[v2 0/4] Support generic Luks encryption

Hyman Huang posted 4 patches 11 months, 3 weeks ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/cover.1701879996.git.yong.huang@smartx.com
Maintainers: Kevin Wolf <kwolf@redhat.com>, Hanna Reitz <hreitz@redhat.com>, "Daniel P. Berrangé" <berrange@redhat.com>, Eric Blake <eblake@redhat.com>, Markus Armbruster <armbru@redhat.com>
There is a newer version of this series
[v2 0/4] Support generic Luks encryption
Posted by Hyman Huang 11 months, 3 weeks ago
v2:
- Simplify the design by reusing the LUKS driver to implement
  the generic Luks encryption, thanks to Daniel for the insightful
  advice.
- rebase on master. 

This functionality was motivated by the following to-do list seen
in crypto documents:
https://wiki.qemu.org/Features/Block/Crypto 

The last chapter says we should "separate header volume": 

The LUKS format has ability to store the header in a separate volume
from the payload. We should extend the LUKS driver in QEMU to support
this use case.

By enhancing the LUKS driver, it is possible to enable
the detachable LUKS header and, as a result, achieve
general encryption for any disk format that QEMU has
supported.

Taking qcow2 as an example, the usage of the generic
LUKS encryption is as follows:

1. add a protocol blockdev node of data disk
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
> "arguments":{"node-name":"libvirt-1-storage", "driver":"file",
> "filename":"/path/to/test_disk.qcow2"}}'

2. add a protocol blockdev node of LUKS header as above.
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
> "arguments":{"node-name":"libvirt-2-storage", "driver":"file",
> "filename": "/path/to/cipher.gluks" }}'

3. add the secret for decrypting the cipher stored in LUKS
   header above
$ virsh qemu-monitor-command vm '{"execute":"object-add",
> "arguments":{"qom-type":"secret", "id":
> "libvirt-2-storage-secret0", "data":"abc123"}}'

4. add the qcow2-driven blockdev format node
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
> "arguments":{"node-name":"libvirt-1-format", "driver":"qcow2",
> "file":"libvirt-1-storage"}}'

5. add the luks-driven blockdev to link the qcow2 disk with
   LUKS header by specifying the field "header"
$ virsh qemu-monitor-command vm '{"execute":"blockdev-add",
> "arguments":{"node-name":"libvirt-2-format", "driver":"luks",
> "file":"libvirt-1-format", "header":"libvirt-2-storage",
> "key-secret":"libvirt-2-storage-secret0"}}'

6. add the virtio-blk device finally
$ virsh qemu-monitor-command vm '{"execute":"device_add",
> "arguments": {"num-queues":"1", "driver":"virtio-blk-pci",
> "drive": "libvirt-2-format", "id":"virtio-disk2"}}'

The generic LUKS encryption method of starting a virtual
machine (VM) is somewhat similar to hot-plug in that both
maintain the same JSON command, while starting the VM
changes the "blockdev-add/device_add" parameters to
"blockdev/device".

Please review, thanks

Best regards,

Yong

Hyman Huang (4):
  crypto: Introduce option and structure for detached LUKS header
  crypto: Introduce payload offset set function
  crypto: Support generic LUKS encryption
  block: Support detached LUKS header creation for blockdev-create

 block/crypto.c         | 47 ++++++++++++++++++++++++++++++++++++++++--
 crypto/block.c         |  4 ++++
 include/crypto/block.h |  1 +
 qapi/block-core.json   | 11 ++++++++--
 4 files changed, 59 insertions(+), 4 deletions(-)

-- 
2.39.1
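
Added example, not part of the original post or of QEMU's code: a Python sketch that takes the six-step QMP sequence from the cover letter, checks that every node and secret reference names something defined earlier, and emits the boot-time `-blockdev`/`-object`/`-device` form the cover letter mentions. Assumptions: the "header" option as proposed in this series, a QEMU that accepts JSON arguments for `-object` and `-device`, and a hypothetical `/path/to/luks.pass` file supplied through the secret object's "file" property so the passphrase does not appear in the command itself.

```python
import json

# Constructed sequence mirroring steps 1-6 of the cover letter. The secret file
# path is a hypothetical placeholder; "file" replaces the inline "data" value.
QMP_STEPS = [
    ("blockdev-add", {"node-name": "libvirt-1-storage", "driver": "file",
                      "filename": "/path/to/test_disk.qcow2"}),
    ("blockdev-add", {"node-name": "libvirt-2-storage", "driver": "file",
                      "filename": "/path/to/cipher.gluks"}),
    ("object-add", {"qom-type": "secret", "id": "libvirt-2-storage-secret0",
                    "file": "/path/to/luks.pass"}),
    ("blockdev-add", {"node-name": "libvirt-1-format", "driver": "qcow2",
                      "file": "libvirt-1-storage"}),
    ("blockdev-add", {"node-name": "libvirt-2-format", "driver": "luks",
                      "file": "libvirt-1-format", "header": "libvirt-2-storage",
                      "key-secret": "libvirt-2-storage-secret0"}),
    ("device_add", {"driver": "virtio-blk-pci", "drive": "libvirt-2-format",
                    "id": "virtio-disk2", "num-queues": 1}),
]

# QMP command -> boot-time option that takes the same JSON arguments.
CLI_OPTION = {"blockdev-add": "-blockdev", "object-add": "-object", "device_add": "-device"}
# Argument keys that must name a block node added by an earlier step.
NODE_REFS = {"blockdev-add": ("file", "header"), "device_add": ("drive",)}

def check_references(steps):
    """Return one message per reference that names nothing defined earlier."""
    nodes, objects, errors = set(), set(), []
    for command, args in steps:
        for key in NODE_REFS.get(command, ()):
            ref = args.get(key)
            if isinstance(ref, str) and ref not in nodes:
                errors.append(f"{command}: {key}={ref!r} is not a known node")
        secret = args.get("key-secret")
        if secret is not None and secret not in objects:
            errors.append(f"{command}: key-secret={secret!r} is not a known object")
        if command == "blockdev-add":
            nodes.add(args["node-name"])
        elif command == "object-add":
            objects.add(args["id"])
    return errors

def to_cli_args(steps):
    """Translate the QMP sequence into QEMU command-line arguments, in order."""
    return [part for cmd, args in steps for part in (CLI_OPTION[cmd], json.dumps(args))]

if __name__ == "__main__":
    print(check_references(QMP_STEPS) or "all references resolve")
    print(to_cli_args(QMP_STEPS))
```

Running the check before sending the commands catches a "key-secret" or "header" value that does not match any object or node added earlier, which QEMU would otherwise only report when the luks node is opened.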
Re: [v2 0/4] Support generic Luks encryption
Posted by Daniel P. Berrangé 11 months, 2 weeks ago
On Thu, Dec 07, 2023 at 12:37:41AM +0800, Hyman Huang wrote:
> v2:
> - Simplify the design by reusing the LUKS driver to implement
>   the generic Luks encryption, thanks to Daniel for the insightful
>   advice.
> - rebase on master. 
> 

> Hyman Huang (4):
>   crypto: Introduce option and structure for detached LUKS header
>   crypto: Introduce payload offset set function
>   crypto: Support generic LUKS encryption
>   block: Support detached LUKS header creation for blockdev-create
> 
>  block/crypto.c         | 47 ++++++++++++++++++++++++++++++++++++++++--
>  crypto/block.c         |  4 ++++
>  include/crypto/block.h |  1 +
>  qapi/block-core.json   | 11 ++++++++--
>  4 files changed, 59 insertions(+), 4 deletions(-)

Could you add a scenario tests/qemu-iotests/tests/luks-detached-header
to provide coverage of this method feature.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
Re: [v2 0/4] Support generic Luks encryption
Posted by Yong Huang 11 months, 2 weeks ago
On Mon, Dec 18, 2023 at 7:21 PM Daniel P. Berrangé <berrange@redhat.com>
wrote:

> On Thu, Dec 07, 2023 at 12:37:41AM +0800, Hyman Huang wrote:
> > v2:
> > - Simplify the design by reusing the LUKS driver to implement
> >   the generic Luks encryption, thanks to Daniel for the insightful
> >   advice.
> > - rebase on master.
> >
>
> > Hyman Huang (4):
> >   crypto: Introduce option and structure for detached LUKS header
> >   crypto: Introduce payload offset set function
> >   crypto: Support generic LUKS encryption
> >   block: Support detached LUKS header creation for blockdev-create
> >
> >  block/crypto.c         | 47 ++++++++++++++++++++++++++++++++++++++++--
> >  crypto/block.c         |  4 ++++
> >  include/crypto/block.h |  1 +
> >  qapi/block-core.json   | 11 ++++++++--
> >  4 files changed, 59 insertions(+), 4 deletions(-)
>
> Could you add a scenario tests/qemu-iotests/tests/luks-detached-header
> to provide coverage of this method feature.
>

Sure, of course.

>
> With regards,
> Daniel
> --
> |: https://berrange.com      -o-
> https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-
> https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-
> https://www.instagram.com/dberrange :|
>
>

-- 
Best regards