[06/10] qcow2: implement crypto amend options
diff mbox series

Message ID 20190830205608.18192-7-mlevitsk@redhat.com
State New
Headers show
Series
  • RFC crypto/luks: encryption key managment using amend interface
Related show

Commit Message

Maxim Levitsky Aug. 30, 2019, 8:56 p.m. UTC
---
 block/qcow2.c | 79 ++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 63 insertions(+), 16 deletions(-)

Comments

Daniel P. Berrangé Sept. 6, 2019, 2:06 p.m. UTC | #1
On Fri, Aug 30, 2019 at 11:56:04PM +0300, Maxim Levitsky wrote:
> ---
>  block/qcow2.c | 79 ++++++++++++++++++++++++++++++++++++++++-----------
>  1 file changed, 63 insertions(+), 16 deletions(-)
> 

> @@ -4888,9 +4899,22 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
>                  return -ENOTSUP;
>              }
>          } else if (g_str_has_prefix(desc->name, "encrypt.")) {
> -            error_setg(errp,
> -                       "Changing the encryption parameters is not supported");
> -            return -ENOTSUP;
> +
> +            if (!s->crypto) {
> +                error_setg(errp,
> +                           "Can't amend encryption options - encryption not supported");
> +                return -ENOTSUP;
> +
> +            }

Perhaps  ' - encryption not present', and -EINVAL

> +
> +            if (s->crypt_method_header != QCOW_CRYPT_LUKS) {
> +                error_setg(errp,
> +                           "Only LUKS encryption options can be amended");
> +                return -ENOTSUP;
> +            }
> +
> +            encryption_update = true;
> +
>          } else if (!strcmp(desc->name, BLOCK_OPT_CLUSTER_SIZE)) {
>              cluster_size = qemu_opt_get_size(opts, BLOCK_OPT_CLUSTER_SIZE,
>                                               cluster_size);
> @@ -4927,7 +4951,7 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
>                                   "images");
>                  return -EINVAL;
>              }
> -        } else {
> +        } else  {

Accidental change

>              /* if this point is reached, this probably means a new option was
>               * added without having it covered here */
>              abort();
> @@ -4940,7 +4964,8 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
>          .original_status_cb = status_cb,
>          .original_cb_opaque = cb_opaque,
>          .total_operations = (new_version < old_version)
> -                          + (s->refcount_bits != refcount_bits)
> +                          + (s->refcount_bits != refcount_bits) +
> +                          (encryption_update == true)
>      };
>  
>      /* Upgrade first (some features may require compat=1.1) */
> @@ -4954,6 +4979,28 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
>          }
>      }
>  
> +    if (encryption_update) {
> +

Redundant blank line

> +        QCryptoBlockCreateOptions *cryptoopts;
> +
> +        cryptoopts = qcow2_extract_crypto_create_opts(opts, "luks", errp);
> +        if (!cryptoopts)
> +            return -EINVAL;
> +
> +        helper_cb_info.current_operation = QCOW2_UPDATING_ENCRYPTION;
> +
> +        ret = qcrypto_block_amend_options(s->crypto,
> +                                          qcow2_crypto_hdr_read_func,
> +                                          qcow2_crypto_hdr_write_func,
> +                                          bs,
> +                                          cryptoopts,
> +                                          force,
> +                                          errp);
> +        if (ret) {

Check  ret < 0

> +            return ret;
> +        }
> +    }
> +

Regards,
Daniel
Maxim Levitsky Sept. 12, 2019, 7:11 p.m. UTC | #2
On Fri, 2019-09-06 at 15:06 +0100, Daniel P. Berrangé wrote:
> On Fri, Aug 30, 2019 at 11:56:04PM +0300, Maxim Levitsky wrote:
> > ---
> >  block/qcow2.c | 79 ++++++++++++++++++++++++++++++++++++++++-----------
> >  1 file changed, 63 insertions(+), 16 deletions(-)
> > 
> > @@ -4888,9 +4899,22 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
> >                  return -ENOTSUP;
> >              }
> >          } else if (g_str_has_prefix(desc->name, "encrypt.")) {
> > -            error_setg(errp,
> > -                       "Changing the encryption parameters is not supported");
> > -            return -ENOTSUP;
> > +
> > +            if (!s->crypto) {
> > +                error_setg(errp,
> > +                           "Can't amend encryption options - encryption not supported");
> > +                return -ENOTSUP;
> > +
> > +            }
> 
> Perhaps  ' - encryption not present', and -EINVAL
Agree. Fixed.

