qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: Hyman Huang <yong.huang@smartx.com>
To: qemu-devel@nongnu.org
Cc: "Kevin Wolf" <kwolf@redhat.com>,
	"Hanna Reitz" <hreitz@redhat.com>,
	"Daniel P . Berrangé" <berrange@redhat.com>,
	"Eric Blake" <eblake@redhat.com>,
	"Markus Armbruster" <armbru@redhat.com>,
	yong.huang@smartx.com
Subject: [RFC 0/8] Support generic Luks encryption
Date: Tue,  5 Dec 2023 00:06:17 +0800	[thread overview]
Message-ID: <cover.1701705003.git.yong.huang@smartx.com> (raw)

This functionality was motivated by the following to-do list seen
in crypto documents:
https://wiki.qemu.org/Features/Block/Crypto 

The last chapter says we should "separate header volume": 

The LUKS format has ability to store the header in a separate volume
from the payload. We should extend the LUKS driver in QEMU to support
this use case.

As a proof-of-concept, I've created this patchset, which I've named
the Gluks: generic luks. As their name suggests, they offer encryption
for any format that QEMU theoretically supports.

As you can see below, the Gluks format block layer driver's design is
quite simple.

         virtio-blk/vhost-user-blk...(front-end device)
              ^            
              |            
             Gluks   (format-like disk node) 
          /         \         
       file       header (blockdev reference)
        /             \        
     file            file (protocol node)
       |               |
   disk data       Luks data 

We don't need to create a new disk format in order to use the Gluks
to encrypt the disk; all we need to do is construct a Luks header, which
we will refer to as the "Gluk" because it only contains Luks header data
and no user data. The creation command, for instance, is nearly
identical to Luks image:

$ qemu-img create --object secret,id=sec0,data=abc123 -f gluks
  -o cipher-alg=aes-256,cipher-mode=xts -o key-secret=sec0
  cipher.gluks

As previously mentioned, the "size" option is not accepted during the
generation of the Gluks format because it only contains the Luks header
data.

To hot-add a raw disk with Gluks encryption, see the following steps:

1. add a protocol blockdev node of data disk 
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
  "arguments":{"node-name": "libvirt-1-storage", "driver": "file",
  "filename": "/path/to/test_disk.raw"}}'

2. add a protocol blockdev node of Luks header
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
  "arguments":{"node-name": "libvirt-2-storage", "driver": "file",
  "filename": "/path/to/cipher.gluks" }}'

3. add the secret for decrypting the cipher stored in Gluks header
$ virsh qemu-monitor-command c81_node1 '{"execute":"object-add",
  "arguments":{"qom-type": "secret", "id":
  "libvirt-2-storage-secret0", "data": "abc123"}}'

4. add the Gluks-drived blockdev to connect the user disk with Luks
   header, QEMU will use the cipher in the Luks header to
   encrypt/decrypt the disk data
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
  "arguments":{"node-name": "libvirt-1-format", "driver": "gluks", "file":
  "libvirt-1-storage", "header": "libvirt-2-storage", "key-secret":
  "libvirt-2-storage-secret0"}}' 

5. add the device finally
$ virsh qemu-monitor-command vm '{"execute":"device_add",
  "arguments": {"num-queues": "1", "driver": "virtio-blk-pci", "scsi":
  "off", "drive": "libvirt-1-format", "id": "virtio-disk1"}}'

Do the reverse to hot-del the raw disk.

