6:59 a.m.
Starting from Ceph 0f93f745 (unreleased 18.0.0) and qemu b8f218ef (unreleased 8.0.0),
qemu and librbd users can use a wildcard format ("luks-any" in qemu,
"luks" in librbd).
This format can be used to parse the image as either LUKS or LUKS2, auto-detecting
the actual format from the on-disk header.
This patch series enables libvirt users to use this wildcard format as well
(for RBD images only, of course).
I manually patched the qemu 8.0.0 replies file to reflect relevant qemu support,
to allow my tests to run.
Note that any build qemu will not support this feature, unless compiled
while having a librbd that has this feature bundled.
Or Ozeri (3):
tests: qemucapabilitiesdata: Add luks-any encryption format
qemu: capabilities: Introduce QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY
capability
qemu: add luks-any encryption support for RBD images
docs/formatstorageencryption.rst | 9 ++++
src/conf/schemas/storagecommon.rng | 1 +
src/conf/storage_encryption_conf.c | 2 +-
src/conf/storage_encryption_conf.h | 1 +
src/libvirt_private.syms | 1 +
src/qemu/qemu_block.c | 10 ++++-
src/qemu/qemu_capabilities.c | 2 +
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_domain.c | 32 +++++++++++++-
.../caps_8.0.0.x86_64.replies | 7 +++
.../caps_8.0.0.x86_64.xml | 1 +
...k-rbd-encryption-luks-any.x86_64-7.2.0.err | 1 +
...rbd-encryption-luks-any.x86_64-latest.args | 38 ++++++++++++++++
.../disk-network-rbd-encryption-luks-any.xml | 39 ++++++++++++++++
tests/qemuxml2argvtest.c | 2 +
...-rbd-encryption-luks-any.x86_64-latest.xml | 44 +++++++++++++++++++
tests/qemuxml2xmltest.c | 1 +
17 files changed, 187 insertions(+), 5 deletions(-)
create mode 100644
tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-7.2.0.err
create mode 100644
tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.xml
create mode 100644
tests/qemuxml2xmloutdata/disk-network-rbd-encryption-luks-any.x86_64-latest.xml
--
2.25.1
6:59 a.m.
New subject: [PATCH v1 1/3] tests: qemucapabilitiesdata: Add luks-any encryption format
luks-any encryption format for RBD images was added in b8f218ef.
Signed-off-by: Or Ozeri<oro(a)il.ibm.com>
---
tests/qemucapabilitiesdata/caps_8.0.0.x86_64.replies | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/tests/qemucapabilitiesdata/caps_8.0.0.x86_64.replies
b/tests/qemucapabilitiesdata/caps_8.0.0.x86_64.replies
index a41b3e1825..ecf8852e03 100644
--- a/tests/qemucapabilitiesdata/caps_8.0.0.x86_64.replies
+++ b/tests/qemucapabilitiesdata/caps_8.0.0.x86_64.replies
@@ -17035,6 +17035,10 @@
{
"case": "luks2",
"type": "668"
+ },
+ {
+ "case": "luks-any",
+ "type": "668"
}
],
"members": [
@@ -20003,6 +20007,9 @@
},
{
"name": "luks2"
+ },
+ {
+ "name": "luks-any"
}
],
"meta-type": "enum",
--
2.25.1
4:04 a.m.
New subject: [PATCH v1 1/3] tests: qemucapabilitiesdata: Add luks-any encryption format
On Mon, Mar 06, 2023 at 06:59:34 -0600, Or Ozeri wrote:
luks-any encryption format for RBD images was added in b8f218ef.
