On Thu, Oct 21, 2021 at 11:40:20 +0000, Or Ozeri wrote:
Thanks for reviewing all of my patches! I'm fine with you making any of the changes you suggested. So the only change I need to make is "specify what's happening in the storage driver"? Can you elaborate what do you mean by that? I can add something like: For librbd engine, the encryption happens inside the librbd storage driver, so block read/write requests coming in from the hypervisor (qemu) are plaintext, but encrypted by the storage driver before being persisted. Is this the kind of thing you were thinking about?
I meant the libvirt storage driver, which provides the storage pool/volume functionality. The code in the storage driver can create encrypted qcow2 images. (not on RBD IIRC), but is using qemu-img to do that, which doesn't use the same code we use in the qemu driver to instantiate VMs. So while qemu-img could use the librbd encryption engine, the storage driver code can't control it in such way. Similarly the code doesn't share the 'qemu' validation/post-parse checks so the librbd and luks2 combinations are not rejected.