From: "Daniel P. Berrange" <berrange@redhat.com>
To: Eric Blake <eblake@redhat.com>
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org,
Max Reitz <mreitz@redhat.com>, Kevin Wolf <kwolf@redhat.com>,
Alberto Garcia <berto@igalia.com>
Subject: Re: [Qemu-devel] [PATCH v6 13/18] qcow2: add support for LUKS encryption format
Date: Tue, 9 May 2017 15:05:38 +0100 [thread overview]
Message-ID: <20170509140538.GJ1669@redhat.com> (raw)
In-Reply-To: <b3f9f0dd-8925-4528-807e-3cf97a199298@redhat.com>
On Wed, Apr 26, 2017 at 12:46:18PM -0500, Eric Blake wrote:
> On 04/25/2017 10:38 AM, Daniel P. Berrange wrote:
> > This adds support for using LUKS as an encryption format
> > with the qcow2 file, using the new encrypt.format parameter
> > to request "luks" format. e.g.
> >
> > # qemu-img create --object secret,data=123456,id=sec0 \
> > -f qcow2 -o encrypt.-format=luks,encrypt.key-secret=sec0 \
>
> s/encrypt.-format/encrypt.format/
>
> > test.qcow2 10G
> >
>
> >
> > Aside from all the cryptographic differences implied by
> > use of the LUKS format, there is one further key difference
> > between the use of legacy AES and LUKS encryption in qcow2.
> > For LUKS, the initialiazation vectors are generated using
> > the host physical sector as the input, rather than the
> > guest virtual sector. This guarantees unique initialization
> > vectors for all sectors when qcow2 internal snapshots are
> > used, thus giving stronger protection against watermarking
> > attacks.
> >
> > Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> > ---
>
> > @@ -165,6 +246,47 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
> > }
> > break;
> >
> > + case QCOW2_EXT_MAGIC_CRYPTO_HEADER: {
> > + unsigned int cflags = 0;
> > + if (s->crypt_method_header != QCOW_CRYPT_LUKS) {
> > + error_setg(errp, "CRYPTO header extension only "
> > + "expected with LUKS encryption method");
> > + return -EINVAL;
> > + }
> > + if (ext.len != sizeof(Qcow2CryptoHeaderExtension)) {
> > + error_setg(errp, "CRYPTO header extension size %u, "
> > + "but expected size %zu", ext.len,
> > + sizeof(Qcow2CryptoHeaderExtension));
> > + return -EINVAL;
> > + }
> > +
> > + ret = bdrv_pread(bs->file, offset, &s->crypto_header, ext.len);
> > + if (ret < 0) {
> > + error_setg_errno(errp, -ret,
> > + "Unable to read CRYPTO header extension");
> > + return ret;
> > + }
> > + be64_to_cpus(&s->crypto_header.offset);
> > + be64_to_cpus(&s->crypto_header.length);
> > +
> > + if ((s->crypto_header.offset % s->cluster_size) != 0) {
> > + error_setg(errp, "Encryption header offset '%" PRIu64 "' is "
> > + "not a multiple of cluster size '%u'",
> > + s->crypto_header.offset, s->cluster_size);
> > + return -EINVAL;
> > + }
>
> Do we need to sanity check that crypto_header.length is not bogus?
The only sanity check I can see would be to put an arbitrary size limit
on the length ? I'm a little loathe to do that since LUKSv2 is going to
make the header extensible, and/or future LUKSv1 changes might adjust
padding, both making the header longer than it would be today. I would
like qemu-img to be able to open such future files, even if it then
refuses support for the features.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2017-05-09 14:05 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-25 15:38 [Qemu-devel] [PATCH v6 00/18]Convert QCow[2] to QCryptoBlock & add LUKS support Daniel P. Berrange
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 01/18] block: expose crypto option names / defs to other drivers Daniel P. Berrange
2017-04-26 13:26 ` Eric Blake
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 02/18] block: add ability to set a prefix for opt names Daniel P. Berrange
2017-04-26 13:28 ` Eric Blake
2017-04-26 13:50 ` Daniel P. Berrange
2017-04-26 14:12 ` Eric Blake
2017-04-26 14:13 ` Daniel P. Berrange
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 03/18] qcow: document another weakness of qcow AES encryption Daniel P. Berrange
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 04/18] qcow: require image size to be > 1 for new images Daniel P. Berrange
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 05/18] iotests: skip 042 with qcow which dosn't support zero sized images Daniel P. Berrange
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 06/18] iotests: skip 048 with qcow which doesn't support resize Daniel P. Berrange
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 07/18] block: deprecate "encryption=on" in favour of "encrypt.format=aes" Daniel P. Berrange
2017-04-26 14:14 ` Eric Blake
2017-05-11 12:55 ` Alberto Garcia
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 08/18] qcow: make encrypt_sectors encrypt in place Daniel P. Berrange
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 09/18] qcow: convert QCow to use QCryptoBlock for encryption Daniel P. Berrange
2017-04-26 15:12 ` Eric Blake
2017-05-11 14:05 ` Alberto Garcia
2017-05-11 14:09 ` Daniel P. Berrange
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 10/18] qcow2: make qcow2_encrypt_sectors encrypt in place Daniel P. Berrange
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 11/18] qcow2: convert QCow2 to use QCryptoBlock for encryption Daniel P. Berrange
2017-04-26 15:25 ` Eric Blake
2017-05-11 14:29 ` Alberto Garcia
2017-05-24 16:46 ` Daniel P. Berrange
2017-05-25 10:46 ` Alberto Garcia
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 12/18] qcow2: extend specification to cover LUKS encryption Daniel P. Berrange
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 13/18] qcow2: add support for LUKS encryption format Daniel P. Berrange
2017-04-26 17:46 ` Eric Blake
2017-05-09 14:05 ` Daniel P. Berrange [this message]
2017-05-11 14:44 ` Alberto Garcia
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 14/18] qcow2: add iotests to cover LUKS encryption support Daniel P. Berrange
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 15/18] iotests: enable tests 134 and 158 to work with qcow (v1) Daniel P. Berrange
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 16/18] block: rip out all traces of password prompting Daniel P. Berrange
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 17/18] block: remove all encryption handling APIs Daniel P. Berrange
2017-05-11 14:49 ` Alberto Garcia
2017-04-25 15:38 ` [Qemu-devel] [PATCH v6 18/18] block: pass option prefix down to crypto layer Daniel P. Berrange
2017-04-26 17:47 ` Eric Blake
2017-04-25 15:56 ` [Qemu-devel] [PATCH v6 00/18]Convert QCow[2] to QCryptoBlock & add LUKS support no-reply
2017-04-25 17:25 ` no-reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170509140538.GJ1669@redhat.com \
--to=berrange@redhat.com \
--cc=berto@igalia.com \
--cc=eblake@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).