> 
> > +
> > +            if (s->crypt_method_header != QCOW_CRYPT_LUKS) {
> > +                error_setg(errp,
> > +                           "Only LUKS encryption options can be amended");
> > +                return -ENOTSUP;
> > +            }
> > +
> > +            encryption_update = true;
> > +
> >          } else if (!strcmp(desc->name, BLOCK_OPT_CLUSTER_SIZE)) {
> >              cluster_size = qemu_opt_get_size(opts, BLOCK_OPT_CLUSTER_SIZE,
> >                                               cluster_size);
> > @@ -4927,7 +4951,7 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
> >                                   "images");
> >                  return -EINVAL;
> >              }
> > -        } else {
> > +        } else  {
> 
> Accidental change
Fixed.
> 
> >              /* if this point is reached, this probably means a new option was
> >               * added without having it covered here */
> >              abort();
> > @@ -4940,7 +4964,8 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
> >          .original_status_cb = status_cb,
> >          .original_cb_opaque = cb_opaque,
> >          .total_operations = (new_version < old_version)
> > -                          + (s->refcount_bits != refcount_bits)
> > +                          + (s->refcount_bits != refcount_bits) +
> > +                          (encryption_update == true)
> >      };
> >  
> >      /* Upgrade first (some features may require compat=1.1) */
> > @@ -4954,6 +4979,28 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
> >          }
> >      }
> >  
> > +    if (encryption_update) {
> > +
> 
> Redundant blank line
Fixed.
> 
> > +        QCryptoBlockCreateOptions *cryptoopts;
> > +
> > +        cryptoopts = qcow2_extract_crypto_create_opts(opts, "luks", errp);
> > +        if (!cryptoopts)
> > +            return -EINVAL;
> > +
> > +        helper_cb_info.current_operation = QCOW2_UPDATING_ENCRYPTION;
> > +
> > +        ret = qcrypto_block_amend_options(s->crypto,
> > +                                          qcow2_crypto_hdr_read_func,
> > +                                          qcow2_crypto_hdr_write_func,
> > +                                          bs,
> > +                                          cryptoopts,
> > +                                          force,
> > +                                          errp);
> > +        if (ret) {
> 
> Check  ret < 0
Fixed.
> 
> > +            return ret;
> > +        }
> > +    }
> > +
> 
> Regards,
> Daniel

Best regards,
	Maxim Levitsky

Patch
diff mbox series

diff --git a/block/qcow2.c b/block/qcow2.c
index 376bb416fd..8dff4c6b5f 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -171,6 +171,25 @@  static ssize_t qcow2_crypto_hdr_write_func(QCryptoBlock *block, size_t offset,
     return ret;
 }
 
+static QCryptoBlockCreateOptions*
+qcow2_extract_crypto_create_opts(QemuOpts *opts, const char *fmt, Error **errp)
+{
+    QDict *cryptoopts_qdict;
+    QCryptoBlockCreateOptions *cryptoopts;
+    QDict *opts_qdict;
+
+    /* Extract "encrypt." options into a qdict */
+    opts_qdict = qemu_opts_to_qdict(opts, NULL);
+    qdict_extract_subqdict(opts_qdict, &cryptoopts_qdict, "encrypt.");
+    qobject_unref(opts_qdict);
+
+    /* Build QCryptoBlockCreateOptions object from qdict */
+    qdict_put_str(cryptoopts_qdict, "format", "luks");
+    cryptoopts = block_crypto_create_opts_init(cryptoopts_qdict, errp);
+    qobject_unref(cryptoopts_qdict);
+    return cryptoopts;
+}
+
 
