On Mon, Mar 06, 2023 at 06:59:36 -0600, Or Ozeri wrote:
> The newly added luks-any rbd encryption format in qemu
> allows for opening both LUKS and LUKS2 encryption formats.
> This commit enables libvirt uses to use this wildcard format.
>
> Signed-off-by: Or Ozeri <oro@xxxxxxxxxx>
> ---
> docs/formatstorageencryption.rst | 9 ++++
> src/conf/schemas/storagecommon.rng | 1 +
> src/conf/storage_encryption_conf.c | 2 +-
> src/conf/storage_encryption_conf.h | 1 +
> src/libvirt_private.syms | 1 +
> src/qemu/qemu_block.c | 10 ++++-
> src/qemu/qemu_domain.c | 32 +++++++++++++-
> ...k-rbd-encryption-luks-any.x86_64-7.2.0.err | 1 +
> ...rbd-encryption-luks-any.x86_64-latest.args | 38 ++++++++++++++++
> .../disk-network-rbd-encryption-luks-any.xml | 39 ++++++++++++++++
> tests/qemuxml2argvtest.c | 2 +
> ...-rbd-encryption-luks-any.x86_64-latest.xml | 44 +++++++++++++++++++
> tests/qemuxml2xmltest.c | 1 +
> 13 files changed, 176 insertions(+), 5 deletions(-)
> create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-7.2.0.err
> create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-latest.args
> create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.xml
> create mode 100644 tests/qemuxml2xmloutdata/disk-network-rbd-encryption-luks-any.x86_64-latest.xml
>
> diff --git a/docs/formatstorageencryption.rst b/docs/formatstorageencryption.rst
> index 2c19473d6b..c58d088403 100644
> --- a/docs/formatstorageencryption.rst
> +++ b/docs/formatstorageencryption.rst
> @@ -104,6 +104,15 @@ it to control such disks. However, pre-formatted RBD luks2 disks can be loaded
> to a qemu VM using the qemu VM driver. A single
> ``<secret type='passphrase'...>`` element is expected.
>
> +``luks-any`` format
> +~~~~~~~~~~~~~~~~~~~
> +
> +The ``luks-any`` format is currently supported only by the ``librbd`` engine,
> +and can only be applied to RBD network disks (RBD images). This format will try
> +to parse the disk as either LUKS or LUKS2, depending on the actual on-disk
> +format. A single ``<secret type='passphrase'...>`` element is expected (except
> +for the case of RBD layered encryption mentioned above) :since:`Since 9.3.0` .
> +
> Examples
> --------
>
> diff --git a/src/conf/schemas/storagecommon.rng b/src/conf/schemas/storagecommon.rng
> index 4d6e646c9a..aef1bd969c 100644
> --- a/src/conf/schemas/storagecommon.rng
> +++ b/src/conf/schemas/storagecommon.rng
> @@ -14,6 +14,7 @@
> <value>qcow</value>
> <value>luks</value>
> <value>luks2</value>
> + <value>luks-any</value>
> </choice>
> </attribute>
> <optional>
> diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
> index 3651ff8cfd..639cbf2e58 100644
> --- a/src/conf/storage_encryption_conf.c
> +++ b/src/conf/storage_encryption_conf.c
> @@ -41,7 +41,7 @@ VIR_ENUM_IMPL(virStorageEncryptionSecret,
>
> VIR_ENUM_IMPL(virStorageEncryptionFormat,
> VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
> - "default", "qcow", "luks", "luks2",
> + "default", "qcow", "luks", "luks2", "luks-any",
> );
>
> VIR_ENUM_IMPL(virStorageEncryptionEngine,
> diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h
> index 312599ad44..03f0e60feb 100644
> --- a/src/conf/storage_encryption_conf.h
> +++ b/src/conf/storage_encryption_conf.h
> @@ -66,6 +66,7 @@ typedef enum {
> VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */
> VIR_STORAGE_ENCRYPTION_FORMAT_LUKS,
> VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2,
> + VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY,
>
> VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
> } virStorageEncryptionFormatType;
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index b249dcc85c..eb3ff37b81 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -1095,6 +1095,7 @@ virStorageVolTypeToString;
>
> # conf/storage_encryption_conf.h
> virStorageEncryptionFormat;
> +virStorageEncryptionFormatTypeToString;
> virStorageEncryptionFree;
> virStorageEncryptionParseNode;
>
> diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
> index 5e700eff99..254d82df41 100644
> --- a/src/qemu/qemu_block.c
> +++ b/src/qemu/qemu_block.c
> @@ -572,6 +572,10 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src,
> encformat = "luks2";
> break;
>
> + case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
> + encformat = "luks-any";
> + break;
> +
> case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
> case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
> case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
> @@ -1040,8 +1044,10 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
> break;
>
> case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
> - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> - _("luks2 is currently not supported by the qemu encryption engine"));
> + case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
> + _("%s is currently not supported by the qemu encryption engine"),
> + virStorageEncryptionFormatTypeToString(src->encryption->format));
> return -1;

I'd add a comment here instead saying that these were caught by the validation code as this is simply dead code.

>
> case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
> index f5fd140c85..94ea482363 100644
> --- a/src/qemu/qemu_domain.c
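Review bot: The new `VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY` case in qemuBlockStorageSourceGetRBDProps emits the literal `"luks-any"` with no capability check of its own, so a reader of this function cannot tell that only QEMU binaries with `QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY` accept it; that gating lives in qemuDomainValidateStorageSource in the qemu_domain.c part of this patch. I would record the dependency next to the case so the two do not drift apart: `/* requires QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY; checked in qemuDomainValidateStorageSource */`. A second line in the same comment is worth adding for operators: with this format the LUKS/LUKS2 choice is taken from the on-disk header rather than pinned by the domain XML (per the docs hunk), which is the property given up by using the wildcard instead of `luks`/`luks2`. qemuBlockStorageSourceGetRBDProps starts and ends outside the hunk.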
> +++ b/src/qemu/qemu_domain.c
> @@ -5136,8 +5136,10 @@ qemuDomainValidateStorageSource(virStorageSource *src,
> break;
>
> case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
> - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> - _("luks2 is currently not supported by the qemu encryption engine"));
> + case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
> + _("%s is currently not supported by the qemu encryption engine"),

Add quotes around substitutions: '%s' encryption format is ....

> + virStorageEncryptionFormatTypeToString(src->encryption->format));
> return -1;
>
> case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
> @@ -5163,6 +5165,32 @@ qemuDomainValidateStorageSource(virStorageSource *src,
> _("librbd encryption is supported only with RBD backed disks"));
> return -1;
> }
> +
> + switch ((virStorageEncryptionFormatType) src->encryption->format) {
> + case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
> + case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
> + break;
> +
> + case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
> + if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY)) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + _("luks-any encryption is not supported by this QEMU binary"));
> + return -1;
> + }
> + break;
> +
> + case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + _("qcow encryption format is not supported by the librbd encryption engine"));

This is dead code (and subsequently a unnecessary translatable string), a check above completely denies VIR_STORAGE_ENCRYPTION_FORMAT_QCOW for any other cases.

> + return -1;
> +
> + case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
> + case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
> + default:
> + virReportEnumRangeError(virStorageEncryptionFormatType,
> + src->encryption->format);
> + return -1;
> + }
> break;
>
> case VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT:
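Review bot: In the new librbd switch of qemuDomainValidateStorageSource the `VIR_STORAGE_ENCRYPTION_FORMAT_LUKS` and `VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2` cases `break` with no capability check while only `luks-any` is gated on `QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY`; whether the base rbd-encryption capability is verified earlier in this branch is not visible in the hunk. If it is, I would state that at the top of the switch, `/* base rbd encryption support is validated above; luks-any additionally needs a newer QEMU */`, so the asymmetry reads as intentional rather than as a missing check; if it is not, luks/luks2 on an older QEMU would presumably only fail later at blockdev-add with a far less useful error than the one this function produces. On the `luks-any` case itself, a short comment that this format accepts whichever of the two LUKS header versions is on disk, whereas an explicit `luks`/`luks2` presumably fails closed on a header mismatch, would help operators keep the explicit formats as the default when the image format is known. qemuDomainValidateStorageSource starts and ends outside the hunk.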