[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: QAPI schema for desired state of LUKS keyslots
|
From: |
Markus Armbruster |
|
Subject: |
Re: QAPI schema for desired state of LUKS keyslots |
|
Date: |
Tue, 25 Feb 2020 17:48:02 +0100 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) |
Max Reitz <address@hidden> writes:
> On 15.02.20 15:51, Markus Armbruster wrote:
>> Review of this patch led to a lengthy QAPI schema design discussion.
>> Let me try to condense it into a concrete proposal.
>>
>> This is about the QAPI schema, and therefore about QMP. The
>> human-friendly interface is out of scope. Not because it's not
>> important (it clearly is!), only because we need to *focus* to have a
>> chance at success.
>>
>> I'm going to include a few design options. I'll mark them "Option:".
>>
>> The proposed "amend" interface takes a specification of desired state,
>> and figures out how to get from here to there by itself. LUKS keyslots
>> are one part of desired state.
>>
>> We commonly have eight LUKS keyslots. Each keyslot is either active or
>> inactive. An active keyslot holds a secret.
>>
>> Goal: a QAPI type for specifying desired state of LUKS keyslots.
>>
>> Proposal:
>>
>> { 'enum': 'LUKSKeyslotState',
>> 'data': [ 'active', 'inactive' ] }
>>
>> { 'struct': 'LUKSKeyslotActive',
>> 'data': { 'secret': 'str',
>> '*iter-time': 'int } }
>>
>> { 'struct': 'LUKSKeyslotInactive',
>> 'data': { '*old-secret': 'str' } }
>>
>> { 'union': 'LUKSKeyslotAmend',
>> 'base': { '*keyslot': 'int',
>> 'state': 'LUKSKeyslotState' }
>> 'discriminator': 'state',
>> 'data': { 'active': 'LUKSKeyslotActive',
>> 'inactive': 'LUKSKeyslotInactive' } }
>
> Looks OK to me. The only thing is that @old-secret kind of works as an
> address, just like @keyslot,
It does.
> so it might also make sense to me to put
> @keyslot/@old-secret into a union in the base structure.
I'm fine with state-specific extra adressing modes (I better be, I
proposed them).
I'd also be fine with a single state-independent addressing mode, as
long as we can come up with sane semantics. Less flexible when adding
states, but we almost certainly won't.
Let's see how we could merge my two addressing modes into one.
The two are
* active
keyslot old-secret slot(s) selected
absent N/A one inactive slot if exist, else error
present N/A the slot given by @keyslot
* inactive
keyslot old-secret slot(s) selected
absent absent all keyslots
present absent the slot given by @keyslot
absent present all active slots holding @old-secret
present present the slot given by @keyslot, error unless
it's active holding @old-secret
They conflict:
> (One of the problems that come to mind with that approach is that not
> specifying either of @old-secret or @keyslot has different meanings for
> activating/inactivating a keyslot: When activating it, it means “The
> first unused one”; when deactivating it, it’s just an error because it
> doesn’t really mean anything.)
>
> *shrug*
Note we we don't really care what "inactive, both absent" does. My
proposed semantics are just the most regular I could find. We can
therefore resolve the conflict by picking "active, both absent":
keyslot old-secret slot(s) selected
absent absent one inactive slot if exist, else error
present absent the slot given by @keyslot
absent present all active slots holding @old-secret
present present the slot given by @keyslot, error unless
it's active holding @old-secret
Changes:
* inactive, both absent: changed; we select "one inactive slot" instead of
"all slots".
"All slots" is a no-op when the current state has no active keyslots,
else error.
"One inactive slot" is a no-op when the current state has one, else
error. Thus, we no-op rather than error in some states.
* active, keyslot absent or present, old-secret present: new; selects
active slot(s) holding @old-secret, no-op when old-secret == secret,
else error (no in place update)
Can do. It's differently irregular, and has a few more combinations
that are basically useless, which I find unappealing. Matter of taste,
I guess.
Anyone got strong feelings here?