block: add generic full disk encryption driver
Add a block driver that is capable of supporting any full disk
encryption format. This utilizes the previously added block
encryption code, and at this time supports the LUKS format.
The driver code is capable of supporting any format supported
by the QCryptoBlock module, so it registers one block driver
for each format. This patch only registers the "luks" driver
since the "qcow" driver is there only for back-compatibility
with existing qcow built-in encryption.
New LUKS compatible volumes can be formatted using qemu-img
with defaults for all settings.
$ qemu-img create --object secret,data=123456,id=sec0 \
-f luks -o key-secret=sec0 demo.luks 10G
Alternatively the cryptographic settings can be explicitly
set
$ qemu-img create --object secret,data=123456,id=sec0 \
-f luks -o key-secret=sec0,cipher-alg=aes-256,\
cipher-mode=cbc,ivgen-alg=plain64,hash-alg=sha256 \
demo.luks 10G
And query its size
$ qemu-img info demo.img
image: demo.img
file format: luks
virtual size: 10G (10737418240 bytes)
disk size: 132K
encrypted: yes
Note that it was not necessary to provide the password
when querying info for the volume. The password is only
required when performing I/O on the volume
All volumes created by this new 'luks' driver should be
capable of being opened by the kernel dm-crypt driver.
The only algorithms listed in the LUKS spec that are
not currently supported by this impl are sha512 and
ripemd160 hashes and cast6 cipher.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
[ kwolf - Added #include to resolve conflict with da34e65c ]
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-03-21 17:11:47 +03:00
|
|
|
/*
|
|
|
|
* QEMU block full disk encryption
|
|
|
|
*
|
|
|
|
* Copyright (c) 2015-2016 Red Hat, Inc.
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "qemu/osdep.h"
|
|
|
|
|
|
|
|
#include "block/block_int.h"
|
|
|
|
#include "sysemu/block-backend.h"
|
|
|
|
#include "crypto/block.h"
|
|
|
|
#include "qapi/opts-visitor.h"
|
|
|
|
#include "qapi-visit.h"
|
|
|
|
#include "qapi/error.h"
|
|
|
|
|
|
|
|
#define BLOCK_CRYPTO_OPT_LUKS_KEY_SECRET "key-secret"
|
|
|
|
#define BLOCK_CRYPTO_OPT_LUKS_CIPHER_ALG "cipher-alg"
|
|
|
|
#define BLOCK_CRYPTO_OPT_LUKS_CIPHER_MODE "cipher-mode"
|
|
|
|
#define BLOCK_CRYPTO_OPT_LUKS_IVGEN_ALG "ivgen-alg"
|
|
|
|
#define BLOCK_CRYPTO_OPT_LUKS_IVGEN_HASH_ALG "ivgen-hash-alg"
|
|
|
|
#define BLOCK_CRYPTO_OPT_LUKS_HASH_ALG "hash-alg"
|
|
|
|
|
|
|
|
typedef struct BlockCrypto BlockCrypto;
|
|
|
|
|
|
|
|
struct BlockCrypto {
|
|
|
|
QCryptoBlock *block;
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
static int block_crypto_probe_generic(QCryptoBlockFormat format,
|
|
|
|
const uint8_t *buf,
|
|
|
|
int buf_size,
|
|
|
|
const char *filename)
|
|
|
|
{
|
|
|
|
if (qcrypto_block_has_format(format, buf, buf_size)) {
|
|
|
|
return 100;
|
|
|
|
} else {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static ssize_t block_crypto_read_func(QCryptoBlock *block,
|
|
|
|
size_t offset,
|
|
|
|
uint8_t *buf,
|
|
|
|
size_t buflen,
|
|
|
|
Error **errp,
|
|
|
|
void *opaque)
|
|
|
|
{
|
|
|
|
BlockDriverState *bs = opaque;
|
|
|
|
ssize_t ret;
|
|
|
|
|
|
|
|
ret = bdrv_pread(bs->file->bs, offset, buf, buflen);
|
|
|
|
if (ret < 0) {
|
|
|
|
error_setg_errno(errp, -ret, "Could not read encryption header");
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
struct BlockCryptoCreateData {
|
|
|
|
const char *filename;
|
|
|
|
QemuOpts *opts;
|
|
|
|
BlockBackend *blk;
|
|
|
|
uint64_t size;
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
static ssize_t block_crypto_write_func(QCryptoBlock *block,
|
|
|
|
size_t offset,
|
|
|
|
const uint8_t *buf,
|
|
|
|
size_t buflen,
|
|
|
|
Error **errp,
|
|
|
|
void *opaque)
|
|
|
|
{
|
|
|
|
struct BlockCryptoCreateData *data = opaque;
|
|
|
|
ssize_t ret;
|
|
|
|
|
2016-05-06 19:26:27 +03:00
|
|
|
ret = blk_pwrite(data->blk, offset, buf, buflen, 0);
|
block: add generic full disk encryption driver
Add a block driver that is capable of supporting any full disk
encryption format. This utilizes the previously added block
encryption code, and at this time supports the LUKS format.
