5:18 a.m.
v3: rebased on master
v2: addressed (hopefully) all of Peter's v1 comments (thanks Peter!)
Or Ozeri (5):
qemu: add disk post parse to qemublocktest
qemu: add rbd encryption capability probing
conf: add luks2 encryption format
conf: add encryption engine property
qemu: add librbd encryption engine
docs/formatstorageencryption.html.in | 8 +-
docs/schemas/domainbackup.rng | 7 +
docs/schemas/storagecommon.rng | 9 +
src/conf/storage_encryption_conf.c | 33 +++-
src/conf/storage_encryption_conf.h | 11 ++
src/qemu/qemu_block.c | 33 ++++
src/qemu/qemu_capabilities.c | 2 +
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_domain.c | 37 +++-
src/qemu/qemu_domain.h | 3 +
tests/qemublocktest.c | 3 +
.../caps_6.1.0.x86_64.xml | 1 +
tests/qemustatusxml2xmldata/upgrade-out.xml | 6 +-
...sk-network-rbd-encryption.x86_64-6.0.0.err | 1 +
...-network-rbd-encryption.x86_64-latest.args | 49 ++++++
.../disk-network-rbd-encryption.xml | 75 +++++++++
tests/qemuxml2argvtest.c | 2 +
...k-network-rbd-encryption.x86_64-latest.xml | 83 +++++++++
tests/qemuxml2xmloutdata/disk-nvme.xml | 65 ++++++-
.../disk-slices.x86_64-latest.xml | 4 +-
.../encrypted-disk-usage.xml | 38 ++++-
tests/qemuxml2xmloutdata/encrypted-disk.xml | 2 +-
.../luks-disks-source-qcow2.x86_64-latest.xml | 14 +-
.../qemuxml2xmloutdata/luks-disks-source.xml | 10 +-
tests/qemuxml2xmloutdata/luks-disks.xml | 47 +++++-
tests/qemuxml2xmloutdata/user-aliases.xml | 159 +++++++++++++++++-
tests/qemuxml2xmltest.c | 1 +
27 files changed, 677 insertions(+), 27 deletions(-)
create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err
create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.xml
create mode 100644
tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml
mode change 120000 => 100644 tests/qemuxml2xmloutdata/disk-nvme.xml
mode change 120000 => 100644 tests/qemuxml2xmloutdata/encrypted-disk-usage.xml
mode change 120000 => 100644 tests/qemuxml2xmloutdata/luks-disks.xml
mode change 120000 => 100644 tests/qemuxml2xmloutdata/user-aliases.xml
--
2.25.1
5:18 a.m.
New subject: [PATCH v3 1/5] qemu: add disk post parse to qemublocktest
The post parse callback is part of the real (non-test) processing flow.
This commit adds it (for disks) to the qemublocktest flow as well.
Specifically, this will be needed for tests that use luks encryption,
so that the default encryption engine (which is added in an upcoming commit)
will be overridden by qemu.
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
src/qemu/qemu_domain.c | 2 +-
src/qemu/qemu_domain.h | 3 +++
tests/qemublocktest.c | 3 +++
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index a755f8678e..288a40bca6 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -5259,7 +5259,7 @@ qemuDomainDeviceDiskDefPostParseRestoreSecAlias(virDomainDiskDef
*disk,
}
-static int
+int
qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *disk,
unsigned int parseFlags)
{
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 64f92988b7..0642e44fbc 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -872,6 +872,9 @@ int qemuDomainSecretPrepare(virQEMUDriver *driver,
int qemuDomainDeviceDefValidateDisk(const virDomainDiskDef *disk,
virQEMUCaps *qemuCaps);
+int qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *disk,
+ unsigned int parseFlags);
+
int qemuDomainPrepareChannel(virDomainChrDef *chr,
const char *domainChannelTargetDir)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
diff --git a/tests/qemublocktest.c b/tests/qemublocktest.c
index 3e61e923a9..0e4bb146c9 100644
--- a/tests/qemublocktest.c
+++ b/tests/qemublocktest.c
@@ -276,6 +276,9 @@ testQemuDiskXMLToProps(const void *opaque)
VIR_DOMAIN_DEF_PARSE_STATUS)))
return -1;
+ if (qemuDomainDeviceDiskDefPostParse(disk, 0) < 0)
+ return -1;
+
if (!(vmdef = virDomainDefNew(data->driver->xmlopt)))
return -1;
--
2.25.1
2:24 a.m.
New subject: [PATCH v3 1/5] qemu: add disk post parse to qemublocktest
On Wed, Oct 06, 2021 at 05:18:42 -0500, Or Ozeri wrote:
The post parse callback is part of the real (non-test) processing
flow.
This commit adds it (for disks) to the qemublocktest flow as well.
Specifically, this will be needed for tests that use luks encryption,
so that the default encryption engine (which is added in an upcoming commit)
will be overridden by qemu.
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
src/qemu/qemu_domain.c | 2 +-
src/qemu/qemu_domain.h | 3 +++
tests/qemublocktest.c | 3 +++
3 files changed, 7 insertions(+), 1 deletion(-)
Reviewed-by: Peter Krempa <pkrempa(a)redhat.com>
5:18 a.m.
New subject: [PATCH v3 2/5] qemu: add rbd encryption capability probing
rbd encryption is new in qemu 6.1.0.
This commit adds capability probing for it.
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
src/qemu/qemu_capabilities.c | 2 ++
src/qemu/qemu_capabilities.h | 1 +
tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml | 1 +
3 files changed, 4 insertions(+)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 82687dbf39..ea0734db15 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -644,6 +644,7 @@ VIR_ENUM_IMPL(virQEMUCaps,
"virtio-mem-pci", /* QEMU_CAPS_DEVICE_VIRTIO_MEM_PCI */
"memory-backend-file.reserve", /*
QEMU_CAPS_MEMORY_BACKEND_RESERVE */
"piix4.acpi-root-pci-hotplug", /*
QEMU_CAPS_PIIX4_ACPI_ROOT_PCI_HOTPLUG */
+ "rbd-encryption", /* QEMU_CAPS_RBD_ENCRYPTION */
);
@@ -1565,6 +1566,7 @@ static struct virQEMUCapsStringFlags virQEMUCapsQMPSchemaQueries[] =
{
{ "blockdev-add/arg-type/+file/$dynamic-auto-read-only",
QEMU_CAPS_BLOCK_FILE_AUTO_READONLY_DYNAMIC },
{ "blockdev-add/arg-type/+nvme", QEMU_CAPS_DRIVE_NVME },
{ "blockdev-add/arg-type/+file/aio/^io_uring", QEMU_CAPS_AIO_IO_URING },
+ { "blockdev-add/arg-type/+rbd/encrypt", QEMU_CAPS_RBD_ENCRYPTION },
{ "blockdev-add/arg-type/discard", QEMU_CAPS_DRIVE_DISCARD },
{ "blockdev-add/arg-type/detect-zeroes", QEMU_CAPS_DRIVE_DETECT_ZEROES },
{ "blockdev-backup", QEMU_CAPS_BLOCKDEV_BACKUP },
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index 2bbfc15dc4..674da98539 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -624,6 +624,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for syntax-check
*/
QEMU_CAPS_DEVICE_VIRTIO_MEM_PCI, /* -device virtio-mem-pci */
QEMU_CAPS_MEMORY_BACKEND_RESERVE, /* -object memory-backend-*.reserve= */
QEMU_CAPS_PIIX4_ACPI_ROOT_PCI_HOTPLUG, /* -M pc PIIX4_PM.acpi-root-pci-hotplug */
+ QEMU_CAPS_RBD_ENCRYPTION, /* Ceph RBD encryption support */
QEMU_CAPS_LAST /* this must always be the last item */
} virQEMUCapsFlags;
diff --git a/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml
index 87b37a2b7c..8180cfd6c2 100644
--- a/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml
@@ -243,6 +243,7 @@
<flag name='virtio-mem-pci'/>
<flag name='memory-backend-file.reserve'/>
<flag name='piix4.acpi-root-pci-hotplug'/>
+ <flag name='rbd-encryption'/>
<version>6001000</version>
<kvmVersion>0</kvmVersion>
<microcodeVersion>43100243</microcodeVersion>
--
2.25.1
2:25 a.m.
