[PATCH v5 3/5] conf: add encryption engine property

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This commit extends libvirt XML configuration to support a custom encryption engine.
This means that <encryption format="luks" engine="qemu">  becomes valid.
The only engine for now is qemu. However, a new engine (librbd) will be added in an upcoming commit.
If no engine is specified, qemu will be used (assuming qemu driver is used).

Signed-off-by: Or Ozeri <oro@xxxxxxxxxx>
---
 docs/formatstorageencryption.html.in          |  6 +++++
 docs/schemas/domainbackup.rng                 |  7 +++++
 docs/schemas/storagecommon.rng                |  7 +++++
 src/conf/storage_encryption_conf.c            | 26 ++++++++++++++++++-
 src/conf/storage_encryption_conf.h            |  9 +++++++
 src/qemu/qemu_block.c                         |  2 ++
 src/qemu/qemu_domain.c                        | 20 ++++++++++++++
 tests/qemustatusxml2xmldata/upgrade-out.xml   |  6 ++---
 tests/qemuxml2argvdata/disk-nvme.xml          |  2 +-
 .../qemuxml2argvdata/encrypted-disk-usage.xml |  2 +-
 tests/qemuxml2argvdata/luks-disks.xml         |  4 +--
 tests/qemuxml2argvdata/user-aliases.xml       |  2 +-
 .../disk-slices.x86_64-latest.xml             |  4 +--
 tests/qemuxml2xmloutdata/encrypted-disk.xml   |  2 +-
 .../luks-disks-source-qcow2.x86_64-latest.xml | 14 +++++-----
 .../qemuxml2xmloutdata/luks-disks-source.xml  | 10 +++----
 16 files changed, 99 insertions(+), 24 deletions(-)

diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
index 7215c307d7..178fcd0d7c 100644
--- a/docs/formatstorageencryption.html.in
+++ b/docs/formatstorageencryption.html.in
@@ -23,6 +23,12 @@
       content of the <code>encryption</code> tag.  Other format values may be
       defined in the future.
     </p>
+    <p>
+      The <code>encryption</code> tag supports an optional <code>engine</code>
+      tag, which allows selecting which component actually handles
+      the encryption. Currently defined values of <code>engine</code> are
+      <code>qemu</code>.
+    </p>
     <p>
       The <code>encryption</code> tag can currently contain a sequence of
       <code>secret</code> tags, each with mandatory attributes <code>type</code>
diff --git a/docs/schemas/domainbackup.rng b/docs/schemas/domainbackup.rng
index c03455a5a7..05cc28ab00 100644
--- a/docs/schemas/domainbackup.rng
+++ b/docs/schemas/domainbackup.rng
@@ -14,6 +14,13 @@
           <value>luks</value>
         </choice>
       </attribute>
+      <optional>
+        <attribute name="engine">
+          <choice>
+            <value>qemu</value>
+          </choice>
+        </attribute>
+      </optional>
       <interleave>
         <ref name="secret"/>
         <optional>
diff --git a/docs/schemas/storagecommon.rng b/docs/schemas/storagecommon.rng
index 9ebb27700d..60dcfac06c 100644
--- a/docs/schemas/storagecommon.rng
+++ b/docs/schemas/storagecommon.rng
@@ -15,6 +15,13 @@
           <value>luks</value>
         </choice>
       </attribute>
+      <optional>
+        <attribute name="engine">
+          <choice>
+            <value>qemu</value>
+          </choice>
+        </attribute>
+      </optional>
       <interleave>
         <ref name="secret"/>
         <optional>
diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
index 9112b96cc7..7fd601e4a2 100644
--- a/src/conf/storage_encryption_conf.c
+++ b/src/conf/storage_encryption_conf.c
@@ -47,6 +47,11 @@ VIR_ENUM_IMPL(virStorageEncryptionFormat,
               "default", "qcow", "luks",
 );
 
+VIR_ENUM_IMPL(virStorageEncryptionEngine,
+              VIR_STORAGE_ENCRYPTION_ENGINE_LAST,
+              "default", "qemu",
+);
+
 static void
 virStorageEncryptionInfoDefClear(virStorageEncryptionInfoDef *def)
 {
@@ -120,6 +125,7 @@ virStorageEncryptionCopy(const virStorageEncryption *src)
     ret->secrets = g_new0(virStorageEncryptionSecret *, src->nsecrets);
     ret->nsecrets = src->nsecrets;
     ret->format = src->format;
+    ret->engine = src->engine;
 
     for (i = 0; i < src->nsecrets; i++) {
         if (!(ret->secrets[i] = virStorageEncryptionSecretCopy(src->secrets[i])))
@@ -239,6 +245,12 @@ virStorageEncryptionParseNode(xmlNodePtr node,
         goto cleanup;
     }
 