The driver code is capable of supporting any format supported
by the QCryptoBlock module, so it registers one block driver
for each format. This patch only registers the "luks" driver
since the "qcow" driver is there only for back-compatibility
with existing qcow built-in encryption.
New LUKS compatible volumes can be formatted using qemu-img
with defaults for all settings.
$ qemu-img create --object secret,data=123456,id=sec0 \
-f luks -o key-secret=sec0 demo.luks 10G
Alternatively the cryptographic settings can be explicitly
set
$ qemu-img create --object secret,data=123456,id=sec0 \
-f luks -o key-secret=sec0,cipher-alg=aes-256,\
cipher-mode=cbc,ivgen-alg=plain64,hash-alg=sha256 \
demo.luks 10G
And query its size
$ qemu-img info demo.img
image: demo.img
file format: luks
virtual size: 10G (10737418240 bytes)
disk size: 132K
encrypted: yes
Note that it was not necessary to provide the password
when querying info for the volume. The password is only
required when performing I/O on the volume
All volumes created by this new 'luks' driver should be
capable of being opened by the kernel dm-crypt driver.
The only algorithms listed in the LUKS spec that are
not currently supported by this impl are sha512 and
ripemd160 hashes and cast6 cipher.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
[ kwolf - Added #include to resolve conflict with da34e65c ]
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-03-21 17:11:47 +03:00
|
|
|
if (ret < 0) {
|
|
|
|
error_setg_errno(errp, -ret, "Could not write encryption header");
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static ssize_t block_crypto_init_func(QCryptoBlock *block,
|
|
|
|
size_t headerlen,
|
|
|
|
Error **errp,
|
|
|
|
void *opaque)
|
|
|
|
{
|
|
|
|
struct BlockCryptoCreateData *data = opaque;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
/* User provided size should reflect amount of space made
|
|
|
|
* available to the guest, so we must take account of that
|
|
|
|
* which will be used by the crypto header
|
|
|
|
*/
|
|
|
|
data->size += headerlen;
|
|
|
|
|
|
|
|
qemu_opt_set_number(data->opts, BLOCK_OPT_SIZE, data->size, &error_abort);
|
|
|
|
ret = bdrv_create_file(data->filename, data->opts, errp);
|
|
|
|
if (ret < 0) {
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
data->blk = blk_new_open(data->filename, NULL, NULL,
|
2016-03-15 16:34:37 +03:00
|
|
|
BDRV_O_RDWR | BDRV_O_PROTOCOL, errp);
|
block: add generic full disk encryption driver
Add a block driver that is capable of supporting any full disk
encryption format. This utilizes the previously added block
encryption code, and at this time supports the LUKS format.
The driver code is capable of supporting any format supported
by the QCryptoBlock module, so it registers one block driver
for each format. This patch only registers the "luks" driver
since the "qcow" driver is there only for back-compatibility
with existing qcow built-in encryption.
New LUKS compatible volumes can be formatted using qemu-img
with defaults for all settings.
