From: Hyman Huang <yong.huang@smartx.com>
To: qemu-devel@nongnu.org
Cc: "Kevin Wolf" <kwolf@redhat.com>,
"Hanna Reitz" <hreitz@redhat.com>,
"Daniel P . Berrangé" <berrange@redhat.com>,
"Eric Blake" <eblake@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
yong.huang@smartx.com
Subject: [RFC 0/8] Support generic Luks encryption
Date: Tue, 5 Dec 2023 00:06:17 +0800 [thread overview]
Message-ID: <cover.1701705003.git.yong.huang@smartx.com> (raw)
This functionality was motivated by the following to-do list seen
in crypto documents:
https://wiki.qemu.org/Features/Block/Crypto
The last section, "separate header volume", says:
The LUKS format has ability to store the header in a separate volume
from the payload. We should extend the LUKS driver in QEMU to support
this use case.
As a proof of concept, I've created this patchset, which I've named
Gluks: generic LUKS. As its name suggests, it offers encryption
for any format that QEMU theoretically supports.
As you can see below, the Gluks format block layer driver's design is
quite simple.
    virtio-blk/vhost-user-blk...(front-end device)
                     ^
                     |
           Gluks (format-like disk node)
             /                \
          file              header (blockdev reference)
           /                    \
        file                   file (protocol node)
         |                      |
     disk data              Luks data
We don't need to create a new disk format in order to use Gluks
to encrypt the disk; all we need to do is construct a Luks header, which
we will refer to as the "Gluk" because it only contains Luks header data
and no user data. The creation command, for instance, is nearly
identical to that of a Luks image:
$ qemu-img create --object secret,id=sec0,data=abc123 -f gluks \
      -o cipher-alg=aes-256,cipher-mode=xts -o key-secret=sec0 \
      cipher.gluks
As previously mentioned, the "size" option is not accepted during the
generation of the Gluks format because it only contains the Luks header
data.
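To make concrete what a header-only "Gluk" volume actually carries, here is an added example (not code from this patchset) that parses a LUKS1 header per the cryptsetup LUKS1 on-disk specification: cipher and mode, the payload offset (which, once header and data live in separate files, no longer describes the same file as the data), and the active key slots whose anti-forensic stripe material must fit inside the header volume. The sample header is constructed inline; the slot and size values are made up.

```python
import struct

# LUKS1 on-disk layout (cryptsetup LUKS1 spec): 208-byte fixed header, then 8 x 48-byte key slots.
LUKS_MAGIC = b"LUKS\xba\xbe"
HDR_FMT = ">6sH32s32s32sII20s32sI40s"  # magic, version, cipher, mode, hash, payload-off, key-bytes, digest, salt, iters, uuid
SLOT_FMT = ">II32sII"                   # active, iterations, salt, key-material-offset (sectors), stripes
HDR_LEN, SLOT_LEN = struct.calcsize(HDR_FMT), struct.calcsize(SLOT_FMT)
SLOT_ACTIVE, SLOT_DISABLED, SECTOR = 0x00AC71F3, 0x0000DEAD, 512


def cstr(b: bytes) -> str:
    """Decode a NUL-padded fixed-width string field."""
    return b.split(b"\0", 1)[0].decode()


def parse_luks1_header(buf: bytes) -> dict:
    """Parse the fixed LUKS1 header plus the key-slot table from a header-only volume."""
    if len(buf) < HDR_LEN + 8 * SLOT_LEN:
        raise ValueError("buffer shorter than a LUKS1 header")
    magic, ver, cipher, mode, hsh, payload_off, key_bytes, _d, _s, _i, uuid = struct.unpack_from(HDR_FMT, buf)
    if magic != LUKS_MAGIC or ver != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for i in range(8):
        active, iters, _salt, km_off, stripes = struct.unpack_from(SLOT_FMT, buf, HDR_LEN + i * SLOT_LEN)
        if active == SLOT_ACTIVE:
            slots.append({"slot": i, "iterations": iters, "km_offset": km_off, "stripes": stripes})
    return {"cipher": cstr(cipher), "mode": cstr(mode), "hash": cstr(hsh), "uuid": cstr(uuid),
            "payload_offset_sectors": payload_off, "key_bytes": key_bytes, "active_slots": slots}


def header_volume_min_size(hdr: dict) -> int:
    """Smallest header volume that still holds every active slot's split (stripe) key material."""
    end = HDR_LEN + 8 * SLOT_LEN
    for s in hdr["active_slots"]:
        end = max(end, s["km_offset"] * SECTOR + s["stripes"] * hdr["key_bytes"])
    return end


def build_sample_header() -> bytes:
    """Constructed sample (not a real image): aes-256-xts, one active slot, payload at sector 4096."""
    fixed = struct.pack(HDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                        b"\0" * 20, b"\0" * 32, 1000, b"00000000-0000-0000-0000-000000000000")
    slots = struct.pack(SLOT_FMT, SLOT_ACTIVE, 100000, b"\0" * 32, 8, 4000)
    slots += b"".join(struct.pack(SLOT_FMT, SLOT_DISABLED, 0, b"\0" * 32, 0, 0) for _ in range(7))
    return fixed + slots


if __name__ == "__main__":
    hdr = parse_luks1_header(build_sample_header())
    print(hdr["cipher"], hdr["mode"], hdr["payload_offset_sectors"], header_volume_min_size(hdr))
```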
To hot-add a raw disk with Gluks encryption, see the following steps:
1. add a protocol blockdev node of data disk
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
"arguments":{"node-name": "libvirt-1-storage", "driver": "file",
"filename": "/path/to/test_disk.raw"}}'
2. add a protocol blockdev node of Luks header
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
"arguments":{"node-name": "libvirt-2-storage", "driver": "file",
"filename": "/path/to/cipher.gluks" }}'
3. add the secret for decrypting the cipher stored in Gluks header
$ virsh qemu-monitor-command vm '{"execute":"object-add",
"arguments":{"qom-type": "secret", "id":
"libvirt-2-storage-secret0", "data": "abc123"}}'
4. add the Gluks-driven blockdev to connect the user disk with the Luks
header; QEMU will use the cipher in the Luks header to
encrypt/decrypt the disk data
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
"arguments":{"node-name": "libvirt-1-format", "driver": "gluks", "file":
"libvirt-1-storage", "header": "libvirt-2-storage", "key-secret":
"libvirt-2-storage-secret0"}}'
5. add the device finally
$ virsh qemu-monitor-command vm '{"execute":"device_add",
"arguments": {"num-queues": "1", "driver": "virtio-blk-pci", "scsi":
"off", "drive": "libvirt-1-format", "id": "virtio-disk1"}}'
Do the reverse to hot-del the raw disk.
To hot-add a qcow2 disk with Gluks encryption:
1. add a protocol blockdev node of data disk
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
"arguments":{"node-name": "libvirt-1-storage", "driver": "file",
"filename": "/path/to/test_disk.qcow2"}}'
2. add a protocol blockdev node of Luks header as above.
block ref: libvirt-2-storage
3. add the secret for decrypting the cipher stored in Gluks header as
above too
secret ref: libvirt-2-storage-secret0
4. add the qcow2-driven blockdev format node:
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
"arguments":{"node-name": "libvirt-1-format", "driver": "qcow2",
"file": "libvirt-1-storage"}}'
5. add the Gluks-driven blockdev to connect the qcow2 disk with the Luks
header
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
"arguments":{"node-name": "libvirt-2-format", "driver": "gluks",
"file": "libvirt-1-format", "header": "libvirt-2-storage",
"key-secret": "libvirt-2-storage-secret0"}}'
6. add the device finally
$ virsh qemu-monitor-command vm '{"execute":"device_add",
"arguments": {"num-queues": "1", "driver": "virtio-blk-pci", "scsi":
"off", "drive": "libvirt-2-format", "id": "virtio-disk2"}}'
In a virtual machine, several disk nodes are allowed to share a single
Gluks header.
This patchset, as previously said, is a proof of concept; additional
work may be required before productization. As the title suggests, we
have uploaded it solely for comments. Additionally, thorough testing
will be performed on the next version.
Any ideas and comments about this feature would be appreciated.
Thanks,
Yong
Best regards!
Hyman Huang (8):
crypto: Export util functions and structures
crypto: Introduce payload offset set function
Gluks: Add the basic framework
Gluks: Introduce Gluks options
qapi: Introduce Gluks types to qapi
crypto: Provide the Luks crypto driver to Gluks
Gluks: Implement the fundamental block layer driver hooks.
block: Support Gluks format image creation using qemu-img
block.c | 5 +
block/crypto.c | 20 +---
block/crypto.h | 23 ++++
block/generic-luks.c | 250 +++++++++++++++++++++++++++++++++++++++++
block/generic-luks.h | 29 +++++
block/meson.build | 1 +
crypto/block.c | 5 +
include/crypto/block.h | 1 +
qapi/block-core.json | 22 +++-
qapi/crypto.json | 10 +-
10 files changed, 348 insertions(+), 18 deletions(-)
create mode 100644 block/generic-luks.c
create mode 100644 block/generic-luks.h
--
2.39.1