1
0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-22 17:34:18 +03:00

conf: add luks2 encryption format

This commit extends libvirt XML configuration to support luks2 encryption format.
This means that <encryption format="luks2" engine="librbd"> becomes valid.
Currently librbd is the only engine that supports this new format.

Signed-off-by: Or Ozeri <oro@il.ibm.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
This commit is contained in:
Or Ozeri 2021-10-24 04:51:30 -05:00 committed by Peter Krempa
parent 59090adf63
commit 060f344c80
9 changed files with 68 additions and 9 deletions

View File

@ -18,7 +18,7 @@
is <code>encryption</code>, with a mandatory
attribute <code>format</code>. Currently defined values
of <code>format</code> are <code>default</code>, <code>qcow</code>,
and <code>luks</code>.
<code>luks</code>, and <code>luks2</code>.
Each value of <code>format</code> implies some expectations about the
content of the <code>encryption</code> tag. Other format values may be
defined in the future.
@ -125,6 +125,18 @@
</dd>
</dl>
<h3><a id="StorageEncryptionLuks2">"luks2" format</a></h3>
<p>
The <code>luks2</code> format is currently supported only by the
<code>librbd</code> engine, and can only be applied to RBD network disks.
Since the <code>librbd</code> engine is currently not supported by the
storage driver, you cannot use it to control such disks. However,
pre-formatted RBD luks2 disks can be loaded to a qemu VM using the qemu
VM driver.
A single
<code>&lt;secret type='passphrase'...&gt;</code> element is expected.
</p>
<h2><a id="example">Examples</a></h2>

View File

@ -13,6 +13,7 @@
<value>default</value>
<value>qcow</value>
<value>luks</value>
<value>luks2</value>
</choice>
</attribute>
<optional>

View File

@ -44,7 +44,7 @@ VIR_ENUM_IMPL(virStorageEncryptionSecret,
VIR_ENUM_IMPL(virStorageEncryptionFormat,
VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
"default", "qcow", "luks",
"default", "qcow", "luks", "luks2",
);
VIR_ENUM_IMPL(virStorageEncryptionEngine,

View File

@ -65,6 +65,7 @@ typedef enum {
VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT = 0,
VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */
VIR_STORAGE_ENCRYPTION_FORMAT_LUKS,
VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2,
VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
} virStorageEncryptionFormatType;

View File

@ -908,6 +908,10 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src,
encformat = "luks";
break;
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
encformat = "luks2";
break;
case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("librbd encryption engine only supports luks/luks2 formats"));
@ -1358,6 +1362,11 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
encformat = "luks";
break;
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("luks2 is currently not supported by the qemu encryption engine"));
return -1;
case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
default:

View File

@ -1188,7 +1188,8 @@ static bool
qemuDomainDiskHasEncryptionSecret(virStorageSource *src)
{
if (!virStorageSourceIsEmpty(src) && src->encryption &&
src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS &&
(src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS ||
src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2) &&
src->encryption->nsecrets > 0)
return true;
@ -4778,6 +4779,11 @@ qemuDomainValidateStorageSource(virStorageSource *src,
case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
break;
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("luks2 is currently not supported by the qemu encryption engine"));
return -1;
case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
default:
@ -4796,6 +4802,7 @@ qemuDomainValidateStorageSource(virStorageSource *src,
switch ((virStorageEncryptionFormatType) src->encryption->format) {
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
break;
case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:

View File

@ -27,18 +27,22 @@ XDG_CONFIG_HOME=/tmp/lib/domain--1-encryptdisk/.config \
-no-acpi \
-boot strict=on \
-device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \
-object '{"qom-type":"secret","id":"libvirt-4-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-4-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-4-format","read-only":false,"driver":"luks","key-secret":"libvirt-4-format-encryption-secret0","file":"libvirt-4-storage"}' \
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x2","drive":"libvirt-4-format","id":"virtio-disk0","bootindex":1}' \
-object '{"qom-type":"secret","id":"libvirt-3-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-3-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-3-format","read-only":false,"driver":"luks","key-secret":"libvirt-3-format-encryption-secret0","file":"libvirt-3-storage"}' \
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x2","drive":"libvirt-3-format","id":"virtio-disk0","bootindex":1}' \
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x4","drive":"libvirt-3-format","id":"virtio-disk1"}' \
-object '{"qom-type":"secret","id":"libvirt-2-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-2-format","read-only":false,"driver":"luks","key-secret":"libvirt-2-format-encryption-secret0","file":"libvirt-2-storage"}' \
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x4","drive":"libvirt-2-format","id":"virtio-disk1"}' \
-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks","key-secret":"libvirt-2-format-encryption-secret0"},"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-2-format","read-only":false,"driver":"raw","file":"libvirt-2-storage"}' \
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x5","drive":"libvirt-2-format","id":"virtio-disk2"}' \
-object '{"qom-type":"secret","id":"libvirt-1-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks","key-secret":"libvirt-1-format-encryption-secret0"},"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"driver":"rbd","pool":"pool","image":"image2","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks2","key-secret":"libvirt-1-format-encryption-secret0"},"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}' \
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x5","drive":"libvirt-1-format","id":"virtio-disk2"}' \
-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x6","drive":"libvirt-1-format","id":"virtio-disk3"}' \
-audiodev id=audio1,driver=none \
-device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","addr":"0x3"}' \
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \

View File

@ -50,6 +50,18 @@
</source>
<target dev='vdc' bus='virtio'/>
</disk>
<disk type='network' device='disk'>
<driver name='qemu' type='raw'/>
<source protocol='rbd' name='pool/image2'>
<host name='mon1.example.org' port='6321'/>
<host name='mon2.example.org' port='6322'/>
<host name='mon3.example.org' port='6322'/>
<encryption format='luks2' engine='librbd'>
<secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
</encryption>
</source>
<target dev='vdd' bus='virtio'/>
</disk>
<controller type='usb' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
</controller>

View File

@ -56,6 +56,19 @@
<target dev='vdc' bus='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
</disk>
<disk type='network' device='disk'>
<driver name='qemu' type='raw'/>
<source protocol='rbd' name='pool/image2'>
<host name='mon1.example.org' port='6321'/>
<host name='mon2.example.org' port='6322'/>
<host name='mon3.example.org' port='6322'/>
<encryption format='luks2' engine='librbd'>
<secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
</encryption>
</source>
<target dev='vdd' bus='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</disk>
<controller type='usb' index='0' model='piix3-uhci'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
</controller>