From: Maxim Levitsky <mlevitsk@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>, Peter Krempa <pkrempa@redhat.com>,
	qemu-block@nongnu.org, Markus Armbruster <armbru@redhat.com>,
	qemu-devel@nongnu.org, John Ferlan <jferlan@redhat.com>,
	Max Reitz <mreitz@redhat.com>, John Snow <jsnow@redhat.com>
Subject: Re: API definition for LUKS key management [V2]
Date: Fri, 22 Nov 2019 16:22:18 +0200	[thread overview]
Message-ID: <d6ead0c3f9758b5def21dd690217bc9deeace2a9.camel@redhat.com> (raw)
In-Reply-To: <20191112100253.GM2366658@redhat.com>

Hi!

This is the second version of the proposed QMP API for key management,
after discussion with Kevin and Max.

Will this work?

Adding Peter Krempa to CC, to hear his opinion from the 
libvirt side.

Best regards,
	Maxim Levitsky


diff --git a/qapi/block-core.json b/qapi/block-core.json
index 0cf68fea14..63b4cd2a27 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -4725,6 +4725,69 @@
   'data': { 'job-id': 'str',
             'options': 'BlockdevCreateOptions' } }
 
+
+##
+# @BlockdevAmendOptionsQcow2:
+#
+# Options for amending the qcow2 image format
+# Currently only crypto related options can be amended
+#
+# @driver           block driver to create the image format
+#
+# Since: 5.0
+##
+{ 'struct': 'BlockdevAmendOptionsQcow2',
+  'data': {
+            '*encrypt': 'QCryptoBlockAmendOptions' } }
+
+##
+# @BlockdevAmendOptionsLUKS:
+#
+# Options for amending the luks image format
+#
+# @driver  block driver to create the image format
+#
+# Since: 5.0
+##
+{ 'struct': 'BlockdevAmendOptionsLUKS',
+  'base': 'QCryptoBlockAmendOptionsLUKS',
+  'data': {  }
+}
+
+##
+# @BlockdevAmendOptions:
+#
+# Options for amending blockdev configuration
+#
+# @driver   block driver that was used to create the block device
+#
+# Since: 5.0
+##
+{ 'union': 'BlockdevAmendOptions',
+  'base': {
+      'driver':         'BlockdevDriver' },
+  'discriminator': 'driver',
+  'data': {
+      'luks':           'BlockdevAmendOptionsLUKS',
+      'qcow2':          'BlockdevAmendOptionsQcow2'
+  } }
+
+##
+# @x-blockdev-amend:
+#
+# Starts a job to create an image format on a given node. The job is
+# automatically finalized, but a manual job-dismiss is required.
+#
+# @job-id:          Identifier for the newly created job.
+#
+# @options:         Options for the image creation.
+#
+# Since: 5.0
+##
+{ 'command': 'x-blockdev-amend',
+  'data': { 'job-id': 'str',
+            'options': 'BlockdevAmendOptions' } }
+
 ##
 # @blockdev-open-tray:
 #
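Review bot: x-blockdev-amend gives no way to name the node it should operate on; its 'data' carries only 'job-id' and 'options', yet the comment says the job runs "on a given node". Add a 'node-name' (or similar) member so the caller can identify the target, or document how the node is chosen. The doc comments also still read like blockdev-create: "Starts a job to create an image format on a given node" and "@options: Options for the image creation" should describe amending an existing image, and @BlockdevAmendOptionsQcow2 / @BlockdevAmendOptionsLUKS each document a "@driver" member that neither struct declares (driver lives only in the union's base), so those two lines should be dropped.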
diff --git a/qapi/crypto.json b/qapi/crypto.json
index b2a4cff683..019db682cd 100644
--- a/qapi/crypto.json
+++ b/qapi/crypto.json
@@ -309,3 +309,56 @@
   'base': 'QCryptoBlockInfoBase',
   'discriminator': 'format',
   'data': { 'luks': 'QCryptoBlockInfoLUKS' } }
+
+
+##
+# @LUKSKeyslotUpdate:
+#
+# @keyslot:         If specified, will update only keyslot with this index
+#
+# @old-secret:      If specified, will only update keyslots that
+#                   can be opened with password which is contained in
+#                   QCryptoSecret with @old-secret ID
+#
+#                   If neither @keyslot nor @old-secret is specified,
+#                   first empty keyslot is selected for the update
+#
+# @new-secret:      The ID of a QCryptoSecret object providing a new decryption
+#                   key to place in all matching keyslots. Empty string erases the
+#                   keyslot.
+# @iter-time:       number of milliseconds to spend in
+#                   PBKDF passphrase processing
+##
+{ 'struct': 'LUKSKeyslotUpdate',
+  'data': {
+         '*keyslot': 'int',
+         '*old-secret': 'str',
+         'new-secret' : 'str',
+         '*iter-time' : 'int' } }
+
+
+##
+# @QCryptoBlockAmendOptionsLUKS:
+#
+# The options that can be changed on existing luks encrypted device
+# @keys: list of keyslot updates to perform (updates are performed in order)
+#
+# Since: 5.0
+##
+{ 'struct': 'QCryptoBlockAmendOptionsLUKS',
+  'data' : { 'keys': ['LUKSKeyslotUpdate'] } }
+
+
+##
+# @QCryptoBlockAmendOptions:
+#
+# The options that are available for all encryption formats
+# when initializing a new volume
+#
+# Since: 5.0
+##
+{ 'union': 'QCryptoBlockAmendOptions',
+  'base': 'QCryptoBlockOptionsBase',
+  'discriminator': 'format',
+  'data': {
+            'luks': 'QCryptoBlockAmendOptionsLUKS' } }
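Review bot: the meaning of an empty @new-secret is undefined when neither @keyslot nor @old-secret is given: the comment says "first empty keyslot is selected for the update" in that case, so an erase would target a slot that is already empty. Require @keyslot or @old-secret whenever @new-secret is the empty string, and state what the job does if a matching erase would remove the last populated keyslot (refusing, or requiring an explicit override, avoids leaving the volume unopenable). Two smaller points: @LUKSKeyslotUpdate lacks a "Since: 5.0" line, and the @QCryptoBlockAmendOptions comment ("when initializing a new volume") is copied from the creation options and should say it applies to amending an existing volume.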