From patchwork Tue Jan 14 19:33:44 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maxim Levitsky X-Patchwork-Id: 1223020 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org (client-ip=209.51.188.17; helo=lists.gnu.org; envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=PAYX0L6G; dkim-atps=neutral Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47y10l6WwSz9s29 for ; Wed, 15 Jan 2020 06:36:23 +1100 (AEDT) Received: from localhost ([::1]:45122 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1irRzB-0003Vm-DE for incoming@patchwork.ozlabs.org; Tue, 14 Jan 2020 14:36:21 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:38441) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1irRyN-0003GD-Dr for qemu-devel@nongnu.org; Tue, 14 Jan 2020 14:35:34 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1irRyK-0007jh-OG for qemu-devel@nongnu.org; Tue, 14 Jan 2020 14:35:31 -0500 Received: from us-smtp-delivery-1.mimecast.com ([207.211.31.120]:21380 helo=us-smtp-1.mimecast.com) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1irRyK-0007j6-K8 for qemu-devel@nongnu.org; Tue, 14 Jan 2020 14:35:28 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1579030528; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1Yy7MXuoHyFbyV2yl4FMvL6qH7mKHQC/6W4zJtb6D0E=; b=PAYX0L6GUy4Vzz1aJLjpcqGzB6mgbh+n6NivI7FMTy7bwyc3Nt874Q1zr4BU9AyU/6ikO2 HoPZs17hWJrSapbr9jl8UyFYVz1pxdIVdbJ55OhhskUcTG5gFVqLByM+UPzz3vKBvrjCdb THPoRXzmBH0T7VeBSNeNQQD0x8JtFnw= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-170-2rGv6P3ROyCJXtQW96Hptg-1; Tue, 14 Jan 2020 14:34:19 -0500 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 9C969DC24; Tue, 14 Jan 2020 19:34:18 +0000 (UTC) Received: from maximlenovopc.usersys.redhat.com (unknown [10.35.206.41]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5F4C687EFE; Tue, 14 Jan 2020 19:34:16 +0000 (UTC) From: Maxim Levitsky To: qemu-devel@nongnu.org Subject: [PATCH 07/13] qcow2: extend qemu-img amend interface with crypto options Date: Tue, 14 Jan 2020 21:33:44 +0200 Message-Id: <20200114193350.10830-8-mlevitsk@redhat.com> In-Reply-To: <20200114193350.10830-1-mlevitsk@redhat.com> References: <20200114193350.10830-1-mlevitsk@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-MC-Unique: 2rGv6P3ROyCJXtQW96Hptg-1 X-Mimecast-Spam-Score: 0 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 207.211.31.120 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Kevin Wolf , =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= , qemu-block@nongnu.org, Markus Armbruster , Max Reitz , Maxim Levitsky , John Snow Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" Now that we have all the infrastructure in place, wire it in the qcow2 driver and expose this to the user. Signed-off-by: Maxim Levitsky --- block/qcow2.c | 101 +++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 79 insertions(+), 22 deletions(-) diff --git a/block/qcow2.c b/block/qcow2.c index c6c2deee75..1b01174aed 100644 --- a/block/qcow2.c +++ b/block/qcow2.c @@ -173,6 +173,19 @@ static ssize_t qcow2_crypto_hdr_write_func(QCryptoBlock *block, size_t offset, return ret; } +static QDict* +qcow2_extract_crypto_opts(QemuOpts *opts, const char *fmt, Error **errp) +{ + QDict *cryptoopts_qdict; + QDict *opts_qdict; + + /* Extract "encrypt." options into a qdict */ + opts_qdict = qemu_opts_to_qdict(opts, NULL); + qdict_extract_subqdict(opts_qdict, &cryptoopts_qdict, "encrypt."); + qobject_unref(opts_qdict); + qdict_put_str(cryptoopts_qdict, "format", "luks"); + return cryptoopts_qdict; +} /* * read qcow2 extension and fill bs @@ -4631,20 +4644,18 @@ static ssize_t qcow2_measure_crypto_hdr_write_func(QCryptoBlock *block, static bool qcow2_measure_luks_headerlen(QemuOpts *opts, size_t *len, Error **errp) { - QDict *opts_qdict; - QDict *cryptoopts_qdict; QCryptoBlockCreateOptions *cryptoopts; + QDict* crypto_opts_dict; QCryptoBlock *crypto; - /* Extract "encrypt." options into a qdict */ - opts_qdict = qemu_opts_to_qdict(opts, NULL); - qdict_extract_subqdict(opts_qdict, &cryptoopts_qdict, "encrypt."); - qobject_unref(opts_qdict); + crypto_opts_dict = qcow2_extract_crypto_opts(opts, "luks", errp); + if (!crypto_opts_dict) { + return false; + } + + cryptoopts = block_crypto_create_opts_init(crypto_opts_dict, errp); + qobject_unref(crypto_opts_dict); - /* Build QCryptoBlockCreateOptions object from qdict */ - qdict_put_str(cryptoopts_qdict, "format", "luks"); - cryptoopts = block_crypto_create_opts_init(cryptoopts_qdict, errp); - qobject_unref(cryptoopts_qdict); if (!cryptoopts) { return false; } @@ -5083,6 +5094,7 @@ typedef enum Qcow2AmendOperation { QCOW2_NO_OPERATION = 