[PATCH v1] qemu: Add support for librbd encryption

Or Ozeri posted 1 patch 1 week, 3 days ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20210914104315.3088806-1-oro@il.ibm.com
docs/formatstorageencryption.html.in          |  8 +++-
docs/schemas/domainbackup.rng                 |  7 ++++
docs/schemas/storagecommon.rng                |  8 ++++
src/conf/storage_encryption_conf.c            | 30 +++++++++++++-
src/conf/storage_encryption_conf.h            | 11 +++++
src/qemu/qemu_block.c                         | 40 +++++++++++++++++++
src/qemu/qemu_domain.c                        |  3 +-
.../backup-pull-encrypted.xml                 |  6 +--
.../backup-pull-internal-invalid.xml          |  6 +--
.../backup-push-encrypted.xml                 |  6 +--
tests/qemustatusxml2xmldata/upgrade-out.xml   |  6 +--
tests/qemuxml2argvdata/disk-nvme.xml          |  2 +-
tests/qemuxml2argvdata/disk-slices.xml        |  4 +-
.../qemuxml2argvdata/encrypted-disk-usage.xml |  2 +-
tests/qemuxml2argvdata/encrypted-disk.xml     |  2 +-
.../luks-disks-source-qcow2.xml               | 14 +++----
tests/qemuxml2argvdata/luks-disks-source.xml  | 10 ++---
tests/qemuxml2argvdata/luks-disks.xml         |  4 +-
tests/qemuxml2argvdata/user-aliases.xml       |  2 +-
.../disk-slices.x86_64-latest.xml             |  4 +-
tests/qemuxml2xmloutdata/encrypted-disk.xml   |  2 +-
.../luks-disks-source-qcow2.x86_64-latest.xml | 14 +++----
.../qemuxml2xmloutdata/luks-disks-source.xml  | 10 ++---
.../storagevolxml2xmlout/vol-luks-cipher.xml  |  2 +-
tests/storagevolxml2xmlout/vol-luks.xml       |  2 +-
.../vol-qcow2-encryption.xml                  |  2 +-
tests/storagevolxml2xmlout/vol-qcow2-luks.xml |  2 +-
27 files changed, 154 insertions(+), 55 deletions(-)

[PATCH v1] qemu: Add support for librbd encryption

Posted by Or Ozeri 1 week, 3 days ago
Starting from ceph Pacific, RBD has built-in support for image-level encryption.
qemu 6.1 added support for this encryption using a new "encrypt" property
to the RBD qdict.
This commit extends the libvirt XML API to allow the user to choose between
the existing qemu encryption engine, and the new librbd encryption engine.

Signed-off-by: Or Ozeri <oro@il.ibm.com>
---
 docs/formatstorageencryption.html.in          |  8 +++-
 docs/schemas/domainbackup.rng                 |  7 ++++
 docs/schemas/storagecommon.rng                |  8 ++++
 src/conf/storage_encryption_conf.c            | 30 +++++++++++++-
 src/conf/storage_encryption_conf.h            | 11 +++++
 src/qemu/qemu_block.c                         | 40 +++++++++++++++++++
 src/qemu/qemu_domain.c                        |  3 +-
 .../backup-pull-encrypted.xml                 |  6 +--
 .../backup-pull-internal-invalid.xml          |  6 +--
 .../backup-push-encrypted.xml                 |  6 +--
 tests/qemustatusxml2xmldata/upgrade-out.xml   |  6 +--
 tests/qemuxml2argvdata/disk-nvme.xml          |  2 +-
 tests/qemuxml2argvdata/disk-slices.xml        |  4 +-
 .../qemuxml2argvdata/encrypted-disk-usage.xml |  2 +-
 tests/qemuxml2argvdata/encrypted-disk.xml     |  2 +-
 .../luks-disks-source-qcow2.xml               | 14 +++----
 tests/qemuxml2argvdata/luks-disks-source.xml  | 10 ++---
 tests/qemuxml2argvdata/luks-disks.xml         |  4 +-
 tests/qemuxml2argvdata/user-aliases.xml       |  2 +-
 .../disk-slices.x86_64-latest.xml             |  4 +-
 tests/qemuxml2xmloutdata/encrypted-disk.xml   |  2 +-
 .../luks-disks-source-qcow2.x86_64-latest.xml | 14 +++----
 .../qemuxml2xmloutdata/luks-disks-source.xml  | 10 ++---
 .../storagevolxml2xmlout/vol-luks-cipher.xml  |  2 +-
 tests/storagevolxml2xmlout/vol-luks.xml       |  2 +-
 .../vol-qcow2-encryption.xml                  |  2 +-
 tests/storagevolxml2xmlout/vol-qcow2-luks.xml |  2 +-
 27 files changed, 154 insertions(+), 55 deletions(-)

diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
index 7215c307d7..e0eb8697aa 100644
--- a/docs/formatstorageencryption.html.in
+++ b/docs/formatstorageencryption.html.in
@@ -18,11 +18,17 @@
       is <code>encryption</code>, with a mandatory
       attribute <code>format</code>.  Currently defined values
       of <code>format</code> are <code>default</code>, <code>qcow</code>,
-      and <code>luks</code>.
+      <code>luks</code>, and <code>luks2</code>.
       Each value of <code>format</code> implies some expectations about the
       content of the <code>encryption</code> tag.  Other format values may be
       defined in the future.
     </p>
+    <p>
+      The <code>encryption</code> tag supports an optional <code>engine</code>
+      tag, which allows selecting which component actually handles
+      the encryption. Currently defined values of <code>engine</code> are
+      <code>qemu</code> (default) and <code>librbd</code>.
+    </p>
     <p>
       The <code>encryption</code> tag can currently contain a sequence of
       <code>secret</code> tags, each with mandatory attributes <code>type</code>
diff --git a/docs/schemas/domainbackup.rng b/docs/schemas/domainbackup.rng
index c03455a5a7..05cc28ab00 100644
--- a/docs/schemas/domainbackup.rng
+++ b/docs/schemas/domainbackup.rng
@@ -14,6 +14,13 @@
           <value>luks</value>
         </choice>
       </attribute>
+      <optional>
+        <attribute name="engine">
+          <choice>
+            <value>qemu</value>
+          </choice>
+        </attribute>
+      </optional>
       <interleave>
         <ref name="secret"/>
         <optional>
diff --git a/docs/schemas/storagecommon.rng b/docs/schemas/storagecommon.rng
index 9ebb27700d..3ddff02e43 100644
--- a/docs/schemas/storagecommon.rng
+++ b/docs/schemas/storagecommon.rng
@@ -15,6 +15,14 @@
           <value>luks</value>
         </choice>
       </attribute>
+      <optional>
+        <attribute name="engine">
+          <choice>
+            <value>qemu</value>
+            <value>librbd</value>
+          </choice>
+        </attribute>
+      </optional>
       <interleave>
         <ref name="secret"/>
         <optional>
diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
index 9112b96cc7..64044057bf 100644
--- a/src/conf/storage_encryption_conf.c
+++ b/src/conf/storage_encryption_conf.c
@@ -44,7 +44,12 @@ VIR_ENUM_IMPL(virStorageEncryptionSecret,
 
 VIR_ENUM_IMPL(virStorageEncryptionFormat,
               VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
-              "default", "qcow", "luks",
+              "default", "qcow", "luks", "luks2",
+);
+
+VIR_ENUM_IMPL(virStorageEncryptionEngine,
+              VIR_STORAGE_ENCRYPTION_ENGINE_LAST,
+              "qemu", "librbd",
 );
 
 static void
@@ -217,6 +222,7 @@ virStorageEncryptionParseNode(xmlNodePtr node,
     xmlNodePtr *nodes = NULL;
     virStorageEncryption *encdef = NULL;
     virStorageEncryption *ret = NULL;
+    g_autofree char *engine_str = NULL;
     g_autofree char *format_str = NULL;
     int n;
     size_t i;
@@ -239,6 +245,18 @@ virStorageEncryptionParseNode(xmlNodePtr node,
         goto cleanup;
     }
 
+    if (!(engine_str = virXPathString("string(./@engine)", ctxt))) {
+        encdef->engine = VIR_STORAGE_ENCRYPTION_ENGINE_QEMU;
+    } else {
+        if ((encdef->engine =
+             virStorageEncryptionEngineTypeFromString(engine_str)) < 0) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                           _("unknown volume encryption engine type %s"),
+                           engine_str);
+            goto cleanup;
+        }
+    }
+
     if ((n = virXPathNodeSet("./secret", ctxt, &nodes)) < 0)
         goto cleanup;
 
@@ -327,15 +345,23 @@ int
 virStorageEncryptionFormat(virBuffer *buf,
                            virStorageEncryption *enc)
 {
+    const char *engine;
     const char *format;
     size_t i;
 
+    if (!(engine = virStorageEncryptionEngineTypeToString(enc->engine))) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       "%s", _("unexpected encryption engine"));
+        return -1;
+    }
+
     if (!(format = virStorageEncryptionFormatTypeToString(enc->format))) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
                        "%s", _("unexpected encryption format"));
         return -1;
     }
-    virBufferAsprintf(buf, "<encryption format='%s'>\n", format);
+    virBufferAsprintf(buf, "<encryption format='%s' engine='%s'>\n", format,
+                      engine);
     virBufferAdjustIndent(buf, 2);
 
     for (i = 0; i < enc->nsecrets; i++) {
diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h
index 34adbd5f7b..bd8787be98 100644
--- a/src/conf/storage_encryption_conf.h
+++ b/src/conf/storage_encryption_conf.h
@@ -51,11 +51,21 @@ struct _virStorageEncryptionInfoDef {
     char *ivgen_hash;
 };
 
+typedef enum {
+    /* "default" is only valid for volume creation */
+    VIR_STORAGE_ENCRYPTION_ENGINE_QEMU = 0, /* default */
+    VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD,
+
+    VIR_STORAGE_ENCRYPTION_ENGINE_LAST,
+} virStorageEncryptionEngineType;
+VIR_ENUM_DECL(virStorageEncryptionEngine);
+
 typedef enum {
     /* "default" is only valid for volume creation */
     VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT = 0,
     VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */
     VIR_STORAGE_ENCRYPTION_FORMAT_LUKS,
+    VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2,
 
     VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
 } virStorageEncryptionFormatType;
@@ -63,6 +73,7 @@ VIR_ENUM_DECL(virStorageEncryptionFormat);
 
 typedef struct _virStorageEncryption virStorageEncryption;
 struct _virStorageEncryption {
+    int engine; /* virStorageEncryptionEngineType */
     int format; /* virStorageEncryptionFormatType */
     int payload_offset;
 
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index 0bc92f6a23..e064e5a490 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -875,6 +875,8 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src,
     qemuDomainStorageSourcePrivate *srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(src);
     g_autoptr(virJSONValue) servers = NULL;
     virJSONValue *ret = NULL;
+    g_autoptr(virJSONValue) encrypt = NULL;
+    const char *encformat;
     const char *username = NULL;
     g_autoptr(virJSONValue) authmodes = NULL;
     g_autoptr(virJSONValue) mode = NULL;
@@ -899,12 +901,47 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src,
             return NULL;
     }
 
