[libvirt] [RFC PATCH 0/4] qemu: Forbid old qcow2 encryption

Peter Krempa posted 4 patches 5 years, 11 months ago
[libvirt] [RFC PATCH 0/4] qemu: Forbid old qcow2 encryption
Posted by Peter Krempa 5 years, 11 months ago
This applies on top of the text monitor cleanup. See explanation in 3/4
for justification.

Peter Krempa (4):
  tests: qemublock: Switch to qcow2+luks in test files
  tests: qemu: Modernize/remove qcow2 encryption from tests not related
    to storage
  qemu: domain: Forbid storage with old QCOW2 encryption
  qemu: Remove code for setting up disk passphrases

 src/qemu/qemu_domain.c                             |  20 ++--
 src/qemu/qemu_monitor.c                            |  13 ---
 src/qemu/qemu_monitor.h                            |   4 -
 src/qemu/qemu_monitor_json.c                       |  28 ------
 src/qemu/qemu_monitor_json.h                       |   4 -
 src/qemu/qemu_process.c                            | 103 ---------------------
 .../file-qcow2-backing-chain-encryption.json       |   2 +-
 .../file-qcow2-backing-chain-encryption.xml        |   2 +-
 ...etwork-qcow2-backing-chain-encryption_auth.json |   2 +-
 ...network-qcow2-backing-chain-encryption_auth.xml |   2 +-
 tests/qemumonitorjsontest.c                        |   2 -
 tests/qemuxml2argvdata/encrypted-disk-usage.args   |   8 +-
 tests/qemuxml2argvdata/encrypted-disk-usage.xml    |   2 +-
 tests/qemuxml2argvdata/encrypted-disk.args         |   8 +-
 tests/qemuxml2argvdata/encrypted-disk.xml          |   2 +-
 tests/qemuxml2argvdata/interface-server.xml        |   3 -
 tests/qemuxml2argvdata/user-aliases.args           |   8 +-
 tests/qemuxml2argvdata/user-aliases.xml            |   2 +-
 tests/qemuxml2argvtest.c                           |   7 +-
 tests/qemuxml2xmloutdata/encrypted-disk.xml        |   2 +-
 tests/qemuxml2xmloutdata/interface-server.xml      |   3 -
 tests/qemuxml2xmltest.c                            |   6 +-
 22 files changed, 50 insertions(+), 183 deletions(-)

-- 
2.16.2

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [RFC PATCH 0/4] qemu: Forbid old qcow2 encryption
Posted by John Ferlan 5 years, 11 months ago

On 05/22/2018 10:04 AM, Peter Krempa wrote:
> This applies on top of the text monitor cleanup. See explanation in 3/4
> for justification.
> 
> Peter Krempa (4):
>   tests: qemublock: Switch to qcow2+luks in test files
>   tests: qemu: Modernize/remove qcow2 encryption from tests not related
>     to storage
>   qemu: domain: Forbid storage with old QCOW2 encryption
>   qemu: Remove code for setting up disk passphrases
> 

This would be nice, but based on this series:

https://www.redhat.com/archives/libvir-list/2018-May/msg01268.html

I believe there are quite a few more tests/files to modify/delete in
order to remove qcow[2] from the source tree.

There's also the formatstorageencryption and formatsecret documentation
that would need updating.

Based only on the effort from the above series to convert/consume a non
encrypted image to result in a qcow[2] encrypted image - I assume
conversion of qcow[2] images is not a simple exercise. Not sure whether
anyone really uses qcow[2] encryption anymore in the wild, but just
telling them they have to convert (without providing a shred of details
as to what that entails) isn't very friendly.

Also not sure it's possible to just convert to using LUKS since at one
time at least usage required having code/tests inside a "# ifdef
WITH_GNUTLS" (something that can be seen in the diffs from
tests/qemuxml2argvtest.c in patch 3).

John

>  src/qemu/qemu_domain.c                             |  20 ++--
>  src/qemu/qemu_monitor.c                            |  13 ---
>  src/qemu/qemu_monitor.h                            |   4 -
>  src/qemu/qemu_monitor_json.c                       |  28 ------
>  src/qemu/qemu_monitor_json.h                       |   4 -
>  src/qemu/qemu_process.c                            | 103 ---------------------
>  .../file-qcow2-backing-chain-encryption.json       |   2 +-
>  .../file-qcow2-backing-chain-encryption.xml        |   2 +-
>  ...etwork-qcow2-backing-chain-encryption_auth.json |   2 +-
>  ...network-qcow2-backing-chain-encryption_auth.xml |   2 +-
>  tests/qemumonitorjsontest.c                        |   2 -
>  tests/qemuxml2argvdata/encrypted-disk-usage.args   |   8 +-
>  tests/qemuxml2argvdata/encrypted-disk-usage.xml    |   2 +-
>  tests/qemuxml2argvdata/encrypted-disk.args         |   8 +-
>  tests/qemuxml2argvdata/encrypted-disk.xml          |   2 +-
>  tests/qemuxml2argvdata/interface-server.xml        |   3 -
>  tests/qemuxml2argvdata/user-aliases.args           |   8 +-
>  tests/qemuxml2argvdata/user-aliases.xml            |   2 +-
>  tests/qemuxml2argvtest.c                           |   7 +-
>  tests/qemuxml2xmloutdata/encrypted-disk.xml        |   2 +-
>  tests/qemuxml2xmloutdata/interface-server.xml      |   3 -
>  tests/qemuxml2xmltest.c                            |   6 +-
>  22 files changed, 50 insertions(+), 183 deletions(-)
> 

Re: [libvirt] [RFC PATCH 0/4] qemu: Forbid old qcow2 encryption
Posted by Peter Krempa 5 years, 11 months ago
On Tue, May 22, 2018 at 10:40:39 -0400, John Ferlan wrote:
> 
> 
> On 05/22/2018 10:04 AM, Peter Krempa wrote:
> > This applies on top of the text monitor cleanup. See explanation in 3/4
> > for justification.
> > 
> > Peter Krempa (4):
> >   tests: qemublock: Switch to qcow2+luks in test files
> >   tests: qemu: Modernize/remove qcow2 encryption from tests not related
> >     to storage
> >   qemu: domain: Forbid storage with old QCOW2 encryption
> >   qemu: Remove code for setting up disk passphrases
> > 
> 
> This would be nice, but based on this series:
> 
> https://www.redhat.com/archives/libvir-list/2018-May/msg01268.html
> 
> I believe there are quite a few more tests/files to modify/delete in
> order to remove qcow[2] from the source tree.

Yes, because the check in 3/4 only does this for qcow2, but it also
should be done for qcow.

> 
> There's also the formatstorageencryption and formatsecret documentation
> that would need updating.

Yep.

> 
> Based only on the effort from the above series to convert/consume a non
> encrypted image to result in a qcow[2] encrypted image - I assume
> conversion of qcow[2] images is not a simple exercise. Not sure whether
> anyone really uses qcow[2] encryption anymore in the wild, but just
> telling them they have to convert (without providing a shred of details
> as to what that entails) isn't very friendly.

Starting with qemu 2.7 qcow[2] encryption can't be used with system
emulators, only with qemu-img. It was deprecated since 2.3. While this
breaks compatibility with old qemus the upstream support for this is
declared dead.

With these patches you get a failure even with old qemus and you know
that you have to fix your images rather than waiting for the doom which
can happen.

commit 8c0dcbc4ad2bf4f9f3b27c637b357e87cad70ec7
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Mon Jun 13 12:30:09 2016 +0100

    block: drop support for using qcow[2] encryption with system emulators
    
    Back in the 2.3.0 release we declared qcow[2] encryption as
    deprecated, warning people that it would be removed in a future
    release.
    
      commit a1f688f4152e65260b94f37543521ceff8bfebe4
      Author: Markus Armbruster <armbru@redhat.com>
      Date:   Fri Mar 13 21:09:40 2015 +0100
    
        block: Deprecate QCOW/QCOW2 encryption


> Also not sure it's possible to just convert to using LUKS since at one
> time at least usage required having code/tests inside a "# ifdef
> WITH_GNUTLS" (something that can be seen in the diffs from
> tests/qemuxml2argvtest.c in patch 3).

Well, without gnutls this will not work, but in that case even qemu
encryption will most probably not work.
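The thread leaves open how an administrator finds the images that would start failing. The following is an added example, not part of the thread or of libvirt: a header check that reports which qcow/qcow2 images still use the old AES encryption, covering qcow (v1) as well since the reply notes the check should apply there too. The function names are hypothetical, and the field offsets are taken from QEMU's on-disk header layout rather than from this page.

```python
import struct
import sys

QCOW_MAGIC = b"QFI\xfb"

def qcow_crypt_method(header: bytes):
    """Return (version, method) for a qcow/qcow2 header, None for other formats."""
    if header[:4] != QCOW_MAGIC:
        return None
    if len(header) < 8:
        raise ValueError("truncated qcow header")
    version = struct.unpack_from(">I", header, 4)[0]
    if version not in (1, 2, 3):
        raise ValueError(f"unsupported qcow version {version}")
    # All fields are big-endian. qcow (v1) carries mtime and cluster/l2 bits
    # before crypt_method (byte 36); qcow2 (v2/v3) stores it at byte 32.
    offset = 36 if version == 1 else 32
    if len(header) < offset + 4:
        raise ValueError("truncated qcow header")
    method = struct.unpack_from(">I", header, offset)[0]
    names = {0: "none", 1: "aes-legacy"}
    if version >= 2:
        names[2] = "luks"  # LUKS payloads exist only in qcow2
    return version, names.get(method, f"unknown({method})")

def needs_conversion(header: bytes) -> bool:
    """True when the image uses the old AES scheme discussed in the thread."""
    info = qcow_crypt_method(header)
    return info is not None and info[1] == "aes-legacy"

def sample_header(version: int, crypt: int) -> bytes:
    """Constructed header for demonstration; not taken from a real image."""
    if version == 1:
        return struct.pack(">4sIQIIQBBHI", QCOW_MAGIC, 1, 0, 0, 0, 1 << 30, 12, 9, 0, crypt)
    return struct.pack(">4sIQIIQI", QCOW_MAGIC, version, 0, 0, 16, 1 << 30, crypt)

if __name__ == "__main__":
    # Usage: pass image paths as arguments; only the first 40 bytes are read.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            head = f.read(40)
        print(path, qcow_crypt_method(head), "CONVERT" if needs_conversion(head) else "ok")
```

Only the top image's header is inspected; backing files in a chain need the same check run against each file.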