qemu-devel.nongnu.org archive mirror
From: yong.huang@smartx.com
To: qemu-devel@nongnu.org
Cc: "Daniel P . Berrangé" <berrange@redhat.com>,
	"Eric Blake" <eblake@redhat.com>,
	"Markus Armbruster" <armbru@redhat.com>,
	"Hanna Reitz" <hreitz@redhat.com>,
	"Kevin Wolf" <kwolf@redhat.com>,
	yong.huang@smartx.com
Subject: [PATCH v4 5/7] block: Support detached LUKS header creation using qemu-img
Date: Tue, 30 Jan 2024 13:37:23 +0800
Message-ID: <c573cf4d985b0386e2e419fcccd92245800cdeca.1706586786.git.yong.huang@smartx.com>
In-Reply-To: <cover.1706586786.git.yong.huang@smartx.com>

From: Hyman Huang <yong.huang@smartx.com>

Even though a LUKS header might be created with cryptsetup,
qemu-img should be enhanced to accommodate it as well.

Add the 'detached-header' option to specify the creation of
a detached LUKS header. This is how it is used:
$ qemu-img create --object secret,id=sec0,data=abc123 -f luks
> -o cipher-alg=aes-256,cipher-mode=xts -o key-secret=sec0
> -o detached-header=true header.luks

Use the qemu-img or cryptsetup tools to query information about
a LUKS header image as follows:

Assume a detached LUKS header image has been created by:
$ dd if=/dev/zero of=test-header.img bs=1M count=32
$ dd if=/dev/zero of=test-payload.img bs=1M count=1000
$ cryptsetup luksFormat --header test-header.img test-payload.img
> --force-password --type luks1

Header image information could be queried using cryptsetup:
$ cryptsetup luksDump test-header.img

or qemu-img:
$ qemu-img info 'json:{"driver":"luks","file":{"filename":
> "test-payload.img"},"header":{"filename":"test-header.img"}}'

When using qemu-img, keep in mind that the entire disk
information specified by the JSON-format string above must be
supplied on the command line; if not, an overlay check will reveal
a problem with the LUKS volume check logic.

Signed-off-by: Hyman Huang <yong.huang@smartx.com>
---
 block.c          |  5 ++++-
 block/crypto.c   | 10 +++++++++-
 block/crypto.h   |  8 ++++++++
 qapi/crypto.json |  5 ++++-
 4 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/block.c b/block.c
index 30afdcbba6..1ed9214f66 100644
--- a/block.c
+++ b/block.c
@@ -7357,7 +7357,10 @@ void bdrv_img_create(const char *filename, const char *fmt,
         goto out;
     }
 
-    if (size == -1) {
+    /* Parameter 'size' is not needed for detached LUKS header */
+    if (size == -1 &&
+        !(!strcmp(fmt, "luks") &&
+          qemu_opt_get_bool(opts, "detached-header", false))) {
         error_setg(errp, "Image creation needs a size parameter");
         goto out;
     }
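
Review bot: the exemption added to the 'if (size == -1 && ...)' condition
puts the driver name "luks" into generic bdrv_img_create() and leaves size
at -1 whenever it applies. Consider setting size to 0 in that case right
here, so the rest of the function never carries a negative size for a
detached header, and consider whether the format-specific test could live
behind a driver-side check rather than a strcmp() on fmt in block.c.
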
diff --git a/block/crypto.c b/block/crypto.c
index 8e7ee5e9ac..65426d3a16 100644
--- a/block/crypto.c
+++ b/block/crypto.c
@@ -231,6 +231,7 @@ static QemuOptsList block_crypto_create_opts_luks = {
         BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_HASH_ALG(""),
         BLOCK_CRYPTO_OPT_DEF_LUKS_HASH_ALG(""),
         BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME(""),
+        BLOCK_CRYPTO_OPT_DEF_LUKS_DETACHED_HEADER(""),
         { /* end of list */ }
     },
 };
@@ -405,7 +406,7 @@ block_crypto_co_create_generic(BlockDriverState *bs, int64_t size,
 
     data = (struct BlockCryptoCreateData) {
         .blk = blk,
-        .size = size,
+        .size = flags & QCRYPTO_BLOCK_CREATE_DETACHED ? 0 : size,
         .prealloc = prealloc,
     };
 
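
Review bot: '.size = flags & QCRYPTO_BLOCK_CREATE_DETACHED ? 0 : size'
relies on '&' binding tighter than '?:'. It parses as intended, but please
parenthesise the mask test, '(flags & QCRYPTO_BLOCK_CREATE_DETACHED) ? 0 : size',
so readers do not have to check precedence, and add a one-line comment
matching the one in block.c that size is not needed for a detached header.
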
@@ -791,6 +792,9 @@ block_crypto_co_create_opts_luks(BlockDriver *drv, const char *filename,
     PreallocMode prealloc;
     char *buf = NULL;
     int64_t size;
+    bool detached_hdr =
+        qemu_opt_get_bool(opts, "detached-header", false);
+    unsigned int cflags = 0;
     int ret;
     Error *local_err = NULL;
 
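
Review bot: 'qemu_opt_get_bool(opts, "detached-header", false)' repeats the
option name as a string literal, as block.c does, although this patch adds
BLOCK_CRYPTO_OPT_LUKS_DETACHED_HEADER to block/crypto.h for exactly that
name. Use the macro here so the option name is defined in one place.
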
@@ -830,6 +834,10 @@ block_crypto_co_create_opts_luks(BlockDriver *drv, const char *filename,
         goto fail;
     }
 
+    if (detached_hdr) {
+        cflags |= QCRYPTO_BLOCK_CREATE_DETACHED;
+    }
+
     /* Create format layer */
     ret = block_crypto_co_create_generic(bs, size, create_opts,
                                          prealloc, 0, errp);
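
Review bot: cflags is set from detached_hdr just above, but the call that
follows still passes the literal 0 as the flags argument
('prealloc, 0, errp'), so in the lines shown QCRYPTO_BLOCK_CREATE_DETACHED
never reaches block_crypto_co_create_generic() and its new
'? 0 : size' branch cannot be taken. Pass cflags in place of the 0, and
have the test in 7/7 cover 'qemu-img create -o detached-header=true'
without a size so this path is exercised.
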
diff --git a/block/crypto.h b/block/crypto.h
index 72e792c9af..dc3d2d5ed9 100644
--- a/block/crypto.h
+++ b/block/crypto.h
@@ -41,6 +41,7 @@
 #define BLOCK_CRYPTO_OPT_LUKS_IVGEN_HASH_ALG "ivgen-hash-alg"
 #define BLOCK_CRYPTO_OPT_LUKS_HASH_ALG "hash-alg"
 #define BLOCK_CRYPTO_OPT_LUKS_ITER_TIME "iter-time"
+#define BLOCK_CRYPTO_OPT_LUKS_DETACHED_HEADER "detached-header"
 #define BLOCK_CRYPTO_OPT_LUKS_KEYSLOT "keyslot"
 #define BLOCK_CRYPTO_OPT_LUKS_STATE "state"
 #define BLOCK_CRYPTO_OPT_LUKS_OLD_SECRET "old-secret"
@@ -100,6 +101,13 @@
         .help = "Select new state of affected keyslots (active/inactive)",\
     }
 
+#define BLOCK_CRYPTO_OPT_DEF_LUKS_DETACHED_HEADER(prefix)     \
+    {                                                         \
+        .name = prefix BLOCK_CRYPTO_OPT_LUKS_DETACHED_HEADER, \
+        .type = QEMU_OPT_BOOL,                                \
+        .help = "Create a detached LUKS header",              \
+    }
+
 #define BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT(prefix)              \
     {                                                          \
         .name = prefix BLOCK_CRYPTO_OPT_LUKS_KEYSLOT,          \
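
Review bot: the .help text "Create a detached LUKS header" in
BLOCK_CRYPTO_OPT_DEF_LUKS_DETACHED_HEADER does not tell a qemu-img user
that the size parameter is no longer needed once this option is set, which
is the behaviour the block.c hunk introduces. Suggest extending the help
string to say that no size is required when detached-header=true.
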
diff --git a/qapi/crypto.json b/qapi/crypto.json
index fd3d46ebd1..62fd145223 100644
--- a/qapi/crypto.json
+++ b/qapi/crypto.json
@@ -223,6 +223,8 @@
 # @iter-time: number of milliseconds to spend in PBKDF passphrase
 #     processing.  Currently defaults to 2000. (since 2.8)
 #
+# @detached-header: create a detached LUKS header. (since 9.0)
+#
 # Since: 2.6
 ##
 { 'struct': 'QCryptoBlockCreateOptionsLUKS',
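
Review bot: the new '@detached-header' doc line does not state a default,
while the neighbouring '@iter-time' entry does ("Currently defaults to
2000") and the member is declared optional below. The C side reads it with
qemu_opt_get_bool(..., false), so please document "(default: false)" here.
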
@@ -232,7 +234,8 @@
             '*ivgen-alg': 'QCryptoIVGenAlgorithm',
             '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
             '*hash-alg': 'QCryptoHashAlgorithm',
-            '*iter-time': 'int'}}
+            '*iter-time': 'int',
+            '*detached-header': 'bool'}}
 
 ##
 # @QCryptoBlockOpenOptions:
-- 
2.31.1