New subject: [PATCH v3 2/5] qemu: add rbd encryption capability probing
On Wed, Oct 06, 2021 at 05:18:43 -0500, Or Ozeri wrote:
We prefer whent he capability name is in the commit message. I'll add it
before pushing if nothing major will need to change.
rbd encryption is new in qemu 6.1.0.
This commit adds capability probing for it.
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
src/qemu/qemu_capabilities.c | 2 ++
src/qemu/qemu_capabilities.h | 1 +
tests/qemucapabilitiesdata/caps_6.1.0.x86_64.xml | 1 +
3 files changed, 4 insertions(+)
Reviewed-by: Peter Krempa <pkrempa(a)redhat.com>
5:18 a.m.
New subject: [PATCH v3 3/5] conf: add luks2 encryption format
This commit extends libvirt XML configuration to support luks2 encryption format.
This means that <encryption format="luks2"> becomes valid.
Actual handler (other than returning "not supported") for this new format will
be added in an upcoming commit.
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
docs/formatstorageencryption.html.in | 2 +-
docs/schemas/storagecommon.rng | 1 +
src/conf/storage_encryption_conf.c | 2 +-
src/conf/storage_encryption_conf.h | 1 +
src/qemu/qemu_block.c | 1 +
src/qemu/qemu_domain.c | 3 ++-
6 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
index 7215c307d7..b2631ab25d 100644
--- a/docs/formatstorageencryption.html.in
+++ b/docs/formatstorageencryption.html.in
@@ -18,7 +18,7 @@
is <code>encryption</code>, with a mandatory
attribute <code>format</code>. Currently defined values
of <code>format</code> are <code>default</code>,
<code>qcow</code>,
- and <code>luks</code>.
+ <code>luks</code>, and <code>luks2</code>.
Each value of <code>format</code> implies some expectations about the
content of the <code>encryption</code> tag. Other format values may
be
defined in the future.
diff --git a/docs/schemas/storagecommon.rng b/docs/schemas/storagecommon.rng
index 9ebb27700d..7d1d066289 100644
--- a/docs/schemas/storagecommon.rng
+++ b/docs/schemas/storagecommon.rng
@@ -13,6 +13,7 @@
<value>default</value>
<value>qcow</value>
<value>luks</value>
+ <value>luks2</value>
</choice>
</attribute>
<interleave>
diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
index 9112b96cc7..2df4ec96af 100644
--- a/src/conf/storage_encryption_conf.c
+++ b/src/conf/storage_encryption_conf.c
@@ -44,7 +44,7 @@ VIR_ENUM_IMPL(virStorageEncryptionSecret,
VIR_ENUM_IMPL(virStorageEncryptionFormat,
VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
- "default", "qcow", "luks",
+ "default", "qcow", "luks",
"luks2",
);
static void
diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h
index 34adbd5f7b..32e3a1243a 100644
--- a/src/conf/storage_encryption_conf.h
+++ b/src/conf/storage_encryption_conf.h
@@ -56,6 +56,7 @@ typedef enum {
VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT = 0,
VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */
VIR_STORAGE_ENCRYPTION_FORMAT_LUKS,
+ VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2,
VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
} virStorageEncryptionFormatType;
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index 393d3f44d7..31b6b3566b 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -1328,6 +1328,7 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
break;
case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
default:
virReportEnumRangeError(virStorageEncryptionFormatType,
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 288a40bca6..cd65e8b365 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1228,7 +1228,8 @@ static bool
qemuDomainDiskHasEncryptionSecret(virStorageSource *src)
{
if (!virStorageSourceIsEmpty(src) && src->encryption &&
- src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS &&
+ (src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS ||
+ src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2)
&&
src->encryption->nsecrets > 0)
return true;
--
2.25.1
2:31 a.m.
New subject: [PATCH v3 3/5] conf: add luks2 encryption format
On Wed, Oct 06, 2021 at 05:18:44 -0500, Or Ozeri wrote:
This commit extends libvirt XML configuration to support luks2
encryption format.
This means that <encryption format="luks2"> becomes valid.
Actual handler (other than returning "not supported") for this new format will
be added in an upcoming commit.
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
docs/formatstorageencryption.html.in | 2 +-
docs/schemas/storagecommon.rng | 1 +
src/conf/storage_encryption_conf.c | 2 +-
src/conf/storage_encryption_conf.h | 1 +
src/qemu/qemu_block.c | 1 +
src/qemu/qemu_domain.c | 3 ++-
6 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
index 7215c307d7..b2631ab25d 100644
--- a/docs/formatstorageencryption.html.in
+++ b/docs/formatstorageencryption.html.in
@@ -18,7 +18,7 @@
is <code>encryption</code>, with a mandatory
attribute <code>format</code>. Currently defined values
of <code>format</code> are <code>default</code>,
<code>qcow</code>,
- and <code>luks</code>.
+ <code>luks</code>, and <code>luks2</code>.
Each value of <code>format</code> implies some expectations about the
content of the <code>encryption</code> tag. Other format values may
be
defined in the future.
Note that this section you've added 'luks2' into is then followed by
sections on each encryption format.
E.g. direct link to the 'luks' section
https://www.libvirt.org/formatstorageencryption.html#StorageEncryptionLuks
You should add a similar section for luks2 outling that it's currently
supported only with librbd2 direct acess and not qcow2 images and
neither the storage driver so that it's clear.
The rest of the patch looks good.
3:04 a.m.
New subject: [PATCH v3 3/5] conf: add luks2 encryption format
On Wed, Oct 06, 2021 at 05:18:44 -0500, Or Ozeri wrote:
This commit extends libvirt XML configuration to support luks2
encryption format.
This means that <encryption format="luks2"> becomes valid.
Actual handler (other than returning "not supported") for this new format will
be added in an upcoming commit.
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
docs/formatstorageencryption.html.in | 2 +-
docs/schemas/storagecommon.rng | 1 +
src/conf/storage_encryption_conf.c | 2 +-
src/conf/storage_encryption_conf.h | 1 +
src/qemu/qemu_block.c | 1 +
src/qemu/qemu_domain.c | 3 ++-
6 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
[...]
index 393d3f44d7..31b6b3566b 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -1328,6 +1328,7 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
break;
case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
default:
virReportEnumRangeError(virStorageEncryptionFormatType,
One more thing. We definitely want code in qemu_validate.c rejecting
LUKS2 as encryption format for qcow2 and all others that don't support
it.
Doing it here is too late as this code is called only when starting the
VM, but not when the XML is defined.
5:18 a.m.
New subject: [PATCH v3 4/5] conf: add encryption engine property
This commit extends libvirt XML configuration to support a custom encryption engine.
This means that <encryption format="luks" engine="qemu">
becomes valid.
The only engine for now is qemu. However, a new engine (librbd) will be added in an
upcoming commit.
If no engine is specified, qemu will be used (assuming qemu driver is used).
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
docs/formatstorageencryption.html.in | 6 +
docs/schemas/domainbackup.rng | 7 +
docs/schemas/storagecommon.rng | 7 +
src/conf/storage_encryption_conf.c | 31 +++-
src/conf/storage_encryption_conf.h | 9 +
src/qemu/qemu_block.c | 2 +
src/qemu/qemu_domain.c | 8 +
tests/qemustatusxml2xmldata/upgrade-out.xml | 6 +-
tests/qemuxml2xmloutdata/disk-nvme.xml | 65 ++++++-
.../disk-slices.x86_64-latest.xml | 4 +-
.../encrypted-disk-usage.xml | 38 ++++-
tests/qemuxml2xmloutdata/encrypted-disk.xml | 2 +-
.../luks-disks-source-qcow2.x86_64-latest.xml | 14 +-
.../qemuxml2xmloutdata/luks-disks-source.xml | 10 +-
tests/qemuxml2xmloutdata/luks-disks.xml | 47 +++++-
tests/qemuxml2xmloutdata/user-aliases.xml | 159 +++++++++++++++++-
16 files changed, 392 insertions(+), 23 deletions(-)
mode change 120000 => 100644 tests/qemuxml2xmloutdata/disk-nvme.xml
mode change 120000 => 100644 tests/qemuxml2xmloutdata/encrypted-disk-usage.xml
mode change 120000 => 100644 tests/qemuxml2xmloutdata/luks-disks.xml
mode change 120000 => 100644 tests/qemuxml2xmloutdata/user-aliases.xml
diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
index b2631ab25d..5783381a4a 100644
--- a/docs/formatstorageencryption.html.in
+++ b/docs/formatstorageencryption.html.in
@@ -23,6 +23,12 @@
content of the <code>encryption</code> tag. Other format values may
be
defined in the future.