0, QCOW2_UPGRADING, + QCOW2_UPDATING_ENCRYPTION, QCOW2_CHANGING_REFCOUNT_ORDER, QCOW2_DOWNGRADING, } Qcow2AmendOperation; @@ -5167,6 +5179,7 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts, int ret; QemuOptDesc *desc = opts->list->desc; Qcow2AmendHelperCBInfo helper_cb_info; + bool encryption_update = false; while (desc && desc->name) { if (!qemu_opt_find(opts, desc->name)) { @@ -5215,9 +5228,17 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts, return -ENOTSUP; } } else if (g_str_has_prefix(desc->name, "encrypt.")) { - error_setg(errp, - "Changing the encryption parameters is not supported"); - return -ENOTSUP; + if (!s->crypto) { + error_setg(errp, + "Can't amend encryption options - encryption not present"); + return -EINVAL; + } + if (s->crypt_method_header != QCOW_CRYPT_LUKS) { + error_setg(errp, + "Only LUKS encryption options can be amended"); + return -ENOTSUP; + } + encryption_update = true; } else if (!strcmp(desc->name, BLOCK_OPT_CLUSTER_SIZE)) { cluster_size = qemu_opt_get_size(opts, BLOCK_OPT_CLUSTER_SIZE, cluster_size); @@ -5267,7 +5288,8 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts, .original_status_cb = status_cb, .original_cb_opaque = cb_opaque, .total_operations = (new_version != old_version) - + (s->refcount_bits != refcount_bits) + + (s->refcount_bits != refcount_bits) + + (encryption_update == true) }; /* Upgrade first (some features may require compat=1.1) */ @@ -5280,6 +5302,33 @@ static int qcow2_amend_options(BlockDriverState *bs, QemuOpts *opts, } } + if (encryption_update) { + QDict *amend_opts_dict; + QCryptoBlockAmendOptions *amend_opts; + + helper_cb_info.current_operation = QCOW2_UPDATING_ENCRYPTION; + amend_opts_dict = qcow2_extract_crypto_opts(opts, "luks", errp); + if (!amend_opts_dict) { + return -EINVAL; + } + amend_opts = block_crypto_amend_opts_init(amend_opts_dict, errp); + qobject_unref(amend_opts_dict); + if (!amend_opts) { + return -EINVAL; + } + ret = qcrypto_block_amend_options(s->crypto, + qcow2_crypto_hdr_read_func, + qcow2_crypto_hdr_write_func, + bs, + amend_opts, + force, + errp); + qapi_free_QCryptoBlockAmendOptions(amend_opts); + if (ret < 0) { + return ret; + } + } + if (s->refcount_bits != refcount_bits) { int refcount_order = ctz32(refcount_bits); @@ -5488,14 +5537,6 @@ void qcow2_signal_corruption(BlockDriverState *bs, bool fatal, int64_t offset, .type = QEMU_OPT_STRING, \ .help = "Encrypt the image, format choices: 'aes', 'luks'", \ }, \ - BLOCK_CRYPTO_OPT_DEF_KEY_SECRET("encrypt.", \ - "ID of secret providing qcow AES key or LUKS passphrase"), \ - BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_ALG("encrypt."), \ - BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_MODE("encrypt."), \ - BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_ALG("encrypt."), \ - BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_HASH_ALG("encrypt."), \ - BLOCK_CRYPTO_OPT_DEF_LUKS_HASH_ALG("encrypt."), \ - BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME("encrypt."), \ { \ .name = BLOCK_OPT_CLUSTER_SIZE, \ .type = QEMU_OPT_SIZE, \ @@ -5526,6 +5567,14 @@ static QemuOptsList qcow2_create_opts = { .head = QTAILQ_HEAD_INITIALIZER(qcow2_create_opts.head), .desc = { QCOW_COMMON_OPTIONS, + BLOCK_CRYPTO_OPT_DEF_KEY_SECRET("encrypt.", + "ID of secret providing qcow AES key or LUKS passphrase"), + BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_ALG("encrypt."), + BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_MODE("encrypt."), + BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_ALG("encrypt."), + BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_HASH_ALG("encrypt."), + BLOCK_CRYPTO_OPT_DEF_LUKS_HASH_ALG("encrypt."), + BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME("encrypt."), { /* end of list */ } } }; @@ -5535,6 +5584,14 @@ static QemuOptsList qcow2_amend_opts = { .head = QTAILQ_HEAD_INITIALIZER(qcow2_amend_opts.head), .desc = { QCOW_COMMON_OPTIONS, + BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT_UPDATE("encrypt.keys.0."), + BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT_UPDATE("encrypt.keys.1."), + BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT_UPDATE("encrypt.keys.2."), + BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT_UPDATE("encrypt.keys.3."), + BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT_UPDATE("encrypt.keys.4."), + BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT_UPDATE("encrypt.keys.5."), + BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT_UPDATE("encrypt.keys.6."), + BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT_UPDATE("encrypt.keys.7."), { /* end of list */ } } };