$ qemu-img create --object secret,data=123456,id=sec0 \
-f luks -o key-secret=sec0 demo.luks 10G
Alternatively the cryptographic settings can be explicitly
set
$ qemu-img create --object secret,data=123456,id=sec0 \
-f luks -o key-secret=sec0,cipher-alg=aes-256,\
cipher-mode=cbc,ivgen-alg=plain64,hash-alg=sha256 \
demo.luks 10G
And query its size
$ qemu-img info demo.img
image: demo.img
file format: luks
virtual size: 10G (10737418240 bytes)
disk size: 132K
encrypted: yes
Note that it was not necessary to provide the password
when querying info for the volume. The password is only
required when performing I/O on the volume
All volumes created by this new 'luks' driver should be
capable of being opened by the kernel dm-crypt driver.
The only algorithms listed in the LUKS spec that are
not currently supported by this impl are sha512 and
ripemd160 hashes and cast6 cipher.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
[ kwolf - Added #include to resolve conflict with da34e65c ]
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-03-21 17:11:47 +03:00
|
|
|
if (!data->blk) {
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static QemuOptsList block_crypto_runtime_opts_luks = {
|
|
|
|
.name = "crypto",
|
|
|
|
.head = QTAILQ_HEAD_INITIALIZER(block_crypto_runtime_opts_luks.head),
|
|
|
|
.desc = {
|
|
|
|
{
|
|
|
|
.name = BLOCK_CRYPTO_OPT_LUKS_KEY_SECRET,
|
|
|
|
.type = QEMU_OPT_STRING,
|
|
|
|
.help = "ID of the secret that provides the encryption key",
|
|
|
|
},
|
|
|
|
{ /* end of list */ }
|
|
|
|
},
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
static QemuOptsList block_crypto_create_opts_luks = {
|
|
|
|
.name = "crypto",
|
|
|
|
.head = QTAILQ_HEAD_INITIALIZER(block_crypto_create_opts_luks.head),
|
|
|
|
.desc = {
|
|
|
|
{
|
|
|
|
.name = BLOCK_OPT_SIZE,
|
|
|
|
.type = QEMU_OPT_SIZE,
|
|
|
|
.help = "Virtual disk size"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.name = BLOCK_CRYPTO_OPT_LUKS_KEY_SECRET,
|
|
|
|
.type = QEMU_OPT_STRING,
|
|
|
|
.help = "ID of the secret that provides the encryption key",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.name = BLOCK_CRYPTO_OPT_LUKS_CIPHER_ALG,
|
|
|
|
.type = QEMU_OPT_STRING,
|
|
|
|
.help = "Name of encryption cipher algorithm",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.name = BLOCK_CRYPTO_OPT_LUKS_CIPHER_MODE,
|
|
|
|
.type = QEMU_OPT_STRING,
|
|
|
|
.help = "Name of encryption cipher mode",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.name = BLOCK_CRYPTO_OPT_LUKS_IVGEN_ALG,
|
|
|
|
.type = QEMU_OPT_STRING,
|
|
|
|
.help = "Name of IV generator algorithm",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.name = BLOCK_CRYPTO_OPT_LUKS_IVGEN_HASH_ALG,
|
|
|
|
.type = QEMU_OPT_STRING,
|
|
|
|
.help = "Name of IV generator hash algorithm",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.name = BLOCK_CRYPTO_OPT_LUKS_HASH_ALG,
|
|
|
|
.type = QEMU_OPT_STRING,
|
|
|
|
.help = "Name of encryption hash algorithm",
|
|
|
|
},
|
|
|
|
{ /* end of list */ }
|
|
|
|
},
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
static QCryptoBlockOpenOptions *
|
|
|
|
block_crypto_open_opts_init(QCryptoBlockFormat format,
|
|
|
|
QemuOpts *opts,
|
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
OptsVisitor *ov;
|
|
|
|
QCryptoBlockOpenOptions *ret = NULL;
|
|
|
|
Error *local_err = NULL;
|
|
|
|
|
|
|
|
ret = g_new0(QCryptoBlockOpenOptions, 1);
|
|
|
|
ret->format = format;
|
|
|
|
|
|
|
|
ov = opts_visitor_new(opts);
|
|
|
|
|
|
|
|
visit_start_struct(opts_get_visitor(ov),
|
|
|
|
NULL, NULL, 0, &local_err);
|
|
|
|
if (local_err) {
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
switch (format) {
|
|
|
|
case Q_CRYPTO_BLOCK_FORMAT_LUKS:
|
|
|
|
visit_type_QCryptoBlockOptionsLUKS_members(
|
|
|
|
opts_get_visitor(ov), &ret->u.luks, &local_err);
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
error_setg(&local_err, "Unsupported block format %d", format);
|
|
|
|
break;
|
|
|
|
}
|
qapi: Split visit_end_struct() into pieces
As mentioned in previous patches, we want to call visit_end_struct()
functions unconditionally, so that visitors can release resources
tied up since the matching visit_start_struct() without also having
to worry about error priority if more than one error occurs.
