On Fri, May 15, 2015 at 04:43:27PM +0200, Michal Privoznik wrote: > From: Tony Krowiak <akrowiak@xxxxxxxxxxxxxxxxxx> > > Two new domain configuration XML elements have been added to enable/disable They haven't been added yet :) This should be squashed in with the patch implementing XML parsing and formatting of the attributes. > the protected key management operations for a guest: > > <domain> > ... > <keywrap> > <cipher name='aes|dea' state='on|off'/> > </keywrap> > ... > </domain> > > Signed-off-by: Tony Krowiak <akrowiak@xxxxxxxxxxxxxxxxxx> > Signed-off-by: Viktor Mihajlovski <mihajlov@xxxxxxxxxx> > Reviewed-by: Boris Fiuczynski <fiuczy@xxxxxxxxxxxxxxxxxx> > Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> > --- > docs/formatdomain.html.in | 37 +++++++++++++++++++++++++++++++++++++ > docs/schemas/domaincommon.rng | 24 ++++++++++++++++++++++++ > 2 files changed, 61 insertions(+) > > diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in > index e0b6ba7..db3c81c 100644 > --- a/docs/formatdomain.html.in > +++ b/docs/formatdomain.html.in 
> @@ -6227,6 +6227,43 @@ qemu-kvm -net nic,model=? /dev/null > being on a file system that lacks security labeling. > </p> > > + <h3><a name="keywrap" shape="rect" id="keywrap">Key Wrap</a></h3> Is the shape attribute needed here? We don't use it for other 'a name's. > + > + <p>The content of the optional <code>keywrap</code> element specifies > + whether the guest will be allowed to perform the S390 cryptographic key > + management operations. A clear key can be protected by encrypting it > + under a unique wrapping key that is generated for each guest VM running > + on the host. Two variations of wrapping keys are generated: one version > + for encrypting protected keys using the DEA/TDEA algorithm, and another > + version for keys encrypted using the AES algorithm. If a > + <code>keywrap</code> element is not included, the guest will be granted > + access to both AES and DEA/TDEA key wrapping by default.</p> > + > + <pre xml:space="preserve"> Same question about this attribute. > +<domain> > + ... > + <keywrap> > + <cipher name='aes' state='off'/> > + <keywrap/> The / needs to be before the tag name. > + ... > +</domain> > +</pre> > + <p>At least one <code>cipher</code> element must be nested within the > + <code>keywrap</code> element.</p> > + <dl><dt><code>cipher</code></dt> > + <dd>The <code>name</code> attribute identifies the algorithm > + for encrypting a protected key. The values supported for this attribute > + are <code>aes</code> for encryption under the AES wrapping key, or > + <code>dea</code> for encryption under the DEA/TDEA wrapping key. The > + <code>state</code> attribute indicates whether the cryptographic key > + management operations should be turned on for the specified encryption > + algorithm. The value can be set to <code>on</code> or <code>off</code>. > + A default state of <code>on</code> will be assumed if a > + <code>cipher</code> element is not included for the AES or DEA/TDEA > + encryption algorithm. 
> + </dd></dl> > + > + Note: DEA/TDEA is synonymous with DES/TDES. > <h2><a name="examples">Example configs</a></h2> > > <p> > diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng > index c151e92..1e67776 100644 > --- a/docs/schemas/domaincommon.rng > +++ b/docs/schemas/domaincommon.rng > @@ -67,6 +67,9 @@ > <optional> > <ref name='qemucmdline'/> > </optional> > + <optional> > + <ref name='keywrap'/> > + </optional> > </interleave> > </element> > </define> > @@ -382,6 +385,27 @@ > </element> > </define> > > + <define name="keywrap"> > + <element name="keywrap"> > + <oneOrMore> > + <element name="cipher"> > + <attribute name="name"> > + <choice> > + <value>aes</value> > + <value>dea</value> > + </choice> > + </attribute> > + <attribute name="state"> > + <choice> > + <value>on</value> > + <value>off</value> > + </choice> <ref name='virOnOff'/> can be used here > + </attribute> > + </element> > + </oneOrMore> > + </element> > + </define> > + > <!-- > The Identifiers can be: > - an optional id attribute with a number on the domain element ACK with the attributes removed. (and squashing it with the XML parser/formatter) Jan
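Review bot: in the docs/formatdomain.html.in hunk, the added line `Note: DEA/TDEA is synonymous with DES/TDES.` sits as bare text between `</dd></dl>` and the existing `<h2>` Example configs heading, outside any `<p>` element, so it will not render as a paragraph like the rest of the section; wrap it as `<p>Note: DEA/TDEA is synonymous with DES/TDES.</p>`, and with the sample XML closing tag corrected to `</keywrap>` the example will also parse as well-formed XML.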
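Review bot: in the `<define name="keywrap">` hunk of docs/schemas/domaincommon.rng, `<oneOrMore>` places no uniqueness constraint on the nested `cipher` elements, so a domain XML carrying two `<cipher name='aes' .../>` entries with conflicting `state` values validates against the schema; RelaxNG cannot express that restriction, so the XML parser this is squashed with needs to reject a repeated `name` explicitly, and the formatdomain.html.in text should state that each algorithm may appear at most once.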
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list