[PATCH v3 3/5] conf: add luks2 encryption format

Or Ozeri posted 5 patches 1 month, 3 weeks ago

[PATCH v3 3/5] conf: add luks2 encryption format

Posted by Or Ozeri 1 month, 3 weeks ago
This commit extends libvirt XML configuration to support luks2 encryption format.
This means that <encryption format="luks2"> becomes valid.
Actual handler (other than returning "not supported") for this new format will be added in an upcoming commit.

Signed-off-by: Or Ozeri <oro@il.ibm.com>
---
 docs/formatstorageencryption.html.in | 2 +-
 docs/schemas/storagecommon.rng       | 1 +
 src/conf/storage_encryption_conf.c   | 2 +-
 src/conf/storage_encryption_conf.h   | 1 +
 src/qemu/qemu_block.c                | 1 +
 src/qemu/qemu_domain.c               | 3 ++-
 6 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
index 7215c307d7..b2631ab25d 100644
--- a/docs/formatstorageencryption.html.in
+++ b/docs/formatstorageencryption.html.in
@@ -18,7 +18,7 @@
       is <code>encryption</code>, with a mandatory
       attribute <code>format</code>.  Currently defined values
       of <code>format</code> are <code>default</code>, <code>qcow</code>,
-      and <code>luks</code>.
+      <code>luks</code>, and <code>luks2</code>.
       Each value of <code>format</code> implies some expectations about the
       content of the <code>encryption</code> tag.  Other format values may be
       defined in the future.
diff --git a/docs/schemas/storagecommon.rng b/docs/schemas/storagecommon.rng
index 9ebb27700d..7d1d066289 100644
--- a/docs/schemas/storagecommon.rng
+++ b/docs/schemas/storagecommon.rng
@@ -13,6 +13,7 @@
           <value>default</value>
           <value>qcow</value>
           <value>luks</value>
+          <value>luks2</value>
         </choice>
       </attribute>
       <interleave>
diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
index 9112b96cc7..2df4ec96af 100644
--- a/src/conf/storage_encryption_conf.c
+++ b/src/conf/storage_encryption_conf.c
@@ -44,7 +44,7 @@ VIR_ENUM_IMPL(virStorageEncryptionSecret,
 
 VIR_ENUM_IMPL(virStorageEncryptionFormat,
               VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
-              "default", "qcow", "luks",
+              "default", "qcow", "luks", "luks2",
 );
 
 static void
diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h
index 34adbd5f7b..32e3a1243a 100644
--- a/src/conf/storage_encryption_conf.h
+++ b/src/conf/storage_encryption_conf.h
@@ -56,6 +56,7 @@ typedef enum {
     VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT = 0,
     VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */
     VIR_STORAGE_ENCRYPTION_FORMAT_LUKS,
+    VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2,
 
     VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
 } virStorageEncryptionFormatType;
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index 393d3f44d7..31b6b3566b 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -1328,6 +1328,7 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
         break;
 
     case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+    case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
     case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
     default:
         virReportEnumRangeError(virStorageEncryptionFormatType,
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 288a40bca6..cd65e8b365 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1228,7 +1228,8 @@ static bool
 qemuDomainDiskHasEncryptionSecret(virStorageSource *src)
 {
     if (!virStorageSourceIsEmpty(src) && src->encryption &&
-        src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS &&
+        (src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS ||
+         src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2) &&
         src->encryption->nsecrets > 0)
         return true;
 
-- 
2.25.1

Re: [PATCH v3 3/5] conf: add luks2 encryption format

Posted by Peter Krempa 1 month, 2 weeks ago
On Wed, Oct 06, 2021 at 05:18:44 -0500, Or Ozeri wrote:
> This commit extends libvirt XML configuration to support luks2 encryption format.
> This means that <encryption format="luks2"> becomes valid.
> Actual handler (other than returning "not supported") for this new format will be added in an upcoming commit.
> 
> Signed-off-by: Or Ozeri <oro@il.ibm.com>
> ---
>  docs/formatstorageencryption.html.in | 2 +-
>  docs/schemas/storagecommon.rng       | 1 +
>  src/conf/storage_encryption_conf.c   | 2 +-
>  src/conf/storage_encryption_conf.h   | 1 +
>  src/qemu/qemu_block.c                | 1 +
>  src/qemu/qemu_domain.c               | 3 ++-
>  6 files changed, 7 insertions(+), 3 deletions(-)
> diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c

[...]

> index 393d3f44d7..31b6b3566b 100644
> --- a/src/qemu/qemu_block.c
> +++ b/src/qemu/qemu_block.c
> @@ -1328,6 +1328,7 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
>          break;
>  
>      case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
> +    case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
>      case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
>      default:
>          virReportEnumRangeError(virStorageEncryptionFormatType,

One more thing. We definitely want code in qemu_validate.c rejecting
LUKS2 as encryption format for qcow2 and all others that don't support
it.

Doing it here is too late as this code is called only when starting the
VM, but not when the XML is defined.

Re: [PATCH v3 3/5] conf: add luks2 encryption format

Posted by Peter Krempa 1 month, 2 weeks ago
On Wed, Oct 06, 2021 at 05:18:44 -0500, Or Ozeri wrote:
> This commit extends libvirt XML configuration to support luks2 encryption format.
> This means that <encryption format="luks2"> becomes valid.
> Actual handler (other than returning "not supported") for this new format will be added in an upcoming commit.
> 
> Signed-off-by: Or Ozeri <oro@il.ibm.com>
> ---
>  docs/formatstorageencryption.html.in | 2 +-
>  docs/schemas/storagecommon.rng       | 1 +
>  src/conf/storage_encryption_conf.c   | 2 +-
>  src/conf/storage_encryption_conf.h   | 1 +
>  src/qemu/qemu_block.c                | 1 +
>  src/qemu/qemu_domain.c               | 3 ++-
>  6 files changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
> index 7215c307d7..b2631ab25d 100644
> --- a/docs/formatstorageencryption.html.in
> +++ b/docs/formatstorageencryption.html.in
> @@ -18,7 +18,7 @@
>        is <code>encryption</code>, with a mandatory
>        attribute <code>format</code>.  Currently defined values
>        of <code>format</code> are <code>default</code>, <code>qcow</code>,
> -      and <code>luks</code>.
> +      <code>luks</code>, and <code>luks2</code>.
>        Each value of <code>format</code> implies some expectations about the
>        content of the <code>encryption</code> tag.  Other format values may be
>        defined in the future.

Note that this section you've added 'luks2' into is then followed by
sections on each encryption format.

E.g. direct link to the 'luks' section

https://www.libvirt.org/formatstorageencryption.html#StorageEncryptionLuks

You should add a similar section for luks2 outling that it's currently
supported only with librbd2 direct acess and not qcow2 images and
neither the storage driver so that it's clear.

The rest of the patch looks good.