</p>
+ <p>
+ The <code>encryption</code> tag supports an optional
<code>engine</code>
+ tag, which allows selecting which component actually handles
+ the encryption. Currently defined values of <code>engine</code> are
+ <code>qemu</code>.
+ </p>
<p>
The <code>encryption</code> tag can currently contain a sequence of
<code>secret</code> tags, each with mandatory attributes
<code>type</code>
diff --git a/docs/schemas/domainbackup.rng b/docs/schemas/domainbackup.rng
index c03455a5a7..05cc28ab00 100644
--- a/docs/schemas/domainbackup.rng
+++ b/docs/schemas/domainbackup.rng
@@ -14,6 +14,13 @@
<value>luks</value>
</choice>
</attribute>
+ <optional>
+ <attribute name="engine">
+ <choice>
+ <value>qemu</value>
+ </choice>
+ </attribute>
+ </optional>
<interleave>
<ref name="secret"/>
<optional>
diff --git a/docs/schemas/storagecommon.rng b/docs/schemas/storagecommon.rng
index 7d1d066289..b34577c582 100644
--- a/docs/schemas/storagecommon.rng
+++ b/docs/schemas/storagecommon.rng
@@ -16,6 +16,13 @@
<value>luks2</value>
</choice>
</attribute>
+ <optional>
+ <attribute name="engine">
+ <choice>
+ <value>qemu</value>
+ </choice>
+ </attribute>
+ </optional>
<interleave>
<ref name="secret"/>
<optional>
diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
index 2df4ec96af..e8da02b605 100644
--- a/src/conf/storage_encryption_conf.c
+++ b/src/conf/storage_encryption_conf.c
@@ -47,6 +47,11 @@ VIR_ENUM_IMPL(virStorageEncryptionFormat,
"default", "qcow", "luks",
"luks2",
);
+VIR_ENUM_IMPL(virStorageEncryptionEngine,
+ VIR_STORAGE_ENCRYPTION_ENGINE_LAST,
+ "default", "qemu",
+);
+
static void
virStorageEncryptionInfoDefClear(virStorageEncryptionInfoDef *def)
{
@@ -120,6 +125,7 @@ virStorageEncryptionCopy(const virStorageEncryption *src)
ret->secrets = g_new0(virStorageEncryptionSecret *, src->nsecrets);
ret->nsecrets = src->nsecrets;
ret->format = src->format;
+ ret->engine = src->engine;
for (i = 0; i < src->nsecrets; i++) {
if (!(ret->secrets[i] = virStorageEncryptionSecretCopy(src->secrets[i])))
@@ -217,6 +223,7 @@ virStorageEncryptionParseNode(xmlNodePtr node,
xmlNodePtr *nodes = NULL;
virStorageEncryption *encdef = NULL;
virStorageEncryption *ret = NULL;
+ g_autofree char *engine_str = NULL;
g_autofree char *format_str = NULL;
int n;
size_t i;
@@ -239,6 +246,16 @@ virStorageEncryptionParseNode(xmlNodePtr node,
goto cleanup;
}
+ if ((engine_str = virXPathString("string(./@engine)", ctxt))) {
+ if ((encdef->engine =
+ virStorageEncryptionEngineTypeFromString(engine_str)) < 0) {
+ virReportError(VIR_ERR_XML_ERROR,
+ _("unknown volume encryption engine type %s"),
+ engine_str);
+ goto cleanup;
+ }
+ }
+
if ((n = virXPathNodeSet("./secret", ctxt, &nodes)) < 0)
goto cleanup;
@@ -327,6 +344,7 @@ int
virStorageEncryptionFormat(virBuffer *buf,
virStorageEncryption *enc)
{
+ const char *engine;
const char *format;
size_t i;
@@ -335,7 +353,18 @@ virStorageEncryptionFormat(virBuffer *buf,
"%s", _("unexpected encryption format"));
return -1;
}
- virBufferAsprintf(buf, "<encryption format='%s'>\n",
format);
+ if (enc->engine == VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT) {
+ virBufferAsprintf(buf, "<encryption format='%s'>\n",
format);
+ } else {
+ if (!(engine = virStorageEncryptionEngineTypeToString(enc->engine))) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ "%s", _("unexpected encryption engine"));
+ return -1;
+ }
+ virBufferAsprintf(buf, "<encryption format='%s'
engine='%s'>\n",
+ format, engine);
+ }
+
virBufferAdjustIndent(buf, 2);
for (i = 0; i < enc->nsecrets; i++) {
diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h
index 32e3a1243a..c722f832f5 100644
--- a/src/conf/storage_encryption_conf.h
+++ b/src/conf/storage_encryption_conf.h
@@ -51,6 +51,14 @@ struct _virStorageEncryptionInfoDef {
char *ivgen_hash;
};
+typedef enum {
+ VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT = 0,
+ VIR_STORAGE_ENCRYPTION_ENGINE_QEMU,
+
+ VIR_STORAGE_ENCRYPTION_ENGINE_LAST,
+} virStorageEncryptionEngineType;
+VIR_ENUM_DECL(virStorageEncryptionEngine);
+
typedef enum {
/* "default" is only valid for volume creation */
VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT = 0,
@@ -64,6 +72,7 @@ VIR_ENUM_DECL(virStorageEncryptionFormat);
typedef struct _virStorageEncryption virStorageEncryption;
struct _virStorageEncryption {
+ int engine; /* virStorageEncryptionEngineType */
int format; /* virStorageEncryptionFormatType */
int payload_offset;
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index 31b6b3566b..a43831ce18 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -1314,6 +1314,7 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
*encprops = NULL;
if (!src->encryption ||
+ src->encryption->engine != VIR_STORAGE_ENCRYPTION_ENGINE_QEMU ||
!srcpriv ||
!srcpriv->encinfo)
return 0;
@@ -1449,6 +1450,7 @@ qemuBlockStorageSourceGetBlockdevFormatProps(virStorageSource *src)
* put a raw layer on top */
case VIR_STORAGE_FILE_RAW:
if (src->encryption &&
+ src->encryption->engine == VIR_STORAGE_ENCRYPTION_ENGINE_QEMU
&&
src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) {
if (qemuBlockStorageSourceGetFormatLUKSProps(src, props) < 0)
return NULL;
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index cd65e8b365..21099d7635 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -5264,6 +5264,8 @@ int
qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *disk,
unsigned int parseFlags)
{
+ virStorageSource *n;
+
/* set default disk types and drivers */
if (!virDomainDiskGetDriver(disk))
virDomainDiskSetDriver(disk, "qemu");
@@ -5278,6 +5280,12 @@ qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *disk,
disk->mirror->format == VIR_STORAGE_FILE_NONE)
disk->mirror->format = VIR_STORAGE_FILE_RAW;
+ /* default disk encryption engine */
+ for (n = disk->src; virStorageSourceIsBacking(n); n = n->backingStore) {
+ if (n->encryption && n->encryption->engine ==
VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT)
+ n->encryption->engine = VIR_STORAGE_ENCRYPTION_ENGINE_QEMU;
+ }
+
if (qemuDomainDeviceDiskDefPostParseRestoreSecAlias(disk, parseFlags) < 0)
return -1;
diff --git a/tests/qemustatusxml2xmldata/upgrade-out.xml
b/tests/qemustatusxml2xmldata/upgrade-out.xml
index f9476731f6..5218092cb9 100644
--- a/tests/qemustatusxml2xmldata/upgrade-out.xml
+++ b/tests/qemustatusxml2xmldata/upgrade-out.xml
@@ -316,7 +316,7 @@
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/var/lib/libvirt/images/b.qcow2'>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
</encryption>
<privateData>
@@ -333,7 +333,7 @@
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/var/lib/libvirt/images/c.qcow2'>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
</encryption>
<privateData>
@@ -354,7 +354,7 @@
<auth username='testuser-iscsi'>
<secret type='iscsi' usage='testuser-iscsi-secret'/>
</auth>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
</encryption>
<privateData>
diff --git a/tests/qemuxml2xmloutdata/disk-nvme.xml
b/tests/qemuxml2xmloutdata/disk-nvme.xml
deleted file mode 120000
index ea9eb267ac..0000000000
--- a/tests/qemuxml2xmloutdata/disk-nvme.xml
+++ /dev/null
@@ -1 +0,0 @@
-../qemuxml2argvdata/disk-nvme.xml
\ No newline at end of file
diff --git a/tests/qemuxml2xmloutdata/disk-nvme.xml
b/tests/qemuxml2xmloutdata/disk-nvme.xml
new file mode 100644
index 0000000000..9a5fafce7d
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/disk-nvme.xml
@@ -0,0 +1,64 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-i386</emulator>
+ <disk type='nvme' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source type='pci' managed='yes' namespace='1'>
+ <address domain='0x0000' bus='0x01' slot='0x00'
function='0x0'/>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x04' function='0x0'/>
+ </disk>
