[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v2 02/14] qcrypto/luks: implement encryption key management
|
From: |
Max Reitz |
|
Subject: |
Re: [PATCH v2 02/14] qcrypto/luks: implement encryption key management |
|
Date: |
Tue, 10 Mar 2020 11:58:01 +0100 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 |
On 08.03.20 16:18, Maxim Levitsky wrote:
> Next few patches will expose that functionality
> to the user.
>
> Signed-off-by: Maxim Levitsky <address@hidden>
> ---
> crypto/block-luks.c | 398 +++++++++++++++++++++++++++++++++++++++++++-
> qapi/crypto.json | 61 ++++++-
> 2 files changed, 455 insertions(+), 4 deletions(-)
[...]
> +##
> +# @QCryptoBlockAmendOptionsLUKS:
> +#
> +# This struct defines the update parameters that activate/de-activate set
> +# of keyslots
> +#
> +# @state: the desired state of the keyslots
> +#
> +# @new-secret: The ID of a QCryptoSecret object providing the password to
> be
> +# written into added active keyslots
> +#
> +# @old-secret: Optional (for deactivation only)
> +# If given will deactive all keyslots that
> +# match password located in QCryptoSecret with this ID
> +#
> +# @iter-time: Optional (for activation only)
> +# Number of milliseconds to spend in
> +# PBKDF passphrase processing for the newly activated
> keyslot.
> +# Currently defaults to 2000.
> +#
> +# @keyslot: Optional. ID of the keyslot to activate/deactivate.
> +# For keyslot activation, keyslot should not be active
> already
> +# (this is unsafe to update an active keyslot),
> +# but possible if 'force' parameter is given.
> +# If keyslot is not given, first free keyslot will be
> written.
> +#
> +# For keyslot deactivation, this parameter specifies the
> exact
> +# keyslot to deactivate
> +#
> +# @unlock-secret: Optional. The ID of a QCryptoSecret object providing the
> +# password to use to retrive current master key.
> +# Defaults to the same secret that was used to open the image
So this matches Markus’ proposal except everything is flattened (because
we don’t support nested unions, AFAIU). Sounds OK to me. The only
difference is @unlock-secret, which did not appear in his proposal. Why
do we need it again?
Max
signature.asc
Description: OpenPGP digital signature
[PATCH v2 03/14] block/amend: add 'force' option, Maxim Levitsky, 2020/03/08
[PATCH v2 04/14] block/amend: separate amend and create options for qemu-img, Maxim Levitsky, 2020/03/08
[PATCH v2 06/14] block/crypto: rename two functions, Maxim Levitsky, 2020/03/08
[PATCH v2 07/14] block/crypto: implement the encryption key management, Maxim Levitsky, 2020/03/08
[PATCH v2 08/14] block/qcow2: extend qemu-img amend interface with crypto options, Maxim Levitsky, 2020/03/08
[PATCH v2 09/14] iotests: filter few more luks specific create options, Maxim Levitsky, 2020/03/08