[PATCH v4 5/5] conf: add luks2 encryption format


[PATCH v4 5/5] conf: add luks2 encryption format

Posted by Or Ozeri 1 month, 2 weeks ago
This commit extends the libvirt XML configuration to support the luks2 encryption format.
This means that <encryption format="luks2" engine="librbd"> becomes valid.
Currently librbd is the only engine that supports this new format.

Signed-off-by: Or Ozeri <oro@il.ibm.com>
---
 docs/formatstorageencryption.html.in             | 12 +++++++++++-
 docs/schemas/storagecommon.rng                   |  1 +
 src/conf/storage_encryption_conf.c               |  2 +-
 src/conf/storage_encryption_conf.h               |  1 +
 src/qemu/qemu_block.c                            |  5 +++++
 src/qemu/qemu_domain.c                           |  5 ++++-
 ...isk-network-rbd-encryption.x86_64-latest.args | 16 ++++++++++------
 .../disk-network-rbd-encryption.xml              | 12 ++++++++++++
 ...disk-network-rbd-encryption.x86_64-latest.xml | 13 +++++++++++++
 9 files changed, 58 insertions(+), 9 deletions(-)

diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
index 02ee8f8ca3..6cf1f94a9f 100644
--- a/docs/formatstorageencryption.html.in
+++ b/docs/formatstorageencryption.html.in
@@ -18,7 +18,7 @@
       is <code>encryption</code>, with a mandatory
       attribute <code>format</code>.  Currently defined values
       of <code>format</code> are <code>default</code>, <code>qcow</code>,
-      and <code>luks</code>.
+      <code>luks</code>, and <code>luks2</code>.
       Each value of <code>format</code> implies some expectations about the
       content of the <code>encryption</code> tag.  Other format values may be
       defined in the future.
@@ -121,6 +121,16 @@
       </dd>
     </dl>
 
+    <h3><a id="StorageEncryptionLuks2">"luks2" format</a></h3>
+    <p>
+      The <code>luks2</code> format is currently supported only by the
+      <code>librbd</code> engine, and can only be applied to RBD network disks.
+      <code>luks2</code> encrypted RBD disks can be decrypted by the domain,
+      but creation of such disks is currently not supported through libvirt.
+      A single
+      <code>&lt;secret type='passphrase'...&gt;</code> element is expected.
+    </p>
+
 
     <h2><a id="example">Examples</a></h2>
 
diff --git a/docs/schemas/storagecommon.rng b/docs/schemas/storagecommon.rng
index 3ddff02e43..591a158209 100644
--- a/docs/schemas/storagecommon.rng
+++ b/docs/schemas/storagecommon.rng
@@ -13,6 +13,7 @@
           <value>default</value>
           <value>qcow</value>
           <value>luks</value>
+          <value>luks2</value>
         </choice>
       </attribute>
       <optional>
diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
index 3c1267ed40..c312236d4c 100644
--- a/src/conf/storage_encryption_conf.c
+++ b/src/conf/storage_encryption_conf.c
@@ -44,7 +44,7 @@ VIR_ENUM_IMPL(virStorageEncryptionSecret,
 
 VIR_ENUM_IMPL(virStorageEncryptionFormat,
               VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
-              "default", "qcow", "luks",
+              "default", "qcow", "luks", "luks2",
 );
 
 VIR_ENUM_IMPL(virStorageEncryptionEngine,
diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h
index 0931618608..312599ad44 100644
--- a/src/conf/storage_encryption_conf.h
+++ b/src/conf/storage_encryption_conf.h
@@ -65,6 +65,7 @@ typedef enum {
     VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT = 0,
     VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */
     VIR_STORAGE_ENCRYPTION_FORMAT_LUKS,
+    VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2,
 
     VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
 } virStorageEncryptionFormatType;
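Review bot: The new `VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2` enumerator carries no comment, although the neighbouring QCOW value documents its scope (`/* Both qcow and qcow2 */`) and the header is where a reader first looks up what a format means. The restriction that the commit message and the HTML docs describe (librbd engine only, decryption only, no creation through libvirt) is otherwise visible only in the qemu validator, so it belongs next to the value as well. Suggested line: `VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2, /* librbd engine only; libvirt cannot create luks2 images */`. The `typedef enum` opening line is in the hunk header, so the start of the definition is outside the hunk.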
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index 5b1b5bea2e..62c40d39d1 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -908,6 +908,10 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src,
                 encformat = "luks";
                 break;
 
+            case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
+                encformat = "luks2";
+                break;
+
             case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
             case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
             case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
@@ -1355,6 +1359,7 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
         break;
 
     case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+    case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
     case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
     default:
         virReportEnumRangeError(virStorageEncryptionFormatType,
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 13869dd79b..8c2a5408da 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1228,7 +1228,8 @@ static bool
 qemuDomainDiskHasEncryptionSecret(virStorageSource *src)
 {
     if (!virStorageSourceIsEmpty(src) && src->encryption &&
-        src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS &&
+        (src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS ||
+         src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2) &&
         src->encryption->nsecrets > 0)
         return true;
 
@@ -4820,6 +4821,7 @@ qemuDomainValidateStorageSource(virStorageSource *src,
                         break;
 
                     case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+                    case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
                     case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
                     default:
                         virReportEnumRangeError(virStorageEncryptionFormatType,
@@ -4837,6 +4839,7 @@ qemuDomainValidateStorageSource(virStorageSource *src,
 
                 switch ((virStorageEncryptionFormatType) src->encryption->format) {
                     case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
+                    case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
                         break;
 
                     case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
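Review bot: The switch at the top of this hunk now lets `VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2` through with a bare `break`, but nothing visible in the hunk checks the secret count or type, while the documentation hunk in this same patch states that exactly one `<secret type='passphrase'...>` element is expected for luks2. If the existing LUKS path already enforces that in the lines after this hunk (the switch and `qemuDomainValidateStorageSource` both continue outside it), luks2 inherits the check and a one-line comment saying so is enough; otherwise a luks2 source with zero or several secrets should be rejected here, before the librbd `encrypt` props are built, e.g. `if (src->encryption->nsecrets != 1) { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("luks2 encryption requires exactly one secret")); return -1; }`.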
diff --git a/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args
index 69837a8003..9b3e8d31b8 100644
--- a/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args
+++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args
@@ -27,18 +27,22 @@ XDG_CONFIG_HOME=/tmp/lib/domain--1-encryptdisk/.config \
 -no-acpi \
 -boot strict=on \
 -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
+-object '{"qom-type":"secret","id":"libvirt-4-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
+-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-4-storage","auto-read-only":true,"discard":"unmap"}' \
+-blockdev '{"node-name":"libvirt-4-format","read-only":false,"driver":"luks","key-secret":"libvirt-4-format-encryption-secret0","file":"libvirt-4-storage"}' \
+-device virtio-blk-pci,bus=pci.0,addr=0x2,drive=libvirt-4-format,id=virtio-disk0,bootindex=1 \
 -object '{"qom-type":"secret","id":"libvirt-3-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
 -blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-3-storage","auto-read-only":true,"discard":"unmap"}' \
 -blockdev '{"node-name":"libvirt-3-format","read-only":false,"driver":"luks","key-secret":"libvirt-3-format-encryption-secret0","file":"libvirt-3-storage"}' \
--device virtio-blk-pci,bus=pci.0,addr=0x2,drive=libvirt-3-format,id=virtio-disk0,bootindex=1 \
+-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=libvirt-3-format,id=virtio-disk1 \
 -object '{"qom-type":"secret","id":"libvirt-2-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
--blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}' \
--blockdev '{"node-name":"libvirt-2-format","read-only":false,"driver":"luks","key-secret":"libvirt-2-format-encryption-secret0","file":"libvirt-2-storage"}' \
--device virtio-blk-pci,bus=pci.0,addr=0x4,drive=libvirt-2-format,id=virtio-disk1 \
+-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks","key-secret":"libvirt-2-format-encryption-secret0"},"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}' \
+-blockdev '{"node-name":"libvirt-2-format","read-only":false,"driver":"raw","file":"libvirt-2-storage"}' \
+-device virtio-blk-pci,bus=pci.0,addr=0x5,drive=libvirt-2-format,id=virtio-disk2 \
 -object '{"qom-type":"secret","id":"libvirt-1-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
--blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks","key-secret":"libvirt-1-format-encryption-secret0"},"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
+-blockdev '{"driver":"rbd","pool":"pool","image":"image2","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks2","key-secret":"libvirt-1-format-encryption-secret0"},"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
 -blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}' \
--device virtio-blk-pci,bus=pci.0,addr=0x5,drive=libvirt-1-format,id=virtio-disk2 \
+-device virtio-blk-pci,bus=pci.0,addr=0x6,drive=libvirt-1-format,id=virtio-disk3 \
 -audiodev id=audio1,driver=none \
 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 \
 -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
diff --git a/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml b/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml
index d8c2d3dbe2..eeadbfeeba 100644
--- a/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml
+++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml
@@ -50,6 +50,18 @@
       </source>
       <target dev='vdc' bus='virtio'/>
     </disk>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source protocol='rbd' name='pool/image2'>
+        <host name='mon1.example.org' port='6321'/>
+        <host name='mon2.example.org' port='6322'/>
+        <host name='mon3.example.org' port='6322'/>
+        <encryption format='luks2' engine='librbd'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+        </encryption>
+      </source>
+      <target dev='vdd' bus='virtio'/>
+    </disk>
     <controller type='usb' index='0'>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
     </controller>
diff --git a/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml b/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml
index d4942718bb..a91504202a 100644
--- a/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml
@@ -56,6 +56,19 @@
       <target dev='vdc' bus='virtio'/>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
     </disk>
+    <disk type='network' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source protocol='rbd' name='pool/image2'>
+        <host name='mon1.example.org' port='6321'/>
+        <host name='mon2.example.org' port='6322'/>
+        <host name='mon3.example.org' port='6322'/>
+        <encryption format='luks2' engine='librbd'>
+          <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+        </encryption>
+      </source>
+      <target dev='vdd' bus='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+    </disk>
     <controller type='usb' index='0' model='piix3-uhci'>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
     </controller>
-- 
2.25.1

Re: [PATCH v4 5/5] conf: add luks2 encryption format

Posted by Peter Krempa 1 month ago
On Thu, Oct 07, 2021 at 14:21:21 -0500, Or Ozeri wrote:
> This commit extends libvirt XML configuration to support luks2 encryption format.
> This means that <encryption format="luks2" engine="librbd"> becomes valid.
> Currently librbd is the only engine that supports this new format.
> 
> Signed-off-by: Or Ozeri <oro@il.ibm.com>
> ---
>  docs/formatstorageencryption.html.in             | 12 +++++++++++-
>  docs/schemas/storagecommon.rng                   |  1 +
>  src/conf/storage_encryption_conf.c               |  2 +-
>  src/conf/storage_encryption_conf.h               |  1 +
>  src/qemu/qemu_block.c                            |  5 +++++
>  src/qemu/qemu_domain.c                           |  5 ++++-
>  ...isk-network-rbd-encryption.x86_64-latest.args | 16 ++++++++++------
>  .../disk-network-rbd-encryption.xml              | 12 ++++++++++++
>  ...disk-network-rbd-encryption.x86_64-latest.xml | 13 +++++++++++++
>  9 files changed, 58 insertions(+), 9 deletions(-)
> 
> diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
> index 02ee8f8ca3..6cf1f94a9f 100644
> --- a/docs/formatstorageencryption.html.in
> +++ b/docs/formatstorageencryption.html.in

[...]

> @@ -121,6 +121,16 @@
>        </dd>
>      </dl>
>  
> +    <h3><a id="StorageEncryptionLuks2">"luks2" format</a></h3>
> +    <p>
> +      The <code>luks2</code> format is currently supported only by the
> +      <code>librbd</code> engine, and can only be applied to RBD network disks.
> +      <code>luks2</code> encrypted RBD disks can be decrypted by the domain,
> +      but creation of such disks is currently not supported through libvirt.
> +      A single
> +      <code>&lt;secret type='passphrase'...&gt;</code> element is expected.
> +    </p>

As noted before this doesn't really tell what's happening in the storage
driver, so it will need some tweaking.


> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
> index 13869dd79b..8c2a5408da 100644
> --- a/src/qemu/qemu_domain.c
> +++ b/src/qemu/qemu_domain.c
> @@ -1228,7 +1228,8 @@ static bool
>  qemuDomainDiskHasEncryptionSecret(virStorageSource *src)
>  {
>      if (!virStorageSourceIsEmpty(src) && src->encryption &&
> -        src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS &&
> +        (src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS ||
> +         src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2) &&
>          src->encryption->nsecrets > 0)
>          return true;
>  
> @@ -4820,6 +4821,7 @@ qemuDomainValidateStorageSource(virStorageSource *src,
>                          break;
>  
>                      case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
> +                    case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
>                      case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
>                      default:
>                          virReportEnumRangeError(virStorageEncryptionFormatType,

Same problem as in previous patch. This creates an error message which
is not really descriptive.

Again both seem to be easy enough for me to do before pushing if you are
okay with it.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>

(Note that I'm on PTO until Monday).