To hot-add a qcow2 disk with Gluks encryption:

1. add a protocol blockdev node of data disk
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
  "arguments":{"node-name": "libvirt-1-storage", "driver": "file",
  "filename": "/path/to/test_disk.qcow2"}}'

2. add a protocol blockdev node of Luks header as above.
   block ref: libvirt-2-storage

3. add the secret for decrypting the cipher stored in Gluks header as
   above too 
   secret ref: libvirt-2-storage-secret0

4. add the qcow2-drived blockdev format node:
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
  "arguments":{"node-name": "libvirt-1-format", "driver": "qcow2",
  "file": "libvirt-1-storage"}}'

5. add the Gluks-drived blockdev to connect the qcow2 disk with Luks
   header 
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
  "arguments":{"node-name": "libvirt-2-format", "driver": "gluks",
  "file": "libvirt-1-format", "header": "libvirt-2-storage",
  "key-secret": "libvirt-2-format-secret0"}}'

6. add the device finally
$ virsh qemu-monitor-command vm '{"execute":"device_add",
  "arguments": {"num-queues": "1", "driver": "virtio-blk-pci", "scsi":
  "off", "drive": "libvirt-2-format", "id": "virtio-disk2"}}'

In a virtual machine, several disk nodes are allowed to share a single
Gluks header.

This patchset, as previously said, is a proof-of-concept; additional
work may be required before productization. As the title suggests, we
have uploaded it solely for comments. Additionally, a thorough test
would be performed on the following version.

Any ideas and comments about this feature would be appreciated.

Thanks,

Yong

Best regared !

Hyman Huang (8):
  crypto: Export util functions and structures
  crypto: Introduce payload offset set function
  Gluks: Add the basic framework
  Gluks: Introduce Gluks options
  qapi: Introduce Gluks types to qapi
  crypto: Provide the Luks crypto driver to Gluks
  Gluks: Implement the fundamental block layer driver hooks.
  block: Support Gluks format image creation using qemu-img

 block.c                |   5 +
 block/crypto.c         |  20 +---
 block/crypto.h         |  23 ++++
 block/generic-luks.c   | 250 +++++++++++++++++++++++++++++++++++++++++
 block/generic-luks.h   |  29 +++++
 block/meson.build      |   1 +
 crypto/block.c         |   5 +
 include/crypto/block.h |   1 +
 qapi/block-core.json   |  22 +++-
 qapi/crypto.json       |  10 +-
 10 files changed, 348 insertions(+), 18 deletions(-)
 create mode 100644 block/generic-luks.c
 create mode 100644 block/generic-luks.h

-- 
2.39.1



             reply	other threads:[~2023-12-04 16:09 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-12-04 16:06 Hyman Huang [this message]
2023-12-04 16:06 ` [RFC 1/8] crypto: Export util functions and structures Hyman Huang
2023-12-04 16:06 ` [RFC 2/8] crypto: Introduce payload offset set function Hyman Huang
2023-12-04 16:06 ` [RFC 3/8] Gluks: Add the basic framework Hyman Huang
2023-12-04 16:06 ` [RFC 4/8] Gluks: Introduce Gluks options Hyman Huang
2023-12-04 16:06 ` [RFC 5/8] qapi: Introduce Gluks types to qapi Hyman Huang
2023-12-04 16:06 ` [RFC 6/8] crypto: Provide the Luks crypto driver to Gluks Hyman Huang
2023-12-04 16:06 ` [RFC 7/8] Gluks: Implement the fundamental block layer driver hooks Hyman Huang
2023-12-04 16:06 ` [RFC 8/8] block: Support Gluks format image creation using qemu-img Hyman Huang
2023-12-04 16:24 ` [RFC 0/8] Support generic Luks encryption Daniel P. Berrangé
2023-12-04 16:32   ` Yong Huang
2023-12-04 16:41   ` Yong Huang
2023-12-04 16:51     ` Daniel P. Berrangé
2023-12-04 17:32       ` Yong Huang
2023-12-04 17:43         ` Daniel P. Berrangé
2023-12-05  1:51           ` Yong Huang
2023-12-05 11:37             ` Daniel P. Berrangé
2023-12-05 11:27           ` Kevin Wolf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=cover.1701705003.git.yong.huang@smartx.com \
    --to=yong.huang@smartx.com \
    --cc=armbru@redhat.com \
    --cc=berrange@redhat.com \
    --cc=eblake@redhat.com \
    --cc=hreitz@redhat.com \
    --cc=kwolf@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).