+    if (virXMLPropEnum(node, "engine",
+                       virStorageEncryptionEngineTypeFromString,
+                       VIR_XML_PROP_NONZERO,
+                       &encdef->engine) < 0)
+      goto cleanup;
+
     if ((n = virXPathNodeSet("./secret", ctxt, &nodes)) < 0)
         goto cleanup;
 
@@ -327,6 +339,7 @@ int
 virStorageEncryptionFormat(virBuffer *buf,
                            virStorageEncryption *enc)
 {
+    const char *engine;
     const char *format;
     size_t i;
 
@@ -335,7 +348,18 @@ virStorageEncryptionFormat(virBuffer *buf,
                        "%s", _("unexpected encryption format"));
         return -1;
     }
-    virBufferAsprintf(buf, "<encryption format='%s'>\n", format);
+    if (enc->engine == VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT) {
+        virBufferAsprintf(buf, "<encryption format='%s'>\n", format);
+    } else {
+        if (!(engine = virStorageEncryptionEngineTypeToString(enc->engine))) {
+            virReportError(VIR_ERR_INTERNAL_ERROR,
+                           "%s", _("unexpected encryption engine"));
+            return -1;
+        }
+        virBufferAsprintf(buf, "<encryption format='%s' engine='%s'>\n",
+                          format, engine);
+    }
+
     virBufferAdjustIndent(buf, 2);
 
     for (i = 0; i < enc->nsecrets; i++) {
diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h
index 34adbd5f7b..e0ac0fe4bf 100644
--- a/src/conf/storage_encryption_conf.h
+++ b/src/conf/storage_encryption_conf.h
@@ -51,6 +51,14 @@ struct _virStorageEncryptionInfoDef {
     char *ivgen_hash;
 };
 
+typedef enum {
+    VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT = 0,
+    VIR_STORAGE_ENCRYPTION_ENGINE_QEMU,
+
+    VIR_STORAGE_ENCRYPTION_ENGINE_LAST,
+} virStorageEncryptionEngine;
+VIR_ENUM_DECL(virStorageEncryptionEngine);
+
 typedef enum {
     /* "default" is only valid for volume creation */
     VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT = 0,
@@ -63,6 +71,7 @@ VIR_ENUM_DECL(virStorageEncryptionFormat);
 
 typedef struct _virStorageEncryption virStorageEncryption;
 struct _virStorageEncryption {
+    virStorageEncryptionEngine engine;
     int format; /* virStorageEncryptionFormatType */
     int payload_offset;
 
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index b6d6d95692..0e2395278a 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -1314,6 +1314,7 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
     *encprops = NULL;
 
     if (!src->encryption ||
+        src->encryption->engine != VIR_STORAGE_ENCRYPTION_ENGINE_QEMU ||
         !srcpriv ||
         !srcpriv->encinfo)
         return 0;
@@ -1448,6 +1449,7 @@ qemuBlockStorageSourceGetBlockdevFormatProps(virStorageSource *src)
          * put a raw layer on top */
     case VIR_STORAGE_FILE_RAW:
         if (src->encryption &&
+            src->encryption->engine == VIR_STORAGE_ENCRYPTION_ENGINE_QEMU &&
             src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) {
             if (qemuBlockStorageSourceGetFormatLUKSProps(src, props) < 0)
                 return NULL;
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 5ff602e3af..75cc656ed9 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -4770,6 +4770,18 @@ qemuDomainValidateStorageSource(virStorageSource *src,
         }
     }
 
+    if (src->encryption) {
+        switch (src->encryption->engine) {
+            case VIR_STORAGE_ENCRYPTION_ENGINE_QEMU:
+                break;
+            case VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT:
+            case VIR_STORAGE_ENCRYPTION_ENGINE_LAST:
+                virReportEnumRangeError(virStorageEncryptionEngine,
+                                        src->encryption->engine);
+                return -1;
+        }
+    }
+
     return 0;
 }
 
@@ -5222,6 +5234,8 @@ int
 qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *disk,
                                  unsigned int parseFlags)
 {
+    virStorageSource *n;
+
     /* set default disk types and drivers */
     if (!virDomainDiskGetDriver(disk))
         virDomainDiskSetDriver(disk, "qemu");
@@ -5236,6 +5250,12 @@ qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *disk,
         disk->mirror->format == VIR_STORAGE_FILE_NONE)
         disk->mirror->format = VIR_STORAGE_FILE_RAW;
 
