authorDaniel P. Berrange <berrange@redhat.com>2015-10-24 11:55:48 +0100
committerDaniel P. Berrange <berrange@redhat.com>2016-03-17 16:50:40 +0000
commit3e308f20edfd65a21c98eb2d8079dacd47957444 (patch)
treefc2adad357333b48dc7317340c194c55cfd3f7fb /qapi
parent7d9690148ac25bc755a759adab7d63f517d092b1 (diff)
crypto: implement the LUKS block encryption format
Provide a block encryption implementation that follows the LUKS/dm-crypt specification. This supports all combinations of hash, cipher algorithm, cipher mode and iv generator that are implemented by the current crypto layer. There is support for opening existing volumes formatted by dm-crypt, and for formatting new volumes. In the latter case it will only use key slot 0. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Diffstat (limited to 'qapi')
-rw-r--r--qapi/crypto.json49
1 files changed, 46 insertions, 3 deletions
diff --git a/qapi/crypto.json b/qapi/crypto.json
index 65f46254b3..760d0c0577 100644
--- a/qapi/crypto.json
+++ b/qapi/crypto.json
@@ -117,12 +117,13 @@
#
# @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only
# for liberating data from old images.
+# @luks: LUKS encryption format. Recommended for new images
#
# Since: 2.6
##
{ 'enum': 'QCryptoBlockFormat',
# 'prefix': 'QCRYPTO_BLOCK_FORMAT',
- 'data': ['qcow']}
+ 'data': ['qcow', 'luks']}
##
# QCryptoBlockOptionsBase:
@@ -152,6 +153,46 @@
'data': { '*key-secret': 'str' }}
##
+# QCryptoBlockOptionsLUKS:
+#
+# The options that apply to LUKS encryption format
+#
+# @key-secret: #optional the ID of a QCryptoSecret object providing the
+# decryption key. Mandatory except when probing image for
+# metadata only.
+# Since: 2.6
+##
+{ 'struct': 'QCryptoBlockOptionsLUKS',
+ 'data': { '*key-secret': 'str' }}
+
+
+##
+# QCryptoBlockCreateOptionsLUKS:
+#
+# The options that apply to LUKS encryption format initialization
+#
+# @cipher-alg: #optional the cipher algorithm for data encryption
+# Currently defaults to 'aes'.
+# @cipher-mode: #optional the cipher mode for data encryption
+# Currently defaults to 'cbc'
+# @ivgen-alg: #optional the initialization vector generator
+# Currently defaults to 'essiv'
+# @ivgen-hash-alg: #optional the initialization vector generator hash
+# Currently defaults to 'sha256'
+# @hash-alg: #optional the master key hash algorithm
+# Currently defaults to 'sha256'
+# Since: 2.6
+##
+{ 'struct': 'QCryptoBlockCreateOptionsLUKS',
+ 'base': 'QCryptoBlockOptionsLUKS',
+ 'data': { '*cipher-alg': 'QCryptoCipherAlgorithm',
+ '*cipher-mode': 'QCryptoCipherMode',
+ '*ivgen-alg': 'QCryptoIVGenAlgorithm',
+ '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
+ '*hash-alg': 'QCryptoHashAlgorithm'}}
+
+
+##
# QCryptoBlockOpenOptions:
#
# The options that are available for all encryption formats
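Review bot: The `@cipher-alg` comment in QCryptoBlockCreateOptionsLUKS gives the default as 'aes' with no key size, so a reader cannot tell what strength a volume formatted with the defaults gets. `QCryptoCipherAlgorithm` is defined outside this hunk; the comment should name the exact enum member that is used, along the lines of `# Currently defaults to '<exact QCryptoCipherAlgorithm member>'`. The struct also inherits `@key-secret` from QCryptoBlockOptionsLUKS, whose text describes a "decryption key" that is mandatory "except when probing". For creation a separate line would help, such as `# @key-secret: the secret protecting key slot 0 of the new volume; required when formatting`, assuming that matches the behaviour the commit message describes. Because the defaults are marked "Currently", it is also worth stating whether the chosen values are recorded in the volume header, so that a later change of defaults does not affect how existing images are opened.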
@@ -162,7 +203,8 @@
{ 'union': 'QCryptoBlockOpenOptions',
'base': 'QCryptoBlockOptionsBase',
'discriminator': 'format',
- 'data': { 'qcow': 'QCryptoBlockOptionsQCow' } }
+ 'data': { 'qcow': 'QCryptoBlockOptionsQCow',
+ 'luks': 'QCryptoBlockOptionsLUKS' } }
##
@@ -176,4 +218,5 @@
{ 'union': 'QCryptoBlockCreateOptions',
'base': 'QCryptoBlockOptionsBase',
'discriminator': 'format',
- 'data': { 'qcow': 'QCryptoBlockOptionsQCow' } }
+ 'data': { 'qcow': 'QCryptoBlockOptionsQCow',
+ 'luks': 'QCryptoBlockCreateOptionsLUKS' } }