From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Hanna Reitz" <hreitz@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Cleber Rosa" <crosa@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Eric Blake" <eblake@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Eduardo Habkost" <eduardo@habkost.net>,
"Stefan Weil" <sw@weilnetz.de>, "Kevin Wolf" <kwolf@redhat.com>,
"Thomas Huth" <thuth@redhat.com>,
"Hyman Huang" <yong.huang@smartx.com>,
"Richard Henderson" <richard.henderson@linaro.org>,
"John Snow" <jsnow@redhat.com>,
qemu-block@nongnu.org, "Daniel P. Berrangé" <berrange@redhat.com>
Subject: [PULL 15/17] block: Support detached LUKS header creation using qemu-img
Date: Fri, 9 Feb 2024 14:05:03 +0000
Message-ID: <20240209140505.2536635-16-berrange@redhat.com>
In-Reply-To: <20240209140505.2536635-1-berrange@redhat.com>
From: Hyman Huang <yong.huang@smartx.com>
Even though a LUKS header might be created with cryptsetup,
qemu-img should be enhanced to accommodate it as well.
Add the 'detached-header' option to specify the creation of
a detached LUKS header. This is how it is used:
$ qemu-img create --object secret,id=sec0,data=abc123 -f luks
> -o cipher-alg=aes-256,cipher-mode=xts -o key-secret=sec0
> -o detached-header=true header.luks
Using qemu-img or cryptsetup tools to query information of
a LUKS header image as follows:
Assume a detached LUKS header image has been created by:
$ dd if=/dev/zero of=test-header.img bs=1M count=32
$ dd if=/dev/zero of=test-payload.img bs=1M count=1000
$ cryptsetup luksFormat --header test-header.img test-payload.img
> --force-password --type luks1
Header image information could be queried using cryptsetup:
$ cryptsetup luksDump test-header.img
or qemu-img:
$ qemu-img info 'json:{"driver":"luks","file":{"filename":
> "test-payload.img"},"header":{"filename":"test-header.img"}}'
When using qemu-img, keep in mind that the entire disk
information specified by the JSON-format string above must be
supplied on the command line; if not, an overlay check will reveal
a problem with the LUKS volume check logic.
Signed-off-by: Hyman Huang <yong.huang@smartx.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
[changed to pass 'cflags' to block_crypto_co_create_generic]
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
block.c | 5 ++++-
block/crypto.c | 12 ++++++++++--
block/crypto.h | 8 ++++++++
qapi/crypto.json | 5 ++++-
4 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/block.c b/block.c
index 30afdcbba6..1ed9214f66 100644
--- a/block.c
+++ b/block.c
@@ -7357,7 +7357,10 @@ void bdrv_img_create(const char *filename, const char *fmt,
goto out;
}
- if (size == -1) {
+ /* Parameter 'size' is not needed for detached LUKS header */
+ if (size == -1 &&
+ !(!strcmp(fmt, "luks") &&
+ qemu_opt_get_bool(opts, "detached-header", false))) {
error_setg(errp, "Image creation needs a size parameter");
goto out;
}
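Review bot: the doubly negated condition `!(!strcmp(fmt, "luks") && qemu_opt_get_bool(opts, "detached-header", false))` in this hunk is hard to read at a glance; hoisting it into a named local before the check, e.g. `bool luks_detached_hdr = !strcmp(fmt, "luks") && qemu_opt_get_bool(opts, "detached-header", false);` and then `if (size == -1 && !luks_detached_hdr)`, keeps the same behaviour (the option is only consulted for the luks format) and reads as the comment describes. Note also that this check only relaxes the missing-size error; it does not reject a size that was given together with detached-header=true, and the block/crypto.c hunk below then silently replaces that size with 0, so an explicit error for the size-plus-detached-header combination would be friendlier to users here.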
diff --git a/block/crypto.c b/block/crypto.c
index 8e7ee5e9ac..21eed909c1 100644
--- a/block/crypto.c
+++ b/block/crypto.c
@@ -231,6 +231,7 @@ static QemuOptsList block_crypto_create_opts_luks = {
BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_HASH_ALG(""),
BLOCK_CRYPTO_OPT_DEF_LUKS_HASH_ALG(""),
BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME(""),
+ BLOCK_CRYPTO_OPT_DEF_LUKS_DETACHED_HEADER(""),
{ /* end of list */ }
},
};
@@ -405,7 +406,7 @@ block_crypto_co_create_generic(BlockDriverState *bs, int64_t size,
data = (struct BlockCryptoCreateData) {
.blk = blk,
- .size = size,
+ .size = flags & QCRYPTO_BLOCK_CREATE_DETACHED ? 0 : size,
.prealloc = prealloc,
};
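Review bot: `.size = flags & QCRYPTO_BLOCK_CREATE_DETACHED ? 0 : size,` is correct as written since `&` binds tighter than `?:`, but parenthesising the mask, `(flags & QCRYPTO_BLOCK_CREATE_DETACHED) ? 0 : size`, is the usual convention and avoids the reader having to recall precedence. More substantively, a caller-supplied size is discarded without any diagnostic when the flag is set; since `size` is still passed in by the caller, either the caller should refuse a non-default size with a detached header, or a comment on this line should state that the payload size is intentionally ignored for header-only images.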
@@ -791,6 +792,9 @@ block_crypto_co_create_opts_luks(BlockDriver *drv, const char *filename,
PreallocMode prealloc;
char *buf = NULL;
int64_t size;
+ bool detached_hdr =
+ qemu_opt_get_bool(opts, "detached-header", false);
+ unsigned int cflags = 0;
int ret;
Error *local_err = NULL;
@@ -830,9 +834,13 @@ block_crypto_co_create_opts_luks(BlockDriver *drv, const char *filename,
goto fail;
}
+ if (detached_hdr) {
+ cflags |= QCRYPTO_BLOCK_CREATE_DETACHED;
+ }
+
/* Create format layer */
ret = block_crypto_co_create_generic(bs, size, create_opts,
- prealloc, 0, errp);
+ prealloc, cflags, errp);
if (ret < 0) {
goto fail;
}
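Review bot: style only: `detached_hdr` is read exactly once, to set the flag, so the three-line `if (detached_hdr) { cflags |= QCRYPTO_BLOCK_CREATE_DETACHED; }` could collapse into the declaration, `unsigned int cflags = qemu_opt_get_bool(opts, "detached-header", false) ? QCRYPTO_BLOCK_CREATE_DETACHED : 0;`, dropping the extra local. Either form is fine if the maintainers prefer the explicit if for readability.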
diff --git a/block/crypto.h b/block/crypto.h
index 72e792c9af..dc3d2d5ed9 100644
--- a/block/crypto.h
+++ b/block/crypto.h
@@ -41,6 +41,7 @@
#define BLOCK_CRYPTO_OPT_LUKS_IVGEN_HASH_ALG "ivgen-hash-alg"
#define BLOCK_CRYPTO_OPT_LUKS_HASH_ALG "hash-alg"
#define BLOCK_CRYPTO_OPT_LUKS_ITER_TIME "iter-time"
+#define BLOCK_CRYPTO_OPT_LUKS_DETACHED_HEADER "detached-header"
#define BLOCK_CRYPTO_OPT_LUKS_KEYSLOT "keyslot"
#define BLOCK_CRYPTO_OPT_LUKS_STATE "state"
#define BLOCK_CRYPTO_OPT_LUKS_OLD_SECRET "old-secret"
@@ -100,6 +101,13 @@
.help = "Select new state of affected keyslots (active/inactive)",\
}
+#define BLOCK_CRYPTO_OPT_DEF_LUKS_DETACHED_HEADER(prefix) \
+ { \
+ .name = prefix BLOCK_CRYPTO_OPT_LUKS_DETACHED_HEADER, \
+ .type = QEMU_OPT_BOOL, \
+ .help = "Create a detached LUKS header", \
+ }
+
#define BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT(prefix) \
{ \
.name = prefix BLOCK_CRYPTO_OPT_LUKS_KEYSLOT, \
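Review bot: the new option definition has no `.def_value_str`, so the default is false, which matches the `qemu_opt_get_bool(opts, "detached-header", false)` callers in the block.c and block/crypto.c hunks; it would help users of `qemu-img create -f luks -o help` if the `.help` string also said that the size option is not required (and is not applied to the image) when this is set to true.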
diff --git a/qapi/crypto.json b/qapi/crypto.json
index 2f2aeff5fd..22c6cce3ae 100644
--- a/qapi/crypto.json
+++ b/qapi/crypto.json
@@ -226,6 +226,8 @@
# @iter-time: number of milliseconds to spend in PBKDF passphrase
# processing. Currently defaults to 2000. (since 2.8)
#
+# @detached-header: create a detached LUKS header. (since 9.0)
+#
# Since: 2.6
##
{ 'struct': 'QCryptoBlockCreateOptionsLUKS',
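Review bot: the new doc comment `# @detached-header: create a detached LUKS header. (since 9.0)` does not state the default for this optional boolean, while the neighbouring `@iter-time` entry does document its default; please add "(default: false)" and a sentence noting that no image size is needed when it is true, so the QMP reference matches what the block.c hunk enforces.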
@@ -235,7 +237,8 @@
'*ivgen-alg': 'QCryptoIVGenAlgorithm',
'*ivgen-hash-alg': 'QCryptoHashAlgorithm',
'*hash-alg': 'QCryptoHashAlgorithm',
- '*iter-time': 'int'}}
+ '*iter-time': 'int',
+ '*detached-header': 'bool'}}
##
# @QCryptoBlockOpenOptions:
--
2.43.0