+    /* default disk encryption engine */
+    for (n = disk->src; virStorageSourceIsBacking(n); n = n->backingStore) {
+        if (n->encryption && n->encryption->engine == VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT)
+            n->encryption->engine = VIR_STORAGE_ENCRYPTION_ENGINE_QEMU;
+    }
+
     if (qemuDomainDeviceDiskDefPostParseRestoreSecAlias(disk, parseFlags) < 0)
         return -1;
 
diff --git a/tests/qemustatusxml2xmldata/upgrade-out.xml b/tests/qemustatusxml2xmldata/upgrade-out.xml
index f9476731f6..5218092cb9 100644
--- a/tests/qemustatusxml2xmldata/upgrade-out.xml
+++ b/tests/qemustatusxml2xmldata/upgrade-out.xml
@@ -316,7 +316,7 @@
       <disk type='file' device='disk'>
         <driver name='qemu' type='qcow2'/>
         <source file='/var/lib/libvirt/images/b.qcow2'>
-          <encryption format='luks'>
+          <encryption format='luks' engine='qemu'>
             <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
           </encryption>
           <privateData>
@@ -333,7 +333,7 @@
       <disk type='file' device='disk'>
         <driver name='qemu' type='qcow2'/>
         <source file='/var/lib/libvirt/images/c.qcow2'>
-          <encryption format='luks'>
+          <encryption format='luks' engine='qemu'>
             <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
           </encryption>
           <privateData>
@@ -354,7 +354,7 @@
           <auth username='testuser-iscsi'>
             <secret type='iscsi' usage='testuser-iscsi-secret'/>
           </auth>
-          <encryption format='luks'>
+          <encryption format='luks' engine='qemu'>
             <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
           </encryption>
           <privateData>
diff --git a/tests/qemuxml2argvdata/disk-nvme.xml b/tests/qemuxml2argvdata/disk-nvme.xml
index 1ccbbfd598..9a5fafce7d 100644
--- a/tests/qemuxml2argvdata/disk-nvme.xml
+++ b/tests/qemuxml2argvdata/disk-nvme.xml
@@ -42,7 +42,7 @@
       <driver name='qemu' type='qcow2' cache='none'/>
       <source type='pci' managed='no' namespace='2'>
         <address domain='0x0001' bus='0x02' slot='0x00' function='0x0'/>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
diff --git a/tests/qemuxml2argvdata/encrypted-disk-usage.xml b/tests/qemuxml2argvdata/encrypted-disk-usage.xml
index 7c2da9ee83..d2b87b94b6 100644
--- a/tests/qemuxml2argvdata/encrypted-disk-usage.xml
+++ b/tests/qemuxml2argvdata/encrypted-disk-usage.xml
@@ -18,7 +18,7 @@
       <driver name='qemu' type='qcow2'/>
       <source file='/storage/guest_disks/encryptdisk'/>
       <target dev='vda' bus='virtio'/>
-      <encryption format='luks'>
+      <encryption format='luks' engine='qemu'>
         <secret type='passphrase' usage='/storage/guest_disks/encryptdisk'/>
       </encryption>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
diff --git a/tests/qemuxml2argvdata/luks-disks.xml b/tests/qemuxml2argvdata/luks-disks.xml
index ae6d3d996c..1c76f0dc26 100644
--- a/tests/qemuxml2argvdata/luks-disks.xml
+++ b/tests/qemuxml2argvdata/luks-disks.xml
@@ -18,7 +18,7 @@
       <driver name='qemu' type='raw'/>
       <source file='/storage/guest_disks/encryptdisk'/>
       <target dev='vda' bus='virtio'/>
-      <encryption format='luks'>
+      <encryption format='luks' engine='qemu'>
         <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
       </encryption>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
@@ -27,7 +27,7 @@
       <driver name='qemu' type='raw'/>
       <source file='/storage/guest_disks/encryptdisk2'/>
       <target dev='vdb' bus='virtio'/>
-      <encryption format='luks'>
+      <encryption format='luks' engine='qemu'>
         <secret type='passphrase' usage='/storage/guest_disks/encryptdisk2'/>
       </encryption>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
diff --git a/tests/qemuxml2argvdata/user-aliases.xml b/tests/qemuxml2argvdata/user-aliases.xml
index 47bfc56e73..10b7749521 100644
--- a/tests/qemuxml2argvdata/user-aliases.xml
+++ b/tests/qemuxml2argvdata/user-aliases.xml
@@ -55,7 +55,7 @@
       <driver name='qemu' type='qcow2'/>
       <source file='/var/lib/libvirt/images/OtherDemo.img'/>
       <target dev='vdb' bus='virtio'/>
-      <encryption format='luks'>
+      <encryption format='luks' engine='qemu'>
         <secret type='passphrase' uuid='e78d4b51-a2af-485f-b0f5-afca709a80f4'/>
       </encryption>
       <alias name='ua-myEncryptedDisk1'/>
diff --git a/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml b/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml
index be5cd25084..a058cbad61 100644
--- a/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml
@@ -49,7 +49,7 @@
         <slices>