Signed-off-by: Or Ozeri<oro(a)il.ibm.com>
---
tests/qemucapabilitiesdata/caps_8.0.0.x86_64.replies | 7 +++++++
1 file changed, 7 insertions(+)
As with the layered secret series, this patch is no longer required.
diff --git a/tests/qemucapabilitiesdata/caps_8.0.0.x86_64.replies
b/tests/qemucapabilitiesdata/caps_8.0.0.x86_64.replies
index a41b3e1825..ecf8852e03 100644
--- a/tests/qemucapabilitiesdata/caps_8.0.0.x86_64.replies
+++ b/tests/qemucapabilitiesdata/caps_8.0.0.x86_64.replies
@@ -17035,6 +17035,10 @@
{
"case": "luks2",
"type": "668"
+ },
+ {
+ "case": "luks-any",
+ "type": "668"
Note that this modification is not consistent with how the schema looks
after a real re-generation of the caps dump by a real qemu.
The 'luks-any' member has it's own type.
6:59 a.m.
New subject: [PATCH v1 2/3] qemu: capabilities: Introduce QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY capability
This capability represents that qemu supports the "luks-any" encryption
format for RBD images.
Both LUKS and LUKS2 formats can be parsed using this wildcard format.
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
src/qemu/qemu_capabilities.c | 2 ++
src/qemu/qemu_capabilities.h | 1 +
tests/qemucapabilitiesdata/caps_8.0.0.x86_64.xml | 1 +
3 files changed, 4 insertions(+)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 3cb5785baa..94df1fd8ed 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -690,6 +690,7 @@ VIR_ENUM_IMPL(virQEMUCaps,
/* 445 */
"netdev.stream.reconnect", /* QEMU_CAPS_NETDEV_STREAM_RECONNECT
*/
+ "rbd-encryption-luks-any", /* QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY
*/
);
@@ -1554,6 +1555,7 @@ static struct virQEMUCapsStringFlags virQEMUCapsQMPSchemaQueries[] =
{
{ "blockdev-add/arg-type/+nvme", QEMU_CAPS_DRIVE_NVME },
{ "blockdev-add/arg-type/+file/aio/^io_uring", QEMU_CAPS_AIO_IO_URING },
{ "blockdev-add/arg-type/+rbd/encrypt", QEMU_CAPS_RBD_ENCRYPTION },
+ { "blockdev-add/arg-type/+rbd/encrypt/format/^luks-any",
QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY },
{ "blockdev-add/arg-type/+nbd/tls-hostname",
QEMU_CAPS_BLOCKDEV_NBD_TLS_HOSTNAME },
{ "blockdev-snapshot/$allow-write-only-overlay",
QEMU_CAPS_BLOCKDEV_SNAPSHOT_ALLOW_WRITE_ONLY },
{ "chardev-add/arg-type/backend/+socket/data/reconnect",
QEMU_CAPS_CHARDEV_RECONNECT },
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index d049f79dd9..9bfa9addbc 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -669,6 +669,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for syntax-check
*/
/* 445 */
QEMU_CAPS_NETDEV_STREAM_RECONNECT, /* -netdev stream supports reconnect */
+ QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY, /* luks-any (LUKS and LUKS2) encryption format for
Ceph RBD */
QEMU_CAPS_LAST /* this must always be the last item */
} virQEMUCapsFlags;
diff --git a/tests/qemucapabilitiesdata/caps_8.0.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_8.0.0.x86_64.xml
index ce051d3f1c..3957cb0805 100644
--- a/tests/qemucapabilitiesdata/caps_8.0.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_8.0.0.x86_64.xml
@@ -206,6 +206,7 @@
<flag name='cryptodev-backend-lkcf'/>
<flag name='pvpanic-pci'/>
<flag name='netdev.stream.reconnect'/>
+ <flag name='rbd-encryption-luks-any'/>
<version>7002050</version>
<kvmVersion>0</kvmVersion>
<microcodeVersion>43100244</microcodeVersion>
--
2.25.1
4:06 a.m.
New subject: [PATCH v1 2/3] qemu: capabilities: Introduce QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY capability
On Mon, Mar 06, 2023 at 06:59:35 -0600, Or Ozeri wrote:
This capability represents that qemu supports the
"luks-any" encryption
format for RBD images.
Both LUKS and LUKS2 formats can be parsed using this wildcard format.