Even though error_propagate() can be safely used to ignore a second
error during cleanup caused by a first error, it is simpler if the
cleanup cannot set an error. So, split out the error checking
portion (basically, input visitors checking for unvisited keys) into
a new function visit_check_struct(), which can be safely skipped if
any earlier errors are encountered, and leave the cleanup portion
(which never fails, but must be called unconditionally if
visit_start_struct() succeeded) in visit_end_struct().
Generated code in qapi-visit.c has diffs resembling:
|@@ -59,10 +59,12 @@ void visit_type_ACPIOSTInfo(Visitor *v,
| goto out_obj;
| }
| visit_type_ACPIOSTInfo_members(v, obj, &err);
|- error_propagate(errp, err);
|- err = NULL;
|+ if (err) {
|+ goto out_obj;
|+ }
|+ visit_check_struct(v, &err);
| out_obj:
|- visit_end_struct(v, &err);
|+ visit_end_struct(v);
| out:
and in qapi-event.c:
@@ -47,7 +47,10 @@ void qapi_event_send_acpi_device_ost(ACP
| goto out;
| }
| visit_type_q_obj_ACPI_DEVICE_OST_arg_members(v, ¶m, &err);
|- visit_end_struct(v, err ? NULL : &err);
|+ if (!err) {
|+ visit_check_struct(v, &err);
|+ }
|+ visit_end_struct(v);
| if (err) {
| goto out;
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1461879932-9020-20-git-send-email-eblake@redhat.com>
[Conflict with a doc fixup resolved]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
2016-04-29 00:45:27 +03:00
|
|
|
if (!local_err) {
|
|
|
|
visit_check_struct(opts_get_visitor(ov), &local_err);
|
|
|
|
}
|
block: add generic full disk encryption driver
Add a block driver that is capable of supporting any full disk
encryption format. This utilizes the previously added block
encryption code, and at this time supports the LUKS format.
The driver code is capable of supporting any format supported
by the QCryptoBlock module, so it registers one block driver
for each format. This patch only registers the "luks" driver
since the "qcow" driver is there only for back-compatibility
with existing qcow built-in encryption.
New LUKS compatible volumes can be formatted using qemu-img
with defaults for all settings.
$ qemu-img create --object secret,data=123456,id=sec0 \
-f luks -o key-secret=sec0 demo.luks 10G
Alternatively the cryptographic settings can be explicitly
set
$ qemu-img create --object secret,data=123456,id=sec0 \
-f luks -o key-secret=sec0,cipher-alg=aes-256,\
cipher-mode=cbc,ivgen-alg=plain64,hash-alg=sha256 \
demo.luks 10G
And query its size
$ qemu-img info demo.img
image: demo.img
file format: luks
virtual size: 10G (10737418240 bytes)
disk size: 132K
encrypted: yes
Note that it was not necessary to provide the password
when querying info for the volume. The password is only
required when performing I/O on the volume
All volumes created by this new 'luks' driver should be
capable of being opened by the kernel dm-crypt driver.
The only algorithms listed in the LUKS spec that are
not currently supported by this impl are sha512 and
ripemd160 hashes and cast6 cipher.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
[ kwolf - Added #include to resolve conflict with da34e65c ]
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-03-21 17:11:47 +03:00
|
|
|
|
qapi: Split visit_end_struct() into pieces
As mentioned in previous patches, we want to call visit_end_struct()
functions unconditionally, so that visitors can release resources
tied up since the matching visit_start_struct() without also having
to worry about error priority if more than one error occurs.