           <slice type='storage' offset='1234' size='321'/>
         </slices>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
@@ -75,7 +75,7 @@
         <slices>
           <slice type='storage' offset='1234' size='321'/>
         </slices>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
diff --git a/tests/qemuxml2xmloutdata/encrypted-disk.xml b/tests/qemuxml2xmloutdata/encrypted-disk.xml
index 06f2c5b47c..e30c8a36e8 100644
--- a/tests/qemuxml2xmloutdata/encrypted-disk.xml
+++ b/tests/qemuxml2xmloutdata/encrypted-disk.xml
@@ -18,7 +18,7 @@
       <driver name='qemu' type='qcow2'/>
       <source file='/storage/guest_disks/encryptdisk'/>
       <target dev='vda' bus='virtio'/>
-      <encryption format='luks'>
+      <encryption format='luks' engine='qemu'>
         <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
       </encryption>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
diff --git a/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml b/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml
index 5f600f5ba7..7f98dd597e 100644
--- a/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml
@@ -20,7 +20,7 @@
     <disk type='file' device='disk'>
       <driver name='qemu' type='qcow2'/>
       <source file='/storage/guest_disks/encryptdisk'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
@@ -30,7 +30,7 @@
     <disk type='file' device='disk'>
       <driver name='qemu' type='qcow2'/>
       <source file='/storage/guest_disks/encryptdisk2'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' usage='/storage/guest_disks/encryptdisk2'/>
         </encryption>
       </source>
@@ -44,7 +44,7 @@
         <auth username='myname'>
           <secret type='iscsi' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80e80'/>
         </auth>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f77'/>
         </encryption>
       </source>
@@ -54,7 +54,7 @@
     <disk type='volume' device='disk'>
       <driver name='qemu' type='qcow2'/>
       <source pool='pool-iscsi' volume='unit:0:0:3' mode='direct'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f80'/>
         </encryption>
       </source>
@@ -67,7 +67,7 @@
         <host name='mon1.example.org' port='6321'/>
         <host name='mon2.example.org' port='6322'/>
         <host name='mon3.example.org' port='6322'/>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
         </encryption>
       </source>
@@ -77,14 +77,14 @@
     <disk type='file' device='disk'>
       <driver name='qemu' type='qcow2'/>
       <source file='/storage/guest_disks/encryptdisk5'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
       <backingStore type='file'>
         <format type='qcow2'/>
         <source file='/storage/guest_disks/base.qcow2'>
-          <encryption format='luks'>
+          <encryption format='luks' engine='qemu'>
             <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
           </encryption>
         </source>
diff --git a/tests/qemuxml2xmloutdata/luks-disks-source.xml b/tests/qemuxml2xmloutdata/luks-disks-source.xml
index 5333d4ac6e..891b5d9d17 100644
--- a/tests/qemuxml2xmloutdata/luks-disks-source.xml
+++ b/tests/qemuxml2xmloutdata/luks-disks-source.xml
@@ -17,7 +17,7 @@
     <disk type='file' device='disk'>
       <driver name='qemu' type='raw'/>
       <source file='/storage/guest_disks/encryptdisk'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
         </encryption>
       </source>
@@ -27,7 +27,7 @@
     <disk type='file' device='disk'>
       <driver name='qemu' type='raw'/>
       <source file='/storage/guest_disks/encryptdisk2'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' usage='/storage/guest_disks/encryptdisk2'/>
         </encryption>
       </source>
@@ -41,7 +41,7 @@
         <auth username='myname'>
           <secret type='iscsi' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80e80'/>
         </auth>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f77'/>
         </encryption>
       </source>
@@ -51,7 +51,7 @@
     <disk type='volume' device='disk'>
       <driver name='qemu' type='raw'/>
       <source pool='pool-iscsi' volume='unit:0:0:3' mode='direct'>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f80'/>
         </encryption>
       </source>
@@ -64,7 +64,7 @@
         <host name='mon1.example.org' port='6321'/>
         <host name='mon2.example.org' port='6322'/>
         <host name='mon3.example.org' port='6322'/>
-        <encryption format='luks'>
+        <encryption format='luks' engine='qemu'>
           <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
         </encryption>
       </source>
-- 
2.25.1




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux