From nobody Fri Apr 26 16:40:35 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail(p=none dis=none) header.from=il.ibm.com Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1633444942546192.55234498885136; Tue, 5 Oct 2021 07:42:22 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-88-n_4HiUb8PQm9qZhsANuiQA-1; Tue, 05 Oct 2021 10:42:19 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 1E03CA40C0; Tue, 5 Oct 2021 14:42:14 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 009669AA35; Tue, 5 Oct 2021 14:42:13 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id C5C6B1806D02; Tue, 5 Oct 2021 14:42:13 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 195EfnXK012754 for ; Tue, 5 Oct 2021 10:41:49 -0400 Received: by smtp.corp.redhat.com (Postfix) id A5C967C4D; Tue, 5 Oct 2021 14:41:49 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast02.extmail.prod.ext.rdu2.redhat.com [10.11.55.18]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 9CAFB9E89 for ; Tue, 5 Oct 2021 14:41:39 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 4F392800883 for ; Tue, 5 Oct 2021 14:41:39 +0000 (UTC) Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-458-3co2kdb_Pba_d6_aySU5RQ-1; Tue, 05 Oct 2021 10:41:37 -0400 Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 195E8jGm014967 for ; Tue, 5 Oct 2021 10:41:36 -0400 Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 3bgr798yhd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 05 Oct 2021 10:41:35 -0400 Received: from m0098396.ppops.net (m0098396.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 195EGo0G012881 for ; Tue, 5 Oct 2021 10:41:35 -0400 Received: from ppma04dal.us.ibm.com (7a.29.35a9.ip4.static.sl-reverse.com [169.53.41.122]) by mx0a-001b2d01.pphosted.com with ESMTP id 3bgr798yh1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 05 Oct 2021 10:41:35 -0400 Received: from pps.filterd (ppma04dal.us.ibm.com [127.0.0.1]) by ppma04dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 195Ec6w1013392; Tue, 5 Oct 2021 14:41:34 GMT Received: from b01cxnp22034.gho.pok.ibm.com (b01cxnp22034.gho.pok.ibm.com [9.57.198.24]) by ppma04dal.us.ibm.com with ESMTP id 3bef2bjfbn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 05 Oct 2021 14:41:34 +0000 Received: from b01ledav001.gho.pok.ibm.com (b01ledav001.gho.pok.ibm.com [9.57.199.106]) by b01cxnp22034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 195EfWr713435160 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 5 Oct 2021 14:41:32 GMT Received: from b01ledav001.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 69A0928066; Tue, 5 Oct 2021 14:41:32 +0000 (GMT) Received: from b01ledav001.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E218228073; Tue, 5 Oct 2021 14:41:31 +0000 (GMT) Received: from oro.sl.cloud9.ibm.com (unknown [9.59.192.176]) by b01ledav001.gho.pok.ibm.com (Postfix) with ESMTP; Tue, 5 Oct 2021 14:41:31 +0000 (GMT) X-MC-Unique: n_4HiUb8PQm9qZhsANuiQA-1 X-MC-Unique: 3co2kdb_Pba_d6_aySU5RQ-1 From: Or Ozeri To: libvir-list@redhat.com Subject: [PATCH v2 4/5] conf: add encryption engine property Date: Tue, 5 Oct 2021 09:41:15 -0500 Message-Id: <20211005144116.316855-5-oro@il.ibm.com> In-Reply-To: <20211005144116.316855-1-oro@il.ibm.com> References: <20211005144116.316855-1-oro@il.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: J7PgwlEQ0T1R_00hJp6KdOh5gt7mMlUy X-Proofpoint-ORIG-GUID: SMBGPT0xVxXdm659D4T9nWvbtr9qAcFb X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1, Aquarius:18.0.790, Hydra:6.0.391, FMLib:17.0.607.475 definitions=2021-10-05_02,2021-10-04_01,2020-04-07_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 mlxscore=0 priorityscore=1501 lowpriorityscore=0 malwarescore=0 spamscore=0 bulkscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 phishscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109230001 definitions=main-2110050086 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-loop: libvir-list@redhat.com Cc: idryomov@gmail.com, Or Ozeri , to.my.trociny@gmail.com, dannyh@il.ibm.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1633444943088100005 Content-Type: text/plain; charset="utf-8" This commit extends libvirt XML configuration to support a custom encryptio= n engine. This means that becomes valid. The only engine for now is qemu. However, a new engine (librbd) will be add= ed in an upcoming commit. If no engine is specified, qemu will be used (assuming qemu driver is used). Signed-off-by: Or Ozeri --- docs/formatstorageencryption.html.in | 6 + docs/schemas/domainbackup.rng | 7 + docs/schemas/storagecommon.rng | 7 + src/conf/storage_encryption_conf.c | 31 +++- src/conf/storage_encryption_conf.h | 9 + src/qemu/qemu_block.c | 2 + src/qemu/qemu_domain.c | 8 + tests/qemustatusxml2xmldata/upgrade-out.xml | 6 +- tests/qemuxml2xmloutdata/disk-nvme.xml | 65 ++++++- .../disk-slices.x86_64-latest.xml | 4 +- .../encrypted-disk-usage.xml | 38 ++++- tests/qemuxml2xmloutdata/encrypted-disk.xml | 2 +- .../luks-disks-source-qcow2.x86_64-latest.xml | 14 +- .../qemuxml2xmloutdata/luks-disks-source.xml | 10 +- tests/qemuxml2xmloutdata/luks-disks.xml | 47 +++++- tests/qemuxml2xmloutdata/user-aliases.xml | 159 +++++++++++++++++- 16 files changed, 392 insertions(+), 23 deletions(-) mode change 120000 =3D> 100644 tests/qemuxml2xmloutdata/disk-nvme.xml mode change 120000 =3D> 100644 tests/qemuxml2xmloutdata/encrypted-disk-usa= ge.xml mode change 120000 =3D> 100644 tests/qemuxml2xmloutdata/luks-disks.xml mode change 120000 =3D> 100644 tests/qemuxml2xmloutdata/user-aliases.xml diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencry= ption.html.in index b2631ab25d..5783381a4a 100644 --- a/docs/formatstorageencryption.html.in +++ b/docs/formatstorageencryption.html.in @@ -23,6 +23,12 @@ content of the encryption tag. Other format values may= be defined in the future.

+

+ The encryption tag supports an optional engine + tag, which allows selecting which component actually handles + the encryption. Currently defined values of engine are + qemu. +

The encryption tag can currently contain a sequence of secret tags, each with mandatory attributes type<= /code> diff --git a/docs/schemas/domainbackup.rng b/docs/schemas/domainbackup.rng index c03455a5a7..05cc28ab00 100644 --- a/docs/schemas/domainbackup.rng +++ b/docs/schemas/domainbackup.rng @@ -14,6 +14,13 @@ luks + + + + qemu + + + diff --git a/docs/schemas/storagecommon.rng b/docs/schemas/storagecommon.rng index 7d1d066289..b34577c582 100644 --- a/docs/schemas/storagecommon.rng +++ b/docs/schemas/storagecommon.rng @@ -16,6 +16,13 @@ luks2 + + + + qemu + + + diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encrypti= on_conf.c index 2df4ec96af..e8da02b605 100644 --- a/src/conf/storage_encryption_conf.c +++ b/src/conf/storage_encryption_conf.c @@ -47,6 +47,11 @@ VIR_ENUM_IMPL(virStorageEncryptionFormat, "default", "qcow", "luks", "luks2", ); =20 +VIR_ENUM_IMPL(virStorageEncryptionEngine, + VIR_STORAGE_ENCRYPTION_ENGINE_LAST, + "default", "qemu", +); + static void virStorageEncryptionInfoDefClear(virStorageEncryptionInfoDef *def) { @@ -120,6 +125,7 @@ virStorageEncryptionCopy(const virStorageEncryption *sr= c) ret->secrets =3D g_new0(virStorageEncryptionSecret *, src->nsecrets); ret->nsecrets =3D src->nsecrets; ret->format =3D src->format; + ret->engine =3D src->engine; =20 for (i =3D 0; i < src->nsecrets; i++) { if (!(ret->secrets[i] =3D virStorageEncryptionSecretCopy(src->secr= ets[i]))) @@ -217,6 +223,7 @@ virStorageEncryptionParseNode(xmlNodePtr node, xmlNodePtr *nodes =3D NULL; virStorageEncryption *encdef =3D NULL; virStorageEncryption *ret =3D NULL; + g_autofree char *engine_str =3D NULL; g_autofree char *format_str =3D NULL; int n; size_t i; @@ -239,6 +246,16 @@ virStorageEncryptionParseNode(xmlNodePtr node, goto cleanup; } =20 + if ((engine_str =3D virXPathString("string(./@engine)", ctxt))) { + if ((encdef->engine =3D + virStorageEncryptionEngineTypeFromString(engine_str)) < 0) { + virReportError(VIR_ERR_XML_ERROR, + _("unknown volume encryption engine type %s"), + engine_str); + goto cleanup; + } + } + if ((n =3D virXPathNodeSet("./secret", ctxt, &nodes)) < 0) goto cleanup; =20 @@ -327,6 +344,7 @@ int virStorageEncryptionFormat(virBuffer *buf, virStorageEncryption *enc) { + const char *engine; const char *format; size_t i; =20 @@ -335,7 +353,18 @@ virStorageEncryptionFormat(virBuffer *buf, "%s", _("unexpected encryption format")); return -1; } - virBufferAsprintf(buf, "\n", format); + if (enc->engine =3D=3D VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT) { + virBufferAsprintf(buf, "\n", format); + } else { + if (!(engine =3D virStorageEncryptionEngineTypeToString(enc->engin= e))) { + virReportError(VIR_ERR_INTERNAL_ERROR, + "%s", _("unexpected encryption engine")); + return -1; + } + virBufferAsprintf(buf, "\n= ", + format, engine); + } + virBufferAdjustIndent(buf, 2); =20 for (i =3D 0; i < enc->nsecrets; i++) { diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encrypti= on_conf.h index 32e3a1243a..c722f832f5 100644 --- a/src/conf/storage_encryption_conf.h +++ b/src/conf/storage_encryption_conf.h @@ -51,6 +51,14 @@ struct _virStorageEncryptionInfoDef { char *ivgen_hash; }; =20 +typedef enum { + VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT =3D 0, + VIR_STORAGE_ENCRYPTION_ENGINE_QEMU, + + VIR_STORAGE_ENCRYPTION_ENGINE_LAST, +} virStorageEncryptionEngineType; +VIR_ENUM_DECL(virStorageEncryptionEngine); + typedef enum { /* "default" is only valid for volume creation */ VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT =3D 0, @@ -64,6 +72,7 @@ VIR_ENUM_DECL(virStorageEncryptionFormat); =20 typedef struct _virStorageEncryption virStorageEncryption; struct _virStorageEncryption { + int engine; /* virStorageEncryptionEngineType */ int format; /* virStorageEncryptionFormatType */ int payload_offset; =20 diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index f7aa052822..693c43dfcc 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -1318,6 +1318,7 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource= *src, * VIR_DOMAIN_SECRET_INFO_TYPE_AES works here. The correct type needs = to be * instantiated elsewhere. */ if (!src->encryption || + src->encryption->engine !=3D VIR_STORAGE_ENCRYPTION_ENGINE_QEMU || !srcpriv || !srcpriv->encinfo || srcpriv->encinfo->type !=3D VIR_DOMAIN_SECRET_INFO_TYPE_AES) @@ -1454,6 +1455,7 @@ qemuBlockStorageSourceGetBlockdevFormatProps(virStora= geSource *src) * put a raw layer on top */ case VIR_STORAGE_FILE_RAW: if (src->encryption && + src->encryption->engine =3D=3D VIR_STORAGE_ENCRYPTION_ENGINE_Q= EMU && src->encryption->format =3D=3D VIR_STORAGE_ENCRYPTION_FORMAT_L= UKS) { if (qemuBlockStorageSourceGetFormatLUKSProps(src, props) < 0) return NULL; diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 2d35106c2f..9c873c129b 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -5421,6 +5421,8 @@ qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *di= sk, virQEMUCaps *qemuCaps, unsigned int parseFlags) { + virStorageSource *n; + /* set default disk types and drivers */ if (!virDomainDiskGetDriver(disk)) virDomainDiskSetDriver(disk, "qemu"); @@ -5435,6 +5437,12 @@ qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *d= isk, disk->mirror->format =3D=3D VIR_STORAGE_FILE_NONE) disk->mirror->format =3D VIR_STORAGE_FILE_RAW; =20 + /* default disk encryption engine */ + for (n =3D disk->src; virStorageSourceIsBacking(n); n =3D n->backingSt= ore) { + if (n->encryption && n->encryption->engine =3D=3D VIR_STORAGE_ENCR= YPTION_ENGINE_DEFAULT) + n->encryption->engine =3D VIR_STORAGE_ENCRYPTION_ENGINE_QEMU; + } + if (qemuDomainDeviceDiskDefPostParseRestoreSecAlias(disk, qemuCaps, parseFlags) < 0) return -1; diff --git a/tests/qemustatusxml2xmldata/upgrade-out.xml b/tests/qemustatus= xml2xmldata/upgrade-out.xml index f9476731f6..5218092cb9 100644 --- a/tests/qemustatusxml2xmldata/upgrade-out.xml +++ b/tests/qemustatusxml2xmldata/upgrade-out.xml @@ -316,7 +316,7 @@ - + @@ -333,7 +333,7 @@ - + @@ -354,7 +354,7 @@ - + diff --git a/tests/qemuxml2xmloutdata/disk-nvme.xml b/tests/qemuxml2xmloutd= ata/disk-nvme.xml deleted file mode 120000 index ea9eb267ac..0000000000 --- a/tests/qemuxml2xmloutdata/disk-nvme.xml +++ /dev/null @@ -1 +0,0 @@ -../qemuxml2argvdata/disk-nvme.xml \ No newline at end of file diff --git a/tests/qemuxml2xmloutdata/disk-nvme.xml b/tests/qemuxml2xmloutd= ata/disk-nvme.xml new file mode 100644 index 0000000000..9a5fafce7d --- /dev/null +++ b/tests/qemuxml2xmloutdata/disk-nvme.xml @@ -0,0 +1,64 @@ + + QEMUGuest1 + c7a5fdbd-edaf-9455-926a-d65c16db1809 + 219136 + 219136 + 1 + + hvm + + + + destroy + restart + destroy + + /usr/bin/qemu-system-i386 + + + +

+ + +
+ + + + +
+ + +
+ + + + +
+ + +
+ + + + +
+ + + + + +
+ + +
+ + + +
+ + + +