[Qemu-devel] Problem(s) with encrypted images

[Qemu-devel] Problem(s) with encrypted images

[nuitari-qemu]

Hi,

First I would like to apologize if this isn't the correct place for this. 
The Qemu-users board won't let me agree to the terms and when I view 
threads found by the search engine I get a lot of error messages about the 
session table being corrupted.

This is on a non-kvm "vintage" opteron. Linux is the host and another 
linux is the guest OS. I use kqemu once the kernel is compiled. (btw the 
kernel panics inside the guest with kqemu using the gentoo live cds).

Anyways, here are the problems that I've found:
1. Qemu-img doesn't show a password prompt when I create a new encrypted 
image. It does show it when I convert a plain text image to an encrypted 
one.

2. When I start qemu, it just hangs there waiting for (assumingly) the 
password of the encrypted image. However I cannot find the place where the 
prompt actually is.

I've tried staring it with stdio as the monitor, which just errored out.
Inside a vnc server it would do the same thing.
It also does not open the vnc server nor the tcp server for the monitor to 
askk for it.

Does encryption work in QEMU 0.9.1?

[Qemu-devel] Re: Problem(s) with encrypted images

[Sebastian Herbszt]

> 1. Qemu-img doesn't show a password prompt when I create a new encrypted 
> image. It does show it when I convert a plain text image to an encrypted 
> one.

After creating a new image with bdrv_create in qemu-img.c img_convert there
is a bdrv_new_open which got read_password and bdrv_set_key. This seems
to be missing from img_create.

> 2. When I start qemu, it just hangs there waiting for (assumingly) the 
> password of the encrypted image. However I cannot find the place where the 
> prompt actually is.

qemu_key_check in vl.c does use monitor_readline, so you should see a "Password:"
prompt in the monitor window (press ctrl-alt-2 to get there).

- Sebastian

[Qemu-devel] Re: Problem(s) with encrypted images

[Sebastian Herbszt]

>> 2. When I start qemu, it just hangs there waiting for (assumingly) the 
>> password of the encrypted image. However I cannot find the place where the 
>> prompt actually is.
> 
> qemu_key_check in vl.c does use monitor_readline, so you should see a "Password:"
> prompt in the monitor window (press ctrl-alt-2 to get there).
 
The initialization order seems to be wrong in main() (vl.c):

    for(i = 0; i < nb_drives_opt; i++)
        if (drive_init(&drives_opt[i], snapshot, machine) == -1)
            exit(1);
    ...
    *_display_init();
    ...
    monitor_init();

drive_init() got
...
if (bdrv_open2(bdrv, file, bdrv_flags, drv) < 0 || qemu_key_check(bdrv, file)) {

and qemu_key_check depends on the monitor:

    term_printf("%s is encrypted.\n", name);
    for(i = 0; i < 3; i++) {
        monitor_readline("Password: ", 1, password, sizeof(password));

- Sebastian

Re: [Qemu-devel] Re: Problem(s) with encrypted images

[nuitari]

>>  qemu_key_check in vl.c does use monitor_readline, so you should see a
>>  "Password:"
>>  prompt in the monitor window (press ctrl-alt-2 to get there).
>
> The initialization order seems to be wrong in main() (vl.c):
>
>    for(i = 0; i < nb_drives_opt; i++)
>        if (drive_init(&drives_opt[i], snapshot, machine) == -1)
>            exit(1);
>    ...
>    *_display_init();
>    ...
>    monitor_init();
>
> drive_init() got
> ...
> if (bdrv_open2(bdrv, file, bdrv_flags, drv) < 0 || qemu_key_check(bdrv, 
> file)) {
>
> and qemu_key_check depends on the monitor:
>
>    term_printf("%s is encrypted.\n", name);
>    for(i = 0; i < 3; i++) {
>        monitor_readline("Password: ", 1, password, sizeof(password));

I've tried to simply reorder the drive_init after the monitor_init(), 
however it doesn't seem to read the password properly.

