From: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
Two new domain configuration XML elements have been added to enable/disable
the protected key management operations for a guest:
<domain>
...
<keywrap>
<cipher name='aes|dea' state='on|off'/>
</keywrap>
...
</domain>
Signed-off-by: Tony Krowiak <akrowiak(a)linux.vnet.ibm.com>
Signed-off-by: Viktor Mihajlovski <mihajlov(a)de.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
docs/formatdomain.html.in | 37 +++++++++++++++++++++++++++++++++++++
docs/schemas/domaincommon.rng | 24 ++++++++++++++++++++++++
2 files changed, 61 insertions(+)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index e0b6ba7..db3c81c 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6227,6 +6227,43 @@ qemu-kvm -net nic,model=? /dev/null
being on a file system that lacks security labeling.
</p>
+ <h3><a name="keywrap" shape="rect"
id="keywrap">Key Wrap</a></h3>
+
+ <p>The content of the optional <code>keywrap</code> element
specifies
+ whether the guest will be allowed to perform the S390 cryptographic key
+ management operations. A clear key can be protected by encrypting it
+ under a unique wrapping key that is generated for each guest VM running
+ on the host. Two variations of wrapping keys are generated: one version
+ for encrypting protected keys using the DEA/TDEA algorithm, and another
+ version for keys encrypted using the AES algorithm. If a
+ <code>keywrap</code> element is not included, the guest will be
granted
+ access to both AES and DEA/TDEA key wrapping by default.</p>
+
+ <pre xml:space="preserve">
+<domain>
+ ...
+ <keywrap>
+ <cipher name='aes' state='off'/>
+ <keywrap/>
+ ...
+</domain>
+</pre>
+ <p>At least one <code>cipher</code> element must be nested within
the
+ <code>keywrap</code> element.</p>
+ <dl><dt><code>cipher</code></dt>
+ <dd>The <code>name</code> attribute identifies the algorithm
+ for encrypting a protected key. The values supported for this attribute
+ are <code>aes</code> for encryption under the AES wrapping key, or
+ <code>dea</code> for encryption under the DEA/TDEA wrapping key. The
+ <code>state</code> attribute indicates whether the cryptographic key
+ management operations should be turned on for the specified encryption
+ algorithm. The value can be set to <code>on</code> or
<code>off</code>.
+ A default state of <code>on</code> will be assumed if a
+ <code>cipher</code> element is not included for the AES or DEA/TDEA
+ encryption algorithm.
+ </dd></dl>
+
+ Note: DEA/TDEA is synonymous with DES/TDES.
<h2><a name="examples">Example configs</a></h2>
<p>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index c151e92..1e67776 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -67,6 +67,9 @@
<optional>
<ref name='qemucmdline'/>
</optional>
+ <optional>
+ <ref name='keywrap'/>
+ </optional>
</interleave>
</element>
</define>
@@ -382,6 +385,27 @@
</element>
</define>
+ <define name="keywrap">
+ <element name="keywrap">
+ <oneOrMore>
+ <element name="cipher">
+ <attribute name="name">
+ <choice>
+ <value>aes</value>
+ <value>dea</value>
+ </choice>
+ </attribute>
+ <attribute name="state">
+ <choice>
+ <value>on</value>
+ <value>off</value>
+ </choice>
+ </attribute>
+ </element>
+ </oneOrMore>
+ </element>
+ </define>
+
<!--
The Identifiers can be:
- an optional id attribute with a number on the domain element
--
2.3.6