From: "Daniel P. Berrange" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, Eric Blake <eblake@redhat.com>,
Max Reitz <mreitz@redhat.com>, Kevin Wolf <kwolf@redhat.com>,
Alberto Garcia <berto@igalia.com>,
"Daniel P. Berrange" <berrange@redhat.com>
Subject: [Qemu-devel] [PATCH v10 01/20] block: expose crypto option names / defs to other drivers
Date: Fri, 23 Jun 2017 17:24:00 +0100 [thread overview]
Message-ID: <20170623162419.26068-2-berrange@redhat.com> (raw)
In-Reply-To: <20170623162419.26068-1-berrange@redhat.com>
The block/crypto.c defines a set of QemuOpts that provide
parameters for encryption. This will also be needed by
the qcow/qcow2 integration, so expose the relevant pieces
in a new block/crypto.h header. Some helper methods taking
QemuOpts are changed to take QDict to simplify usage in
other places.
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
block/crypto.c | 82 +++++++++++++++++-----------------------------------
block/crypto.h | 91 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 117 insertions(+), 56 deletions(-)
create mode 100644 block/crypto.h
diff --git a/block/crypto.c b/block/crypto.c
index 10e5ddc..ea40ba4 100644
--- a/block/crypto.c
+++ b/block/crypto.c
@@ -24,16 +24,10 @@
#include "sysemu/block-backend.h"
#include "crypto/block.h"
#include "qapi/opts-visitor.h"
+#include "qapi/qobject-input-visitor.h"
#include "qapi-visit.h"
#include "qapi/error.h"
-
-#define BLOCK_CRYPTO_OPT_LUKS_KEY_SECRET "key-secret"
-#define BLOCK_CRYPTO_OPT_LUKS_CIPHER_ALG "cipher-alg"
-#define BLOCK_CRYPTO_OPT_LUKS_CIPHER_MODE "cipher-mode"
-#define BLOCK_CRYPTO_OPT_LUKS_IVGEN_ALG "ivgen-alg"
-#define BLOCK_CRYPTO_OPT_LUKS_IVGEN_HASH_ALG "ivgen-hash-alg"
-#define BLOCK_CRYPTO_OPT_LUKS_HASH_ALG "hash-alg"
-#define BLOCK_CRYPTO_OPT_LUKS_ITER_TIME "iter-time"
+#include "block/crypto.h"
typedef struct BlockCrypto BlockCrypto;
@@ -135,11 +129,7 @@ static QemuOptsList block_crypto_runtime_opts_luks = {
.name = "crypto",
.head = QTAILQ_HEAD_INITIALIZER(block_crypto_runtime_opts_luks.head),
.desc = {
- {
- .name = BLOCK_CRYPTO_OPT_LUKS_KEY_SECRET,
- .type = QEMU_OPT_STRING,
- .help = "ID of the secret that provides the encryption key",
- },
+ BLOCK_CRYPTO_OPT_DEF_LUKS_KEY_SECRET,
{ /* end of list */ }
},
};
@@ -154,49 +144,21 @@ static QemuOptsList block_crypto_create_opts_luks = {
.type = QEMU_OPT_SIZE,
.help = "Virtual disk size"
},
- {
- .name = BLOCK_CRYPTO_OPT_LUKS_KEY_SECRET,
- .type = QEMU_OPT_STRING,
- .help = "ID of the secret that provides the encryption key",
- },
- {
- .name = BLOCK_CRYPTO_OPT_LUKS_CIPHER_ALG,
- .type = QEMU_OPT_STRING,
- .help = "Name of encryption cipher algorithm",
- },
- {
- .name = BLOCK_CRYPTO_OPT_LUKS_CIPHER_MODE,
- .type = QEMU_OPT_STRING,
- .help = "Name of encryption cipher mode",
- },
- {
- .name = BLOCK_CRYPTO_OPT_LUKS_IVGEN_ALG,
- .type = QEMU_OPT_STRING,
- .help = "Name of IV generator algorithm",
- },
- {
- .name = BLOCK_CRYPTO_OPT_LUKS_IVGEN_HASH_ALG,
- .type = QEMU_OPT_STRING,
- .help = "Name of IV generator hash algorithm",
- },
- {
- .name = BLOCK_CRYPTO_OPT_LUKS_HASH_ALG,
- .type = QEMU_OPT_STRING,
- .help = "Name of encryption hash algorithm",
- },
- {
- .name = BLOCK_CRYPTO_OPT_LUKS_ITER_TIME,
- .type = QEMU_OPT_NUMBER,
- .help = "Time to spend in PBKDF in milliseconds",
- },
+ BLOCK_CRYPTO_OPT_DEF_LUKS_KEY_SECRET,
+ BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_ALG,
+ BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_MODE,
+ BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_ALG,
+ BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_HASH_ALG,
+ BLOCK_CRYPTO_OPT_DEF_LUKS_HASH_ALG,
+ BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME,
{ /* end of list */ }
},
};
-static QCryptoBlockOpenOptions *
+QCryptoBlockOpenOptions *
block_crypto_open_opts_init(QCryptoBlockFormat format,
- QemuOpts *opts,
+ QDict *opts,
Error **errp)
{
Visitor *v;
@@ -206,7 +168,7 @@ block_crypto_open_opts_init(QCryptoBlockFormat format,
