On 09/11/2018 04:15 PM, John Ferlan wrote: > > > On 09/11/2018 07:16 AM, Michal Privoznik wrote: >> On 08/21/2018 06:23 PM, John Ferlan wrote: >>> https://bugzilla.redhat.com/show_bug.cgi?id=1613737 >>> >>> When processing the inputvol for encryption, we need to handle >>> the case where the inputvol is encrypted. This then allows for >>> the encrypted inputvol to be used either for an output encrypted >>> volume or an output volume of some XML provided type. >>> >>> Add tests to show the various conversion options when either input >>> or output is encrypted. This includes when both are encrypted. >>> >>> Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx> >>> --- >>> src/storage/storage_util.c | 62 ++++++++++++++++--- >>> src/storage/storage_util.h | 1 + >>> .../luks-convert-encrypt.argv | 11 ++++ >>> .../luks-convert-encrypt2fileqcow2.argv | 7 +++ >>> .../luks-convert-encrypt2fileraw.argv | 7 +++ >>> tests/storagevolxml2argvtest.c | 15 ++++- >>> tests/storagevolxml2xmlin/vol-encrypt1.xml | 21 +++++++ >>> tests/storagevolxml2xmlin/vol-encrypt2.xml | 21 +++++++ >>> 8 files changed, 137 insertions(+), 8 deletions(-) >>> create mode 100644 tests/storagevolxml2argvdata/luks-convert-encrypt.argv >>> create mode 100644 tests/storagevolxml2argvdata/luks-convert-encrypt2fileqcow2.argv >>> create mode 100644 tests/storagevolxml2argvdata/luks-convert-encrypt2fileraw.argv >>> create mode 100644 tests/storagevolxml2xmlin/vol-encrypt1.xml >>> create mode 100644 tests/storagevolxml2xmlin/vol-encrypt2.xml >>> >>> diff --git a/src/storage/storage_util.c b/src/storage/storage_util.c >>> index cc49a5b9f7..3c1e875b27 100644 >>> --- a/src/storage/storage_util.c >>> +++ b/src/storage/storage_util.c >>> @@ -1084,6 +1084,7 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool, >>> unsigned int flags, >>> const char *create_tool, >>> const char *secretPath, >>> + const char *inputSecretPath, >>> virStorageVolEncryptConvertStep convertStep) >>> { >>> virCommandPtr cmd = NULL; >>> @@ -1101,6 +1102,8 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool, >>> .secretAlias = NULL, >>> }; >>> virStorageEncryptionPtr enc = vol->target.encryption; >>> + char *inputSecretAlias = NULL; >>> + virStorageEncryptionPtr inputenc = inputvol ? inputvol->target.encryption : NULL; >>> virStorageEncryptionInfoDefPtr encinfo = NULL; >>> >>> virCheckFlags(VIR_STORAGE_VOL_CREATE_PREALLOC_METADATA, NULL); >>> @@ -1114,6 +1117,12 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool, >>> goto error; >>> } >>> >>> + if (inputenc && inputenc->format != VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) { >>> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", >>> + _("encryption format of inputvol must be LUKS")); >>> + goto error; >>> + } >>> + >>> if (virStorageBackendCreateQemuImgSetInfo(pool, vol, inputvol, >>> convertStep, &info) < 0) >>> goto error; >>> @@ -1153,6 +1162,20 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool, >>> encinfo = &enc->encinfo; >>> } >>> >>> + if (inputenc && convertStep == VIR_STORAGE_VOL_ENCRYPT_CONVERT) { >>> + if (!inputSecretPath) { >>> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", >>> + _("path to inputvol secret data file is required")); >>> + goto error; >>> + } >>> + if (virAsprintf(&inputSecretAlias, "%s_encrypt0", >>> + inputvol->name) < 0) >>> + goto error; >>> + if (storageBackendCreateQemuImgSecretObject(cmd, inputSecretPath, >>> + inputSecretAlias) < 0) >>> + goto error; >>> + } >>> + >>> if (convertStep != VIR_STORAGE_VOL_ENCRYPT_CONVERT) { >>> if (storageBackendCreateQemuImgSetOptions(cmd, encinfo, info) < 0) >>> goto error; >>> @@ -1163,19 +1186,32 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool, >>> virCommandAddArgFormat(cmd, "%lluK", info.size_arg); >>> } else { >>> /* source */ >>> - virCommandAddArgFormat(cmd, "driver=%s,file.filename=%s", >>> - info.inputType, info.inputPath); >>> + if (inputenc) >>> + virCommandAddArgFormat(cmd, >>> + "driver=luks,file.filename=%s,key-secret=%s", >>> + info.inputPath, inputSecretAlias); >>> + else >>> + virCommandAddArgFormat(cmd, "driver=%s,file.filename=%s", >>> + info.inputType, info.inputPath); >>> >>> /* dest */ >>> - virCommandAddArgFormat(cmd, "driver=%s,file.filename=%s,key-secret=%s", >>> - info.type, info.path, info.secretAlias); >>> + if (enc) >>> + virCommandAddArgFormat(cmd, >>> + "driver=%s,file.filename=%s,key-secret=%s", >>> + info.type, info.path, info.secretAlias); >>> + else >>> + virCommandAddArgFormat(cmd, "driver=%s,file.filename=%s", >>> + info.type, info.path); >>> + >> >> Same comment here as in previous patch. >> > > OK, yeah, right, but only for info.inputType which just means a merge > conflict resolution for this patch, unless there was something else you > were referencing that I'm missing. Yep, it's only inputType that I had in mind. > > For this particular patch, altering the dest to account for the case > when the source was encrypted, but the destination is not - IOW: the > removal of secretAlias in that case. Okay, Michal -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
