[PATCH v4 4/5] qemu: add librbd encryption engine

Or Ozeri posted 5 patches 1 month, 2 weeks ago

[PATCH v4 4/5] qemu: add librbd encryption engine

Posted by Or Ozeri 1 month, 2 weeks ago
rbd encryption is new in qemu 6.1.0.
This commit adds a new encryption engine property which
allows the user to use this new encryption engine.

Signed-off-by: Or Ozeri <oro@il.ibm.com>
---
 docs/formatstorageencryption.html.in          |  7 +-
 docs/schemas/storagecommon.rng                |  1 +
 src/conf/storage_encryption_conf.c            |  2 +-
 src/conf/storage_encryption_conf.h            |  1 +
 src/qemu/qemu_block.c                         | 26 +++++++
 src/qemu/qemu_domain.c                        | 34 +++++++++
 ...sk-network-rbd-encryption.x86_64-6.0.0.err |  1 +
 ...-network-rbd-encryption.x86_64-latest.args | 45 ++++++++++++
 .../disk-network-rbd-encryption.xml           | 63 +++++++++++++++++
 tests/qemuxml2argvtest.c                      |  2 +
 ...k-network-rbd-encryption.x86_64-latest.xml | 70 +++++++++++++++++++
 tests/qemuxml2xmltest.c                       |  1 +
 12 files changed, 251 insertions(+), 2 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err
 create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args
 create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.xml
 create mode 100644 tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml

diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
index 178fcd0d7c..02ee8f8ca3 100644
--- a/docs/formatstorageencryption.html.in
+++ b/docs/formatstorageencryption.html.in
@@ -27,7 +27,12 @@
       The <code>encryption</code> tag supports an optional <code>engine</code>
       tag, which allows selecting which component actually handles
       the encryption. Currently defined values of <code>engine</code> are
-      <code>qemu</code>.
+      <code>qemu</code> and <code>librbd</code>.
+      Both <code>qemu</code> and <code>librbd</code> require using the qemu driver.
+      The <code>librbd</code> engine requires qemu version >= 6.1.0,
+      and is only applicable for RBD network disks.
+      If the engine tag is not specified, the <code>qemu</code> engine will be
+      used by default (assuming the qemu driver is used).
     </p>
     <p>
       The <code>encryption</code> tag can currently contain a sequence of
diff --git a/docs/schemas/storagecommon.rng b/docs/schemas/storagecommon.rng
index 60dcfac06c..3ddff02e43 100644
--- a/docs/schemas/storagecommon.rng
+++ b/docs/schemas/storagecommon.rng
@@ -19,6 +19,7 @@
         <attribute name="engine">
           <choice>
             <value>qemu</value>
+            <value>librbd</value>
           </choice>
         </attribute>
       </optional>
diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
index 59178b41ef..3c1267ed40 100644
--- a/src/conf/storage_encryption_conf.c
+++ b/src/conf/storage_encryption_conf.c
@@ -49,7 +49,7 @@ VIR_ENUM_IMPL(virStorageEncryptionFormat,
 
 VIR_ENUM_IMPL(virStorageEncryptionEngine,
               VIR_STORAGE_ENCRYPTION_ENGINE_LAST,
-              "default", "qemu",
+              "default", "qemu", "librbd",
 );
 
 static void
diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h
index e0ac0fe4bf..0931618608 100644
--- a/src/conf/storage_encryption_conf.h
+++ b/src/conf/storage_encryption_conf.h
@@ -54,6 +54,7 @@ struct _virStorageEncryptionInfoDef {
 typedef enum {
     VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT = 0,
     VIR_STORAGE_ENCRYPTION_ENGINE_QEMU,
+    VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD,
 
     VIR_STORAGE_ENCRYPTION_ENGINE_LAST,
 } virStorageEncryptionEngine;
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index 18c5852d2e..5b1b5bea2e 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -875,6 +875,8 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src,
     qemuDomainStorageSourcePrivate *srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(src);
     g_autoptr(virJSONValue) servers = NULL;
     virJSONValue *ret = NULL;
+    g_autoptr(virJSONValue) encrypt = NULL;
+    const char *encformat;
     const char *username = NULL;
     g_autoptr(virJSONValue) authmodes = NULL;
     g_autoptr(virJSONValue) mode = NULL;
@@ -899,12 +901,36 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src,
             return NULL;
     }
 
+    if (src->encryption &&
+        src->encryption->engine == VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD) {
+        switch ((virStorageEncryptionFormatType) src->encryption->format) {
+            case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
+                encformat = "luks";
+                break;
+
+            case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+            case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
+            case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
+            default:
+                virReportEnumRangeError(virStorageEncryptionFormatType,
+                                        src->encryption->format);
+                return NULL;
+        }
+
+        if (virJSONValueObjectCreate(&encrypt,
+                                     "s:format", encformat,
+                                     "s:key-secret", srcPriv->encinfo->alias,
+                                     NULL) < 0)
+            return NULL;
+    }
+
     if (virJSONValueObjectCreate(&ret,
                                  "s:pool", src->volume,
                                  "s:image", src->path,
                                  "S:snapshot", src->snapshot,
                                  "S:conf", src->configFile,
                                  "A:server", &servers,
+                                 "A:encrypt", &encrypt,
                                  "S:user", username,
                                  "A:auth-client-required", &authmodes,
                                  "S:key-secret", keysecret,
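Review bot: `srcPriv->encinfo->alias` on the `"s:key-secret"` line is dereferenced without checking that `srcPriv` and `srcPriv->encinfo` were actually populated; the secret info is prepared by a separate step outside this hunk, so an encryption element whose secret could not be set up would crash here rather than fail with an error, whereas the existing luks format path in this file (as far as I recall) reports a missing-secret error first. Suggest guarding before the object is built: `if (!srcPriv || !srcPriv->encinfo) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("missing secret info for 'librbd' encryption")); return NULL; }`. A minor style point in the preceding hunk: `const char *encformat;` is left uninitialized while every neighbouring declaration is initialized, so `const char *encformat = NULL;` would match the file's convention. qemuBlockStorageSourceGetRBDProps starts and ends outside this hunk.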
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 354f65c6d5..13869dd79b 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -4814,6 +4814,40 @@ qemuDomainValidateStorageSource(virStorageSource *src,
     if (src->encryption) {
         switch (src->encryption->engine) {
             case VIR_STORAGE_ENCRYPTION_ENGINE_QEMU:
+                switch ((virStorageEncryptionFormatType) src->encryption->format) {
+                    case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
+                    case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
+                        break;
+
+                    case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+                    case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
+                    default:
+                        virReportEnumRangeError(virStorageEncryptionFormatType,
+                                                src->encryption->format);
+                        return -1;
+                }
+
+                break;
+            case VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD:
+                if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_RBD_ENCRYPTION)) {
+                    virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                                   _("librbd encryption is not supported by this QEMU binary"));
+                    return -1;
+                }
+
+                switch ((virStorageEncryptionFormatType) src->encryption->format) {
+                    case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
+                        break;
+
+                    case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+                    case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
+                    case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
+                    default:
+                        virReportEnumRangeError(virStorageEncryptionFormatType,
+                                                src->encryption->format);
+                        return -1;
+                }
+
                 break;
             case VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT:
             case VIR_STORAGE_ENCRYPTION_ENGINE_LAST:
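Review bot: The new LIBRBD case checks the QEMU capability and the format but never checks that the source is an RBD network disk, even though the documentation hunk states the engine is "only applicable for RBD network disks". Unless that is enforced somewhere not visible in this series, `engine='librbd'` on a non-RBD source passes validation, and because qemu_block.c only attaches the `encrypt` object in the RBD props and the format layer stays `raw` (see the `libvirt-1-format` blockdev in the .args expectation), the guest would be started with no encryption layer at all — data the user believes is encrypted would be read and written as plain raw bytes. Suggest rejecting it up front in this case: `if (virStorageSourceGetActualType(src) != VIR_STORAGE_TYPE_NETWORK || src->protocol != VIR_STORAGE_NET_PROTOCOL_RBD) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("librbd encryption is supported only with RBD backed disks")); return -1; }`, reusing the function's existing actual-type variable if it has one. qemuDomainValidateStorageSource starts and ends outside this hunk, so I cannot see whether such a check already exists elsewhere in it.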
diff --git a/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err
new file mode 100644
index 0000000000..edd8481a20
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err
@@ -0,0 +1 @@
+unsupported configuration: librbd encryption is not supported by this QEMU binary
diff --git a/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args
new file mode 100644
index 0000000000..69837a8003
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args
@@ -0,0 +1,45 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-encryptdisk \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-encryptdisk/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-encryptdisk/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-encryptdisk/.config \
+/usr/bin/qemu-system-x86_64 \
+-name guest=encryptdisk,debug-threads=on \
+-S \
+-object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-encryptdisk/master-key.aes"}' \
+-machine pc-i440fx-2.1,accel=tcg,usb=off,dump-guest-core=off,memory-backend=pc.ram \
+-cpu qemu64 \
+-m 1024 \
+-object '{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}' \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid 496898a6-e6ff-f7c8-5dc2-3cf410945ee9 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-no-acpi \
+-boot strict=on \
+-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
+-object '{"qom-type":"secret","id":"libvirt-3-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
+-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-3-storage","auto-read-only":true,"discard":"unmap"}' \
+-blockdev '{"node-name":"libvirt-3-format","read-only":false,"driver":"luks","key-secret":"libvirt-3-format-encryption-secret0","file":"libvirt-3-storage"}' \
+-device virtio-blk-pci,bus=pci.0,addr=0x2,drive=libvirt-3-format,id=virtio-disk0,bootindex=1 \
+-object '{"qom-type":"secret","id":"libvirt-2-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
+-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}' \
+-blockdev '{"node-name":"libvirt-2-format","read-only":false,"driver":"luks","key-secret":"libvirt-2-format-encryption-secret0","file":"libvirt-2-storage"}' \
+-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=libvirt-2-format,id=virtio-disk1 \
+-object '{"qom-type":"secret","id":"libvirt-1-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
+-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks","key-secret":"libvirt-1-format-encryption-secret0"},"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
+-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}' \
+-device virtio-blk-pci,bus=pci.0,addr=0x5,drive=libvirt-1-format,id=virtio-disk2 \
+-audiodev id=audio1,driver=none \
+-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml b/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml
new file mode 100644
index 0000000000..d8c2d3dbe2
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml
@@ -0,0 +1,63 @@
+<domain type='qemu'>
+  <name>encryptdisk</name>
+  <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid>
+  <memory unit='KiB'>1048576</memory>
+  <currentMemory unit='KiB'>524288</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source protocol='rbd' name='pool/image'>
+        <host name='mon1.example.org' port='6321'/>
+        <host name='mon2.example.org' port='6322'/>
+        <host name='mon3.example.org' port='6322'/>
+        <encryption format='luks'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+        </encryption>
+      </source>
+      <target dev='vda' bus='virtio'/>
+    </disk>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source protocol='rbd' name='pool/image'>
+        <host name='mon1.example.org' port='6321'/>
+        <host name='mon2.example.org' port='6322'/>
+        <host name='mon3.example.org' port='6322'/>
+        <encryption format='luks' engine='qemu'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+        </encryption>
+      </source>
+      <target dev='vdb' bus='virtio'/>
+    </disk>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source protocol='rbd' name='pool/image'>
+        <host name='mon1.example.org' port='6321'/>
+        <host name='mon2.example.org' port='6322'/>
+        <host name='mon3.example.org' port='6322'/>
+        <encryption format='luks' engine='librbd'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+        </encryption>
+      </source>
+      <target dev='vdc' bus='virtio'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <controller type='pci' index='0' model='pci-root'/>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 94aaa2f53e..b14154fd0c 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -1349,6 +1349,8 @@ mymain(void)
     DO_TEST_CAPS_LATEST("disk-network-gluster");
     DO_TEST_CAPS_VER("disk-network-rbd", "2.12.0");
     DO_TEST_CAPS_LATEST("disk-network-rbd");
+    DO_TEST_CAPS_VER_PARSE_ERROR("disk-network-rbd-encryption", "6.0.0");
+    DO_TEST_CAPS_LATEST("disk-network-rbd-encryption");
     DO_TEST_CAPS_VER_FAILURE("disk-network-rbd-no-colon", "4.1.0");
     DO_TEST_CAPS_LATEST("disk-network-rbd-no-colon");
     DO_TEST_CAPS_VER("disk-network-sheepdog", "2.12.0");
diff --git a/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml b/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml
new file mode 100644
index 0000000000..d4942718bb
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml
@@ -0,0 +1,70 @@
+<domain type='qemu'>
+  <name>encryptdisk</name>
+  <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid>
+  <memory unit='KiB'>1048576</memory>
+  <currentMemory unit='KiB'>524288</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <cpu mode='custom' match='exact' check='none'>
+    <model fallback='forbid'>qemu64</model>
+  </cpu>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source protocol='rbd' name='pool/image'>
+        <host name='mon1.example.org' port='6321'/>
+        <host name='mon2.example.org' port='6322'/>
+        <host name='mon3.example.org' port='6322'/>
+        <encryption format='luks' engine='qemu'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+        </encryption>
+      </source>
+      <target dev='vda' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+    </disk>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source protocol='rbd' name='pool/image'>
+        <host name='mon1.example.org' port='6321'/>
+        <host name='mon2.example.org' port='6322'/>
+        <host name='mon3.example.org' port='6322'/>
+        <encryption format='luks' engine='qemu'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+        </encryption>
+      </source>
+      <target dev='vdb' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+    </disk>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source protocol='rbd' name='pool/image'>
+        <host name='mon1.example.org' port='6321'/>
+        <host name='mon2.example.org' port='6322'/>
+        <host name='mon3.example.org' port='6322'/>
+        <encryption format='luks' engine='librbd'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+        </encryption>
+      </source>
+      <target dev='vdc' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0' model='piix3-uhci'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <controller type='pci' index='0' model='pci-root'/>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <audio id='1' type='none'/>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 69363ef85c..290ab1bed1 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -315,6 +315,7 @@ mymain(void)
             QEMU_CAPS_SCSI_BLOCK);
     DO_TEST_NOCAPS("disk-network-gluster");
     DO_TEST_NOCAPS("disk-network-rbd");
+    DO_TEST_CAPS_LATEST("disk-network-rbd-encryption");
     DO_TEST_NOCAPS("disk-network-source-auth");
     DO_TEST_NOCAPS("disk-network-sheepdog");
     DO_TEST_NOCAPS("disk-network-vxhs");
-- 
2.25.1

Re: [PATCH v4 4/5] qemu: add librbd encryption engine

Posted by Peter Krempa 1 month ago
On Thu, Oct 07, 2021 at 14:21:20 -0500, Or Ozeri wrote:
> rbd encryption is new in qemu 6.1.0.
> This commit adds a new encryption engine property which
> allows the user to use this new encryption engine.
> 
> Signed-off-by: Or Ozeri <oro@il.ibm.com>
> ---
>  docs/formatstorageencryption.html.in          |  7 +-
>  docs/schemas/storagecommon.rng                |  1 +
>  src/conf/storage_encryption_conf.c            |  2 +-
>  src/conf/storage_encryption_conf.h            |  1 +
>  src/qemu/qemu_block.c                         | 26 +++++++
>  src/qemu/qemu_domain.c                        | 34 +++++++++
>  ...sk-network-rbd-encryption.x86_64-6.0.0.err |  1 +
>  ...-network-rbd-encryption.x86_64-latest.args | 45 ++++++++++++
>  .../disk-network-rbd-encryption.xml           | 63 +++++++++++++++++
>  tests/qemuxml2argvtest.c                      |  2 +
>  ...k-network-rbd-encryption.x86_64-latest.xml | 70 +++++++++++++++++++
>  tests/qemuxml2xmltest.c                       |  1 +
>  12 files changed, 251 insertions(+), 2 deletions(-)
>  create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err
>  create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args
>  create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.xml
>  create mode 100644 tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml
> 
> diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
> index 178fcd0d7c..02ee8f8ca3 100644
> --- a/docs/formatstorageencryption.html.in
> +++ b/docs/formatstorageencryption.html.in
> @@ -27,7 +27,12 @@
>        The <code>encryption</code> tag supports an optional <code>engine</code>
>        tag, which allows selecting which component actually handles
>        the encryption. Currently defined values of <code>engine</code> are
> -      <code>qemu</code>.
> +      <code>qemu</code> and <code>librbd</code>.
> +      Both <code>qemu</code> and <code>librbd</code> require using the qemu driver.
> +      The <code>librbd</code> engine requires qemu version >= 6.1.0,
> +      and is only applicable for RBD network disks.
> +      If the engine tag is not specified, the <code>qemu</code> engine will be
> +      used by default (assuming the qemu driver is used).

Okay, this is slightly better but it doesn't specify what's happening in
the storage driver.

>      </p>
>      <p>
>        The <code>encryption</code> tag can currently contain a sequence of

[...]


> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
> index 354f65c6d5..13869dd79b 100644
> --- a/src/qemu/qemu_domain.c
> +++ b/src/qemu/qemu_domain.c
> @@ -4814,6 +4814,40 @@ qemuDomainValidateStorageSource(virStorageSource *src,
>      if (src->encryption) {
>          switch (src->encryption->engine) {
>              case VIR_STORAGE_ENCRYPTION_ENGINE_QEMU:
> +                switch ((virStorageEncryptionFormatType) src->encryption->format) {
> +                    case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
> +                    case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
> +                        break;
> +
> +                    case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
> +                    case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
> +                    default:
> +                        virReportEnumRangeError(virStorageEncryptionFormatType,
> +                                                src->encryption->format);
> +                        return -1;

This here is okay, because both are basically impossible.

> +                }
> +
> +                break;
> +            case VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD:
> +                if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_RBD_ENCRYPTION)) {
> +                    virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> +                                   _("librbd encryption is not supported by this QEMU binary"));
> +                    return -1;
> +                }
> +
> +                switch ((virStorageEncryptionFormatType) src->encryption->format) {
> +                    case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
> +                        break;
> +
> +                    case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
> +                    case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
> +                    case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
> +                    default:
> +                        virReportEnumRangeError(virStorageEncryptionFormatType,
> +                                                src->encryption->format);

This creates an error message which is not very informative.
Specifically for VIR_STORAGE_ENCRYPTION_FORMAT_QCOW which is a
legitimate configuration we need a proper error message.

> +                        return -1;
> +                }
> +
>                  break;
>              case VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT:
>              case VIR_STORAGE_ENCRYPTION_ENGINE_LAST:

[...]

The test input files are okay. The output files will need some tweaking
after recent changes. I think adding the error message is trivial enough
so that I'll do it before pushing if you are okay with it.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>

RE: [PATCH v4 4/5] qemu: add librbd encryption engine

Posted by Or Ozeri 1 month ago

                
            

Re: [PATCH v4 4/5] qemu: add librbd encryption engine

Posted by Peter Krempa 1 month ago
On Thu, Oct 21, 2021 at 11:40:20 +0000, Or Ozeri wrote:
>    Thanks for reviewing all of my patches!
>    I'm fine with you making any of the changes you suggested.
>    So the only change I need to make is "specify what's happening in the
>    storage driver"?
>    Can you elaborate what do you mean by that?
>    I can add something like:
>    For librbd engine, the encryption happens inside the librbd storage
>    driver, so block read/write requests coming in from the hypervisor (qemu)
>    are plaintext,
>    but encrypted by the storage driver before being persisted.
>    Is this the kind of thing you were thinking about?

I meant the libvirt storage driver, which provides the storage
pool/volume functionality.

The code in the storage driver can create encrypted qcow2 images (not
on RBD IIRC), but it uses qemu-img to do that, which doesn't use the
same code we use in the qemu driver to instantiate VMs.

So while qemu-img could use the librbd encryption engine, the storage
driver code can't control it in such way.

Similarly the code doesn't share the 'qemu' validation/post-parse checks
so the librbd and luks2 combinations are not rejected.