From: Hyman Huang <yong.huang@smartx.com>
To: qemu-devel <qemu-devel@nongnu.org>
Cc: "Kevin Wolf" <kwolf@redhat.com>,
"Daniel P . Berrangé" <berrange@redhat.com>,
"Hanna Reitz" <hreitz@redhat.com>,
"Eric Blake" <eblake@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Hyman Huang" <yong.huang@smartx.com>
Subject: [PATCH RESEND v3 00/10] Support generic Luks encryption
Date: Mon, 25 Dec 2023 13:45:02 +0800 [thread overview]
Message-ID: <cover.1703482349.git.yong.huang@smartx.com> (raw)
v3:
- Rebase on master
- Add a test case for detached LUKS header
- Adjust the design to honour preallocation of the payload device
- Adjust the design to honour the payload offset from the header,
even when detached
- Support detached LUKS header creation using qemu-img
- Support detached LUKS header querying
- Do some code clean
Thanks for commenting on this series, please review.
Best regared,
Yong
v2:
- Simplify the design by reusing the LUKS driver to implement
the generic Luks encryption, thank Daniel for the insightful
advice.
- rebase on master.
This functionality was motivated by the following to-do list seen
in crypto documents:
https://wiki.qemu.org/Features/Block/Crypto
The last chapter says we should "separate header volume":
The LUKS format has ability to store the header in a separate volume
from the payload. We should extend the LUKS driver in QEMU to support
this use case.
By enhancing the LUKS driver, it is possible to enable
the detachable LUKS header and, as a result, achieve
general encryption for any disk format that QEMU has
supported.
Take the qcow2 as an example, the usage of the generic
LUKS encryption as follows:
1. add a protocol blockdev node of data disk
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
> "arguments":{"node-name":"libvirt-1-storage", "driver":"file",
> "filename":"/path/to/test_disk.qcow2"}}'
2. add a protocol blockdev node of LUKS header as above.
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
> "arguments":{"node-name":"libvirt-2-storage", "driver":"file",
> "filename": "/path/to/cipher.gluks" }}'
3. add the secret for decrypting the cipher stored in LUKS
header above
$ virsh qemu-monitor-command vm '{"execute":"object-add",
> "arguments":{"qom-type":"secret", "id":
> "libvirt-2-storage-secret0", "data":"abc123"}}'
4. add the qcow2-drived blockdev format node
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
> "arguments":{"node-name":"libvirt-1-format", "driver":"qcow2",
> "file":"libvirt-1-storage"}}'
5. add the luks-drived blockdev to link the qcow2 disk with
LUKS header by specifying the field "header"
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
> "arguments":{"node-name":"libvirt-2-format", "driver":"luks",
> "file":"libvirt-1-format", "header":"libvirt-2-storage",
> "key-secret":"libvirt-2-format-secret0"}}'
6. add the virtio-blk device finally
$ virsh qemu-monitor-command vm '{"execute":"device_add",
> "arguments": {"num-queues":"1", "driver":"virtio-blk-pci",
> "drive": "libvirt-2-format", "id":"virtio-disk2"}}'
The generic LUKS encryption method of starting a virtual
machine (VM) is somewhat similar to hot-plug in that both
maintaining the same json command while the starting VM
changes the "blockdev-add/device_add" parameters to
"blockdev/device".
Hyman Huang (10):
crypto: Introduce option and structure for detached LUKS header
crypto: Support generic LUKS encryption
qapi: Make parameter 'file' optional for BlockdevCreateOptionsLUKS
crypto: Introduce creation option and structure for detached LUKS
header
crypto: Mark the payload_offset_sector invalid for detached LUKS
header
block: Support detached LUKS header creation using blockdev-create
block: Support detached LUKS header creation using qemu-img
crypto: Introduce 'detached-header' field in QCryptoBlockInfoLUKS
tests: Add detached LUKS header case
MAINTAINERS: Add section "Detached LUKS header"
MAINTAINERS | 5 +
block.c | 5 +-
block/crypto.c | 146 ++++++++++--
block/crypto.h | 8 +
crypto/block-luks.c | 49 +++-
crypto/block.c | 1 +
crypto/blockpriv.h | 3 +
qapi/block-core.json | 14 +-
qapi/crypto.json | 13 +-
tests/qemu-iotests/210.out | 4 +
tests/qemu-iotests/tests/luks-detached-header | 214 ++++++++++++++++++
.../tests/luks-detached-header.out | 5 +
12 files changed, 436 insertions(+), 31 deletions(-)
create mode 100755 tests/qemu-iotests/tests/luks-detached-header
create mode 100644 tests/qemu-iotests/tests/luks-detached-header.out
--
2.39.1
next reply other threads:[~2023-12-25 5:49 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-25 5:45 Hyman Huang [this message]
2023-12-25 5:45 ` [PATCH RESEND v3 01/10] crypto: Introduce option and structure for detached LUKS header Hyman Huang
2024-01-11 14:35 ` Markus Armbruster
2024-01-11 14:58 ` Daniel P. Berrangé
2024-01-11 16:02 ` Yong Huang
2023-12-25 5:45 ` [PATCH RESEND v3 02/10] crypto: Support generic LUKS encryption Hyman Huang
2024-01-04 14:39 ` Daniel P. Berrangé
2024-01-07 11:56 ` Yong Huang
2023-12-25 5:45 ` [PATCH RESEND v3 03/10] qapi: Make parameter 'file' optional for BlockdevCreateOptionsLUKS Hyman Huang
2024-01-04 14:40 ` Daniel P. Berrangé
2023-12-25 5:45 ` [PATCH RESEND v3 04/10] crypto: Introduce creation option and structure for detached LUKS header Hyman Huang
2024-01-04 14:51 ` Daniel P. Berrangé
2024-01-07 11:58 ` Yong Huang
2023-12-25 5:45 ` [PATCH RESEND v3 05/10] crypto: Mark the payload_offset_sector invalid " Hyman Huang
2024-01-04 14:48 ` Daniel P. Berrangé
2023-12-25 5:45 ` [PATCH RESEND v3 06/10] block: Support detached LUKS header creation using blockdev-create Hyman Huang
2024-01-04 14:47 ` Daniel P. Berrangé
2024-01-11 14:05 ` Markus Armbruster
2024-01-11 15:52 ` Yong Huang
2023-12-25 5:45 ` [PATCH RESEND v3 07/10] block: Support detached LUKS header creation using qemu-img Hyman Huang
2023-12-25 5:45 ` [PATCH RESEND v3 08/10] crypto: Introduce 'detached-header' field in QCryptoBlockInfoLUKS Hyman Huang
2024-01-04 14:59 ` Daniel P. Berrangé
2023-12-25 5:45 ` [PATCH RESEND v3 09/10] tests: Add detached LUKS header case Hyman Huang
2023-12-25 5:45 ` [PATCH RESEND v3 10/10] MAINTAINERS: Add section "Detached LUKS header" Hyman Huang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1703482349.git.yong.huang@smartx.com \
--to=yong.huang@smartx.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=eblake@redhat.com \
--cc=hreitz@redhat.com \
--cc=kwolf@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).