+ <disk type='nvme' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source type='pci' managed='yes' namespace='2'>
+ <address domain='0x0000' bus='0x01' slot='0x00'
function='0x0'/>
+ </source>
+ <target dev='vdb' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x05' function='0x0'/>
+ </disk>
+ <disk type='nvme' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source type='pci' managed='no' namespace='1'>
+ <address domain='0x0000' bus='0x02' slot='0x00'
function='0x0'/>
+ </source>
+ <target dev='vdc' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x06' function='0x0'/>
+ </disk>
+ <disk type='nvme' device='disk'>
+ <driver name='qemu' type='qcow2' cache='none'/>
+ <source type='pci' managed='no' namespace='2'>
+ <address domain='0x0001' bus='0x02' slot='0x00'
function='0x0'/>
+ <encryption format='luks' engine='qemu'>
+ <secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+ </encryption>
+ </source>
+ <target dev='vdd' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x07' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <controller type='scsi' index='0' model='virtio-scsi'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>
+ </controller>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <audio id='1' type='none'/>
+ <memballoon model='none'/>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml
b/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml
index be5cd25084..a058cbad61 100644
--- a/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/disk-slices.x86_64-latest.xml
@@ -49,7 +49,7 @@
<slices>
<slice type='storage' offset='1234' size='321'/>
</slices>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
</encryption>
</source>
@@ -75,7 +75,7 @@
<slices>
<slice type='storage' offset='1234' size='321'/>
</slices>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
</encryption>
</source>
diff --git a/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml
b/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml
deleted file mode 120000
index a1a4f841e9..0000000000
--- a/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml
+++ /dev/null
@@ -1 +0,0 @@
-../qemuxml2argvdata/encrypted-disk-usage.xml
\ No newline at end of file
diff --git a/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml
b/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml
new file mode 100644
index 0000000000..d2b87b94b6
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml
@@ -0,0 +1,37 @@
+<domain type='qemu'>
+ <name>encryptdisk</name>
+ <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid>
+ <memory unit='KiB'>1048576</memory>
+ <currentMemory unit='KiB'>524288</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-i386</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='qcow2'/>
+ <source file='/storage/guest_disks/encryptdisk'/>
+ <target dev='vda' bus='virtio'/>
+ <encryption format='luks' engine='qemu'>
+ <secret type='passphrase'
usage='/storage/guest_disks/encryptdisk'/>
+ </encryption>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x04' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <audio id='1' type='none'/>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2xmloutdata/encrypted-disk.xml
b/tests/qemuxml2xmloutdata/encrypted-disk.xml
index 06f2c5b47c..e30c8a36e8 100644
--- a/tests/qemuxml2xmloutdata/encrypted-disk.xml
+++ b/tests/qemuxml2xmloutdata/encrypted-disk.xml
@@ -18,7 +18,7 @@
<driver name='qemu' type='qcow2'/>
<source file='/storage/guest_disks/encryptdisk'/>
<target dev='vda' bus='virtio'/>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
</encryption>
<address type='pci' domain='0x0000' bus='0x00'
slot='0x04' function='0x0'/>
diff --git a/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml
b/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml
index 5f600f5ba7..7f98dd597e 100644
--- a/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml
+++ b/tests/qemuxml2xmloutdata/luks-disks-source-qcow2.x86_64-latest.xml
@@ -20,7 +20,7 @@
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/storage/guest_disks/encryptdisk'>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
</encryption>
</source>
@@ -30,7 +30,7 @@
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/storage/guest_disks/encryptdisk2'>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
usage='/storage/guest_disks/encryptdisk2'/>
</encryption>
</source>
@@ -44,7 +44,7 @@
<auth username='myname'>
<secret type='iscsi'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80e80'/>
</auth>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f77'/>
</encryption>
</source>
@@ -54,7 +54,7 @@
<disk type='volume' device='disk'>
<driver name='qemu' type='qcow2'/>
<source pool='pool-iscsi' volume='unit:0:0:3'
mode='direct'>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f80'/>
</encryption>
</source>
@@ -67,7 +67,7 @@
<host name='mon1.example.org' port='6321'/>
<host name='mon2.example.org' port='6322'/>
<host name='mon3.example.org' port='6322'/>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
</encryption>
</source>
@@ -77,14 +77,14 @@
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/storage/guest_disks/encryptdisk5'>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
</encryption>
</source>
<backingStore type='file'>
<format type='qcow2'/>
<source file='/storage/guest_disks/base.qcow2'>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
</encryption>
</source>
diff --git a/tests/qemuxml2xmloutdata/luks-disks-source.xml
b/tests/qemuxml2xmloutdata/luks-disks-source.xml
index 5333d4ac6e..891b5d9d17 100644
--- a/tests/qemuxml2xmloutdata/luks-disks-source.xml
+++ b/tests/qemuxml2xmloutdata/luks-disks-source.xml
@@ -17,7 +17,7 @@
<disk type='file' device='disk'>
<driver name='qemu' type='raw'/>
<source file='/storage/guest_disks/encryptdisk'>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
</encryption>
</source>
@@ -27,7 +27,7 @@
<disk type='file' device='disk'>
<driver name='qemu' type='raw'/>
<source file='/storage/guest_disks/encryptdisk2'>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
usage='/storage/guest_disks/encryptdisk2'/>
</encryption>
</source>
@@ -41,7 +41,7 @@
<auth username='myname'>
<secret type='iscsi'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80e80'/>
</auth>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f77'/>
</encryption>
</source>
@@ -51,7 +51,7 @@
<disk type='volume' device='disk'>
<driver name='qemu' type='raw'/>
<source pool='pool-iscsi' volume='unit:0:0:3'
mode='direct'>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f80'/>
</encryption>
</source>
@@ -64,7 +64,7 @@
<host name='mon1.example.org' port='6321'/>
<host name='mon2.example.org' port='6322'/>
<host name='mon3.example.org' port='6322'/>
- <encryption format='luks'>
+ <encryption format='luks' engine='qemu'>
<secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
</encryption>
</source>
diff --git a/tests/qemuxml2xmloutdata/luks-disks.xml
b/tests/qemuxml2xmloutdata/luks-disks.xml
deleted file mode 120000
index d65e470c32..0000000000
--- a/tests/qemuxml2xmloutdata/luks-disks.xml
+++ /dev/null
@@ -1 +0,0 @@
-../qemuxml2argvdata/luks-disks.xml
\ No newline at end of file
diff --git a/tests/qemuxml2xmloutdata/luks-disks.xml
b/tests/qemuxml2xmloutdata/luks-disks.xml
new file mode 100644
index 0000000000..1c76f0dc26
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/luks-disks.xml
@@ -0,0 +1,46 @@
+<domain type='qemu'>
+ <name>encryptdisk</name>
+ <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid>
+ <memory unit='KiB'>1048576</memory>
+ <currentMemory unit='KiB'>524288</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source file='/storage/guest_disks/encryptdisk'/>
+ <target dev='vda' bus='virtio'/>
+ <encryption format='luks' engine='qemu'>
+ <secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+ </encryption>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x04' function='0x0'/>
+ </disk>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source file='/storage/guest_disks/encryptdisk2'/>
+ <target dev='vdb' bus='virtio'/>
+ <encryption format='luks' engine='qemu'>
+ <secret type='passphrase'
usage='/storage/guest_disks/encryptdisk2'/>
+ </encryption>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x05' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <audio id='1' type='none'/>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2xmloutdata/user-aliases.xml
b/tests/qemuxml2xmloutdata/user-aliases.xml
deleted file mode 120000
index b5a27f08cd..0000000000
--- a/tests/qemuxml2xmloutdata/user-aliases.xml
+++ /dev/null
@@ -1 +0,0 @@
-../qemuxml2argvdata/user-aliases.xml
\ No newline at end of file
diff --git a/tests/qemuxml2xmloutdata/user-aliases.xml
b/tests/qemuxml2xmloutdata/user-aliases.xml
new file mode 100644
index 0000000000..10b7749521
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/user-aliases.xml
@@ -0,0 +1,158 @@
+<domain type='kvm'>
+ <name>gentoo</name>
+ <uuid>a75aca4b-a02f-2bcb-4a91-c93cd848c34b</uuid>
+ <memory unit='KiB'>4194304</memory>
+ <currentMemory unit='KiB'>4194304</currentMemory>
+ <memoryBacking>
+ <hugepages>
+ <page size='1048576' unit='KiB' nodeset='0-3'/>
+ </hugepages>
+ </memoryBacking>
+ <vcpu placement='static'>4</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-i440fx-1.4'>hvm</type>
+ <boot dev='hd'/>
+ <boot dev='cdrom'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ <pae/>
+ </features>
+ <cpu>
+ <numa>
+ <cell id='0' cpus='0' memory='1048576'
unit='KiB'/>
+ <cell id='1' cpus='1' memory='1048576'
unit='KiB'/>
+ <cell id='2' cpus='2' memory='1048576'
unit='KiB'/>
+ <cell id='3' cpus='3' memory='1048576'
unit='KiB'/>
+ </numa>
+ </cpu>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>restart</on_crash>
+ <pm>
+ <suspend-to-mem enabled='yes'/>
+ <suspend-to-disk enabled='yes'/>
+ </pm>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='file' device='floppy'>
+ <driver name='qemu' type='raw' cache='none'/>
+ <source file='/var/lib/libvirt/images/fd.img'/>
+ <target dev='fda' bus='fdc'/>
+ <alias name='ua-myDisk1'/>
+ <address type='drive' controller='0' bus='0'
target='0' unit='0'/>
+ </disk>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='qcow2'/>
+ <source file='/var/lib/libvirt/images/gentoo.qcow2'/>
+ <target dev='vda' bus='virtio'/>
+ <alias name='ua-myDisk2'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x05' function='0x0'/>
+ </disk>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='qcow2'/>
+ <source file='/var/lib/libvirt/images/OtherDemo.img'/>
+ <target dev='vdb' bus='virtio'/>
+ <encryption format='luks' engine='qemu'>
+ <secret type='passphrase'
uuid='e78d4b51-a2af-485f-b0f5-afca709a80f4'/>
+ </encryption>
+ <alias name='ua-myEncryptedDisk1'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x07' function='0x0'/>
+ </disk>
+ <disk type='file' device='cdrom'>
+ <driver name='qemu' type='raw' cache='none'/>
+ <source file='/home/zippy/tmp/install-amd64-minimal-20140619.iso'/>
+ <target dev='hdc' bus='ide'/>
+ <readonly/>
+ <shareable/>
+ <alias name='ua-WhatAnAwesomeCDROM'/>
+ <address type='drive' controller='0' bus='1'
target='0' unit='0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <alias name='ua-SomeWeirdController'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'>
+ <alias name='ua-MyPCIRootController'/>
+ </controller>
+ <controller type='ide' index='0'>
+ <alias name='ua-DoesAnybodyStillUseIDE'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x01' function='0x1'/>
+ </controller>
+ <controller type='virtio-serial' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x08' function='0x0'/>
+ </controller>
+ <controller type='fdc' index='0'/>
+ <controller type='ccid' index='0'>
+ <alias name='ua-myCCID'/>
+ <address type='usb' bus='0' port='1'/>
+ </controller>
+ <controller type='ccid' index='1'>
+ <alias name='ua-myCCID2'/>
+ <address type='usb' bus='0' port='2'/>
+ </controller>
+ <interface type='ethernet'>
+ <mac address='52:54:00:d6:c0:0b'/>
+ <model type='virtio'/>
+ <alias name='ua-CheckoutThisNIC'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>
+ </interface>
+ <interface type='server'>
+ <mac address='52:54:00:22:c9:42'/>
+ <source address='127.0.0.1' port='1234'/>
+ <bandwidth>
+ <inbound average='1234'/>
+ <outbound average='5678'/>
+ </bandwidth>
+ <model type='rtl8139'/>
+ <alias name='ua-WeCanAlsoDoServerMode'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x09' function='0x0'/>
+ </interface>
+ <interface type='client'>
+ <mac address='52:54:00:8c:b1:f8'/>
+ <source address='127.0.0.1' port='1234'/>
+ <model type='rtl8139'/>
+ <alias name='ua-AndAlsoClientMode'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x0a' function='0x0'/>
+ </interface>
+ <smartcard mode='host'>
+ <address type='ccid' controller='0' slot='0'/>
+ </smartcard>
+ <serial type='pty'>
+ <target type='isa-serial' port='0'>
+ <model name='isa-serial'/>
+ </target>
+ </serial>
+ <serial type='pty'>
+ <target type='isa-serial' port='1'>
+ <model name='isa-serial'/>
+ </target>
+ </serial>
+ <console type='pty'>
+ <target type='serial' port='0'/>
+ </console>
+ <channel type='unix'>
+ <source mode='bind'
path='/var/lib/libvirt/qemu/channel/target/gentoo.org.qemu.guest_agent.0'/>
+ <target type='virtio' name='org.qemu.guest_agent.0'/>
+ <address type='virtio-serial' controller='0' bus='0'
port='1'/>
+ </channel>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <graphics type='vnc' port='-1' autoport='yes'>
+ <listen type='address'/>
+ </graphics>
+ <sound model='ich6'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x04' function='0x0'/>
+ </sound>
+ <audio id='1' type='none'/>
+ <video>
+ <model type='cirrus' vram='16384' heads='1'
primary='yes'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x02' function='0x0'/>
+ </video>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x06' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
--
2.25.1
2:43 a.m.
New subject: [PATCH v3 4/5] conf: add encryption engine property
On Wed, Oct 06, 2021 at 05:18:45 -0500, Or Ozeri wrote:
This commit extends libvirt XML configuration to support a custom
encryption engine.
This means that <encryption format="luks" engine="qemu">
becomes valid.
The only engine for now is qemu. However, a new engine (librbd) will be added in an
upcoming commit.
If no engine is specified, qemu will be used (assuming qemu driver is used).
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
docs/formatstorageencryption.html.in | 6 +
docs/schemas/domainbackup.rng | 7 +
docs/schemas/storagecommon.rng | 7 +
src/conf/storage_encryption_conf.c | 31 +++-
src/conf/storage_encryption_conf.h | 9 +
src/qemu/qemu_block.c | 2 +
src/qemu/qemu_domain.c | 8 +
tests/qemustatusxml2xmldata/upgrade-out.xml | 6 +-
tests/qemuxml2xmloutdata/disk-nvme.xml | 65 ++++++-
.../disk-slices.x86_64-latest.xml | 4 +-
.../encrypted-disk-usage.xml | 38 ++++-
tests/qemuxml2xmloutdata/encrypted-disk.xml | 2 +-
.../luks-disks-source-qcow2.x86_64-latest.xml | 14 +-
.../qemuxml2xmloutdata/luks-disks-source.xml | 10 +-
tests/qemuxml2xmloutdata/luks-disks.xml | 47 +++++-
tests/qemuxml2xmloutdata/user-aliases.xml | 159 +++++++++++++++++-
16 files changed, 392 insertions(+), 23 deletions(-)
mode change 120000 => 100644 tests/qemuxml2xmloutdata/disk-nvme.xml
mode change 120000 => 100644 tests/qemuxml2xmloutdata/encrypted-disk-usage.xml
mode change 120000 => 100644 tests/qemuxml2xmloutdata/luks-disks.xml
mode change 120000 => 100644 tests/qemuxml2xmloutdata/user-aliases.xml
[...]
