Re: [Qemu-devel] [PATCH RFC 0/2] Limit support for encrypted images to qemu-img

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Markus Armbruster <armbru@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: kwolf@redhat.com, qemu-block@nongnu.org, qemu-devel@nongnu.org,
	stefanha@redhat.com, kraxel@redhat.com
Subject: Re: [Qemu-devel] [PATCH RFC 0/2] Limit support for encrypted images to qemu-img
Date: Wed, 11 Mar 2015 13:05:08 +0100	[thread overview]
Message-ID: <871tkvn3ij.fsf@blackfin.pond.sub.org> (raw)
In-Reply-To: <20150311095926.GC22609@redhat.com> (Daniel P. Berrange's message of "Wed, 11 Mar 2015 09:59:26 +0000")

"Daniel P. Berrange" <berrange@redhat.com> writes:

> On Wed, Mar 11, 2015 at 09:55:16AM +0100, Markus Armbruster wrote:
>> "Daniel P. Berrange" <berrange@redhat.com> writes:
[...]
>> > My only concern here is whether we've given users enough prior
>> > warning. While we added that doc change a year ago, what are the
>> > odds that anyone has actually read those docs & noticed the warning.
>> > Should we have one major release where we log a deprecation warning
>> > on stderr, informing users of an explicit timeframe for its removal,
>> > before we actually use the big hammer of disabling it permanently ?
>> 
>> I'm fine with that.  In fact, I could agree to pretty much any
>> deprecation schedule, as long as we start it *now*.
>
> IIUC, the 2.3.0 major branch is targetted for end of this month,
> so we could put in code that issues a deprecation warning on
> stderr for 2.3.0, and then delete all this stuff when GIT master
> opens for 2.4.0 development ?

Let's do that.  Kevin, any objections?

>> > FWIW, I could see an improved interaction scheme working as follows
>> >
>> > First, introduce a new monitor command for setting named passwords,
>> >
>> >     add_key mykey1 SECRETDATA
>> >
>> > Now, extend the blockdev_add so that you can provide key names
>> > by adding
>> >
>> >     'keyname': 'mykey1'
>> >
>> > as a parameter in the json args.
>> 
>> Can you explain why that's better than sticking 'key': SECRETDATA right
>> into blockdev-add's arguments?
>
> Just have a small preference to keep passwords separated from the
> rest of the data, so when logging the stuff for debug purposes we
> don't compromise people's passwords quite so readily. It is more
> straightforward for us to mask out the passwords if we can just
> match on the command name, and not have to try to grok the specific
> field in a large set of args.

Makes sense.

>                                Also in terms of cold startup, it
> is not desirable to have the password directly included in the
> args to -drive or equiv, as that's visible in process listings.

The obvious command line use should prompt for the key.

A reasonably safe non-interactive way to start with an encrypted image
would be nice, but I haven't considered details.

[...]

next prev parent reply	other threads:[~2015-03-11 12:05 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-10 17:26 [Qemu-devel] [PATCH RFC 0/2] Limit support for encrypted images to qemu-img Markus Armbruster
2015-03-10 17:26 ` [Qemu-devel] [PATCH RFC 1/2] block: Limit opening of " Markus Armbruster
2015-03-10 18:15   ` Daniel P. Berrange
2015-03-11  8:57     ` Markus Armbruster
2015-03-10 18:21   ` Eric Blake
2015-03-11 10:14   ` Kevin Wolf
2015-03-11 11:59     ` Markus Armbruster
2015-03-11 12:22       ` Kevin Wolf
2015-03-10 17:26 ` [Qemu-devel] [PATCH RFC 2/2] block: Drop code supporting encryption outside qemu-img Markus Armbruster
2015-03-10 18:25   ` Eric Blake
2015-03-10 18:13 ` [Qemu-devel] [PATCH RFC 0/2] Limit support for encrypted images to qemu-img Daniel P. Berrange
2015-03-11  8:55   ` Markus Armbruster
2015-03-11  9:59     ` Daniel P. Berrange
2015-03-11 10:10       ` Kevin Wolf
2015-03-11 12:05       ` Markus Armbruster [this message]
2015-03-12 16:58   ` Paolo Bonzini
2015-03-13  8:26     ` Kevin Wolf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=871tkvn3ij.fsf@blackfin.pond.sub.org \
    --to=armbru@redhat.com \
    --cc=berrange@redhat.com \
    --cc=kraxel@redhat.com \
    --cc=kwolf@redhat.com \
    --cc=qemu-block@nongnu.org \
    --cc=qemu-devel@nongnu.org \
    --cc=stefanha@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.