+    if (src->encryption &&
+        src->encryption->engine == VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD) {
+        switch ((virStorageEncryptionFormatType) src->encryption->format) {
+            case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
+                encformat = "luks";
+                break;
+
+            case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
+                encformat = "luks2";
+                break;
+
+            case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+            case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
+            case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
+            default:
+                virReportEnumRangeError(virStorageEncryptionFormatType,
+                                        src->encryption->format);
+                return NULL;
+        }
+
+        if (!srcPriv || !srcPriv->encinfo || !srcPriv->encinfo->s.aes.alias) {
+            virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                           _("missing secret info for rbd encryption driver"));
+            return NULL;
+        }
+
+        encrypt = virJSONValueNewObject();
+        if (virJSONValueObjectAdd(encrypt,
+                                  "s:format", encformat,
+                                  "s:key-secret", srcPriv->encinfo->s.aes.alias,
+                                  NULL) < 0)
+            return NULL;
+    }
+
     if (virJSONValueObjectCreate(&ret,
                                  "s:pool", src->volume,
                                  "s:image", src->path,
                                  "S:snapshot", src->snapshot,
                                  "S:conf", src->configFile,
                                  "A:server", &servers,
+                                 "A:encrypt", &encrypt,
                                  "S:user", username,
                                  "A:auth-client-required", &authmodes,
                                  "S:key-secret", keysecret,
@@ -1318,6 +1355,7 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
      * VIR_DOMAIN_SECRET_INFO_TYPE_AES works here. The correct type needs to be
      * instantiated elsewhere. */
     if (!src->encryption ||
+        src->encryption->engine != VIR_STORAGE_ENCRYPTION_ENGINE_QEMU ||
         !srcpriv ||
         !srcpriv->encinfo ||
         srcpriv->encinfo->type != VIR_DOMAIN_SECRET_INFO_TYPE_AES)
@@ -1333,6 +1371,7 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
         break;
 
     case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+    case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
     case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
     default:
         virReportEnumRangeError(virStorageEncryptionFormatType,
@@ -1453,6 +1492,7 @@ qemuBlockStorageSourceGetBlockdevFormatProps(virStorageSource *src)
          * put a raw layer on top */
     case VIR_STORAGE_FILE_RAW:
         if (src->encryption &&
+            src->encryption->engine == VIR_STORAGE_ENCRYPTION_ENGINE_QEMU &&
             src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) {
             if (qemuBlockStorageSourceGetFormatLUKSProps(src, props) < 0)
                 return NULL;
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 25b7f03204..cd7d19a0c5 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1354,7 +1354,8 @@ static bool
 qemuDomainDiskHasEncryptionSecret(virStorageSource *src)
 {
     if (!virStorageSourceIsEmpty(src) && src->encryption &&
-        src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS &&
+        (src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS ||
+         src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2) &&
         src->encryption->nsecrets > 0)
         return true;
 
