From: Eric Blake
Date: Fri, 11 Mar 2016 15:31:59 -0700
Message-ID: <56E3475F.1080207@redhat.com>
In-Reply-To: <1456747261-22032-14-git-send-email-berrange@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v4 13/26] crypto: implement the LUKS block encryption format
To: "Daniel P. Berrange", qemu-devel@nongnu.org
Cc: Fam Zheng, qemu-block@nongnu.org

On 02/29/2016 05:00 AM, Daniel P. Berrange wrote:
> Provide a block encryption implementation that follows the
> LUKS/dm-crypt specification.
>
> This supports all combinations of hash, cipher algorithm,
> cipher mode and iv generator that are implemented by the
> current crypto layer.
>
> The notable missing feature is support for the 'xts'
> cipher mode, which is commonly used for disk encryption
> instead of 'cbc'. This is because it is not provided by
> either nettle or libgcrypt. A suitable implementation
> will be identified & integrated later.

Stale paragraph, you implemented it earlier in the series.

>
> There is support for opening existing volumes formatted
> by dm-crypt, and for formatting new volumes. In the latter
> case it will only use key slot 0.
>
> Signed-off-by: Daniel P. Berrange
> ---

> +static int
> +qcrypto_block_luks_open(QCryptoBlock *block,
> + QCryptoBlockOpenOptions *options,
> + QCryptoBlockReadFunc readfunc,
> + void *opaque,
> + unsigned int flags,
> + Error **errp)
> +{
> + /* Read the entire LUKS header, minus the key material from
> + * the underling device */

s/underling/underlying/

(although the typo does read rather humorously - I now have a mental image of a LUKS overlord :)

> +++ b/qapi/crypto.json
> @@ -117,12 +117,13 @@
> ##
> # QCryptoBlockOptionsBase:

> @@ -143,7 +144,8 @@
> # The options that apply to QCow/QCow2 AES-CBC encryption format
> #
> # @key-secret: #optional the ID of a QCryptoSecret object providing the
> -# decryption key
> +# decryption key. Mandatory except when probing image for
> +# metadata only.

Aha - I think this hunk may belong earlier in the series...

> #
> # Since: 2.6
> ##
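Review bot: the comment at the top of qcrypto_block_luks_open says the header is read from the underlying device, but nothing in the quoted lines says what is done with the header before it is trusted; because that device is untrusted input, the comment (and the code that follows it) should make explicit that the fields parsed out of the header are range-checked before they drive any further readfunc calls, e.g. "/* Read the entire LUKS header, minus the key material, from the underlying device, then validate it before use */". The s/underling/underlying/ fix already noted above can go in at the same time.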
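Review bot: the new wording at @@ -143,7 +144,8 @@ ("Mandatory except when probing image for metadata only") describes a requirement that the schema itself does not express, since the following data line `'data': { '*key-secret': 'str' }}` keeps key-secret optional; the doc comment should therefore say what happens when the key is absent outside of probing (which error is reported, and by which layer), or point at the code that enforces it, so readers of the QAPI docs are not left to guess. As already observed above, this hunk edits the QCow/QCow2 entry rather than anything LUKS-specific and would sit more naturally in the earlier patch that introduced the probing behaviour.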
> @@ -151,6 +153,45 @@
> 'data': { '*key-secret': 'str' }}
>
> ##
> +# QCryptoBlockOptionsLUKS:
> +#
> +# The options that apply to LUKS encryption format
> +#
> +# @key-secret: #optional the ID of a QCryptoSecret object providing the
> +# decryption key

...Although you may want to duplicate it here.

Looks like my review on the earlier version helped, and you addressed most of my comments. What I pointed out above is minor enough that I'm okay if you fix it on the pull request without needing another round of review, so:

Reviewed-by: Eric Blake

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
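Review bot: the @key-secret description added under QCryptoBlockOptionsLUKS at @@ -151,6 +153,45 @@ stops at "providing the decryption key" and so lacks the "Mandatory except when probing image for metadata only" clause that the QCow/QCow2 entry gains in the same patch; the two descriptions should match word for word, otherwise a reader of the LUKS docs cannot tell that probing works without a secret while opening for I/O does not. Suggested text for the LUKS entry: "# @key-secret: #optional the ID of a QCryptoSecret object providing the decryption key. Mandatory except when probing image for metadata only."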