From nobody Thu Mar 28 13:23:31 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
170.10.133.124 as permitted sender) client-ip=170.10.133.124;
envelope-from=libvir-list-bounces@redhat.com;
helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as
permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com;
dmarc=fail(p=none dis=none) header.from=il.ibm.com
Return-Path:
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com
with SMTPS id 1631616246972208.6303567395688;
Tue, 14 Sep 2021 03:44:06 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
[209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
us-mta-447-rgDOzO0eMWCNUDjvv9cduQ-1; Tue, 14 Sep 2021 06:43:45 -0400
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com
[10.5.11.22])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 91A191023F4D;
Tue, 14 Sep 2021 10:43:40 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
(colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
by smtp.corp.redhat.com (Postfix) with ESMTPS id 7129D100164A;
Tue, 14 Sep 2021 10:43:40 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
(lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
by colo-mx.corp.redhat.com (Postfix) with ESMTP id 2A1A61803B30;
Tue, 14 Sep 2021 10:43:40 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com
[10.11.54.5])
by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
id 18EAhc2R026952 for ;
Tue, 14 Sep 2021 06:43:38 -0400
Received: by smtp.corp.redhat.com (Postfix)
id 70AB7B34F4; Tue, 14 Sep 2021 10:43:38 +0000 (UTC)
Received: from mimecast-mx02.redhat.com
(mimecast04.extmail.prod.ext.rdu2.redhat.com [10.11.55.20])
by smtp.corp.redhat.com (Postfix) with ESMTPS id 6A517B3013
for ; Tue, 14 Sep 2021 10:43:35 +0000 (UTC)
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
[205.139.110.120])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 67BD21066680
for ; Tue, 14 Sep 2021 10:43:35 +0000 (UTC)
Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com
[148.163.158.5]) (Using TLS) by relay.mimecast.com with ESMTP id
us-mta-396-1hLcjsmfNxWtmjxUjG_PPQ-1; Tue, 14 Sep 2021 06:43:33 -0400
Received: from pps.filterd (m0098416.ppops.net [127.0.0.1])
by mx0b-001b2d01.pphosted.com (8.16.1.2/8.16.0.43) with SMTP id
18E8ZhCr009739
for ; Tue, 14 Sep 2021 06:43:33 -0400
Received: from pps.reinject (localhost [127.0.0.1])
by mx0b-001b2d01.pphosted.com with ESMTP id 3b2rc6tdck-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NOT)
for ; Tue, 14 Sep 2021 06:43:32 -0400
Received: from m0098416.ppops.net (m0098416.ppops.net [127.0.0.1])
by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 18E9kl35032517
for ; Tue, 14 Sep 2021 06:43:32 -0400
Received: from ppma04wdc.us.ibm.com (1a.90.2fa9.ip4.static.sl-reverse.com
[169.47.144.26])
by mx0b-001b2d01.pphosted.com with ESMTP id 3b2rc6tdce-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NOT); Tue, 14 Sep 2021 06:43:32 -0400
Received: from pps.filterd (ppma04wdc.us.ibm.com [127.0.0.1])
by ppma04wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 18EAbQqR022347;
Tue, 14 Sep 2021 10:43:31 GMT
Received: from b01cxnp22035.gho.pok.ibm.com (b01cxnp22035.gho.pok.ibm.com
[9.57.198.25]) by ppma04wdc.us.ibm.com with ESMTP id 3b0m3aw5ae-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NOT); Tue, 14 Sep 2021 10:43:31 +0000
Received: from b01ledav006.gho.pok.ibm.com (b01ledav006.gho.pok.ibm.com
[9.57.199.111])
by b01cxnp22035.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id
18EAhTeb40567188
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
verify=OK); Tue, 14 Sep 2021 10:43:29 GMT
Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1])
by IMSVA (Postfix) with ESMTP id 3124EAC065;
Tue, 14 Sep 2021 10:43:29 +0000 (GMT)
Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1])
by IMSVA (Postfix) with ESMTP id A9E2BAC076;
Tue, 14 Sep 2021 10:43:28 +0000 (GMT)
Received: from oro.sl.cloud9.ibm.com (unknown [9.59.192.176])
by b01ledav006.gho.pok.ibm.com (Postfix) with ESMTP;
Tue, 14 Sep 2021 10:43:28 +0000 (GMT)
X-MC-Unique: rgDOzO0eMWCNUDjvv9cduQ-1
X-MC-Unique: 1hLcjsmfNxWtmjxUjG_PPQ-1
From: Or Ozeri
To: libvir-list@redhat.com
Subject: [PATCH v1] qemu: Add support for librbd encryption
Date: Tue, 14 Sep 2021 05:43:15 -0500
Message-Id: <20210914104315.3088806-1-oro@il.ibm.com>
MIME-Version: 1.0
X-TM-AS-GCONF: 00
X-Proofpoint-GUID: DJoFDJM35z185pfKZpHyoebkYfUIXM7f
X-Proofpoint-ORIG-GUID: ZHa77P8C71gopLj4lpw0TaVxa8HuKyYQ
X-Proofpoint-Virus-Version: vendor=baseguard
engine=ICAP:2.0.182.1, Aquarius:18.0.687, Hydra:6.0.235,
FMLib:17.0.607.475
definitions=2020-10-13_15,2020-10-13_02,2020-04-07_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
phishscore=0 malwarescore=0
clxscore=1015 lowpriorityscore=0 suspectscore=0 spamscore=0 mlxscore=0
impostorscore=0 priorityscore=1501 adultscore=0 mlxlogscore=999
bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1
engine=8.12.0-2109030001 definitions=main-2109140042
X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection
Definition; Similar Internal Domain=false;
Similar Monitored External Domain=false;
Custom External Domain=false; Mimecast External Domain=false;
Newly Observed Domain=false; Internal User Name=false;
Custom Display Name List=false; Reply-to Address Mismatch=false;
Targeted Threat Dictionary=false;
Mimecast Threat Dictionary=false; Custom Threat Dictionary=false
X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5
X-loop: libvir-list@redhat.com
Cc: idryomov@gmail.com, Or Ozeri , to.my.trociny@gmail.com,
dannyh@il.ibm.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
Authentication-Results: relay.mimecast.com;
auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZM-MESSAGEID: 1631616247564100001
Content-Type: text/plain; charset="utf-8"
Starting from ceph Pacific, RBD has built-in support for image-level encryption.
qemu 6.1 added support for this encryption using a new "encrypt" property
to the RBD qdict.
This commit extends the libvirt XML API to allow the user to choose between
the existing qemu encryption engine and the new librbd encryption engine.
Signed-off-by: Or Ozeri
---
docs/formatstorageencryption.html.in | 8 +++-
docs/schemas/domainbackup.rng | 7 ++++
docs/schemas/storagecommon.rng | 8 ++++
src/conf/storage_encryption_conf.c | 30 +++++++++++++-
src/conf/storage_encryption_conf.h | 11 +++++
src/qemu/qemu_block.c | 40 +++++++++++++++++++
src/qemu/qemu_domain.c | 3 +-
.../backup-pull-encrypted.xml | 6 +--
.../backup-pull-internal-invalid.xml | 6 +--
.../backup-push-encrypted.xml | 6 +--
tests/qemustatusxml2xmldata/upgrade-out.xml | 6 +--
tests/qemuxml2argvdata/disk-nvme.xml | 2 +-
tests/qemuxml2argvdata/disk-slices.xml | 4 +-
.../qemuxml2argvdata/encrypted-disk-usage.xml | 2 +-
tests/qemuxml2argvdata/encrypted-disk.xml | 2 +-
.../luks-disks-source-qcow2.xml | 14 +++----
tests/qemuxml2argvdata/luks-disks-source.xml | 10 ++---
tests/qemuxml2argvdata/luks-disks.xml | 4 +-
tests/qemuxml2argvdata/user-aliases.xml | 2 +-
.../disk-slices.x86_64-latest.xml | 4 +-
tests/qemuxml2xmloutdata/encrypted-disk.xml | 2 +-
.../luks-disks-source-qcow2.x86_64-latest.xml | 14 +++----
.../qemuxml2xmloutdata/luks-disks-source.xml | 10 ++---
.../storagevolxml2xmlout/vol-luks-cipher.xml | 2 +-
tests/storagevolxml2xmlout/vol-luks.xml | 2 +-
.../vol-qcow2-encryption.xml | 2 +-
tests/storagevolxml2xmlout/vol-qcow2-luks.xml | 2 +-
27 files changed, 154 insertions(+), 55 deletions(-)
diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
index 7215c307d7..e0eb8697aa 100644
--- a/docs/formatstorageencryption.html.in
+++ b/docs/formatstorageencryption.html.in
@@ -18,11 +18,17 @@
is encryption, with a mandatory
attribute format. Currently defined values
of format are default, qcow,
- and luks.
+ luks, and luks2.
Each value of format implies some expectations about the
content of the encryption tag. Other format values may=
be
defined in the future.
+
+ The encryption tag supports an optional engine
+ tag, which allows selecting which component actually handles
+ the encryption. Currently defined values of engine are
+ qemu (default) and librbd.
+
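Review bot: The new paragraph calls engine an "optional engine tag" while the text just above it calls format a "mandatory attribute" of encryption; state explicitly whether engine is an attribute on the encryption element or a child element, and show the accepted form next to the existing format example, since readers of this page will copy the syntax from here. The same hunk also adds luks2 to the list of format values without saying which engine accepts it, and nothing states that librbd is only meaningful for RBD-backed disk sources, which the commit message implies; a sentence such as "The librbd engine is only valid for disks with an RBD source" after "qemu (default) and librbd" would close both gaps.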