diff --git a/tests/domainbackupxml2xmlout/backup-pull-encrypted.xml b/tests/domainbackupxml2xmlout/backup-pull-encrypted.xml
index 42051d1d24..e975feddc5 100644
--- a/tests/domainbackupxml2xmlout/backup-pull-encrypted.xml
+++ b/tests/domainbackupxml2xmlout/backup-pull-encrypted.xml
@@ -5,7 +5,7 @@
     <disk name='vda' backup='yes' type='file' backupmode='incremental' incremental='1525889631' exportname='test-vda' exportbitmap='blah'>
       <driver type='qcow2'/>
       <scratch file='/path/to/file'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </scratch>
@@ -13,7 +13,7 @@
     <disk name='vdb' backup='yes' type='file' backupmode='incremental' incremental='1525889631' exportname='test-vda' exportbitmap='blah'>
       <driver type='qcow2'/>
       <scratch file='/path/to/file'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' usage='/storage/backup/vdb'/>
         </encryption>
       </scratch>
@@ -21,7 +21,7 @@
     <disk name='vdc' backup='yes' type='block' backupmode='incremental' incremental='1525889631'>
       <driver type='qcow2'/>
       <scratch dev='/dev/block'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' usage='/storage/backup/vdc'/>
         </encryption>
       </scratch>
diff --git a/tests/domainbackupxml2xmlout/backup-pull-internal-invalid.xml b/tests/domainbackupxml2xmlout/backup-pull-internal-invalid.xml
index 092b6bf8a7..80c2c8f7d8 100644
--- a/tests/domainbackupxml2xmlout/backup-pull-internal-invalid.xml
+++ b/tests/domainbackupxml2xmlout/backup-pull-internal-invalid.xml
@@ -5,7 +5,7 @@
     <disk name='vda' backup='yes' state='running' type='file' backupmode='incremental' incremental='1525889631' exportname='test-vda' exportbitmap='blah'>
       <driver type='qcow2'/>
       <scratch file='/path/to/file'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </scratch>
@@ -13,7 +13,7 @@
     <disk name='vdb' backup='yes' state='complete' type='file' backupmode='incremental' incremental='1525889631' exportname='test-vda' exportbitmap='blah'>
       <driver type='qcow2'/>
       <scratch file='/path/to/file'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' usage='/storage/backup/vdb'/>
         </encryption>
       </scratch>
@@ -21,7 +21,7 @@
     <disk name='vdc' backup='yes' state='running' type='block' backupmode='incremental' incremental='1525889631'>
       <driver type='qcow2'/>
       <scratch dev='/dev/block'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' usage='/storage/backup/vdc'/>
         </encryption>
       </scratch>
diff --git a/tests/domainbackupxml2xmlout/backup-push-encrypted.xml b/tests/domainbackupxml2xmlout/backup-push-encrypted.xml
index 3b664b0dcb..95cf16a4b3 100644
--- a/tests/domainbackupxml2xmlout/backup-push-encrypted.xml
+++ b/tests/domainbackupxml2xmlout/backup-push-encrypted.xml
@@ -4,7 +4,7 @@
     <disk name='vda' backup='yes' type='file' backupmode='incremental' incremental='1525889631'>
       <driver type='qcow2'/>
       <target file='/path/to/file'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </target>
@@ -12,7 +12,7 @@
     <disk name='vdb' backup='yes' type='file' backupmode='incremental' incremental='1525889631'>
       <driver type='raw'/>
       <target file='/path/to/file'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' usage='/storage/backup/vdb'/>
         </encryption>
       </target>
@@ -20,7 +20,7 @@
     <disk name='vdc' backup='yes' type='block' backupmode='incremental' incremental='1525889631'>
       <driver type='qcow2'/>
       <target dev='/dev/block'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' usage='/storage/backup/vdc'/>
         </encryption>
       </target>
diff --git a/tests/qemustatusxml2xmldata/upgrade-out.xml b/tests/qemustatusxml2xmldata/upgrade-out.xml
index f9476731f6..5218092cb9 100644
--- a/tests/qemustatusxml2xmldata/upgrade-out.xml
+++ b/tests/qemustatusxml2xmldata/upgrade-out.xml
@@ -316,7 +316,7 @@
       <disk type='file' device='disk'>
         <driver name='qemu' type='qcow2'/>
         <source file='/var/lib/libvirt/images/b.qcow2'>
-          <encryption format='luks'>
+          <encryption format='luks' engine='qemu'>
             <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
           </encryption>
           <privateData>
@@ -333,7 +333,7 @@
       <disk type='file' device='disk'>
         <driver name='qemu' type='qcow2'/>
         <source file='/var/lib/libvirt/images/c.qcow2'>
-          <encryption format='luks'>
+          <encryption format='luks' engine='qemu'>
             <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
           </encryption>
           <privateData>
@@ -354,7 +354,7 @@
           <auth username='testuser-iscsi'>
             <secret type='iscsi' usage='testuser-iscsi-secret'/>
           </auth>
-          <encryption format='luks'>
+          <encryption format='luks' engine='qemu'>
             <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
           </encryption>
           <privateData>
diff --git a/tests/qemuxml2argvdata/disk-nvme.xml b/tests/qemuxml2argvdata/disk-nvme.xml
index 1ccbbfd598..9a5fafce7d 100644
--- a/tests/qemuxml2argvdata/disk-nvme.xml
+++ b/tests/qemuxml2argvdata/disk-nvme.xml
@@ -42,7 +42,7 @@
       <driver name='qemu' type='qcow2' cache='none'/>
       <source type='pci' managed='no' namespace='2'>
         <address domain='0x0001' bus='0x02' slot='0x00' function='0x0'/>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
diff --git a/tests/qemuxml2argvdata/disk-slices.xml b/tests/qemuxml2argvdata/disk-slices.xml
index 016aa1b905..849809f05a 100644
--- a/tests/qemuxml2argvdata/disk-slices.xml
+++ b/tests/qemuxml2argvdata/disk-slices.xml
@@ -44,7 +44,7 @@
         <slices>
           <slice type='storage' offset='1234' size='321'/>
         </slices>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
@@ -69,7 +69,7 @@
         <slices>
           <slice type='storage' offset='1234' size='321'/>
         </slices>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
diff --git a/tests/qemuxml2argvdata/encrypted-disk-usage.xml b/tests/qemuxml2argvdata/encrypted-disk-usage.xml
index 7c2da9ee83..d2b87b94b6 100644
--- a/tests/qemuxml2argvdata/encrypted-disk-usage.xml
+++ b/tests/qemuxml2argvdata/encrypted-disk-usage.xml
@@ -18,7 +18,7 @@
       <driver name='qemu' type='qcow2'/>
       <source file='/storage/guest_disks/encryptdisk'/>
       <target dev='vda' bus='virtio'/>
-      <encryption format='luks'>
+      <encryption format='luks' engine='qemu'>