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
src/qemu/qemu_capabilities.c | 2 ++
src/qemu/qemu_capabilities.h | 1 +
tests/qemucapabilitiesdata/caps_8.0.0.x86_64.xml | 1 +
3 files changed, 4 insertions(+)
Next time if you have two series that depend on each other it's better
to just send them as one. I had to rebase this to fit on top of you
previous posting.
Since a v2 of the secret layering series is needed please make sure to
post this and rebase it on top as part of that series.
Reviewed-by: Peter Krempa <pkrempa(a)redhat.com>
6:51 a.m.
New subject: [PATCH v1 2/3] qemu: capabilities: Introduce QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY capability
-----Original Message-----
From: Peter Krempa <pkrempa(a)redhat.com>
Sent: Friday, 10 March 2023 12:06
To: Or Ozeri <ORO(a)il.ibm.com>
Cc: libvir-list(a)redhat.com; idryomov(a)gmail.com; Danny Harnik
<DANNYH(a)il.ibm.com>
Subject: [EXTERNAL] Re: [PATCH v1 2/3] qemu: capabilities: Introduce
QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY capability
Next time if you have two series that depend on each other it's better to just
send them as one. I had to rebase this to fit on top of you previous posting.
This patch series is actually independent of the previous one.
I did group them together to one patch in qemu for non-technical reasons.
Anyways, I don't mind grouping them here as well.
Since a v2 of the secret layering series is needed please make sure
to post
this and rebase it on top as part of that series.
Reviewed-by: Peter Krempa <pkrempa(a)redhat.com>
3:44 a.m.
New subject: [PATCH v1 2/3] qemu: capabilities: Introduce QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY capability
On Sun, Mar 12, 2023 at 11:51:44 +0000, Or Ozeri wrote:
> -----Original Message-----
> From: Peter Krempa <pkrempa(a)redhat.com>
> Sent: Friday, 10 March 2023 12:06
> To: Or Ozeri <ORO(a)il.ibm.com>
> Cc: libvir-list(a)redhat.com; idryomov(a)gmail.com; Danny Harnik
> <DANNYH(a)il.ibm.com>
> Subject: [EXTERNAL] Re: [PATCH v1 2/3] qemu: capabilities: Introduce
> QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY capability
>
> Next time if you have two series that depend on each other it's better to just
> send them as one. I had to rebase this to fit on top of you previous posting.
>
This patch series is actually independent of the previous one.
I did group them together to one patch in qemu for non-technical reasons.
Anyways, I don't mind grouping them here as well.
I didn't mean to do it in one patch, but in one series. You save
yourself rebasing it once one part of them gets pushed.
Similarly if you'd post v2 of both separately again it would mean that
either I have to rebase it once I push the other series or I have to
tell you to po st a rebased version.
This is simply to not waste time by having to rebase it.
6:59 a.m.
New subject: [PATCH v1 3/3] qemu: add luks-any encryption support for RBD images
The newly added luks-any rbd encryption format in qemu
allows for opening both LUKS and LUKS2 encryption formats.
This commit enables libvirt uses to use this wildcard format.
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
docs/formatstorageencryption.rst | 9 ++++
src/conf/schemas/storagecommon.rng | 1 +
src/conf/storage_encryption_conf.c | 2 +-
src/conf/storage_encryption_conf.h | 1 +
src/libvirt_private.syms | 1 +
src/qemu/qemu_block.c | 10 ++++-
src/qemu/qemu_domain.c | 32 +++++++++++++-
...k-rbd-encryption-luks-any.x86_64-7.2.0.err | 1 +
...rbd-encryption-luks-any.x86_64-latest.args | 38 ++++++++++++++++
.../disk-network-rbd-encryption-luks-any.xml | 39 ++++++++++++++++
tests/qemuxml2argvtest.c | 2 +
...-rbd-encryption-luks-any.x86_64-latest.xml | 44 +++++++++++++++++++
tests/qemuxml2xmltest.c | 1 +
13 files changed, 176 insertions(+), 5 deletions(-)
create mode 100644
tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-7.2.0.err
create mode 100644
tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.xml
create mode 100644
tests/qemuxml2xmloutdata/disk-network-rbd-encryption-luks-any.x86_64-latest.xml
diff --git a/docs/formatstorageencryption.rst b/docs/formatstorageencryption.rst
index 2c19473d6b..c58d088403 100644
--- a/docs/formatstorageencryption.rst
+++ b/docs/formatstorageencryption.rst
@@ -104,6 +104,15 @@ it to control such disks. However, pre-formatted RBD luks2 disks can
be loaded
to a qemu VM using the qemu VM driver. A single
``<secret type='passphrase'...>`` element is expected.