ret = g_new0(QCryptoBlockOpenOptions, 1);
ret->format = format;
- v = opts_visitor_new(opts);
+ v = qobject_input_visitor_new_keyval(QOBJECT(opts));
visit_start_struct(v, NULL, NULL, 0, &local_err);
if (local_err) {
@@ -240,9 +202,9 @@ block_crypto_open_opts_init(QCryptoBlockFormat format,
}
-static QCryptoBlockCreateOptions *
+QCryptoBlockCreateOptions *
block_crypto_create_opts_init(QCryptoBlockFormat format,
- QemuOpts *opts,
+ QDict *opts,
Error **errp)
{
Visitor *v;
@@ -252,7 +214,7 @@ block_crypto_create_opts_init(QCryptoBlockFormat format,
ret = g_new0(QCryptoBlockCreateOptions, 1);
ret->format = format;
- v = opts_visitor_new(opts);
+ v = qobject_input_visitor_new_keyval(QOBJECT(opts));
visit_start_struct(v, NULL, NULL, 0, &local_err);
if (local_err) {
@@ -299,6 +261,7 @@ static int block_crypto_open_generic(QCryptoBlockFormat format,
int ret = -EINVAL;
QCryptoBlockOpenOptions *open_opts = NULL;
unsigned int cflags = 0;
+ QDict *cryptoopts = NULL;
bs->file = bdrv_open_child(NULL, options, "file", bs, &child_file,
false, errp);
@@ -313,7 +276,9 @@ static int block_crypto_open_generic(QCryptoBlockFormat format,
goto cleanup;
}
- open_opts = block_crypto_open_opts_init(format, opts, errp);
+ cryptoopts = qemu_opts_to_qdict(opts, NULL);
+
+ open_opts = block_crypto_open_opts_init(format, cryptoopts, errp);
if (!open_opts) {
goto cleanup;
}
@@ -337,6 +302,7 @@ static int block_crypto_open_generic(QCryptoBlockFormat format,
ret = 0;
cleanup:
+ QDECREF(cryptoopts);
qapi_free_QCryptoBlockOpenOptions(open_opts);
return ret;
}
@@ -356,8 +322,11 @@ static int block_crypto_create_generic(QCryptoBlockFormat format,
.opts = opts,
.filename = filename,
};
+ QDict *cryptoopts;
+
+ cryptoopts = qemu_opts_to_qdict(opts, NULL);
- create_opts = block_crypto_create_opts_init(format, opts, errp);
+ create_opts = block_crypto_create_opts_init(format, cryptoopts, errp);
if (!create_opts) {
return -1;
}
@@ -375,6 +344,7 @@ static int block_crypto_create_generic(QCryptoBlockFormat format,
ret = 0;
cleanup:
+ QDECREF(cryptoopts);
qcrypto_block_free(crypto);
blk_unref(data.blk);
qapi_free_QCryptoBlockCreateOptions(create_opts);
diff --git a/block/crypto.h b/block/crypto.h
new file mode 100644
index 0000000..c0e9b54
--- /dev/null
+++ b/block/crypto.h
@@ -0,0 +1,91 @@
+/*
+ * QEMU block full disk encryption
+ *
+ * Copyright (c) 2015-2017 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef BLOCK_CRYPTO_H__
+#define BLOCK_CRYPTO_H__
+
+#define BLOCK_CRYPTO_OPT_LUKS_KEY_SECRET "key-secret"
+#define BLOCK_CRYPTO_OPT_LUKS_CIPHER_ALG "cipher-alg"
+#define BLOCK_CRYPTO_OPT_LUKS_CIPHER_MODE "cipher-mode"
+#define BLOCK_CRYPTO_OPT_LUKS_IVGEN_ALG "ivgen-alg"
+#define BLOCK_CRYPTO_OPT_LUKS_IVGEN_HASH_ALG "ivgen-hash-alg"
+#define BLOCK_CRYPTO_OPT_LUKS_HASH_ALG "hash-alg"
+#define BLOCK_CRYPTO_OPT_LUKS_ITER_TIME "iter-time"
+
+#define BLOCK_CRYPTO_OPT_DEF_LUKS_KEY_SECRET \
+ { \
+ .name = BLOCK_CRYPTO_OPT_LUKS_KEY_SECRET, \
+ .type = QEMU_OPT_STRING, \
+ .help = "ID of the secret that provides the keyslot passphrase", \
+ }
+
+#define BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_ALG \
+ { \
+ .name = BLOCK_CRYPTO_OPT_LUKS_CIPHER_ALG, \
+ .type = QEMU_OPT_STRING, \
+ .help = "Name of encryption cipher algorithm", \
+ }
+
+#define BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_MODE \
+ { \
+ .name = BLOCK_CRYPTO_OPT_LUKS_CIPHER_MODE, \
+ .type = QEMU_OPT_STRING, \
+ .help = "Name of encryption cipher mode", \
+ }
+
+#define BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_ALG \
+ { \
+ .name = BLOCK_CRYPTO_OPT_LUKS_IVGEN_ALG, \
+ .type = QEMU_OPT_STRING, \
+ .help = "Name of IV generator algorithm", \
+ }
+
+#define BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_HASH_ALG \
+ { \
+ .name = BLOCK_CRYPTO_OPT_LUKS_IVGEN_HASH_ALG, \
+ .type = QEMU_OPT_STRING, \
+ .help = "Name of IV generator hash algorithm", \
+ }
+