         <secret type='passphrase' usage='/storage/guest_disks/encryptdisk'/>
       </encryption>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
diff --git a/tests/qemuxml2argvdata/encrypted-disk.xml b/tests/qemuxml2argvdata/encrypted-disk.xml
index e996cde889..a75ed7ebf4 100644
--- a/tests/qemuxml2argvdata/encrypted-disk.xml
+++ b/tests/qemuxml2argvdata/encrypted-disk.xml
@@ -18,7 +18,7 @@
       <driver name='qemu' type='qcow2'/>
       <source file='/storage/guest_disks/encryptdisk'/>
       <target dev='vda' bus='virtio'/>
-      <encryption format='luks'>
+      <encryption format='luks' engine='qemu'>
         <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
       </encryption>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
diff --git a/tests/qemuxml2argvdata/luks-disks-source-qcow2.xml b/tests/qemuxml2argvdata/luks-disks-source-qcow2.xml
index 7192ca00bd..46d2036cc3 100644
--- a/tests/qemuxml2argvdata/luks-disks-source-qcow2.xml
+++ b/tests/qemuxml2argvdata/luks-disks-source-qcow2.xml
@@ -17,7 +17,7 @@
     <disk type='file' device='disk'>
       <driver name='qemu' type='qcow2'/>
       <source file='/storage/guest_disks/encryptdisk'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
@@ -27,7 +27,7 @@
     <disk type='file' device='disk'>
       <driver name='qemu' type='qcow2'/>
       <source file='/storage/guest_disks/encryptdisk2'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' usage='/storage/guest_disks/encryptdisk2'/>
         </encryption>
       </source>
@@ -41,7 +41,7 @@
         <auth username='myname'>
           <secret type='iscsi' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80e80'/>
         </auth>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f77'/>
         </encryption>
       </source>
@@ -50,7 +50,7 @@
     <disk type='volume' device='disk'>
       <driver name='qemu' type='qcow2'/>
       <source pool='pool-iscsi' volume='unit:0:0:3' mode='direct'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f80'/>
         </encryption>
       </source>
@@ -62,7 +62,7 @@
         <host name='mon1.example.org' port='6321'/>
         <host name='mon2.example.org' port='6322'/>
         <host name='mon3.example.org' port='6322'/>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
         </encryption>
       </source>
@@ -71,14 +71,14 @@
     <disk type='file' device='disk'>
       <driver name='qemu' type='qcow2'/>
       <source file='/storage/guest_disks/encryptdisk5'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
       <backingStore type='file'>
         <format type='qcow2'/>
         <source file='/storage/guest_disks/base.qcow2'>
-          <encryption format='luks'>
+          <encryption format='luks' engine='qemu'>
             <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
           </encryption>
           </source>
diff --git a/tests/qemuxml2argvdata/luks-disks-source.xml b/tests/qemuxml2argvdata/luks-disks-source.xml
index 293877df9e..72d97d2f4b 100644
--- a/tests/qemuxml2argvdata/luks-disks-source.xml
+++ b/tests/qemuxml2argvdata/luks-disks-source.xml
@@ -17,7 +17,7 @@
     <disk type='file' device='disk'>
       <driver name='qemu' type='raw'/>
       <source file='/storage/guest_disks/encryptdisk'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
@@ -27,7 +27,7 @@
     <disk type='file' device='disk'>
       <driver name='qemu' type='raw'/>
       <source file='/storage/guest_disks/encryptdisk2'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' usage='/storage/guest_disks/encryptdisk2'/>
         </encryption>
       </source>
@@ -41,7 +41,7 @@
         <auth username='myname'>
           <secret type='iscsi' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80e80'/>
         </auth>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f77'/>
         </encryption>
       </source>
@@ -50,7 +50,7 @@
     <disk type='volume' device='disk'>
       <driver name='qemu' type='raw'/>
       <source pool='pool-iscsi' volume='unit:0:0:3' mode='direct'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f80'/>
         </encryption>
       </source>
@@ -62,7 +62,7 @@
         <host name='mon1.example.org' port='6321'/>
         <host name='mon2.example.org' port='6322'/>
         <host name='mon3.example.org' port='6322'/>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
         </encryption>
       </source>
diff --git a/tests/qemuxml2argvdata/luks-disks.xml b/tests/qemuxml2argvdata/luks-disks.xml
index ae6d3d996c..1c76f0dc26 100644
--- a/tests/qemuxml2argvdata/luks-disks.xml
+++ b/tests/qemuxml2argvdata/luks-disks.xml
@@ -18,7 +18,7 @@
       <driver name='qemu' type='raw'/>
       <source file='/storage/guest_disks/encryptdisk'/>
       <target dev='vda' bus='virtio'/>
-      <encryption format='luks'>
+      <encryption format='luks' engine='qemu'>
         <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
       </encryption>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
@@ -27,7 +27,7 @@
       <driver name='qemu' type='raw'/>
       <source file='/storage/guest_disks/encryptdisk2'/>
       <target dev='vdb' bus='virtio'/>
-      <encryption format='luks'>
+      <encryption format='luks' engine='qemu'>
         <secret type='passphrase' usage='/storage/guest_disks/encryptdisk2'/>
       </encryption>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
diff --git a/tests/qemuxml2argvdata/user-aliases.xml b/tests/qemuxml2argvdata/user-aliases.xml
index 47bfc56e73..10b7749521 100644
--- a/tests/qemuxml2argvdata/user-aliases.xml
+++ b/tests/qemuxml2argvdata/user-aliases.xml
@@ -55,7 +55,7 @@
       <driver name='qemu' type='qcow2'/>
       <source file='/var/lib/libvirt/images/OtherDemo.img'/>
       <target dev='vdb' bus='virtio'/>
-      <encryption format='luks'>
+      <encryption format='luks' engine='qemu'>
         <secret type='passphrase' uuid='e78d4b51-a2af-485f-b0f5-afca709a80f4'/>
       </encryption>
       <alias name='ua-myEncryptedDisk1'/>
diff --git a/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml b/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml
index be5cd25084..a058cbad61 100644
--- a/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml
@@ -49,7 +49,7 @@
         <slices>
           <slice type='storage' offset='1234' size='321'/>
         </slices>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
@@ -75,7 +75,7 @@
         <slices>
           <slice type='storage' offset='1234' size='321'/>
         </slices>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