diff --git a/src/conf/storage_encryption_conf.c
b/src/conf/storage_encryption_conf.c
index 2df4ec96af..e8da02b605 100644
--- a/src/conf/storage_encryption_conf.c
+++ b/src/conf/storage_encryption_conf.c
@@ -47,6 +47,11 @@ VIR_ENUM_IMPL(virStorageEncryptionFormat,
"default", "qcow", "luks",
"luks2",
);
+VIR_ENUM_IMPL(virStorageEncryptionEngine,
+ VIR_STORAGE_ENCRYPTION_ENGINE_LAST,
+ "default", "qemu",
+);
+
static void
virStorageEncryptionInfoDefClear(virStorageEncryptionInfoDef *def)
{
@@ -120,6 +125,7 @@ virStorageEncryptionCopy(const virStorageEncryption *src)
ret->secrets = g_new0(virStorageEncryptionSecret *, src->nsecrets);
ret->nsecrets = src->nsecrets;
ret->format = src->format;
+ ret->engine = src->engine;
for (i = 0; i < src->nsecrets; i++) {
if (!(ret->secrets[i] = virStorageEncryptionSecretCopy(src->secrets[i])))
@@ -217,6 +223,7 @@ virStorageEncryptionParseNode(xmlNodePtr node,
xmlNodePtr *nodes = NULL;
virStorageEncryption *encdef = NULL;
virStorageEncryption *ret = NULL;
+ g_autofree char *engine_str = NULL;
g_autofree char *format_str = NULL;
int n;
size_t i;
@@ -239,6 +246,16 @@ virStorageEncryptionParseNode(xmlNodePtr node,
goto cleanup;
}
+ if ((engine_str = virXPathString("string(./@engine)", ctxt))) {
+ if ((encdef->engine =
+ virStorageEncryptionEngineTypeFromString(engine_str)) < 0) {
'default' must not be an allowed value, thus <=
+ virReportError(VIR_ERR_XML_ERROR,
+ _("unknown volume encryption engine type %s"),
+ engine_str);
+ goto cleanup;
+ }
+ }
But you can replace all of above and parse this as:
if (virXMLPropEnum(node, "engine",
virStorageEncryptionEngineTypeFromString,
VIR_XML_PROP_NONZERO,
&encdef->engine) < 0)
goto cleanup;
This does the proper type check and everything internally and doesn't
require temp variables. Additionally it allows you to declare 'engine'
as the correct enum type [1].
+
if ((n = virXPathNodeSet("./secret", ctxt, &nodes)) < 0)
goto cleanup;
[...]
diff --git a/src/conf/storage_encryption_conf.h
b/src/conf/storage_encryption_conf.h
index 32e3a1243a..c722f832f5 100644
--- a/src/conf/storage_encryption_conf.h
+++ b/src/conf/storage_encryption_conf.h
[...]
@@ -64,6 +72,7 @@ VIR_ENUM_DECL(virStorageEncryptionFormat);
typedef struct _virStorageEncryption virStorageEncryption;
struct _virStorageEncryption {
+ int engine; /* virStorageEncryptionEngineType */
[1]
Declare this as:
virStorageEncryptionEngine engine;
rather than using integer.
int format; /* virStorageEncryptionFormatType */
int payload_offset;
[...]
diff --git a/tests/qemuxml2xmloutdata/disk-nvme.xml
b/tests/qemuxml2xmloutdata/disk-nvme.xml
deleted file mode 120000
index ea9eb267ac..0000000000
--- a/tests/qemuxml2xmloutdata/disk-nvme.xml
+++ /dev/null
@@ -1 +0,0 @@
-../qemuxml2argvdata/disk-nvme.xml
Files that were originally symlinks ...
\ No newline at end of file
diff --git a/tests/qemuxml2xmloutdata/disk-nvme.xml
b/tests/qemuxml2xmloutdata/disk-nvme.xml
new file mode 100644
index 0000000000..9a5fafce7d
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/disk-nvme.xml
... must not be expanded to full files. That is a drawback of using sed
-i to do the conversion.
@@ -0,0 +1,64 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
index be5cd25084..a058cbad61 100644
[..]
diff --git a/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml
b/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml
deleted file mode 120000
index a1a4f841e9..0000000000
--- a/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml
+++ /dev/null
@@ -1 +0,0 @@
-../qemuxml2argvdata/encrypted-disk-usage.xml
symlink ...
\ No newline at end of file
diff --git a/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml
b/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml
new file mode 100644
index 0000000000..d2b87b94b6
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/encrypted-disk-usage.xml
@@ -0,0 +1,37 @@
+<domain type='qemu'>
+ <name>encryptdisk</name>
[...]
diff --git a/tests/qemuxml2xmloutdata/luks-disks.xml
b/tests/qemuxml2xmloutdata/luks-disks.xml
deleted file mode 120000
index d65e470c32..0000000000
--- a/tests/qemuxml2xmloutdata/luks-disks.xml
+++ /dev/null
@@ -1 +0,0 @@
-../qemuxml2argvdata/luks-disks.xml
\ No newline at end of file
symlink
diff --git a/tests/qemuxml2xmloutdata/luks-disks.xml
b/tests/qemuxml2xmloutdata/luks-disks.xml
new file mode 100644
index 0000000000..1c76f0dc26
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/luks-disks.xml
@@ -0,0 +1,46 @@
+<domain type='qemu'>
+ <name>encryptdisk</name>
+ <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid>
[...]
diff --git a/tests/qemuxml2xmloutdata/user-aliases.xml
b/tests/qemuxml2xmloutdata/user-aliases.xml
deleted file mode 120000
index b5a27f08cd..0000000000
--- a/tests/qemuxml2xmloutdata/user-aliases.xml
+++ /dev/null
@@ -1 +0,0 @@
-../qemuxml2argvdata/user-aliases.xml
symlink
\ No newline at end of file
diff --git a/tests/qemuxml2xmloutdata/user-aliases.xml
b/tests/qemuxml2xmloutdata/user-aliases.xml
new file mode 100644
index 0000000000..10b7749521
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/user-aliases.xml
@@ -0,0 +1,158 @@
+<domain type='kvm'>
+ <name>gentoo</name>
+ <uuid>a75aca4b-a02f-2bcb-4a91-c93cd848c34b</uuid>
+ <memory unit='KiB'>4194304</memory>
7:26 a.m.
New subject: [PATCH v3 4/5] conf: add encryption engine property
On Thu, Oct 07, 2021 at 11:31:42 +0000, Or Ozeri wrote:
-----"Peter Krempa" <[1]pkrempa(a)redhat.com> wrote:
-----
>> diff --git a/tests/qemuxml2xmloutdata/disk-nvme.xml
>b/tests/qemuxml2xmloutdata/disk-nvme.xml
>> deleted file mode 120000
>> index ea9eb267ac..0000000000
>> --- a/tests/qemuxml2xmloutdata/disk-nvme.xml
>> +++ /dev/null
>> @@ -1 +0,0 @@
>> -../qemuxml2argvdata/disk-nvme.xml
>
>Files that were originally symlinks ...
>
>> \ No newline at end of file
>> diff --git a/tests/qemuxml2xmloutdata/disk-nvme.xml
>b/tests/qemuxml2xmloutdata/disk-nvme.xml
>> new file mode 100644
>> index 0000000000..9a5fafce7d
>> --- /dev/null
>> +++ b/tests/qemuxml2xmloutdata/disk-nvme.xml
>
>... must not be expanded to full files. That is a drawback of using
>sed
>-i to do the conversion.
Should I create a new file
e.g. tests/qemuxml2xmloutdata/disk-nvme-content.xml
and point the disk-nvme.xml symlink to it?
No just keep symlinks as symlinks. You are not changing anything that
would warant a change to full output file. Namely if the output file is
a symlink to the input file, then the change to the input file should be
sufficient as the output file is the same one.
7:56 a.m.
New subject: [PATCH v3 4/5] conf: add encryption engine property
On Thu, Oct 07, 2021 at 12:41:52 +0000, Or Ozeri wrote:
But that means changing the input file from using the default
engine, to
using "qemu" explicitly.
I was thinking that keeping the input xml unchanged gets a stronger test,
since it also checks that default uses qemu.
I think there's plenty of those. You are also adding one yourself in the
last patch.
