From: Eric Blake
Date: Sat, 11 Jun 2016 14:33:47 -0600
Subject: Re: [Qemu-devel] [PATCH] block: drop support for using qcow[2] encryption with system emulators
To: "Daniel P. Berrange", qemu-devel@nongnu.org
Cc: Kevin Wolf, Markus Armbruster, qemu-block@nongnu.org
Message-ID: <575C75AB.5020408@redhat.com>
In-Reply-To: <1465572773-19451-1-git-send-email-berrange@redhat.com>

On 06/10/2016 09:32 AM, Daniel P. Berrange wrote:
> Back in the 2.3.0 release we declared qcow[2] encryption as
> deprecated, warning people that it would be removed in a future
> release.
>
>   commit a1f688f4152e65260b94f37543521ceff8bfebe4
>   Author: Markus Armbruster
>   Date: Fri Mar 13 21:09:40 2015 +0100
>
>   block: Deprecate QCOW/QCOW2 encryption
>
> The code still exists today, but by a (happy?) accident we entirely
> broke the ability to use qcow[2] encryption in the system emulators
> in the 2.4.0 release due to
>
>   commit 8336aafae1451d54c81dd2b187b45f7c45d2428e
>   Author: Daniel P. Berrange
>   Date: Tue May 12 17:09:18 2015 +0100
>
>   qcow2/qcow: protect against uninitialized encryption key
>
> This commit was designed to prevent future coding bugs which
> might cause QEMU to read/write data on an encrypted block
> device in plain text mode before a decryption key is set.
>
> It turns out this preventative measure was a little too good,
> because we already had a long standing bug where QEMU read
> encrypted data in plain text mode during system emulator
> startup, in order to guess disk geometry:

Interesting analysis.

> So rather than fix the crash, and backport it to stable
> releases, just go ahead with what we have warned users about
> and disable any use of qcow2 encryption in the system
> emulators. qemu-img/qemu-io/qemu-nbd are still able to access
> qcow2 encrypted images for the sake of data conversion.
>
> In the future, qcow2 will gain support for the alternative
> luks format, but when this happens it'll be using the
> '-object secret' infrastructure for getting keys, which
> avoids this problematic scenario entirely.
>
> Signed-off-by: Daniel P. Berrange
> ---
> block/qcow.c | 11 +++++++----
> block/qcow2.c | 11 +++++++----
> tests/qemu-iotests/087.out | 12 ++----------
> 3 files changed, 16 insertions(+), 18 deletions(-)
> +++ b/block/qcow.c > @@ -162,10 +162,13 @@ static int qcow_open(BlockDriverState *bs, QDict = *options, int flags, > if (s->crypt_method_header) { > if (bdrv_uses_whitelist() && > s->crypt_method_header =3D=3D QCOW_CRYPT_AES) { > - error_report("qcow built-in AES encryption is deprecated")= ; > - error_printf("Support for it will be removed in a future r= elease.\n" > - "You can use 'qemu-img convert' to switch to = an\n" > - "unencrypted qcow image, or a LUKS raw image.= \n"); > + error_setg(errp, > + "Use of AES-CBC encrypted qcow images is no lon= ger " > + "supported in system emulators. You can use " > + "'qemu-img convert' to convert your image to us= e " > + "the LUKS format instead.");

error_setg() should not end in '.'. Better would be:

error_setg(errp, "Use of AES-CBC encrypted qcow images is not supported");
error_append_hint(errp, "You can use 'qemu-img convert'... instead.\n");

> +++ b/block/qcow2.c
> @@ -968,10 +968,13 @@ static int qcow2_open(BlockDriverState *bs, QDict= *options, int flags, > if (s->crypt_method_header) { > if (bdrv_uses_whitelist() && > s->crypt_method_header =3D=3D QCOW_CRYPT_AES) { > - error_report("qcow2 built-in AES encryption is deprecated"= ); > - error_printf("Support for it will be removed in a future r= elease.\n" > - "You can use 'qemu-img convert' to switch to = an\n" > - "unencrypted qcow2 image, or a LUKS raw image= =2E\n"); > + error_setg(errp, > + "Use of AES-CBC encrypted qcow2 images is no lo= nger " > + "supported in system emulators. You can use " > + "'qemu-img convert' to convert your image to us= e " > + "the LUKS format instead."); and again. > + ret =3D -ENOSYS; > + goto fail; > } > =20 > bs->encrypted =3D 1; > diff --git a/tests/qemu-iotests/087.out b/tests/qemu-iotests/087.out > index 055c553..99853c5 100644 > --- a/tests/qemu-iotests/087.out > +++ b/tests/qemu-iotests/087.out 
> @@ -42,22 +42,14 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=3DIMGFMT size=3D= 134217728 encryption=3Don > Testing: -S > QMP_VERSION > {"return": {}} > -IMGFMT built-in AES encryption is deprecated > -Support for it will be removed in a future release. > -You can use 'qemu-img convert' to switch to an > -unencrypted IMGFMT image, or a LUKS raw image. > -{"error": {"class": "GenericError", "desc": "blockdev-add doesn't supp= ort encrypted devices"}} > +{"error": {"class": "GenericError", "desc": "Use of AES-CBC encrypted = qcow2 images is no longer supported in system emulators. You can use 'qem= u-img convert' to convert your image to use the LUKS format instead."}}

And this will need tweaking to match.

I'm in favor of the idea behind the patch, but the error_setg() usage
needs to be fixed for v2.

-- 
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
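
Review bot: In the block/qcow.c hunk (qcow_open), the new error_setg() text offers only "convert your image to use the LUKS format", where the removed error_printf() lines named two ways out: an "unencrypted qcow image, or a LUKS raw image". The commit message says LUKS inside qcow2 is still future work, so "the LUKS format" can be read as something qemu-img cannot yet produce for this container. Say "a LUKS raw image" and keep the unencrypted option in the hint.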
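
Review bot: In the block/qcow2.c hunk (qcow2_open), the rejection is keyed on bdrv_uses_whitelist() while the new message speaks of "system emulators", and nothing in the code says the whitelist flag is standing in for that distinction. A one-line comment above the condition would keep a later reader from treating the check as whitelist policy and relaxing it. Separately, ret = -ENOSYS reads as "not implemented"; -ENOTSUP is the closer fit for a format feature that is deliberately refused.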
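
Review bot: In the tests/qemu-iotests/087.out hunk, the added expected line spells the format as a literal "qcow2", while the removed lines show this test's output with the driver name already rewritten ("IMGFMT built-in AES encryption is deprecated"). If the same output filter applies to the QMP error, the reference output has to read "AES-CBC encrypted IMGFMT images" or the test fails on a pure text mismatch. Rerun 087 and regenerate the file from the real output rather than editing it by hand.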