diff --git a/tests/qemuxml2xmloutdata/encrypted-disk.xml b/tests/qemuxml2xmloutdata/encrypted-disk.xml
index 06f2c5b47c..e30c8a36e8 100644
--- a/tests/qemuxml2xmloutdata/encrypted-disk.xml
+++ b/tests/qemuxml2xmloutdata/encrypted-disk.xml
@@ -18,7 +18,7 @@
       <driver name='qemu' type='qcow2'/>
       <source file='/storage/guest_disks/encryptdisk'/>
       <target dev='vda' bus='virtio'/>
-      <encryption format='luks'>
+      <encryption format='luks' engine='qemu'>
         <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
       </encryption>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
diff --git a/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml b/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml
index 5f600f5ba7..7f98dd597e 100644
--- a/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml
@@ -20,7 +20,7 @@
     <disk type='file' device='disk'>
       <driver name='qemu' type='qcow2'/>
       <source file='/storage/guest_disks/encryptdisk'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
@@ -30,7 +30,7 @@
     <disk type='file' device='disk'>
       <driver name='qemu' type='qcow2'/>
       <source file='/storage/guest_disks/encryptdisk2'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' usage='/storage/guest_disks/encryptdisk2'/>
         </encryption>
       </source>
@@ -44,7 +44,7 @@
         <auth username='myname'>
           <secret type='iscsi' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80e80'/>
         </auth>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f77'/>
         </encryption>
       </source>
@@ -54,7 +54,7 @@
     <disk type='volume' device='disk'>
       <driver name='qemu' type='qcow2'/>
       <source pool='pool-iscsi' volume='unit:0:0:3' mode='direct'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f80'/>
         </encryption>
       </source>
@@ -67,7 +67,7 @@
         <host name='mon1.example.org' port='6321'/>
         <host name='mon2.example.org' port='6322'/>
         <host name='mon3.example.org' port='6322'/>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
         </encryption>
       </source>
@@ -77,14 +77,14 @@
     <disk type='file' device='disk'>
       <driver name='qemu' type='qcow2'/>
       <source file='/storage/guest_disks/encryptdisk5'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
       <backingStore type='file'>
         <format type='qcow2'/>
         <source file='/storage/guest_disks/base.qcow2'>
-          <encryption format='luks'>
+          <encryption format='luks' engine='qemu'>
             <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
           </encryption>
         </source>
diff --git a/tests/qemuxml2xmloutdata/luks-disks-source.xml b/tests/qemuxml2xmloutdata/luks-disks-source.xml
index 5333d4ac6e..891b5d9d17 100644
--- a/tests/qemuxml2xmloutdata/luks-disks-source.xml
+++ b/tests/qemuxml2xmloutdata/luks-disks-source.xml
@@ -17,7 +17,7 @@
     <disk type='file' device='disk'>
       <driver name='qemu' type='raw'/>
       <source file='/storage/guest_disks/encryptdisk'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
@@ -27,7 +27,7 @@
     <disk type='file' device='disk'>
       <driver name='qemu' type='raw'/>
       <source file='/storage/guest_disks/encryptdisk2'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' usage='/storage/guest_disks/encryptdisk2'/>
         </encryption>
       </source>
@@ -41,7 +41,7 @@
         <auth username='myname'>
           <secret type='iscsi' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80e80'/>
         </auth>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f77'/>
         </encryption>
       </source>
@@ -51,7 +51,7 @@
     <disk type='volume' device='disk'>
       <driver name='qemu' type='raw'/>
       <source pool='pool-iscsi' volume='unit:0:0:3' mode='direct'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f80'/>
         </encryption>
       </source>
@@ -64,7 +64,7 @@
         <host name='mon1.example.org' port='6321'/>
         <host name='mon2.example.org' port='6322'/>
         <host name='mon3.example.org' port='6322'/>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
         </encryption>
       </source>
diff --git a/tests/storagevolxml2xmlout/vol-luks-cipher.xml b/tests/storagevolxml2xmlout/vol-luks-cipher.xml
index fd99793612..b3fbcbe9a3 100644
--- a/tests/storagevolxml2xmlout/vol-luks-cipher.xml
+++ b/tests/storagevolxml2xmlout/vol-luks-cipher.xml
@@ -12,7 +12,7 @@
       <group>0</group>
       <label>unconfined_u:object_r:virt_image_t:s0</label>
     </permissions>
-    <encryption format='luks'>
+    <encryption format='luks' engine='qemu'>
       <secret type='passphrase' uuid='f52a81b2-424e-490c-823d-6bd4235bc572'/>
       <cipher name='serpent' size='256' mode='cbc' hash='sha256'/>
       <ivgen name='plain64' hash='sha256'/>
diff --git a/tests/storagevolxml2xmlout/vol-luks.xml b/tests/storagevolxml2xmlout/vol-luks.xml
index c011d4cc62..8ff345ecb3 100644
--- a/tests/storagevolxml2xmlout/vol-luks.xml
+++ b/tests/storagevolxml2xmlout/vol-luks.xml
@@ -12,7 +12,7 @@
       <group>0</group>
       <label>unconfined_u:object_r:virt_image_t:s0</label>
     </permissions>
-    <encryption format='luks'>
+    <encryption format='luks' engine='qemu'>
       <secret type='passphrase' uuid='f52a81b2-424e-490c-823d-6bd4235bc572'/>
     </encryption>
   </target>
diff --git a/tests/storagevolxml2xmlout/vol-qcow2-encryption.xml b/tests/storagevolxml2xmlout/vol-qcow2-encryption.xml
index 837adf41b1..d9a34492bb 100644
--- a/tests/storagevolxml2xmlout/vol-qcow2-encryption.xml
+++ b/tests/storagevolxml2xmlout/vol-qcow2-encryption.xml
@@ -12,7 +12,7 @@
       <group>0</group>
       <label>unconfined_u:object_r:virt_image_t:s0</label>
     </permissions>
-    <encryption format='qcow'>
+    <encryption format='qcow' engine='qemu'>
       <secret type='passphrase' uuid='e78d4b51-a2af-485f-b0f5-afca709a80f4'/>
     </encryption>
   </target>
diff --git a/tests/storagevolxml2xmlout/vol-qcow2-luks.xml b/tests/storagevolxml2xmlout/vol-qcow2-luks.xml
index 78edc4239c..63f2bdf9b2 100644
--- a/tests/storagevolxml2xmlout/vol-qcow2-luks.xml
+++ b/tests/storagevolxml2xmlout/vol-qcow2-luks.xml
@@ -12,7 +12,7 @@
       <group>0</group>
       <label>unconfined_u:object_r:virt_image_t:s0</label>
     </permissions>
-    <encryption format='luks'>
+    <encryption format='luks' engine='qemu'>
       <secret type='passphrase' uuid='e78d4b51-a2af-485f-b0f5-afca709a80f4'/>
     </encryption>
   </target>
-- 
2.25.1