Also since most users will still not use the new engine property,
so
keeping the input xml unchanged also tests the more common workload.
That's happening in some of the other tests. There's no need to change
it everywhere.
For the two files which use symlinks just keep them as they are.
3:07 a.m.
New subject: [PATCH v3 4/5] conf: add encryption engine property
On Wed, Oct 06, 2021 at 05:18:45 -0500, Or Ozeri wrote:
This commit extends libvirt XML configuration to support a custom
encryption engine.
This means that <encryption format="luks" engine="qemu">
becomes valid.
The only engine for now is qemu. However, a new engine (librbd) will be added in an
upcoming commit.
If no engine is specified, qemu will be used (assuming qemu driver is used).
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
[...]
Same note as with previous patch. this will need code in qemu_validate.c
rejecting non-qemu backend for stuff which doesn't support it.
Use a switch statement, with a correct type so that the complier forces
any new additions to the enum to be included in the validation code.
5:18 a.m.
New subject: [PATCH v3 5/5] qemu: add librbd encryption engine
rbd encryption is new in qemu 6.1.0.
This commit adds a new encryption engine property which
allows the user to use this new encryption engine.
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
docs/formatstorageencryption.html.in | 2 +-
docs/schemas/storagecommon.rng | 1 +
src/conf/storage_encryption_conf.c | 2 +-
src/conf/storage_encryption_conf.h | 1 +
src/qemu/qemu_block.c | 30 +++++++
src/qemu/qemu_domain.c | 24 ++++++
...sk-network-rbd-encryption.x86_64-6.0.0.err | 1 +
...-network-rbd-encryption.x86_64-latest.args | 49 +++++++++++
.../disk-network-rbd-encryption.xml | 75 +++++++++++++++++
tests/qemuxml2argvtest.c | 2 +
...k-network-rbd-encryption.x86_64-latest.xml | 83 +++++++++++++++++++
tests/qemuxml2xmltest.c | 1 +
12 files changed, 269 insertions(+), 2 deletions(-)
create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err
create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.xml
create mode 100644
tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml
diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
index 5783381a4a..31ec2698a1 100644
--- a/docs/formatstorageencryption.html.in
+++ b/docs/formatstorageencryption.html.in
@@ -27,7 +27,7 @@
The <code>encryption</code> tag supports an optional
<code>engine</code>
tag, which allows selecting which component actually handles
the encryption. Currently defined values of <code>engine</code> are
- <code>qemu</code>.
+ <code>qemu</code> and <code>librbd</code>.
</p>
<p>
The <code>encryption</code> tag can currently contain a sequence of
diff --git a/docs/schemas/storagecommon.rng b/docs/schemas/storagecommon.rng
index b34577c582..591a158209 100644
--- a/docs/schemas/storagecommon.rng
+++ b/docs/schemas/storagecommon.rng
@@ -20,6 +20,7 @@
<attribute name="engine">
<choice>
<value>qemu</value>
+ <value>librbd</value>
</choice>
</attribute>
</optional>
diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
index e8da02b605..2639b43119 100644
--- a/src/conf/storage_encryption_conf.c
+++ b/src/conf/storage_encryption_conf.c
@@ -49,7 +49,7 @@ VIR_ENUM_IMPL(virStorageEncryptionFormat,
VIR_ENUM_IMPL(virStorageEncryptionEngine,
VIR_STORAGE_ENCRYPTION_ENGINE_LAST,
- "default", "qemu",
+ "default", "qemu", "librbd",
);
static void
diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h
index c722f832f5..2e6f9193bd 100644
--- a/src/conf/storage_encryption_conf.h
+++ b/src/conf/storage_encryption_conf.h
@@ -54,6 +54,7 @@ struct _virStorageEncryptionInfoDef {
typedef enum {
VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT = 0,
VIR_STORAGE_ENCRYPTION_ENGINE_QEMU,
+ VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD,
VIR_STORAGE_ENCRYPTION_ENGINE_LAST,
} virStorageEncryptionEngineType;
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index a43831ce18..62c40d39d1 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -875,6 +875,8 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src,
qemuDomainStorageSourcePrivate *srcPriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(src);
g_autoptr(virJSONValue) servers = NULL;
virJSONValue *ret = NULL;
+ g_autoptr(virJSONValue) encrypt = NULL;
+ const char *encformat;
const char *username = NULL;
g_autoptr(virJSONValue) authmodes = NULL;
g_autoptr(virJSONValue) mode = NULL;
@@ -899,12 +901,40 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src,
return NULL;
}
+ if (src->encryption &&
+ src->encryption->engine == VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD) {
+ switch ((virStorageEncryptionFormatType) src->encryption->format) {
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
+ encformat = "luks";
+ break;
+
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
+ encformat = "luks2";
+ break;
+
+ case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
+ default:
+ virReportEnumRangeError(virStorageEncryptionFormatType,
+ src->encryption->format);
+ return NULL;
+ }
+
+ if (virJSONValueObjectCreate(&encrypt,
+ "s:format", encformat,
+ "s:key-secret",
srcPriv->encinfo->alias,
+ NULL) < 0)
+ return NULL;
+ }
+
if (virJSONValueObjectCreate(&ret,
"s:pool", src->volume,
"s:image", src->path,
"S:snapshot", src->snapshot,
"S:conf", src->configFile,
"A:server", &servers,
+ "A:encrypt", &encrypt,
"S:user", username,
"A:auth-client-required", &authmodes,
"S:key-secret", keysecret,
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 21099d7635..871a708a19 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -4812,6 +4812,30 @@ qemuDomainValidateStorageSource(virStorageSource *src,
}
}
+ if (src->encryption &&
+ src->encryption->engine == VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD) {
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_RBD_ENCRYPTION)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("librbd encryption is not supported by this QEMU
binary"));
+ return -1;
+ }
+
+ switch ((virStorageEncryptionFormatType) src->encryption->format) {
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
+ break;
+
+ case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
+ default:
+ virReportEnumRangeError(virStorageEncryptionFormatType,
+ src->encryption->format);
+ return -1;
+ }
+ }
+
+
return 0;
}
diff --git a/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err
b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err
new file mode 100644
index 0000000000..edd8481a20
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err
@@ -0,0 +1 @@
+unsupported configuration: librbd encryption is not supported by this QEMU binary
diff --git a/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args
b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args
new file mode 100644
index 0000000000..9b3e8d31b8
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args
@@ -0,0 +1,49 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-encryptdisk \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-encryptdisk/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-encryptdisk/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-encryptdisk/.config \
+/usr/bin/qemu-system-x86_64 \
+-name guest=encryptdisk,debug-threads=on \
+-S \
+-object
'{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-encryptdisk/master-key.aes"}'
\
+-machine pc-i440fx-2.1,accel=tcg,usb=off,dump-guest-core=off,memory-backend=pc.ram \
+-cpu qemu64 \
+-m 1024 \
+-object
'{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}'
\
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid 496898a6-e6ff-f7c8-5dc2-3cf410945ee9 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-no-acpi \
+-boot strict=on \
+-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
+-object
'{"qom-type":"secret","id":"libvirt-4-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}'
\
+-blockdev
'{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-4-storage","auto-read-only":true,"discard":"unmap"}'
\
+-blockdev
'{"node-name":"libvirt-4-format","read-only":false,"driver":"luks","key-secret":"libvirt-4-format-encryption-secret0","file":"libvirt-4-storage"}'
\
+-device
virtio-blk-pci,bus=pci.0,addr=0x2,drive=libvirt-4-format,id=virtio-disk0,bootindex=1 \
+-object
'{"qom-type":"secret","id":"libvirt-3-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}'
\
+-blockdev
'{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-3-storage","auto-read-only":true,"discard":"unmap"}'
\
+-blockdev
'{"node-name":"libvirt-3-format","read-only":false,"driver":"luks","key-secret":"libvirt-3-format-encryption-secret0","file":"libvirt-3-storage"}'
\
+-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=libvirt-3-format,id=virtio-disk1 \
+-object
'{"qom-type":"secret","id":"libvirt-2-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}'
\
+-blockdev
'{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks","key-secret":"libvirt-2-format-encryption-secret0"},"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}'
\
+-blockdev