+#define BLOCK_CRYPTO_OPT_DEF_LUKS_HASH_ALG \
+ { \
+ .name = BLOCK_CRYPTO_OPT_LUKS_HASH_ALG, \
+ .type = QEMU_OPT_STRING, \
+ .help = "Name of encryption hash algorithm", \
+ }
+
+#define BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME \
+ { \
+ .name = BLOCK_CRYPTO_OPT_LUKS_ITER_TIME, \
+ .type = QEMU_OPT_NUMBER, \
+ .help = "Time to spend in PBKDF in milliseconds", \
+ }
+
+QCryptoBlockCreateOptions *
+block_crypto_create_opts_init(QCryptoBlockFormat format,
+ QDict *opts,
+ Error **errp);
+
+QCryptoBlockOpenOptions *
+block_crypto_open_opts_init(QCryptoBlockFormat format,
+ QDict *opts,
+ Error **errp);
+
+#endif /* BLOCK_CRYPTO_H__ */
--
2.9.3
next prev parent reply other threads:[~2017-06-23 16:24 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-23 16:23 [Qemu-devel] [PATCH v10 00/20] Convert QCow[2] to QCryptoBlock & add LUKS support Daniel P. Berrange
2017-06-23 16:24 ` Daniel P. Berrange [this message]
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 02/20] block: add ability to set a prefix for opt names Daniel P. Berrange
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 03/20] qcow: document another weakness of qcow AES encryption Daniel P. Berrange
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 04/20] qcow: require image size to be > 1 for new images Daniel P. Berrange
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 05/20] iotests: skip 042 with qcow which dosn't support zero sized images Daniel P. Berrange
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 06/20] iotests: skip 048 with qcow which doesn't support resize Daniel P. Berrange
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 07/20] block: deprecate "encryption=on" in favor of "encrypt.format=aes" Daniel P. Berrange
2017-06-26 13:18 ` Alberto Garcia
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 08/20] qcow: make encrypt_sectors encrypt in place Daniel P. Berrange
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 09/20] qcow: convert QCow to use QCryptoBlock for encryption Daniel P. Berrange
2017-06-26 10:07 ` Alberto Garcia
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 10/20] qcow2: make qcow2_encrypt_sectors encrypt in place Daniel P. Berrange
2017-06-26 13:24 ` Alberto Garcia
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 11/20] qcow2: convert QCow2 to use QCryptoBlock for encryption Daniel P. Berrange
2017-06-26 13:26 ` Alberto Garcia
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 12/20] qcow2: extend specification to cover LUKS encryption Daniel P. Berrange
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 13/20] qcow2: add support for LUKS encryption format Daniel P. Berrange
2017-06-26 13:28 ` Alberto Garcia
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 14/20] qcow2: add iotests to cover LUKS encryption support Daniel P. Berrange
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 15/20] iotests: enable tests 134 and 158 to work with qcow (v1) Daniel P. Berrange
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 16/20] block: rip out all traces of password prompting Daniel P. Berrange
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 17/20] block: remove all encryption handling APIs Daniel P. Berrange
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 18/20] block: pass option prefix down to crypto layer Daniel P. Berrange
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 19/20] qcow2: report encryption specific image information Daniel P. Berrange
2017-06-23 16:24 ` [Qemu-devel] [PATCH v10 20/20] docs: document encryption options for qcow, qcow2 and luks Daniel P. Berrange
2017-06-26 19:20 ` [Qemu-devel] [PATCH v10 00/20] Convert QCow[2] to QCryptoBlock & add LUKS support Max Reitz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170623162419.26068-2-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=berto@igalia.com \
--cc=eblake@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).