From 43cbd06df2dcdfe236e68351bb3c350e0d1d857a Mon Sep 17 00:00:00 2001 From: Maxim Levitsky Date: Thu, 25 Jun 2020 14:55:36 +0200 Subject: qcrypto/core: add generic infrastructure for crypto options amendment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This will be used first to implement luks keyslot management. block_crypto_amend_opts_init will be used to convert qemu-img cmdline to QCryptoBlockAmendOptions Signed-off-by: Maxim Levitsky Reviewed-by: Daniel P. Berrangé Message-Id: <20200608094030.670121-2-mlevitsk@redhat.com> Signed-off-by: Max Reitz --- qapi/crypto.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'qapi') diff --git a/qapi/crypto.json b/qapi/crypto.json index b2a4cff..aeb6c7e 100644 --- a/qapi/crypto.json +++ b/qapi/crypto.json @@ -309,3 +309,19 @@ 'base': 'QCryptoBlockInfoBase', 'discriminator': 'format', 'data': { 'luks': 'QCryptoBlockInfoLUKS' } } + + + +## +# @QCryptoBlockAmendOptions: +# +# The options that are available for all encryption formats +# when amending encryption settings +# +# Since: 5.1 +## +{ 'union': 'QCryptoBlockAmendOptions', + 'base': 'QCryptoBlockOptionsBase', + 'discriminator': 'format', + 'data': { + } } -- cgit v1.1 From 557d2bdcca8fa42e9aa956210e863192ddeb8acf Mon Sep 17 00:00:00 2001 From: Maxim Levitsky Date: Thu, 25 Jun 2020 14:55:37 +0200 Subject: qcrypto/luks: implement encryption key management MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Next few patches will expose that functionality to the user. Signed-off-by: Maxim Levitsky Reviewed-by: Daniel P. Berrangé Message-Id: <20200608094030.670121-3-mlevitsk@redhat.com> Signed-off-by: Max Reitz --- qapi/crypto.json | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 57 insertions(+), 2 deletions(-) (limited to 'qapi') diff --git a/qapi/crypto.json b/qapi/crypto.json index aeb6c7e..5a68e0d 100644 --- a/qapi/crypto.json +++ b/qapi/crypto.json @@ -297,7 +297,6 @@ 'uuid': 'str', 'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }} - ## # @QCryptoBlockInfo: # @@ -310,7 +309,63 @@ 'discriminator': 'format', 'data': { 'luks': 'QCryptoBlockInfoLUKS' } } +## +# @QCryptoBlockLUKSKeyslotState: +# +# Defines state of keyslots that are affected by the update +# +# @active: The slots contain the given password and marked as active +# @inactive: The slots are erased (contain garbage) and marked as inactive +# +# Since: 5.1 +## +{ 'enum': 'QCryptoBlockLUKSKeyslotState', + 'data': [ 'active', 'inactive' ] } + +## +# @QCryptoBlockAmendOptionsLUKS: +# +# This struct defines the update parameters that activate/de-activate set +# of keyslots +# +# @state: the desired state of the keyslots +# +# @new-secret: The ID of a QCryptoSecret object providing the password to be +# written into added active keyslots +# +# @old-secret: Optional (for deactivation only) +# If given will deactive all keyslots that +# match password located in QCryptoSecret with this ID +# +# @iter-time: Optional (for activation only) +# Number of milliseconds to spend in +# PBKDF passphrase processing for the newly activated keyslot. +# Currently defaults to 2000. +# +# @keyslot: Optional. ID of the keyslot to activate/deactivate. +# For keyslot activation, keyslot should not be active already +# (this is unsafe to update an active keyslot), +# but possible if 'force' parameter is given. +# If keyslot is not given, first free keyslot will be written. +# +# For keyslot deactivation, this parameter specifies the exact +# keyslot to deactivate +# +# @secret: Optional. The ID of a QCryptoSecret object providing the +# password to use to retrive current master key. +# Defaults to the same secret that was used to open the image +# +# +# Since 5.1 +## +{ 'struct': 'QCryptoBlockAmendOptionsLUKS', + 'data': { 'state': 'QCryptoBlockLUKSKeyslotState', + '*new-secret': 'str', + '*old-secret': 'str', + '*keyslot': 'int', + '*iter-time': 'int', + '*secret': 'str' } } ## # @QCryptoBlockAmendOptions: @@ -324,4 +379,4 @@ 'base': 'QCryptoBlockOptionsBase', 'discriminator': 'format', 'data': { - } } + 'luks': 'QCryptoBlockAmendOptionsLUKS' } } -- cgit v1.1 From ced914d0ab9fb2c900f873f6349a0b8eecd1fdbe Mon Sep 17 00:00:00 2001 From: Maxim Levitsky Date: Thu, 25 Jun 2020 14:55:45 +0200 Subject: block/core: add generic infrastructure for x-blockdev-amend qmp command MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit blockdev-amend will be used similiar to blockdev-create to allow on the fly changes of the structure of the format based block devices. Current plan is to first support encryption keyslot management for luks based formats (raw and embedded in qcow2) Signed-off-by: Maxim Levitsky Reviewed-by: Daniel P. Berrangé Message-Id: <20200608094030.670121-12-mlevitsk@redhat.com> Signed-off-by: Max Reitz --- qapi/block-core.json | 42 ++++++++++++++++++++++++++++++++++++++++++ qapi/job.json | 4 +++- 2 files changed, 45 insertions(+), 1 deletion(-) (limited to 'qapi') diff --git a/qapi/block-core.json b/qapi/block-core.json index 0e1c6a5..c229962 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -4675,6 +4675,48 @@ 'options': 'BlockdevCreateOptions' } } ## +# @BlockdevAmendOptions: +# +# Options for amending an image format +# +# @driver: Block driver of the node to amend. +# +# Since: 5.1 +## +{ 'union': 'BlockdevAmendOptions', + 'base': { + 'driver': 'BlockdevDriver' }, + 'discriminator': 'driver', + 'data': { + } } + +## +# @x-blockdev-amend: +# +# Starts a job to amend format specific options of an existing open block device +# The job is automatically finalized, but a manual job-dismiss is required. +# +# @job-id: Identifier for the newly created job. +# +# @node-name: Name of the block node to work on +# +# @options: Options (driver specific) +# +# @force: Allow unsafe operations, format specific +# For luks that allows erase of the last active keyslot +# (permanent loss of data), +# and replacement of an active keyslot +# (possible loss of data if IO error happens) +# +# Since: 5.1 +## +{ 'command': 'x-blockdev-amend', + 'data': { 'job-id': 'str', + 'node-name': 'str', + 'options': 'BlockdevAmendOptions', + '*force': 'bool' } } + +## # @BlockErrorAction: # # An enumeration of action that has been taken when a DISK I/O occurs diff --git a/qapi/job.json b/qapi/job.json index 5e65828..c48a0c3 100644 --- a/qapi/job.json +++ b/qapi/job.json @@ -19,10 +19,12 @@ # # @create: image creation job type, see "blockdev-create" (since 3.0) # +# @amend: image options amend job type, see "x-blockdev-amend" (since 5.1) +# # Since: 1.7 ## { 'enum': 'JobType', - 'data': ['commit', 'stream', 'mirror', 'backup', 'create'] } + 'data': ['commit', 'stream', 'mirror', 'backup', 'create', 'amend'] } ## # @JobStatus: -- cgit v1.1 From 30da9dd88a0315d73320e27dfb69093ee3ce5d1c Mon Sep 17 00:00:00 2001 From: Maxim Levitsky Date: Thu, 25 Jun 2020 14:55:46 +0200 Subject: block/crypto: implement blockdev-amend MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maxim Levitsky Reviewed-by: Daniel P. Berrangé Reviewed-by: Max Reitz Message-Id: <20200608094030.670121-13-mlevitsk@redhat.com> Signed-off-by: Max Reitz --- qapi/block-core.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'qapi') diff --git a/qapi/block-core.json b/qapi/block-core.json index c229962..cd679ad 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -4675,6 +4675,18 @@ 'options': 'BlockdevCreateOptions' } } ## +# @BlockdevAmendOptionsLUKS: +# +# Driver specific image amend options for LUKS. +# +# Since: 5.1 +## +{ 'struct': 'BlockdevAmendOptionsLUKS', + 'base': 'QCryptoBlockAmendOptionsLUKS', + 'data': { } +} + +## # @BlockdevAmendOptions: # # Options for amending an image format @@ -4688,7 +4700,7 @@ 'driver': 'BlockdevDriver' }, 'discriminator': 'driver', 'data': { - } } + 'luks': 'BlockdevAmendOptionsLUKS' } } ## # @x-blockdev-amend: -- cgit v1.1 From 8ea1613d91b2f515132f015430efaa35adb8f6d0 Mon Sep 17 00:00:00 2001 From: Maxim Levitsky Date: Thu, 25 Jun 2020 14:55:47 +0200 Subject: block/qcow2: implement blockdev-amend MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently the implementation only supports amending the encryption options, unlike the qemu-img version Signed-off-by: Maxim Levitsky Reviewed-by: Daniel P. Berrangé Reviewed-by: Max Reitz Message-Id: <20200608094030.670121-14-mlevitsk@redhat.com> Signed-off-by: Max Reitz --- qapi/block-core.json | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'qapi') diff --git a/qapi/block-core.json b/qapi/block-core.json index cd679ad..b20332e 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -4687,6 +4687,19 @@ } ## +# @BlockdevAmendOptionsQcow2: +# +# Driver specific image amend options for qcow2. +# For now, only encryption options can be amended +# +# @encrypt Encryption options to be amended +# +# Since: 5.1 +## +{ 'struct': 'BlockdevAmendOptionsQcow2', + 'data': { '*encrypt': 'QCryptoBlockAmendOptions' } } + +## # @BlockdevAmendOptions: # # Options for amending an image format @@ -4700,7 +4713,8 @@ 'driver': 'BlockdevDriver' }, 'discriminator': 'driver', 'data': { - 'luks': 'BlockdevAmendOptionsLUKS' } } + 'luks': 'BlockdevAmendOptionsLUKS', + 'qcow2': 'BlockdevAmendOptionsQcow2' } } ## # @x-blockdev-amend: -- cgit v1.1