From: Gonglei <arei.gonglei@huawei.com>
To: "Daniel P. Berrange" <berrange@redhat.com>, qemu-devel@nongnu.org
Cc: Kevin Wolf <kwolf@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Gerd Hoffmann <kraxel@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations
Date: Fri, 22 May 2015 19:29:05 +0800
Message-ID: <555F1301.8070900@huawei.com>
In-Reply-To: <1432205817-16414-1-git-send-email-berrange@redhat.com>

On 2015/5/21 18:56, Daniel P. Berrange wrote:
> This small series covers the crypto consolidation patches
> I previously posted as part of a larger RFC for the TLS work
> 
>   https://lists.nongnu.org/archive/html/qemu-devel/2015-04/msg02038.html
> 
> Currently there are 5 main places in QEMU which use some
> form of cryptographic hash or cipher algorithm. These are
> the quorum block driver (hash), qcow[2] block driver (cipher),
> VNC password auth (cipher), VNC websockets (hash) and some
> of the CPU instruction emulation (cipher).
> 
> For ciphers the code is using the in-tree implementations
> of AES and/or the RFB cripple-DES. While there is nothing
> broken about these implementations, it is none the less
> desirable to be able to use the GNUTLS provided impls in
> cases where we are already linking to GNUTLS. This will
> allow QEMU to use FIPS certified implementations, which
> have been well audited, have some protection against
> side-channel leakage and are generally actively maintained
> by people knowledgeable about encryption.
> 
Can we use the OpenSSL library in QEMU? If not, is that because of the license?

> For hash digests the code is already using GNUTLS APIs.
> 
> With the TLS work, and possible future improved block device
> encryption, there will be more general purpose crypto APIs
> needed in QEMU.
> 
> It is undesirable to continue to litter the code with
> countless #ifdef WITH_GNUTLS conditionals, as it makes
> it increasingly hard to understand the code.
> 
> The goal of this series is to thus consolidate all the
> crypto code into a single logical place in QEMU - the
> source in $GIT/crypto and headers in $GIT/include/crypto.
> The code in this location will provide QEMU internal
> APIs for hash digests, ciphers, and later TLS and block
> encryption primitives. The implementations will be
> backed by GNUTLS, and either libgcrypt or nettle depending
> on which of these GNUTLS is linking to. In the case where
> GNUTLS is disabled at build time, we'll still keep the
> built-in AES & RFB-cripple-DES implementations available
> so we have no regression vs today's level of support.
> 
> The callers of the crypto code can now be unconditionally
> compiled and, if needed, they can check the availability
> of algorithms they want at runtime and report clear errors
> to the CLI or QMP if not available. This is a minor
> difference in behaviour for the quorum block driver which
> would previously be disabled at compile time if gnutls
> was not available.
> 
> A future posting will include the TLS crypto APIs.
> 
> I have not attempted to convert the CPU emulation code to
> use the new crypto APIs, since that code appears to have
> a quite specific need for access to the low level internal
> stages of the AES algorithm. So I've left it using the
> QEMU built-in AES code.
> 
> I've added myself in the MAINTAINERS file for the new
> directories, since it wasn't clear if anyone else on the
> existing QEMU maintainer list had any interest / knowledge
> in maintaining the crypto related pieces.
> 
Good job :)
Recently, my colleague and I have done some work on cryptography;
maybe we can discuss it if possible.

Regards,
-Gonglei

> Daniel P. Berrange (10):
>   crypto: introduce new module for computing hash digests
>   crypto: move built-in AES implementation into crypto/
>   crypto: move built-in D3DES implementation into crypto/
>   crypto: introduce generic cipher API & built-in implementation
>   crypto: add a gcrypt cipher implementation
>   crypto: add a nettle cipher implementation
>   block: convert quorum blockdrv to use crypto APIs
>   ui: convert VNC websockets to use crypto APIs
>   block: convert qcow/qcow2 to use generic cipher API
>   ui: convert VNC to use generic cipher API
> 
>  MAINTAINERS                           |   7 +
>  Makefile.objs                         |   1 +
>  block/Makefile.objs                   |   2 +-
>  block/qcow.c                          | 100 ++++++---
>  block/qcow2-cluster.c                 |  46 +++-
>  block/qcow2.c                         |  95 +++++----
>  block/qcow2.h                         |  13 +-
>  block/quorum.c                        |  38 ++--
>  configure                             | 162 +++++++++-----
>  crypto/Makefile.objs                  |   5 +
>  {util => crypto}/aes.c                |   2 +-
>  crypto/cipher-builtin.c               | 391 ++++++++++++++++++++++++++++++++++
>  crypto/cipher-gcrypt.c                | 203 ++++++++++++++++++
>  crypto/cipher-nettle.c                | 226 ++++++++++++++++++++
>  crypto/cipher.c                       |  31 +++
>  ui/d3des.c => crypto/desrfb.c         |   2 +-
>  crypto/hash.c                         | 202 ++++++++++++++++++
>  crypto/init.c                         | 152 +++++++++++++
>  include/{qemu => crypto}/aes.h        |   0
>  include/crypto/cipher.h               | 208 ++++++++++++++++++
>  ui/d3des.h => include/crypto/desrfb.h |   0
>  include/crypto/hash.h                 | 189 ++++++++++++++++
>  include/crypto/init.h                 |  29 +++
>  target-arm/crypto_helper.c            |   2 +-
>  target-i386/fpu_helper.c              |   1 -
>  target-i386/ops_sse.h                 |   2 +-
>  target-ppc/int_helper.c               |   2 +-
>  tests/.gitignore                      |   2 +
>  tests/Makefile                        |   4 +
>  tests/test-crypto-cipher.c            | 290 +++++++++++++++++++++++++
>  tests/test-crypto-hash.c              | 209 ++++++++++++++++++
>  ui/Makefile.objs                      |   4 +-
>  ui/vnc-ws.c                           |  22 +-
>  ui/vnc-ws.h                           |   2 -
>  ui/vnc.c                              | 122 +++++------
>  ui/vnc.h                              |   8 -
>  util/Makefile.objs                    |   2 +-
>  vl.c                                  |   8 +
>  38 files changed, 2517 insertions(+), 267 deletions(-)
>  create mode 100644 crypto/Makefile.objs
>  rename {util => crypto}/aes.c (99%)
>  create mode 100644 crypto/cipher-builtin.c
>  create mode 100644 crypto/cipher-gcrypt.c
>  create mode 100644 crypto/cipher-nettle.c
>  create mode 100644 crypto/cipher.c
>  rename ui/d3des.c => crypto/desrfb.c (99%)
>  create mode 100644 crypto/hash.c
>  create mode 100644 crypto/init.c
>  rename include/{qemu => crypto}/aes.h (100%)
>  create mode 100644 include/crypto/cipher.h
>  rename ui/d3des.h => include/crypto/desrfb.h (100%)
>  create mode 100644 include/crypto/hash.h
>  create mode 100644 include/crypto/init.h
>  create mode 100644 tests/test-crypto-cipher.c
>  create mode 100644 tests/test-crypto-hash.c
> 