Also connecting to VNC would make a segmentation fault.

Re: [Qemu-devel] Re: Problem(s) with encrypted images

[nuitari-qemu]

>> >  2. When I start qemu, it just hangs there waiting for (assumingly) the 
>> >  password of the encrypted image. However I cannot find the place where 
>> >  the prompt actually is.
>>
>>  qemu_key_check in vl.c does use monitor_readline, so you should see a
>>  "Password:"
>>  prompt in the monitor window (press ctrl-alt-2 to get there).
>
> The initialization order seems to be wrong in main() (vl.c):
>
>    for(i = 0; i < nb_drives_opt; i++)
>        if (drive_init(&drives_opt[i], snapshot, machine) == -1)
>            exit(1);
>    ...
>    *_display_init();
>    ...
>    monitor_init();
>
> drive_init() got
> ...
> if (bdrv_open2(bdrv, file, bdrv_flags, drv) < 0 || qemu_key_check(bdrv, 
> file)) {
>
> and qemu_key_check depends on the monitor:
>
>    term_printf("%s is encrypted.\n", name);
>    for(i = 0; i < 3; i++) {
>        monitor_readline("Password: ", 1, password, sizeof(password));

Just changing the order in vl.c doesn't work.

For example I get:
VM_Serveur_de_scripts.crypt.qcow2 is encrypted.
Password: QEMU 0.9.1 monitor - type 'help' for more information
(qemu) blahblahblahblah
unknown command: 'blahblahblahblah'
(qemu)
(qemu)

Also connecting to vnc results in a segmentation fault with the reordering 
that I did.

[Qemu-devel] Re: Problem(s) with encrypted images

[Sebastian Herbszt]

>>> 2. When I start qemu, it just hangs there waiting for (assumingly) the 
>>> password of the encrypted image. However I cannot find the place where the 
>>> prompt actually is.
>> 
>> qemu_key_check in vl.c does use monitor_readline, so you should see a "Password:"
>> prompt in the monitor window (press ctrl-alt-2 to get there).
> 
> The initialization order seems to be wrong in main() (vl.c):
> 
>    for(i = 0; i < nb_drives_opt; i++)
>        if (drive_init(&drives_opt[i], snapshot, machine) == -1)
>            exit(1);
>    ...
>    *_display_init();
>    ...
>    monitor_init();
> 
> drive_init() got
> ...
> if (bdrv_open2(bdrv, file, bdrv_flags, drv) < 0 || qemu_key_check(bdrv, file)) {
> 
> and qemu_key_check depends on the monitor:
> 
>    term_printf("%s is encrypted.\n", name);
>    for(i = 0; i < 3; i++) {
>        monitor_readline("Password: ", 1, password, sizeof(password));
> 

Can you try this patch? It will break monitor but should read the password.

- Sebastian

--- vl.c.orig Mon Jun 16 18:07:39 2008
+++ vl.c Mon Jun 16 17:47:44 2008
@@ -5307,7 +5307,7 @@ static int drive_init(struct drive_opt *
         bdrv_flags |= BDRV_O_SNAPSHOT;
     if (!cache)
         bdrv_flags |= BDRV_O_DIRECT;
-    if (bdrv_open2(bdrv, file, bdrv_flags, drv) < 0 || qemu_key_check(bdrv, file)) {
+    if (bdrv_open2(bdrv, file, bdrv_flags, drv) < 0 ) {
         fprintf(stderr, "qemu: could not open disk image %s\n",
                         file);
         return -1;
--- monitor.c.orig Mon Jun 16 17:56:17 2008
+++ monitor.c Mon Jun 16 18:06:23 2008
@@ -2642,10 +2642,12 @@ static void term_event(void *opaque, int
     if (event != CHR_EVENT_RESET)
  return;
 
+/*
     if (!hide_banner)
      term_printf("QEMU %s monitor - type 'help' for more information\n",
    QEMU_VERSION);
     monitor_start_input();
+*/
 }
 
 static int is_first_init = 1;