+``luks-any`` format
+~~~~~~~~~~~~~~~~~~~
+
+The ``luks-any`` format is currently supported only by the ``librbd`` engine,
+and can only be applied to RBD network disks (RBD images). This format will try
+to parse the disk as either LUKS or LUKS2, depending on the actual on-disk
+format. A single ``<secret type='passphrase'...>`` element is expected
(except
+for the case of RBD layered encryption mentioned above) :since:`Since 9.3.0` .
+
Examples
--------
diff --git a/src/conf/schemas/storagecommon.rng b/src/conf/schemas/storagecommon.rng
index 4d6e646c9a..aef1bd969c 100644
--- a/src/conf/schemas/storagecommon.rng
+++ b/src/conf/schemas/storagecommon.rng
@@ -14,6 +14,7 @@
<value>qcow</value>
<value>luks</value>
<value>luks2</value>
+ <value>luks-any</value>
</choice>
</attribute>
<optional>
diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
index 3651ff8cfd..639cbf2e58 100644
--- a/src/conf/storage_encryption_conf.c
+++ b/src/conf/storage_encryption_conf.c
@@ -41,7 +41,7 @@ VIR_ENUM_IMPL(virStorageEncryptionSecret,
VIR_ENUM_IMPL(virStorageEncryptionFormat,
VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
- "default", "qcow", "luks",
"luks2",
+ "default", "qcow", "luks", "luks2",
"luks-any",
);
VIR_ENUM_IMPL(virStorageEncryptionEngine,
diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h
index 312599ad44..03f0e60feb 100644
--- a/src/conf/storage_encryption_conf.h
+++ b/src/conf/storage_encryption_conf.h
@@ -66,6 +66,7 @@ typedef enum {
VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */
VIR_STORAGE_ENCRYPTION_FORMAT_LUKS,
VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2,
+ VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY,
VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
} virStorageEncryptionFormatType;
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index b249dcc85c..eb3ff37b81 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1095,6 +1095,7 @@ virStorageVolTypeToString;
# conf/storage_encryption_conf.h
virStorageEncryptionFormat;
+virStorageEncryptionFormatTypeToString;
virStorageEncryptionFree;
virStorageEncryptionParseNode;
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index 5e700eff99..254d82df41 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -572,6 +572,10 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src,
encformat = "luks2";
break;
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
+ encformat = "luks-any";
+ break;
+
case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
@@ -1040,8 +1044,10 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
break;
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("luks2 is currently not supported by the qemu encryption
engine"));
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("%s is currently not supported by the qemu encryption
engine"),
+
virStorageEncryptionFormatTypeToString(src->encryption->format));
return -1;
case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index f5fd140c85..94ea482363 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -5136,8 +5136,10 @@ qemuDomainValidateStorageSource(virStorageSource *src,
break;
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("luks2 is currently not supported by the
qemu encryption engine"));
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("%s is currently not supported by the qemu
encryption engine"),
+
virStorageEncryptionFormatTypeToString(src->encryption->format));
return -1;
case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
@@ -5163,6 +5165,32 @@ qemuDomainValidateStorageSource(virStorageSource *src,
_("librbd encryption is supported only with RBD
backed disks"));
return -1;
}
+
+ switch ((virStorageEncryptionFormatType) src->encryption->format)
{
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
+ break;
+
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY))
{
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("luks-any encryption is not supported
by this QEMU binary"));
+ return -1;
+ }
+ break;
+
+ case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("qcow encryption format is not supported by
the librbd encryption engine"));
+ return -1;
+
+ case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
+ default:
+ virReportEnumRangeError(virStorageEncryptionFormatType,
+ src->encryption->format);
+ return -1;
+ }
break;
case VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT:
diff --git a/tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-7.2.0.err
b/tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-7.2.0.err
new file mode 100644
index 0000000000..66b2a65ac1
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-7.2.0.err
@@ -0,0 +1 @@
+unsupported configuration: luks-any encryption is not supported by this QEMU binary
diff --git
a/tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-latest.args
b/tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-latest.args
new file mode 100644
index 0000000000..90f17eca1a
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-latest.args
@@ -0,0 +1,38 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-encryptdisk \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-encryptdisk/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-encryptdisk/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-encryptdisk/.config \
+/usr/bin/qemu-system-x86_64 \
+-name guest=encryptdisk,debug-threads=on \
+-S \
+-object
'{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-encryptdisk/master-key.aes"}'
\
+-machine pc-i440fx-2.1,usb=off,dump-guest-core=off,memory-backend=pc.ram \
+-accel tcg \
+-cpu qemu64 \
+-m 1024 \
+-object
'{"qom-type":"memory-backend-ram","id":"pc.ram","size":1073741824}'
\
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid 496898a6-e6ff-f7c8-5dc2-3cf410945ee9 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server=on,wait=off \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-no-acpi \
+-boot strict=on \
+-device
'{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}'
\
+-object
'{"qom-type":"secret","id":"libvirt-1-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}'
\
+-blockdev
'{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks-any","key-secret":"libvirt-1-format-encryption-secret0"},"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}'
\
+-blockdev
'{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}'
\
+-device
'{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x2","drive":"libvirt-1-format","id":"virtio-disk0","bootindex":1}'
\
+-audiodev
'{"id":"audio1","driver":"none"}' \
+-device
'{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","addr":"0x3"}'
\
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.xml
b/tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.xml
new file mode 100644
index 0000000000..37d9900e74
--- /dev/null
+++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.xml
@@ -0,0 +1,39 @@
+<domain type='qemu'>
+ <name>encryptdisk</name>
+ <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid>
+ <memory unit='KiB'>1048576</memory>
+ <currentMemory unit='KiB'>524288</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='rbd' name='pool/image'>
+ <host name='mon1.example.org' port='6321'/>
+ <host name='mon2.example.org' port='6322'/>
+ <host name='mon3.example.org' port='6322'/>
+ <encryption format='luks-any' engine='librbd'>
+ <secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+ </encryption>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index f46fc29f32..7f2dd2780d 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -1277,6 +1277,8 @@ mymain(void)
DO_TEST_CAPS_LATEST("disk-network-rbd");
DO_TEST_CAPS_VER_PARSE_ERROR("disk-network-rbd-encryption",
"6.0.0");
DO_TEST_CAPS_LATEST("disk-network-rbd-encryption");
+ DO_TEST_CAPS_VER_PARSE_ERROR("disk-network-rbd-encryption-luks-any",
"7.2.0");
+ DO_TEST_CAPS_LATEST("disk-network-rbd-encryption-luks-any");
DO_TEST_CAPS_LATEST_PARSE_ERROR("disk-encryption-wrong");
DO_TEST_CAPS_LATEST("disk-network-rbd-no-colon");
/* qemu-6.0 is the last qemu version supporting sheepdog */
diff --git
a/tests/qemuxml2xmloutdata/disk-network-rbd-encryption-luks-any.x86_64-latest.xml
b/tests/qemuxml2xmloutdata/disk-network-rbd-encryption-luks-any.x86_64-latest.xml
new file mode 100644
index 0000000000..d9f4ad17d9
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/disk-network-rbd-encryption-luks-any.x86_64-latest.xml
@@ -0,0 +1,44 @@
+<domain type='qemu'>
+ <name>encryptdisk</name>
+ <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid>
+ <memory unit='KiB'>1048576</memory>
+ <currentMemory unit='KiB'>524288</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <cpu mode='custom' match='exact' check='none'>
+ <model fallback='forbid'>qemu64</model>
+ </cpu>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='rbd' name='pool/image'>
+ <host name='mon1.example.org' port='6321'/>
+ <host name='mon2.example.org' port='6322'/>
+ <host name='mon3.example.org' port='6322'/>
+ <encryption format='luks-any' engine='librbd'>
+ <secret type='passphrase'
uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+ </encryption>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x02' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0' model='piix3-uhci'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <audio id='1' type='none'/>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 69bff80376..17d2e9e41f 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -329,6 +329,7 @@ mymain(void)
DO_TEST_NOCAPS("disk-network-gluster");
DO_TEST_NOCAPS("disk-network-rbd");
DO_TEST_CAPS_LATEST("disk-network-rbd-encryption");
+ DO_TEST_CAPS_LATEST("disk-network-rbd-encryption-luks-any");
DO_TEST_NOCAPS("disk-network-source-auth");
DO_TEST_NOCAPS("disk-network-sheepdog");
DO_TEST_NOCAPS("disk-network-vxhs");
--
2.25.1
4:12 a.m.
New subject: [PATCH v1 3/3] qemu: add luks-any encryption support for RBD images
On Mon, Mar 06, 2023 at 06:59:36 -0600, Or Ozeri wrote:
The newly added luks-any rbd encryption format in qemu
allows for opening both LUKS and LUKS2 encryption formats.
This commit enables libvirt uses to use this wildcard format.
Signed-off-by: Or Ozeri <oro(a)il.ibm.com>
---
docs/formatstorageencryption.rst | 9 ++++
src/conf/schemas/storagecommon.rng | 1 +
src/conf/storage_encryption_conf.c | 2 +-
src/conf/storage_encryption_conf.h | 1 +
src/libvirt_private.syms | 1 +
src/qemu/qemu_block.c | 10 ++++-
src/qemu/qemu_domain.c | 32 +++++++++++++-
...k-rbd-encryption-luks-any.x86_64-7.2.0.err | 1 +
...rbd-encryption-luks-any.x86_64-latest.args | 38 ++++++++++++++++
.../disk-network-rbd-encryption-luks-any.xml | 39 ++++++++++++++++
tests/qemuxml2argvtest.c | 2 +
...-rbd-encryption-luks-any.x86_64-latest.xml | 44 +++++++++++++++++++
tests/qemuxml2xmltest.c | 1 +
13 files changed, 176 insertions(+), 5 deletions(-)
create mode 100644
tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-7.2.0.err
create mode 100644
tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.x86_64-latest.args
create mode 100644 tests/qemuxml2argvdata/disk-network-rbd-encryption-luks-any.xml
create mode 100644
tests/qemuxml2xmloutdata/disk-network-rbd-encryption-luks-any.x86_64-latest.xml
diff --git a/docs/formatstorageencryption.rst b/docs/formatstorageencryption.rst
index 2c19473d6b..c58d088403 100644
--- a/docs/formatstorageencryption.rst
+++ b/docs/formatstorageencryption.rst
@@ -104,6 +104,15 @@ it to control such disks. However, pre-formatted RBD luks2 disks can
be loaded
to a qemu VM using the qemu VM driver. A single
``<secret type='passphrase'...>`` element is expected.
+``luks-any`` format
+~~~~~~~~~~~~~~~~~~~
+
+The ``luks-any`` format is currently supported only by the ``librbd`` engine,
+and can only be applied to RBD network disks (RBD images). This format will try
+to parse the disk as either LUKS or LUKS2, depending on the actual on-disk
+format. A single ``<secret type='passphrase'...>`` element is expected
(except
+for the case of RBD layered encryption mentioned above) :since:`Since 9.3.0` .
+
Examples
--------
diff --git a/src/conf/schemas/storagecommon.rng b/src/conf/schemas/storagecommon.rng
index 4d6e646c9a..aef1bd969c 100644
--- a/src/conf/schemas/storagecommon.rng
+++ b/src/conf/schemas/storagecommon.rng
@@ -14,6 +14,7 @@
<value>qcow</value>
<value>luks</value>
<value>luks2</value>
+ <value>luks-any</value>
</choice>
</attribute>
<optional>
diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
index 3651ff8cfd..639cbf2e58 100644
--- a/src/conf/storage_encryption_conf.c
+++ b/src/conf/storage_encryption_conf.c
@@ -41,7 +41,7 @@ VIR_ENUM_IMPL(virStorageEncryptionSecret,
VIR_ENUM_IMPL(virStorageEncryptionFormat,
VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
- "default", "qcow", "luks",
"luks2",
+ "default", "qcow", "luks",
"luks2", "luks-any",
);
VIR_ENUM_IMPL(virStorageEncryptionEngine,
diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h
index 312599ad44..03f0e60feb 100644
--- a/src/conf/storage_encryption_conf.h
+++ b/src/conf/storage_encryption_conf.h
@@ -66,6 +66,7 @@ typedef enum {
VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */
VIR_STORAGE_ENCRYPTION_FORMAT_LUKS,
VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2,
+ VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY,
VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
} virStorageEncryptionFormatType;
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index b249dcc85c..eb3ff37b81 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1095,6 +1095,7 @@ virStorageVolTypeToString;
# conf/storage_encryption_conf.h
virStorageEncryptionFormat;
+virStorageEncryptionFormatTypeToString;
virStorageEncryptionFree;
virStorageEncryptionParseNode;
diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index 5e700eff99..254d82df41 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -572,6 +572,10 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src,
encformat = "luks2";
break;
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
+ encformat = "luks-any";
+ break;
+
case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
@@ -1040,8 +1044,10 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src,
break;
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("luks2 is currently not supported by the qemu encryption
engine"));
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("%s is currently not supported by the qemu encryption
engine"),
+
virStorageEncryptionFormatTypeToString(src->encryption->format));
return -1;
I'd add a comment here instead saying that these were caught by the
validation code as this is simply dead code.
case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index f5fd140c85..94ea482363 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -5136,8 +5136,10 @@ qemuDomainValidateStorageSource(virStorageSource *src,
break;
case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("luks2 is currently not supported by the
qemu encryption engine"));
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("%s is currently not supported by the qemu
encryption engine"),
Add quotes around substitutions: '%s' encryption format is ....
+
virStorageEncryptionFormatTypeToString(src->encryption->format));
return -1;
case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
@@ -5163,6 +5165,32 @@ qemuDomainValidateStorageSource(virStorageSource *src,
_("librbd encryption is supported only with RBD
backed disks"));
return -1;
}
+
+ switch ((virStorageEncryptionFormatType) src->encryption->format)
{
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:
+ break;
+
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS_ANY:
+ if (!virQEMUCapsGet(qemuCaps,
QEMU_CAPS_RBD_ENCRYPTION_LUKS_ANY)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("luks-any encryption is not supported
by this QEMU binary"));
+ return -1;
+ }
+ break;
+
+ case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW:
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("qcow encryption format is not supported
by the librbd encryption engine"));
This is dead code (and subsequently a unnecessary translatable string),
a check above completely denies VIR_STORAGE_ENCRYPTION_FORMAT_QCOW for
any other cases.
+ return -1;
+
+ case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT:
+ case VIR_STORAGE_ENCRYPTION_FORMAT_LAST:
+ default:
+ virReportEnumRangeError(virStorageEncryptionFormatType,
+ src->encryption->format);
+ return -1;
+ }
break;
case VIR_STORAGE_ENCRYPTION_ENGINE_DEFAULT:
620
days inactive
627
days old
8 comments
3 participants
participants (3)
-
Or Ozeri -
Or Ozeri
-
Peter Krempa