Message-ID: <54FF3623.8040209@redhat.com>
Date: Tue, 10 Mar 2015 12:21:23 -0600
From: Eric Blake
References: <1426008400-22016-1-git-send-email-armbru@redhat.com> <1426008400-22016-2-git-send-email-armbru@redhat.com>
In-Reply-To: <1426008400-22016-2-git-send-email-armbru@redhat.com>
Subject: Re: [Qemu-devel] [PATCH RFC 1/2] block: Limit opening of encrypted images to qemu-img
To: Markus Armbruster, qemu-devel@nongnu.org
Cc: kwolf@redhat.com, stefanha@redhat.com, qemu-block@nongnu.org, kraxel@redhat.com

On 03/10/2015 11:26 AM, Markus Armbruster wrote:
> Signed-off-by: Markus Armbruster > --- > block/qcow.c | 5 +++++ > block/qcow2.c | 5 +++++ > include/block/block.h | 3 +-- > qemu-img.c | 1 + > 4 files changed, 12 insertions(+), 2 deletions(-) >=20 > diff --git a/block/qcow.c b/block/qcow.c > index 0558969..f54fc86 100644 > --- a/block/qcow.c > +++ b/block/qcow.c
> @@ -155,6 +155,11 @@ static int qcow_open(BlockDriverState *bs, QDict *= options, int flags, > } > s->crypt_method_header =3D header.crypt_method; > if (s->crypt_method_header) { > + if (!(flags & BDRV_O_CRYPT_OK)) { > + error_setg(errp, "image is encrypted, use qemu-img to decr= ypt it"); > + ret =3D -EINVAL; > + goto fail; > + } > bs->encrypted =3D 1;

I think this message will make it nicely through to libvirt, if libvirt still tries to use encryption (although I didn't actually test it, as qcow2 encryption is so broken that I've never actually tried using it).

More importantly, patch 2/2 does something that can be observed via 'query-commands' introspection, so that newer libvirt can be made smart enough to not even attempt to use encrypted images.

Reviewed-by: Eric Blake

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
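Review bot: The new `!(flags & BDRV_O_CRYPT_OK)` branch in qcow_open() fails with -EINVAL, the generic invalid-argument code, although the image itself is valid and is only being refused by policy. A more specific errno such as -ENOTSUP would let callers that inspect the return value tell "encrypted image refused here" apart from a bad header without matching on the error_setg() string. The commit message carries only a Signed-off-by line, so the reason for limiting encrypted images to qemu-img, and the fact that the remedy offered to users is to decrypt with qemu-img, should be stated there. The diffstat shows the same five-line addition in block/qcow2.c, so the same points apply to that copy, and the two error strings should be kept identical so that management tools see one wording.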