Nov 2019 16:22:18 +0200

Hi!

This is the second version of the proposed QMP API for key management,
after discussion with Kevin and Max.

Will this work?

Adding Peter Krempa to CC, to hear his opinion from the 
libvirt side.

Best regards,
        Maxim Levitsky


diff --git a/qapi/block-core.json b/qapi/block-core.json
index 0cf68fea14..63b4cd2a27 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -4725,6 +4725,69 @@
   'data': { 'job-id': 'str',
             'options': 'BlockdevCreateOptions' } }
 
+
+##
+# @BlockdevAmendOptionsQcow2:
+#
+# Options for amending the qcow2 image format
+# Currently only crypto related options can be amended
+#
+# @driver           block driver to create the image format
+#
+# Since: 5.0
+##
+{ 'struct': 'BlockdevAmendOptionsQcow2',
+  'data': {
+            '*encrypt': 'QCryptoBlockAmendOptions' } }
+
+##
+# @BlockdevAmendOptionsLUKS:
+#
+# Options for amending the luks image format
+#
+# @driver  block driver to create the image format
+#
+# Since: 5.0
+##
+{ 'struct': 'BlockdevAmendOptionsLUKS',
+  'base': 'QCryptoBlockAmendOptionsLUKS',
+  'data': {  }
+}
+
+##
+# @BlockdevAmendOptions:
+#
+# Options for amending blockdev configuration
+#
+# @driver   block driver that was used to create the block device
+#
+# Since: 5.0
+##
+{ 'union': 'BlockdevAmendOptions',
+  'base': {
+      'driver':         'BlockdevDriver' },
+  'discriminator': 'driver',
+  'data': {
+      'luks':           'BlockdevAmendOptionsLUKS',
+      'qcow2':          'BlockdevAmendOptionsQcow2'
+  } }
+
+##
+# @x-blockdev-amend:
+#
+# Starts a job to create an image format on a given node. The job is
+# automatically finalized, but a manual job-dismiss is required.
+#
+# @job-id:          Identifier for the newly created job.
+#
+# @options:         Options for the image creation.
+#
+# Since: 5.0
+##
+{ 'command': 'x-blockdev-amend',
+  'data': { 'job-id': 'str',
+            'options': 'BlockdevAmendOptions' } }
+
 ##
 # @blockdev-open-tray:
 #
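Review bot: x-blockdev-amend has no way to name the node it should amend. The command takes only 'job-id' and 'options', and neither BlockdevAmendOptionsQcow2 nor BlockdevAmendOptionsLUKS carries a node reference (the LUKS struct has an empty 'data' and the qcow2 struct only '*encrypt'), so unlike BlockdevCreateOptions, where each driver's options name their target, this job cannot tell which node's header to rewrite; add a 'node-name' argument to the command (or to the union base) and document it. The doc comments also look copied from blockdev-create: both amend structs document a '@driver' member they do not declare while '@encrypt' goes undocumented, and the x-blockdev-amend text reads "Starts a job to create an image format on a given node" and "Options for the image creation" where it should say amend. Given the 'x-' prefix, a sentence noting the command is experimental and its schema may change would also help libvirt decide how to wrap it.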
diff --git a/qapi/crypto.json b/qapi/crypto.json
index b2a4cff683..019db682cd 100644
--- a/qapi/crypto.json
+++ b/qapi/crypto.json
@@ -309,3 +309,56 @@
   'base': 'QCryptoBlockInfoBase',
   'discriminator': 'format',
   'data': { 'luks': 'QCryptoBlockInfoLUKS' } }
+
+
+##
+# @LUKSKeyslotUpdate:
+#
+# @keyslot:         If specified, will update only keyslot with this index
+#
+# @old-secret:      If specified, will only update keyslots that
+#                   can be opened with password which is contained in
+#                   QCryptoSecret with @old-secret ID
+#
+#                   If neither @keyslot nor @old-secret is specified,
+#                   first empty keyslot is selected for the update
+#
+# @new-secret:      The ID of a QCryptoSecret object providing a new decryption
+#                   key to place in all matching keyslots. Empty string erases 
the
+#                   keyslot.
+# @iter-time:       number of milliseconds to spend in
+#                   PBKDF passphrase processing
+##
+{ 'struct': 'LUKSKeyslotUpdate',
+  'data': {
+         '*keyslot': 'int',
+         '*old-secret': 'str',
+         'new-secret' : 'str',
+         '*iter-time' : 'int' } }
+
+
+##
+# @QCryptoBlockAmendOptionsLUKS:
+#
+# The options that can be changed on existing luks encrypted device
+# @keys: list of keyslot updates to perform (updates are performed in order)
+#
+# Since: 5.0
+##
+{ 'struct': 'QCryptoBlockAmendOptionsLUKS',
+  'data' : { 'keys': ['LUKSKeyslotUpdate'] } }
+
+
+##
+# @QCryptoBlockAmendOptions:
+#
+# The options that are available for all encryption formats
+# when initializing a new volume
+#
+# Since: 5.0
+##
+{ 'union': 'QCryptoBlockAmendOptions',
+  'base': 'QCryptoBlockOptionsBase',
+  'discriminator': 'format',
+  'data': {
+            'luks': 'QCryptoBlockAmendOptionsLUKS' } }
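Review bot: LUKSKeyslotUpdate leaves the erase case underspecified. With 'new-secret' set to the empty string and neither 'keyslot' nor 'old-secret' given, the comment says "first empty keyslot is selected", so an erase request would target an already-empty slot; state that erase requires 'keyslot' or 'old-secret', and say whether giving both is an error or an AND. Overloading the secret ID with an empty string as the erase sentinel is also fragile (it collides with a QCryptoSecret whose id happens to be empty); a separate optional flag, or an enum for the desired slot state, would make intent explicit and lets 'new-secret' become mandatory only for the add/replace case. Since erasing the last active keyslot makes the volume permanently unopenable, consider refusing that unless the caller explicitly forces it. Smaller points: LUKSKeyslotUpdate lacks the 'Since: 5.0' line the other new types carry, 'old-secret' matching implies running PBKDF against every active slot so '@iter-time' should say it only affects the new key, and QCryptoBlockAmendOptions says "when initializing a new volume", copied from the create options; it should say when amending an existing volume.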