From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:37670) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WL9G9-0000J5-4t for qemu-devel@nongnu.org; Wed, 05 Mar 2014 05:41:14 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WL9G3-00039y-IV for qemu-devel@nongnu.org; Wed, 05 Mar 2014 05:41:09 -0500 Received: from mail-qg0-x22d.google.com ([2607:f8b0:400d:c04::22d]:45961) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WL9G3-00039t-Dm for qemu-devel@nongnu.org; Wed, 05 Mar 2014 05:41:03 -0500 Received: by mail-qg0-f45.google.com with SMTP id j5so2417908qga.4 for ; Wed, 05 Mar 2014 02:41:02 -0800 (PST) Sender: Paolo Bonzini Message-ID: <5316FF3A.3050801@redhat.com> Date: Wed, 05 Mar 2014 11:40:58 +0100 From: Paolo Bonzini MIME-Version: 1.0 References: <87wqgflzno.fsf@blackfin.pond.sub.org> <20140303105837.GD4850@dhcp-200-207.str.redhat.com> <87zjl56nog.fsf@blackfin.pond.sub.org> <5316EF5F.2040003@suse.de> <87k3c9ylss.fsf@blackfin.pond.sub.org> In-Reply-To: <87k3c9ylss.fsf@blackfin.pond.sub.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Subject: Re: [Qemu-devel] The unholy encrypted image key mess List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Markus Armbruster , =?UTF-8?B?QW5kcmVhcyBGw6RyYmVy?= Cc: Kevin Wolf , qemu-devel@nongnu.org, Stefan Hajnoczi , Gerd Hoffmann Il 05/03/2014 11:36, Markus Armbruster ha scritto: > Andreas Färber writes: > >> Am 05.03.2014 09:43, schrieb Markus Armbruster: >>> Kevin Wolf writes: >>> >>>> 'change' is a bit trickier because it involves several low-level actions >>>> at once, and device_add is not one of them. >>> >>> The problem is that it can run while a device model is attached. >> >> What exactly is the problem here? 'change' is for floppy and CD, right? >> The device stays realized/connected and guest-visible during that time, >> and the guest should be able to live with no media while the new drive >> is not yet decrypted. Are we just lacking a QMP command to enter the >> password and complete the change while the guest is executing? > > Here's how change works (both HMP and QMP): > > 1. bdrv_close(); now we have no medium. > > 2. If a device model is attached, tell it the medium has been ejected. > A device model supporting notification (anything but floppy, I guess) > in turn notifies the guest. > > 3. bdrv_open(); now we again have a medium, we're in state NOKEY if the > image is unencrypted, and in state NEEDKEY if it's encrypted. > > 4. Only in state NOKEY: if a device model is attached, tell it a medium > has been loaded. A device model supporting notification in turn > notifies the guest. > > 5. Only in state NEEDKEY: > > If QMP, fail the command with error DeviceEncrypted. > > If HMP, prompt user for password. > > In QMP, the client needs to follow up with a block_passwd command. In > HMP, the user neeeds to enter a password. In both cases, time passes, > guest can run, and even other monitor commands can be executed, possibly > in other monitors. When the password arrives: > > 7. Set the key, state is now GOTKEY. > > 8. If a device model is attached, tell it a medium has been loaded. A > device model supporting notification in turn notifies the guest. > > Shit happens for encrypted images if anything reads or writes between > 3. and 8. You could use bdrv_new before step 3, to open the new medium on a new temporary BDS. Then before step 8 you use bdrv_swap and delete the temporary BDS. Paolo