'{"node-name":"libvirt-2-format","read-only":false,"driver":"raw","file":"libvirt-2-storage"}'
\
+-device virtio-blk-pci,bus=pci.0,addr=0x5,drive=libvirt-2-format,id=virtio-disk2 \
+-object
'{"qom-type":"secret","id":"libvirt-1-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}'
\
+-blockdev
'{"driver":"rbd","pool":"pool","image":"image2","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks2","key-secret":"libvirt-1-format-encryption-secret0"},"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}'
\
+-blockdev
'{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}'
\
+-device virtio-blk-pci,bus=pci.0,addr=0x6,drive=libvirt-1-format,id=virtio-disk3 \
+-audiodev id=audio1,driver=none \
+-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml
b/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml
new file mode 100644
index 0000000000..eeadbfeeba
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml
@@ -0,0 +1,75 @@
+<domain type='qemu'>
+ <name>encryptdisk</name>
+ <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid>
+ <memory unit='KiB'>1048576</memory>
+ <currentMemory unit='KiB'>524288</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='rbd' name='pool/image'>
+ <host name='mon1.example.org' port='6321'/>
+ <host name='mon2.example.org' port='6322'/>
+ <host name='mon3.example.org' port='6322'/>
+ <encryption format='luks'>
+ <secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+ </encryption>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='rbd' name='pool/image'>
+ <host name='mon1.example.org' port='6321'/>
+ <host name='mon2.example.org' port='6322'/>
+ <host name='mon3.example.org' port='6322'/>
+ <encryption format='luks' engine='qemu'>
+ <secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+ </encryption>
+ </source>
+ <target dev='vdb' bus='virtio'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='rbd' name='pool/image'>
+ <host name='mon1.example.org' port='6321'/>
+ <host name='mon2.example.org' port='6322'/>
+ <host name='mon3.example.org' port='6322'/>
+ <encryption format='luks' engine='librbd'>
+ <secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+ </encryption>
+ </source>
+ <target dev='vdc' bus='virtio'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='rbd' name='pool/image2'>
+ <host name='mon1.example.org' port='6321'/>
+ <host name='mon2.example.org' port='6322'/>
+ <host name='mon3.example.org' port='6322'/>
+ <encryption format='luks2' engine='librbd'>
+ <secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+ </encryption>
+ </source>
+ <target dev='vdd' bus='virtio'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 94aaa2f53e..b14154fd0c 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -1349,6 +1349,8 @@ mymain(void)
DO_TEST_CAPS_LATEST("disk-network-gluster");
DO_TEST_CAPS_VER("disk-network-rbd", "2.12.0");
DO_TEST_CAPS_LATEST("disk-network-rbd");
+ DO_TEST_CAPS_VER_PARSE_ERROR("disk-network-rbd-encryption",
"6.0.0");
+ DO_TEST_CAPS_LATEST("disk-network-rbd-encryption");
DO_TEST_CAPS_VER_FAILURE("disk-network-rbd-no-colon", "4.1.0");
DO_TEST_CAPS_LATEST("disk-network-rbd-no-colon");
DO_TEST_CAPS_VER("disk-network-sheepdog", "2.12.0");
diff --git a/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml
b/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml
new file mode 100644
index 0000000000..a91504202a
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml
@@ -0,0 +1,83 @@
+<domain type='qemu'>
+ <name>encryptdisk</name>
+ <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid>
+ <memory unit='KiB'>1048576</memory>
+ <currentMemory unit='KiB'>524288</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <cpu mode='custom' match='exact' check='none'>
+ <model fallback='forbid'>qemu64</model>
+ </cpu>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='rbd' name='pool/image'>
+ <host name='mon1.example.org' port='6321'/>
+ <host name='mon2.example.org' port='6322'/>
+ <host name='mon3.example.org' port='6322'/>
+ <encryption format='luks' engine='qemu'>
+ <secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+ </encryption>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x02' function='0x0'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='rbd' name='pool/image'>
+ <host name='mon1.example.org' port='6321'/>
+ <host name='mon2.example.org' port='6322'/>
+ <host name='mon3.example.org' port='6322'/>
+ <encryption format='luks' engine='qemu'>
+ <secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+ </encryption>
+ </source>
+ <target dev='vdb' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x04' function='0x0'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='rbd' name='pool/image'>
+ <host name='mon1.example.org' port='6321'/>
+ <host name='mon2.example.org' port='6322'/>
+ <host name='mon3.example.org' port='6322'/>
+ <encryption format='luks' engine='librbd'>
+ <secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+ </encryption>
+ </source>
+ <target dev='vdc' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x05' function='0x0'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='rbd' name='pool/image2'>
+ <host name='mon1.example.org' port='6321'/>
+ <host name='mon2.example.org' port='6322'/>
+ <host name='mon3.example.org' port='6322'/>
+ <encryption format='luks2' engine='librbd'>
+ <secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+ </encryption>
+ </source>
+ <target dev='vdd' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x06' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0' model='piix3-uhci'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <audio id='1' type='none'/>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 69363ef85c..290ab1bed1 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -315,6 +315,7 @@ mymain(void)
QEMU_CAPS_SCSI_BLOCK);
DO_TEST_NOCAPS("disk-network-gluster");
DO_TEST_NOCAPS("disk-network-rbd");
+ DO_TEST_CAPS_LATEST("disk-network-rbd-encryption");
DO_TEST_NOCAPS("disk-network-source-auth");
DO_TEST_NOCAPS("disk-network-sheepdog");
DO_TEST_NOCAPS("disk-network-vxhs");
--
2.25.1
3:13 a.m.
New subject: [PATCH v3 5/5] qemu: add librbd encryption engine
On Wed, Oct 06, 2021 at 05:18:46 -0500, Or Ozeri wrote:
rbd encryption is new in qemu 6.1.0.
This commit adds a new encryption engine property which
allows the user to use this new encryption engine.
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
docs/formatstorageencryption.html.in | 2 +-
docs/schemas/storagecommon.rng | 1 +
src/conf/storage_encryption_conf.c | 2 +-
src/conf/storage_encryption_conf.h | 1 +
src/qemu/qemu_block.c | 30 +++++++
src/qemu/qemu_domain.c | 24 ++++++
...sk-network-rbd-encryption.x86_64-6.0.0.err | 1 +
...-network-rbd-encryption.x86_64-latest.args | 49 +++++++++++
.../disk-network-rbd-encryption.xml | 75 +++++++++++++++++
tests/qemuxml2argvtest.c | 2 +
...k-network-rbd-encryption.x86_64-latest.xml | 83 +++++++++++++++++++
tests/qemuxml2xmltest.c | 1 +
12 files changed, 269 insertions(+), 2 deletions(-)
create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-6.0.0.err
create mode 100644
tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption.xml
create mode 100644
tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml
diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
index 5783381a4a..31ec2698a1 100644
--- a/docs/formatstorageencryption.html.in
+++ b/docs/formatstorageencryption.html.in
@@ -27,7 +27,7 @@
The <code>encryption</code> tag supports an optional
<code>engine</code>
tag, which allows selecting which component actually handles
the encryption. Currently defined values of <code>engine</code> are
- <code>qemu</code>.
+ <code>qemu</code> and <code>librbd</code>.
Some more explanation might be a good thing to avoid user confusion.
</p>
<p>
The <code>encryption</code> tag can currently contain a sequence of
[...]
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 21099d7635..871a708a19 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -4812,6 +4812,30 @@ qemuDomainValidateStorageSource(virStorageSource *src,
}
}
+ if (src->encryption &&
+ src->encryption->engine == VIR_STORAGE_ENCRYPTION_ENGINE_LIBRBD) {
[1]
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_RBD_ENCRYPTION)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("librbd encryption is not supported by this QEMU
binary"));
+ return -1;
+ }
+
+ switch ((virStorageEncryptionFormatType) src->encryption->format) {
So something like this definitely belongs in one of the previous
commits, but it must also care about the 'qemu' encryption driver and
the corresponding protocols and formats where it supported.
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
+ break;
+
+ case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
+ default:
+ virReportEnumRangeError(virStorageEncryptionFormatType,
+ src->encryption->format);
+ return -1;
+ }
+ }
[...]
The rest looks good. Good test coverage!
1217
days inactive
1218
days old
16 comments
3 participants
participants (3)
-
Or Ozeri -
Or Ozeri
-
Peter Krempa