mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 17:34:18 +03:00
conf: add luks2 encryption format
This commit extends libvirt XML configuration to support luks2 encryption format. This means that <encryption format="luks2" engine="librbd"> becomes valid. Currently librbd is the only engine that supports this new format. Signed-off-by: Or Ozeri <oro@il.ibm.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
This commit is contained in:
parent
59090adf63
commit
060f344c80
@ -18,7 +18,7 @@
|
||||
is <code>encryption</code>, with a mandatory
|
||||
attribute <code>format</code>. Currently defined values
|
||||
of <code>format</code> are <code>default</code>, <code>qcow</code>,
|
||||
and <code>luks</code>.
|
||||
<code>luks</code>, and <code>luks2</code>.
|
||||
Each value of <code>format</code> implies some expectations about the
|
||||
content of the <code>encryption</code> tag. Other format values may be
|
||||
defined in the future.
|
||||
@ -125,6 +125,18 @@
|
||||
</dd>
|
||||
</dl>
|
||||
|
||||
<h3><a id="StorageEncryptionLuks2">"luks2" format</a></h3>
|
||||
<p>
|
||||
The <code>luks2</code> format is currently supported only by the
|
||||
<code>librbd</code> engine, and can only be applied to RBD network disks.
|
||||
Since the <code>librbd</code> engine is currently not supported by the
|
||||
storage driver, you cannot use it to control such disks. However,
|
||||
pre-formatted RBD luks2 disks can be loaded to a qemu VM using the qemu
|
||||
VM driver.
|
||||
A single
|
||||
<code><secret type='passphrase'...></code> element is expected.
|
||||
</p>
|
||||
|
||||
|
||||
<h2><a id="example">Examples</a></h2>
|
||||
|
||||
|
@ -13,6 +13,7 @@
|
||||
<value>default</value>
|
||||
<value>qcow</value>
|
||||
<value>luks</value>
|
||||
<value>luks2</value>
|
||||
</choice>
|
||||
</attribute>
|
||||
<optional>
|
||||
|
@ -44,7 +44,7 @@ VIR_ENUM_IMPL(virStorageEncryptionSecret,
|
||||
|
||||
VIR_ENUM_IMPL(virStorageEncryptionFormat,
|
||||
VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
|
||||
"default", "qcow", "luks",
|
||||
"default", "qcow", "luks", "luks2",
|
||||
);
|
||||
|
||||
VIR_ENUM_IMPL(virStorageEncryptionEngine,
|
||||
|
@ -65,6 +65,7 @@ typedef enum {
|
||||
VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT = 0,
|
||||
VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */
|
||||
VIR_STORAGE_ENCRYPTION_FORMAT_LUKS,
|
||||
VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2,
|
||||
|
||||
VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
|
||||
} virStorageEncryptionFormatType;
|
||||
|
@ -908,6 +908,10 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src,
|
||||
encformat = "luks";
|
||||
break;
|
||||
|
||||
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
|
||||
encformat = "luks2";
|
||||
break;
|
||||
|
||||
case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
|
||||
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||
_("librbd encryption engine only supports luks/luks2 formats"));
|
||||
@ -1358,6 +1362,11 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
|
||||
encformat = "luks";
|
||||
break;
|
||||
|
||||
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
|
||||
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||
_("luks2 is currently not supported by the qemu encryption engine"));
|
||||
return -1;
|
||||
|
||||
case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
|
||||
case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
|
||||
default:
|
||||
|
@ -1188,7 +1188,8 @@ static bool
|
||||
qemuDomainDiskHasEncryptionSecret(virStorageSource *src)
|
||||
{
|
||||
if (!virStorageSourceIsEmpty(src) && src->encryption &&
|
||||
src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS &&
|
||||
(src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS ||
|
||||
src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2) &&
|
||||
src->encryption->nsecrets > 0)
|
||||
return true;
|
||||
|
||||
@ -4778,6 +4779,11 @@ qemuDomainValidateStorageSource(virStorageSource *src,
|
||||
case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
|
||||
break;
|
||||
|
||||
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
|
||||
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||
_("luks2 is currently not supported by the qemu encryption engine"));
|
||||
return -1;
|
||||
|
||||
case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
|
||||
case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
|
||||
default:
|
||||
@ -4796,6 +4802,7 @@ qemuDomainValidateStorageSource(virStorageSource *src,
|
||||
|
||||
switch ((virStorageEncryptionFormatType) src->encryption->format) {
|
||||
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
|
||||
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
|
||||
break;
|
||||
|
||||
case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