Re: [PATCH v1] qemu: Add support for librbd encryption

Posted by Peter Krempa 1 week, 3 days ago
On Tue, Sep 14, 2021 at 05:43:15 -0500, Or Ozeri wrote:
> Starting from ceph Pacific, RBD has built-in support for image-level encryption.
> qemu 6.1 added support for this encryption using a new "encrypt" property
> to the RBD qdict.
> This commit extends the libvirt XML API to allow the user to choose between
> the existing qemu encryption engine, and the new librbd encryption engine.
> 
> Signed-off-by: Or Ozeri <oro@il.ibm.com>
> ---
>  docs/formatstorageencryption.html.in          |  8 +++-
>  docs/schemas/domainbackup.rng                 |  7 ++++
>  docs/schemas/storagecommon.rng                |  8 ++++
>  src/conf/storage_encryption_conf.c            | 30 +++++++++++++-
>  src/conf/storage_encryption_conf.h            | 11 +++++
>  src/qemu/qemu_block.c                         | 40 +++++++++++++++++++
>  src/qemu/qemu_domain.c                        |  3 +-
>  .../backup-pull-encrypted.xml                 |  6 +--
>  .../backup-pull-internal-invalid.xml          |  6 +--
>  .../backup-push-encrypted.xml                 |  6 +--
>  tests/qemustatusxml2xmldata/upgrade-out.xml   |  6 +--
>  tests/qemuxml2argvdata/disk-nvme.xml          |  2 +-
>  tests/qemuxml2argvdata/disk-slices.xml        |  4 +-
>  .../qemuxml2argvdata/encrypted-disk-usage.xml |  2 +-
>  tests/qemuxml2argvdata/encrypted-disk.xml     |  2 +-
>  .../luks-disks-source-qcow2.xml               | 14 +++----
>  tests/qemuxml2argvdata/luks-disks-source.xml  | 10 ++---
>  tests/qemuxml2argvdata/luks-disks.xml         |  4 +-
>  tests/qemuxml2argvdata/user-aliases.xml       |  2 +-
>  .../disk-slices.x86_64-latest.xml             |  4 +-
>  tests/qemuxml2xmloutdata/encrypted-disk.xml   |  2 +-
>  .../luks-disks-source-qcow2.x86_64-latest.xml | 14 +++----
>  .../qemuxml2xmloutdata/luks-disks-source.xml  | 10 ++---
>  .../storagevolxml2xmlout/vol-luks-cipher.xml  |  2 +-
>  tests/storagevolxml2xmlout/vol-luks.xml       |  2 +-
>  .../vol-qcow2-encryption.xml                  |  2 +-
>  tests/storagevolxml2xmlout/vol-qcow2-luks.xml |  2 +-
>  27 files changed, 154 insertions(+), 55 deletions(-)

There's a bit too much going on in this single commit. You'll probably
need to split it into more granular pieces.

> 
> diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
> index 7215c307d7..e0eb8697aa 100644
> --- a/docs/formatstorageencryption.html.in
> +++ b/docs/formatstorageencryption.html.in
> @@ -18,11 +18,17 @@
>        is <code>encryption</code>, with a mandatory
>        attribute <code>format</code>.  Currently defined values
>        of <code>format</code> are <code>default</code>, <code>qcow</code>,
> -      and <code>luks</code>.
> +      <code>luks</code>, and <code>luks2</code>.

Adding 'luks2' ...

>        Each value of <code>format</code> implies some expectations about the
>        content of the <code>encryption</code> tag.  Other format values may be
>        defined in the future.
>      </p>
> +    <p>
> +      The <code>encryption</code> tag supports an optional <code>engine</code>
> +      tag, which allows selecting which component actually handles
> +      the encryption. Currently defined values of <code>engine</code> are
> +      <code>qemu</code> (default) and <code>librbd</code>.

... should be done separately from adding this.

> +    </p>
>      <p>
>        The <code>encryption</code> tag can currently contain a sequence of
>        <code>secret</code> tags, each with mandatory attributes <code>type</code>

[...]

> diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
> index 9112b96cc7..64044057bf 100644
> --- a/src/conf/storage_encryption_conf.c
> +++ b/src/conf/storage_encryption_conf.c
> @@ -44,7 +44,12 @@ VIR_ENUM_IMPL(virStorageEncryptionSecret,
>  
>  VIR_ENUM_IMPL(virStorageEncryptionFormat,
>                VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
> -              "default", "qcow", "luks",
> +              "default", "qcow", "luks", "luks2",
> +);
> +
> +VIR_ENUM_IMPL(virStorageEncryptionEngine,
> +              VIR_STORAGE_ENCRYPTION_ENGINE_LAST,
> +              "qemu", "librbd",

Same here. These are two separate changes.

>  );
>  
>  static void

[...]

> @@ -239,6 +245,18 @@ virStorageEncryptionParseNode(xmlNodePtr node,
>          goto cleanup;
>      }
>  
> +    if (!(engine_str = virXPathString("string(./@engine)", ctxt))) {
> +        encdef->engine = VIR_STORAGE_ENCRYPTION_ENGINE_QEMU;

QEMU must not be the default, more on that below. Additionally we
initialize the structs to 0, thus doing this explicitly is pointless.