 /* 
  * read qcow2 extension and fill bs
@@ -4366,20 +4385,10 @@  static ssize_t qcow2_measure_crypto_hdr_write_func(QCryptoBlock *block,
 static bool qcow2_measure_luks_headerlen(QemuOpts *opts, size_t *len,
                                          Error **errp)
 {
-    QDict *opts_qdict;
-    QDict *cryptoopts_qdict;
     QCryptoBlockCreateOptions *cryptoopts;
     QCryptoBlock *crypto;
 
-    /* Extract "encrypt." options into a qdict */
-    opts_qdict = qemu_opts_to_qdict(opts, NULL);
-    qdict_extract_subqdict(opts_qdict, &cryptoopts_qdict, "encrypt.");
-    qobject_unref(opts_qdict);
-
-    /* Build QCryptoBlockCreateOptions object from qdict */
-    qdict_put_str(cryptoopts_qdict, "format", "luks");
-    cryptoopts = block_crypto_create_opts_init(cryptoopts_qdict, errp);
-    qobject_unref(cryptoopts_qdict);
+    cryptoopts = qcow2_extract_crypto_create_opts(opts, "luks", errp);
     if (!cryptoopts) {
         return false;
     }
@@ -4756,6 +4765,7 @@  typedef enum Qcow2AmendOperation {
      * invocation from an operation change */
     QCOW2_NO_OPERATION = 0,
 
+    QCOW2_UPDATING_ENCRYPTION,
     QCOW2_CHANGING_REFCOUNT_ORDER,
     QCOW2_DOWNGRADING,
 } Qcow2AmendOperation;
@@ -4840,6 +4850,7 @@  static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
     int ret;
     QemuOptDesc *desc = opts->list->desc;
     Qcow2AmendHelperCBInfo helper_cb_info;
+    bool encryption_update = false;
 
     while (desc && desc->name) {
         if (!qemu_opt_find(opts, desc->name)) {
@@ -4888,9 +4899,22 @@  static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
                 return -ENOTSUP;
             }
         } else if (g_str_has_prefix(desc->name, "encrypt.")) {
-            error_setg(errp,
-                       "Changing the encryption parameters is not supported");
-            return -ENOTSUP;
+
+            if (!s->crypto) {
+                error_setg(errp,
+                           "Can't amend encryption options - encryption not supported");
+                return -ENOTSUP;
+
+            }
+
+            if (s->crypt_method_header != QCOW_CRYPT_LUKS) {
+                error_setg(errp,
+                           "Only LUKS encryption options can be amended");
+                return -ENOTSUP;
+            }
+
+            encryption_update = true;
+
         } else if (!strcmp(desc->name, BLOCK_OPT_CLUSTER_SIZE)) {
             cluster_size = qemu_opt_get_size(opts, BLOCK_OPT_CLUSTER_SIZE,
                                              cluster_size);
@@ -4927,7 +4951,7 @@  static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
                                  "images");
                 return -EINVAL;
             }
-        } else {
+        } else  {
             /* if this point is reached, this probably means a new option was
              * added without having it covered here */
             abort();
@@ -4940,7 +4964,8 @@  static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
         .original_status_cb = status_cb,
         .original_cb_opaque = cb_opaque,
         .total_operations = (new_version < old_version)
-                          + (s->refcount_bits != refcount_bits)
+                          + (s->refcount_bits != refcount_bits) +
+                          (encryption_update == true)
     };
 
     /* Upgrade first (some features may require compat=1.1) */
@@ -4954,6 +4979,28 @@  static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts,
         }
     }
 
+    if (encryption_update) {
+
+        QCryptoBlockCreateOptions *cryptoopts;
+
+        cryptoopts = qcow2_extract_crypto_create_opts(opts, "luks", errp);
+        if (!cryptoopts)
+            return -EINVAL;
+
+        helper_cb_info.current_operation = QCOW2_UPDATING_ENCRYPTION;
+
+        ret = qcrypto_block_amend_options(s->crypto,
+                                          qcow2_crypto_hdr_read_func,
+                                          qcow2_crypto_hdr_write_func,
+                                          bs,
+                                          cryptoopts,
+                                          force,
+                                          errp);
+        if (ret) {
+            return ret;
+        }
+    }
+
     if (s->refcount_bits != refcount_bits) {
         int refcount_order = ctz32(refcount_bits);