@@ -312,6 +312,11 @@ static int bdrv_is_whitelisted(BlockDriver *drv, bool read_only)
return 0;
}
+bool bdrv_uses_whitelist(void)
+{
+ return use_bdrv_whitelist;
+}
+
typedef struct CreateCo {
BlockDriver *drv;
char *filename;
@@ -1021,13 +1026,6 @@ static int bdrv_open_common(BlockDriverState *bs, BdrvChild *file,
goto free_and_fail;
}
- if (bs->encrypted) {
- error_report("Encrypted images are deprecated");
- error_printf("Support for them will be removed in a future release.\n"
- "You can use 'qemu-img convert' to convert your image"
- " to an unencrypted one.\n");
- }
-
ret = refresh_total_sectors(bs, bs->total_sectors);
if (ret < 0) {
error_setg_errno(errp, -ret, "Could not refresh total sector count");
@@ -180,6 +180,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
s->crypt_method_header = header.crypt_method;
if (s->crypt_method_header) {
if (s->crypt_method_header == QCOW_CRYPT_AES) {
+ if (bdrv_uses_whitelist()) {
+ error_setg(errp,
+ "Use of AES-CBC encrypted qcow images is no longer "
+ "supported. Please use the qcow2 LUKS format instead.");
+ ret = -ENOSYS;
+ goto fail;
+ }
+
ov = opts_visitor_new(opts);
crypto_opts = g_new0(QCryptoBlockOpenOptions, 1);
@@ -1209,6 +1209,14 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
s->crypt_method_header = header.crypt_method;
if (s->crypt_method_header) {
+ if (bdrv_uses_whitelist() &&
+ s->crypt_method_header == QCOW_CRYPT_AES) {
+ error_setg(errp,
+ "Use of AES-CBC encrypted qcow2 images is no longer "
+ "supported. Please use the qcow2 LUKS format instead.");
+ ret = -ENOSYS;
+ goto fail;
+ }
bs->encrypted = 1;
}
@@ -190,6 +190,7 @@ void bdrv_io_limits_update_group(BlockDriverState *bs, const char *group);
void bdrv_init(void);
void bdrv_init_with_whitelist(void);
+bool bdrv_uses_whitelist(void);
BlockDriver *bdrv_find_protocol(const char *filename,
bool allow_protocol_prefix,
Error **errp);
@@ -187,9 +187,6 @@ qemu-img create -f qcow2 -o encryption=off TEST_DIR/t.qcow2 64M
Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 size=67108864 encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16
qemu-img create -f qcow2 --object secret,id=sec0,data=123456 -o encryption=on,key-secret=sec0 TEST_DIR/t.qcow2 64M
-qemu-img: Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 size=67108864 encryption=on cluster_size=65536 lazy_refcounts=off refcount_bits=16 key-secret=sec0
== Check lazy_refcounts option (only with v3) ==
@@ -38,17 +38,11 @@ QMP_VERSION
=== Encrypted image ===
-qemu-img: Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 encryption=on key-secret=sec0
Testing: -S
QMP_VERSION
{"return": {}}
{"return": {}}
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
{"return": {}}
{"return": {}}
{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN"}
@@ -57,9 +51,6 @@ Testing:
QMP_VERSION
{"return": {}}
{"return": {}}
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
{"return": {}}
{"return": {}}
{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN"}
@@ -67,9 +58,6 @@ You can use 'qemu-img convert' to convert your image to an unencrypted one.
=== Missing driver ===
-qemu-img: Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 encryption=on key-secret=sec0
Testing: -S
QMP_VERSION
@@ -1,27 +1,15 @@
QA output created by 134
-qemu-img: Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 encryption=on key-secret=sec0
== reading whole image ==
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
read 134217728/134217728 bytes at offset 0
128 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
== rewriting whole image ==
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
wrote 134217728/134217728 bytes at offset 0
128 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
== verify pattern ==
-Encrypted images are deprecated
-Support for them will be removed in a future release.
-You can use 'qemu-img convert' to convert your image to an unencrypted one.
read 134217728/134217728 bytes at offset 0
128 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
Refuse to use images with the legacy AES-CBC encryption format in the system emulators. They are still fully supported in the qemu-img, qemu-io & qemu-nbd tools in order to allow data to be liberated and for compatibility with older QEMU versions. Continued support in these tools is not a notable burden with the new FDE framework. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- block.c | 12 +++++------- block/qcow.c | 8 ++++++++ block/qcow2.c | 8 ++++++++ include/block/block.h | 1 + tests/qemu-iotests/049.out | 3 --- tests/qemu-iotests/087.out | 12 ------------ tests/qemu-iotests/134.out | 12 ------------ 7 files changed, 22 insertions(+), 34 deletions(-)