> +    } else {
> +        if ((encdef->engine =
> +             virStorageEncryptionEngineTypeFromString(engine_str)) < 0) {
> +            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,

This should be "VIR_ERR_XML_ERROR".

> +                           _("unknown volume encryption engine type %s"),
> +                           engine_str);
> +            goto cleanup;
> +        }
> +    }
> +
>      if ((n = virXPathNodeSet("./secret", ctxt, &nodes)) < 0)
>          goto cleanup;
>  
> @@ -327,15 +345,23 @@ int
>  virStorageEncryptionFormat(virBuffer *buf,
>                             virStorageEncryption *enc)
>  {
> +    const char *engine;
>      const char *format;
>      size_t i;
>  
> +    if (!(engine = virStorageEncryptionEngineTypeToString(enc->engine))) {
> +        virReportError(VIR_ERR_INTERNAL_ERROR,
> +                       "%s", _("unexpected encryption engine"));
> +        return -1;
> +    }
> +
>      if (!(format = virStorageEncryptionFormatTypeToString(enc->format))) {
>          virReportError(VIR_ERR_INTERNAL_ERROR,
>                         "%s", _("unexpected encryption format"));
>          return -1;
>      }
> -    virBufferAsprintf(buf, "<encryption format='%s'>\n", format);
> +    virBufferAsprintf(buf, "<encryption format='%s' engine='%s'>\n", format,
> +                      engine);

You'll need to have possibility to keep engine optional.

>      virBufferAdjustIndent(buf, 2);
>  
>      for (i = 0; i < enc->nsecrets; i++) {
> diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h
> index 34adbd5f7b..bd8787be98 100644
> --- a/src/conf/storage_encryption_conf.h
> +++ b/src/conf/storage_encryption_conf.h
> @@ -51,11 +51,21 @@ struct _virStorageEncryptionInfoDef {
>      char *ivgen_hash;
>  };
>  
> +typedef enum {
> +    /* "default" is only valid for volume creation */
> +    VIR_STORAGE_ENCRYPTION_ENGINE_QEMU = 0, /* default */

This is a too qemu-centric view.  We'll have to keep a default of the
engine being unspecified. We can then use either some logic in the post
parse callback or when starting the VM in the qemu driver to pick QEMU
as the engine but filling it in into everything is IMO not desired.

> +    VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD,
> +
> +    VIR_STORAGE_ENCRYPTION_ENGINE_LAST,
> +} virStorageEncryptionEngineType;
> +VIR_ENUM_DECL(virStorageEncryptionEngine);

[...]

> diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
> index 0bc92f6a23..e064e5a490 100644
> --- a/src/qemu/qemu_block.c
> +++ b/src/qemu/qemu_block.c

[...]

> @@ -899,12 +901,47 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src,
>              return NULL;
>      }
>  
> +    if (src->encryption &&
> +        src->encryption->engine == VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD) {
> +        switch ((virStorageEncryptionFormatType) src->encryption->format) {
> +            case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
> +                encformat = "luks";
> +                break;
> +
> +            case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
> +                encformat = "luks2";
> +                break;
> +
> +            case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
> +            case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
> +            case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
> +            default:
> +                virReportEnumRangeError(virStorageEncryptionFormatType,
> +                                        src->encryption->format);
> +                return NULL;

This should also be validated in 'qemu_validate.c' so that we fail
before even attempting to start the VM.

> +        }
> +
> +        if (!srcPriv || !srcPriv->encinfo || !srcPriv->encinfo->s.aes.alias) {
> +            virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> +                           _("missing secret info for rbd encryption driver"));
> +            return NULL;
> +        }

This shouldn't be possible and needs to be checked elsewhere. The props
formatter isn't a place for such logic.

> +
> +        encrypt = virJSONValueNewObject();
> +        if (virJSONValueObjectAdd(encrypt,

Use virJSONValueObjectCreate instead of the two lines.

> +                                  "s:format", encformat,
> +                                  "s:key-secret", srcPriv->encinfo->s.aes.alias,
> +                                  NULL) < 0)
> +            return NULL;
> +    }
> +
>      if (virJSONValueObjectCreate(&ret,
>                                   "s:pool", src->volume,
>                                   "s:image", src->path,
>                                   "S:snapshot", src->snapshot,
>                                   "S:conf", src->configFile,
>                                   "A:server", &servers,
> +                                 "A:encrypt", &encrypt,
>                                   "S:user", username,
>                                   "A:auth-client-required", &authmodes,
>                                   "S:key-secret", keysecret,


> diff --git a/tests/qemuxml2argvdata/disk-nvme.xml b/tests/qemuxml2argvdata/disk-nvme.xml
> index 1ccbbfd598..9a5fafce7d 100644
> --- a/tests/qemuxml2argvdata/disk-nvme.xml
> +++ b/tests/qemuxml2argvdata/disk-nvme.xml
> @@ -42,7 +42,7 @@
>        <driver name='qemu' type='qcow2' cache='none'/>
>        <source type='pci' managed='no' namespace='2'>
>          <address domain='0x0001' bus='0x02' slot='0x00' function='0x0'/>
> -        <encryption format='luks'>
> +        <encryption format='luks' engine='qemu'>

It should be also now possible to use both

 <encryption format='luks' engine='qemu'>
 and 
 <encryption format='luks' engine='librbd'>

In the same config given the -blockdev layering. You should add a test
for it.

>            <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
>          </encryption>
>        </source>

qemuxml2argvtest and qemuxml2xmltest cases using librbd are completely
missing.

Also if librbd encryption was added recently you will need to add
capability probing for it and validate that given qemu actually supports
it.