|
||||
|
@ -27,18 +27,22 @@ XDG_CONFIG_HOME=/tmp/lib/domain--1-encryptdisk/.config \
|
||||
-no-acpi \
|
||||
-boot strict=on \
|
||||
-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \
|
||||
-object '{"qom-type":"secret","id":"libvirt-4-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
|
||||
-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-4-storage","auto-read-only":true,"discard":"unmap"}' \
|
||||
-blockdev '{"node-name":"libvirt-4-format","read-only":false,"driver":"luks","key-secret":"libvirt-4-format-encryption-secret0","file":"libvirt-4-storage"}' \
|
||||
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x2","drive":"libvirt-4-format","id":"virtio-disk0","bootindex":1}' \
|
||||
-object '{"qom-type":"secret","id":"libvirt-3-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
|
||||
-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-3-storage","auto-read-only":true,"discard":"unmap"}' \
|
||||
-blockdev '{"node-name":"libvirt-3-format","read-only":false,"driver":"luks","key-secret":"libvirt-3-format-encryption-secret0","file":"libvirt-3-storage"}' \
|
||||
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x2","drive":"libvirt-3-format","id":"virtio-disk0","bootindex":1}' \
|
||||
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x4","drive":"libvirt-3-format","id":"virtio-disk1"}' \
|
||||
-object '{"qom-type":"secret","id":"libvirt-2-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
|
||||
-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}' \
|
||||
-blockdev '{"node-name":"libvirt-2-format","read-only":false,"driver":"luks","key-secret":"libvirt-2-format-encryption-secret0","file":"libvirt-2-storage"}' \
|
||||
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x4","drive":"libvirt-2-format","id":"virtio-disk1"}' \
|
||||
-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks","key-secret":"libvirt-2-format-encryption-secret0"},"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}' \
|
||||
-blockdev '{"node-name":"libvirt-2-format","read-only":false,"driver":"raw","file":"libvirt-2-storage"}' \
|
||||
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x5","drive":"libvirt-2-format","id":"virtio-disk2"}' \
|
||||
-object '{"qom-type":"secret","id":"libvirt-1-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
|
||||
-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks","key-secret":"libvirt-1-format-encryption-secret0"},"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
|
||||
-blockdev '{"driver":"rbd","pool":"pool","image":"image2","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks2","key-secret":"libvirt-1-format-encryption-secret0"},"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
|
||||
-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}' \
|
||||
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x5","drive":"libvirt-1-format","id":"virtio-disk2"}' \
|
||||
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x6","drive":"libvirt-1-format","id":"virtio-disk3"}' \
|
||||
-audiodev id=audio1,driver=none \
|
||||
-device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","addr":"0x3"}' \
|
||||
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
|
||||
|
@ -50,6 +50,18 @@
|
||||
</source>
|
||||
<target dev='vdc' bus='virtio'/>
|
||||
</disk>
|
||||
<disk type='network' device='disk'>
|
||||
<driver name='qemu' type='raw'/>
|
||||
<source protocol='rbd' name='pool/image2'>
|
||||
<host name='mon1.example.org' port='6321'/>
|
||||
<host name='mon2.example.org' port='6322'/>
|
||||
<host name='mon3.example.org' port='6322'/>
|
||||
<encryption format='luks2' engine='librbd'>
|
||||
<secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
|
||||
</encryption>
|
||||
</source>
|
||||
<target dev='vdd' bus='virtio'/>
|
||||
</disk>
|
||||
<controller type='usb' index='0'>
|
||||
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
|
||||
</controller>
|
||||
|
@ -56,6 +56,19 @@
|
||||
<target dev='vdc' bus='virtio'/>
|
||||
<address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
|
||||
</disk>
|
||||
<disk type='network' device='disk'>
|
||||
<driver name='qemu' type='raw'/>
|
||||
<source protocol='rbd' name='pool/image2'>
|
||||
<host name='mon1.example.org' port='6321'/>
|
||||
<host name='mon2.example.org' port='6322'/>
|
||||
<host name='mon3.example.org' port='6322'/>
|
||||
<encryption format='luks2' engine='librbd'>
|
||||
<secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
|
||||
</encryption>
|
||||
</source>
|
||||
<target dev='vdd' bus='virtio'/>
|
||||
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
|
||||
</disk>
|
||||
<controller type='usb' index='0' model='piix3-uhci'>
|
||||
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
|
||||
</controller>
|
||||
|
Loading…
Reference in New Issue
Block a user