From: Maxim Levitsky <mlevitsk@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Kevin Wolf" <kwolf@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
qemu-block@nongnu.org, "Markus Armbruster" <armbru@redhat.com>,
"Max Reitz" <mreitz@redhat.com>,
"Maxim Levitsky" <mlevitsk@redhat.com>,
"John Snow" <jsnow@redhat.com>
Subject: [PATCH v3 08/14] block/qcow2: extend qemu-img amend interface with crypto options
Date: Sun, 3 May 2020 21:43:18 +0300 [thread overview]
Message-ID: <20200503184324.12506-9-mlevitsk@redhat.com> (raw)
In-Reply-To: <20200503184324.12506-1-mlevitsk@redhat.com>
Now that all the infrastructure is in place, wire the crypto amend
options into the qcow2 driver and expose them to the user via qemu-img amend.
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
---
block/qcow2.c | 72 +++++++++++++++++++++++++++++++++-----
tests/qemu-iotests/082.out | 45 ++++++++++++++++++++++++
2 files changed, 108 insertions(+), 9 deletions(-)
diff --git a/block/qcow2.c b/block/qcow2.c
index e6c4d0b0b4..ce1e25f341 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -176,6 +176,19 @@ static ssize_t qcow2_crypto_hdr_write_func(QCryptoBlock *block, size_t offset,
return ret;
}
+static QDict*
+qcow2_extract_crypto_opts(QemuOpts *opts, const char *fmt, Error **errp)
+{
+ QDict *cryptoopts_qdict;
+ QDict *opts_qdict;
+
+ /* Extract "encrypt." options into a qdict */
+ opts_qdict = qemu_opts_to_qdict(opts, NULL);
+ qdict_extract_subqdict(opts_qdict, &cryptoopts_qdict, "encrypt.");
+ qobject_unref(opts_qdict);
+ qdict_put_str(cryptoopts_qdict, "format", fmt);
+ return cryptoopts_qdict;
+}
/*
* read qcow2 extension and fill bs
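Review bot: The `errp` parameter of `qcow2_extract_crypto_opts` is never written and the function has no failure path — `qemu_opts_to_qdict`, `qdict_extract_subqdict` and `qdict_put_str` always produce a dict here — so any caller that tests the result for NULL and returns an error code would do so with `errp` left unset. Either drop the parameter or state the contract above the function so callers do not add dead checks: `/* Never fails: always returns a new QDict holding the "encrypt." sub-options plus "format"; the caller owns it and must qobject_unref() it. errp is unused. */`. The "format" value passed in (`luks` at both call sites) is trusted input from the driver, not from the user, which is worth saying in that comment too.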
@@ -4733,17 +4746,11 @@ static BlockMeasureInfo *qcow2_measure(QemuOpts *opts, BlockDriverState *in_bs,
g_free(optstr);
if (has_luks) {
+
g_autoptr(QCryptoBlockCreateOptions) create_opts = NULL;
- QDict *opts_qdict;
- QDict *cryptoopts;
+ QDict *cryptoopts = qcow2_extract_crypto_opts(opts, "luks", errp);
size_t headerlen;
- opts_qdict = qemu_opts_to_qdict(opts, NULL);
- qdict_extract_subqdict(opts_qdict, &cryptoopts, "encrypt.");
- qobject_unref(opts_qdict);
-
- qdict_put_str(cryptoopts, "format", "luks");
-
create_opts = block_crypto_create_opts_init(cryptoopts, errp);
qobject_unref(cryptoopts);
if (!create_opts) {
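Review bot: The added blank line directly after `if (has_luks) {` (the lone `+` at the top of the hunk) is a stray whitespace change unrelated to the refactor and should be dropped. The helper is passed `errp` but cannot fail, so the existing `if (!create_opts)` remains the only real error check in this branch; `cryptoopts` is unreferenced right after `block_crypto_create_opts_init`, which keeps ownership correct. The enclosing `qcow2_measure` starts and ends outside the hunk.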
@@ -5122,6 +5129,7 @@ typedef enum Qcow2AmendOperation {
QCOW2_NO_OPERATION = 0,
QCOW2_UPGRADING,
+ QCOW2_UPDATING_ENCRYPTION,
QCOW2_CHANGING_REFCOUNT_ORDER,
QCOW2_DOWNGRADING,
} Qcow2AmendOperation;
@@ -5203,6 +5211,7 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
int ret;
QemuOptDesc *desc = opts->list->desc;
Qcow2AmendHelperCBInfo helper_cb_info;
+ bool encryption_update = false;
while (desc && desc->name) {
if (!qemu_opt_find(opts, desc->name)) {
@@ -5229,6 +5238,18 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
backing_file = qemu_opt_get(opts, BLOCK_OPT_BACKING_FILE);
} else if (!strcmp(desc->name, BLOCK_OPT_BACKING_FMT)) {
backing_format = qemu_opt_get(opts, BLOCK_OPT_BACKING_FMT);
+ } else if (g_str_has_prefix(desc->name, "encrypt.")) {
+ if (!s->crypto) {
+ error_setg(errp,
+ "Can't amend encryption options - encryption not present");
+ return -EINVAL;
+ }
+ if (s->crypt_method_header != QCOW_CRYPT_LUKS) {
+ error_setg(errp,
+ "Only LUKS encryption options can be amended");
+ return -ENOTSUP;
+ }
+ encryption_update = true;
} else if (!strcmp(desc->name, BLOCK_OPT_LAZY_REFCOUNTS)) {
lazy_refcounts = qemu_opt_get_bool(opts, BLOCK_OPT_LAZY_REFCOUNTS,
lazy_refcounts);
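Review bot: The new `encrypt.` branch tests `s->crypto` before `s->crypt_method_header`, so an image whose header says LUKS but whose crypto context was not set up (if that can happen for a qcow2 opened without I/O — not visible from this hunk) would be reported as "encryption not present" rather than the more accurate unsupported-state message; checking `crypt_method_header` first and then `s->crypto` gives the user the right diagnosis. It is also worth a comment that the first check deliberately forbids turning a plain image into an encrypted one through amend, since that is a deliberate security boundary rather than a missing feature: `/* Adding encryption to a plain image is not supported; only keyslots of an existing LUKS header can be amended. */`. The option loop continues past the hunk, so the `desc++` advance is not visible here.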
@@ -5271,7 +5292,8 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
.original_status_cb = status_cb,
.original_cb_opaque = cb_opaque,
.total_operations = (new_version != old_version)
- + (s->refcount_bits != refcount_bits)
+ + (s->refcount_bits != refcount_bits) +
+ (encryption_update == true)
};
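Review bot: `(encryption_update == true)` compares a bool against `true` and also moves the `+` to the end of the previous line, breaking the operator-leading layout of the initializer; `+ encryption_update` on its own line matches the surrounding style and reads the same. The `helper_cb_info` initializer spans the hunk boundary, so only this term is visible.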
/* Upgrade first (some features may require compat=1.1) */
@@ -5284,6 +5306,33 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
}
}
+ if (encryption_update) {
+ QDict *amend_opts_dict;
+ QCryptoBlockAmendOptions *amend_opts;
+
+ helper_cb_info.current_operation = QCOW2_UPDATING_ENCRYPTION;
+ amend_opts_dict = qcow2_extract_crypto_opts(opts, "luks", errp);
+ if (!amend_opts_dict) {
+ return -EINVAL;
+ }
+ amend_opts = block_crypto_amend_opts_init(amend_opts_dict, errp);
+ qobject_unref(amend_opts_dict);
+ if (!amend_opts) {
+ return -EINVAL;
+ }
+ ret = qcrypto_block_amend_options(s->crypto,
+ qcow2_crypto_hdr_read_func,
+ qcow2_crypto_hdr_write_func,
+ bs,
+ amend_opts,
+ force,
+ errp);
+ qapi_free_QCryptoBlockAmendOptions(amend_opts);
+ if (ret < 0) {
+ return ret;
+ }
+ }
+
if (s->refcount_bits != refcount_bits) {
int refcount_order = ctz32(refcount_bits);
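Review bot: `if (!amend_opts_dict) { return -EINVAL; }` is dead code, because `qcow2_extract_crypto_opts` as added in this patch has no NULL-returning path and never sets `errp` — if it ever did return NULL, the caller would fail with no error message; drop the check or make the helper actually report through `errp`. More importantly for operators, the keyslot update is committed to the LUKS header by `qcrypto_block_amend_options` before the refcount-order change and any downgrade run, so a failure in those later steps leaves the new key state in place while the amend as a whole reports failure; a comment at the top of the block should say so: `/* Not transactional: a keyslot change is persisted here even if a later amend step fails. */`. Whether `old-secret`/`new-secret` are secret-object IDs rather than inline passwords is not visible in this hunk; if they are IDs, the option help text should say "secret ID" so users are not tempted to pass the password itself on the command line. The enclosing `qcow2_amend_options` continues past the hunk.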
@@ -5538,6 +5587,11 @@ static QemuOptsList qcow2_amend_opts = {
.name = "qcow2-amend-opts",
.head = QTAILQ_HEAD_INITIALIZER(qcow2_amend_opts.head),
.desc = {
+ BLOCK_CRYPTO_OPT_DEF_LUKS_STATE("encrypt."),
+ BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT("encrypt."),
+ BLOCK_CRYPTO_OPT_DEF_LUKS_OLD_SECRET("encrypt."),
+ BLOCK_CRYPTO_OPT_DEF_LUKS_NEW_SECRET("encrypt."),
+ BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME("encrypt."),
QCOW_COMMON_OPTIONS,
{ /* end of list */ }
}
diff --git a/tests/qemu-iotests/082.out b/tests/qemu-iotests/082.out
index c68458da8c..6558f38ba8 100644
--- a/tests/qemu-iotests/082.out
+++ b/tests/qemu-iotests/082.out
@@ -620,6 +620,11 @@ Amend options for 'qcow2':
compat=<str> - Compatibility level (v2 [0.10] or v3 [1.1])
data_file=<str> - File name of an external data file
data_file_raw=<bool (on/off)> - The external data file must stay valid as a raw image
+ encrypt.iter-time=<num> - Time to spend in PBKDF in milliseconds
+ encrypt.keyslot=<num> - Select a single keyslot to modify explicitly
+ encrypt.new-secret=<str> - New secret to set in the matching keyslots. Empty string to erase
+ encrypt.old-secret=<str> - Select all keyslots that match this password
+ encrypt.state=<str> - Select new state of affected keyslots (active/inactive)
lazy_refcounts=<bool (on/off)> - Postpone refcount updates
refcount_bits=<num> - Width of a reference count entry in bits
size=<size> - Virtual disk size
@@ -631,6 +636,11 @@ Amend options for 'qcow2':
compat=<str> - Compatibility level (v2 [0.10] or v3 [1.1])
data_file=<str> - File name of an external data file
data_file_raw=<bool (on/off)> - The external data file must stay valid as a raw image
+ encrypt.iter-time=<num> - Time to spend in PBKDF in milliseconds
+ encrypt.keyslot=<num> - Select a single keyslot to modify explicitly
+ encrypt.new-secret=<str> - New secret to set in the matching keyslots. Empty string to erase
+ encrypt.old-secret=<str> - Select all keyslots that match this password
+ encrypt.state=<str> - Select new state of affected keyslots (active/inactive)
lazy_refcounts=<bool (on/off)> - Postpone refcount updates
refcount_bits=<num> - Width of a reference count entry in bits
size=<size> - Virtual disk size
@@ -642,6 +652,11 @@ Amend options for 'qcow2':
compat=<str> - Compatibility level (v2 [0.10] or v3 [1.1])
data_file=<str> - File name of an external data file
data_file_raw=<bool (on/off)> - The external data file must stay valid as a raw image
+ encrypt.iter-time=<num> - Time to spend in PBKDF in milliseconds
+ encrypt.keyslot=<num> - Select a single keyslot to modify explicitly
+ encrypt.new-secret=<str> - New secret to set in the matching keyslots. Empty string to erase
+ encrypt.old-secret=<str> - Select all keyslots that match this password
+ encrypt.state=<str> - Select new state of affected keyslots (active/inactive)
lazy_refcounts=<bool (on/off)> - Postpone refcount updates
refcount_bits=<num> - Width of a reference count entry in bits
size=<size> - Virtual disk size
@@ -653,6 +668,11 @@ Amend options for 'qcow2':
compat=<str> - Compatibility level (v2 [0.10] or v3 [1.1])
data_file=<str> - File name of an external data file
data_file_raw=<bool (on/off)> - The external data file must stay valid as a raw image
+ encrypt.iter-time=<num> - Time to spend in PBKDF in milliseconds
+ encrypt.keyslot=<num> - Select a single keyslot to modify explicitly
+ encrypt.new-secret=<str> - New secret to set in the matching keyslots. Empty string to erase
+ encrypt.old-secret=<str> - Select all keyslots that match this password
+ encrypt.state=<str> - Select new state of affected keyslots (active/inactive)
lazy_refcounts=<bool (on/off)> - Postpone refcount updates
refcount_bits=<num> - Width of a reference count entry in bits
size=<size> - Virtual disk size
@@ -664,6 +684,11 @@ Amend options for 'qcow2':
compat=<str> - Compatibility level (v2 [0.10] or v3 [1.1])
data_file=<str> - File name of an external data file
data_file_raw=<bool (on/off)> - The external data file must stay valid as a raw image
+ encrypt.iter-time=<num> - Time to spend in PBKDF in milliseconds
+ encrypt.keyslot=<num> - Select a single keyslot to modify explicitly
+ encrypt.new-secret=<str> - New secret to set in the matching keyslots. Empty string to erase
+ encrypt.old-secret=<str> - Select all keyslots that match this password
+ encrypt.state=<str> - Select new state of affected keyslots (active/inactive)
lazy_refcounts=<bool (on/off)> - Postpone refcount updates
refcount_bits=<num> - Width of a reference count entry in bits
size=<size> - Virtual disk size
@@ -675,6 +700,11 @@ Amend options for 'qcow2':
compat=<str> - Compatibility level (v2 [0.10] or v3 [1.1])
data_file=<str> - File name of an external data file
data_file_raw=<bool (on/off)> - The external data file must stay valid as a raw image
+ encrypt.iter-time=<num> - Time to spend in PBKDF in milliseconds
+ encrypt.keyslot=<num> - Select a single keyslot to modify explicitly
+ encrypt.new-secret=<str> - New secret to set in the matching keyslots. Empty string to erase
+ encrypt.old-secret=<str> - Select all keyslots that match this password
+ encrypt.state=<str> - Select new state of affected keyslots (active/inactive)
lazy_refcounts=<bool (on/off)> - Postpone refcount updates
refcount_bits=<num> - Width of a reference count entry in bits
size=<size> - Virtual disk size
@@ -686,6 +716,11 @@ Amend options for 'qcow2':
compat=<str> - Compatibility level (v2 [0.10] or v3 [1.1])
data_file=<str> - File name of an external data file
data_file_raw=<bool (on/off)> - The external data file must stay valid as a raw image
+ encrypt.iter-time=<num> - Time to spend in PBKDF in milliseconds
+ encrypt.keyslot=<num> - Select a single keyslot to modify explicitly
+ encrypt.new-secret=<str> - New secret to set in the matching keyslots. Empty string to erase
+ encrypt.old-secret=<str> - Select all keyslots that match this password
+ encrypt.state=<str> - Select new state of affected keyslots (active/inactive)
lazy_refcounts=<bool (on/off)> - Postpone refcount updates
refcount_bits=<num> - Width of a reference count entry in bits
size=<size> - Virtual disk size
@@ -697,6 +732,11 @@ Amend options for 'qcow2':
compat=<str> - Compatibility level (v2 [0.10] or v3 [1.1])
data_file=<str> - File name of an external data file
data_file_raw=<bool (on/off)> - The external data file must stay valid as a raw image
+ encrypt.iter-time=<num> - Time to spend in PBKDF in milliseconds
+ encrypt.keyslot=<num> - Select a single keyslot to modify explicitly
+ encrypt.new-secret=<str> - New secret to set in the matching keyslots. Empty string to erase
+ encrypt.old-secret=<str> - Select all keyslots that match this password
+ encrypt.state=<str> - Select new state of affected keyslots (active/inactive)
lazy_refcounts=<bool (on/off)> - Postpone refcount updates
refcount_bits=<num> - Width of a reference count entry in bits
size=<size> - Virtual disk size
@@ -725,6 +765,11 @@ Amend options for 'qcow2':
compat=<str> - Compatibility level (v2 [0.10] or v3 [1.1])
data_file=<str> - File name of an external data file
data_file_raw=<bool (on/off)> - The external data file must stay valid as a raw image
+ encrypt.iter-time=<num> - Time to spend in PBKDF in milliseconds
+ encrypt.keyslot=<num> - Select a single keyslot to modify explicitly
+ encrypt.new-secret=<str> - New secret to set in the matching keyslots. Empty string to erase
+ encrypt.old-secret=<str> - Select all keyslots that match this password
+ encrypt.state=<str> - Select new state of affected keyslots (active/inactive)
lazy_refcounts=<bool (on/off)> - Postpone refcount updates
refcount_bits=<num> - Width of a reference count entry in bits
size=<size> - Virtual disk size
--
2.17.2