On Mon, Mar 06, 2023 at 06:59:36 -0600, Or Ozeri wrote:
The newly added luks-any rbd encryption format in qemu
allows for opening both LUKS and LUKS2 encryption formats.
This commit enables libvirt users to use this wildcard format.
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
docs/formatstorageencryption.rst | 9 ++++
src/conf/schemas/storagecommon.rng | 1 +
src/conf/storage_encryption_conf.c | 2 +-
src/conf/storage_encryption_conf.h | 1 +
src/libvirt_private.syms | 1 +
src/qemu/qemu_block.c | 10 ++++-
src/qemu/qemu_domain.c | 32 +++++++++++++-
...k-rbd-encryption-luks-any.x86_64-7.2.0.err | 1 +
...rbd-encryption-luks-any.x86_64-latest.args | 38 ++++++++++++++++
.../disk-network-rbd-encryption-luks-any.xml | 39 ++++++++++++++++
tests/qemuxml2argvtest.c | 2 +
...-rbd-encryption-luks-any.x86_64-latest.xml | 44 +++++++++++++++++++
tests/qemuxml2xmltest.c | 1 +
13 files changed, 176 insertions(+), 5 deletions(-)
create mode 100644
tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-7.2.0.err
create mode 100644
tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.xml
create mode 100644
tests/qemuxml2xmloutdata/disk-network-rbd-encryption-luks-any.x86_64-latest.xml
diff --git a/docs/formatstorageencryption.rst b/docs/formatstorageencryption.rst
index 2c19473d6b..c58d088403 100644
--- a/docs/formatstorageencryption.rst
+++ b/docs/formatstorageencryption.rst
@@ -104,6 +104,15 @@ it to control such disks. However, pre-formatted RBD luks2 disks can
be loaded
to a qemu VM using the qemu VM driver. A single
``<secret type='passphrase'...>`` element is expected.
+``luks-any`` format
+~~~~~~~~~~~~~~~~~~~
+
+The ``luks-any`` format is currently supported only by the ``librbd`` engine,
+and can only be applied to RBD network disks (RBD images). This format will try
+to parse the disk as either LUKS or LUKS2, depending on the actual on-disk
+format. A single ``<secret type='passphrase'...>`` element is expected
(except
+for the case of RBD layered encryption mentioned above) :since:`Since 9.3.0` .
+
Examples
--------
diff --git a/src/conf/schemas/storagecommon.rng b/src/conf/schemas/storagecommon.rng
index 4d6e646c9a..aef1bd969c 100644
--- a/src/conf/schemas/storagecommon.rng
+++ b/src/conf/schemas/storagecommon.rng
@@ -14,6 +14,7 @@
<value>qcow</value>
<value>luks</value>
<value>luks2</value>
+ <value>luks-any</value>
</choice>
</attribute>
<optional>
diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
index 3651ff8cfd..639cbf2e58 100644
--- a/src/conf/storage_encryption_conf.c
+++ b/src/conf/storage_encryption_conf.c
@@ -41,7 +41,7 @@ VIR_ENUM_IMPL(virStorageEncryptionSecret,
VIR_ENUM_IMPL(virStorageEncryptionFormat,
VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
- "default", "qcow", "luks",
"luks2",
+ "default", "qcow", "luks",
"luks2", "luks-any",
);
VIR_ENUM_IMPL(virStorageEncryptionEngine,
diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h
index 312599ad44..03f0e60feb 100644
--- a/src/conf/storage_encryption_conf.h
+++ b/src/conf/storage_encryption_conf.h
@@ -66,6 +66,7 @@ typedef enum {
VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */
VIR_STORAGE_ENCRYPTION_FORMAT_LUKS,
VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2,
+ VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY,
VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
} virStorageEncryptionFormatType;
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index b249dcc85c..eb3ff37b81 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1095,6 +1095,7 @@ virStorageVolTypeToString;
# conf/storage_encryption_conf.h
virStorageEncryptionFormat;
+virStorageEncryptionFormatTypeToString;
virStorageEncryptionFree;
virStorageEncryptionParseNode;
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index 5e700eff99..254d82df41 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -572,6 +572,10 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src,
encformat = "luks2";
break;
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
+ encformat = "luks-any";
+ break;
+
case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
@@ -1040,8 +1044,10 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
break;
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("luks2 is currently not supported by the qemu encryption
engine"));
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("%s is currently not supported by the qemu encryption
engine"),
+
virStorageEncryptionFormatTypeToString(src->encryption->format));
return -1;
I'd add a comment here instead saying that these were caught by the
validation code as this is simply dead code.
case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index f5fd140c85..94ea482363 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -5136,8 +5136,10 @@ qemuDomainValidateStorageSource(virStorageSource *src,
break;
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("luks2 is currently not supported by the
qemu encryption engine"));
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("%s is currently not supported by the qemu
encryption engine"),
Add quotes around substitutions: '%s' encryption format is ....
+
virStorageEncryptionFormatTypeToString(src->encryption->format));
return -1;
case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
@@ -5163,6 +5165,32 @@ qemuDomainValidateStorageSource(virStorageSource *src,
_("librbd encryption is supported only with RBD
backed disks"));
return -1;
}
+
+ switch ((virStorageEncryptionFormatType) src->encryption->format)
{
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
+ break;
+
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
+ if (!virQEMUCapsGet(qemuCaps,
QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("luks-any encryption is not supported
by this QEMU binary"));
+ return -1;
+ }
+ break;
+
+ case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("qcow encryption format is not supported
by the librbd encryption engine"));
This is dead code (and consequently an unnecessary translatable string),
a check above completely denies VIR_STORAGE_ENCRYPTION_FORMAT_QCOW for
any other cases.
+ return -1;
+
+ case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
+ default:
+ virReportEnumRangeError(virStorageEncryptionFormatType,
+ src->encryption->format);
+ return -1;
+ }
break;
case VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT:
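Review bot: The `case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS: case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2: break;` arm of the new switch accepts those formats with no capability check and nothing in the hunk says why that is safe; a comment such as `/* luks and luks2 are already covered by the QEMU_CAPS_RBD_ENCRYPTION check earlier in this case */` would make the asymmetry with the luks-any arm deliberate — presumably that check sits just above the hunk, which cannot be verified from the visible lines. The luks-any arm also deserves a one-line note that with this format the LUKS-vs-LUKS2 choice is made by librbd from the on-disk header rather than from the domain XML (as the docs hunk states), so a deployment that must enforce LUKS2 should pin `luks2` instead of `luks-any`. If an omitted `format` attribute can reach this switch as VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT for the librbd engine, the user now gets an enum-range error rather than a configuration error; confirm that the parser or an earlier check rejects that combination. The enclosing qemuDomainValidateStorageSource begins before this hunk.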