Even though error_propagate() can be safely used to ignore a second
error during cleanup caused by a first error, it is simpler if the
cleanup cannot set an error. So, split out the error checking
portion (basically, input visitors checking for unvisited keys) into
a new function visit_check_struct(), which can be safely skipped if
any earlier errors are encountered, and leave the cleanup portion
(which never fails, but must be called unconditionally if
visit_start_struct() succeeded) in visit_end_struct().
Generated code in qapi-visit.c has diffs resembling:
|@@ -59,10 +59,12 @@ void visit_type_ACPIOSTInfo(Visitor *v,
| goto out_obj;
| }
| visit_type_ACPIOSTInfo_members(v, obj, &err);
|- error_propagate(errp, err);
|- err = NULL;
|+ if (err) {
|+ goto out_obj;
|+ }
|+ visit_check_struct(v, &err);
| out_obj:
|- visit_end_struct(v, &err);
|+ visit_end_struct(v);
| out:
and in qapi-event.c:
@@ -47,7 +47,10 @@ void qapi_event_send_acpi_device_ost(ACP
| goto out;
| }
| visit_type_q_obj_ACPI_DEVICE_OST_arg_members(v, ¶m, &err);
|- visit_end_struct(v, err ? NULL : &err);
|+ if (!err) {
|+ visit_check_struct(v, &err);
|+ }
|+ visit_end_struct(v);
| if (err) {
| goto out;
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1461879932-9020-20-git-send-email-eblake@redhat.com>
[Conflict with a doc fixup resolved]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
2016-04-29 00:45:27 +03:00
|
|
|
visit_end_struct(opts_get_visitor(ov));
|
block: add generic full disk encryption driver
Add a block driver that is capable of supporting any full disk
encryption format. This utilizes the previously added block
encryption code, and at this time supports the LUKS format.
The driver code is capable of supporting any format supported
by the QCryptoBlock module, so it registers one block driver
for each format. This patch only registers the "luks" driver
since the "qcow" driver is there only for back-compatibility
with existing qcow built-in encryption.
New LUKS compatible volumes can be formatted using qemu-img
with defaults for all settings.
$ qemu-img create --object secret,data=123456,id=sec0 \
-f luks -o key-secret=sec0 demo.luks 10G
Alternatively the cryptographic settings can be explicitly
set
$ qemu-img create --object secret,data=123456,id=sec0 \
-f luks -o key-secret=sec0,cipher-alg=aes-256,\
cipher-mode=cbc,ivgen-alg=plain64,hash-alg=sha256 \
demo.luks 10G
And query its size
$ qemu-img info demo.img
image: demo.img
file format: luks
virtual size: 10G (10737418240 bytes)
disk size: 132K
encrypted: yes
Note that it was not necessary to provide the password
when querying info for the volume. The password is only
required when performing I/O on the volume
All volumes created by this new 'luks' driver should be
capable of being opened by the kernel dm-crypt driver.
The only algorithms listed in the LUKS spec that are
not currently supported by this impl are sha512 and
ripemd160 hashes and cast6 cipher.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
[ kwolf - Added #include to resolve conflict with da34e65c ]
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-03-21 17:11:47 +03:00
|
|
|
|
|
|
|
out:
|
|
|
|
if (local_err) {
|
|
|
|
error_propagate(errp, local_err);
|
|
|
|
qapi_free_QCryptoBlockOpenOptions(ret);
|
|
|
|
ret = NULL;
|
|
|
|
}
|
|
|
|
opts_visitor_cleanup(ov);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static QCryptoBlockCreateOptions *
|
|
|
|
block_crypto_create_opts_init(QCryptoBlockFormat format,
|
|
|
|
QemuOpts *opts,
|
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
OptsVisitor *ov;
|
|
|
|
QCryptoBlockCreateOptions *ret = NULL;
|
|
|
|
Error *local_err = NULL;
|
|
|
|
|
|
|
|
ret = g_new0(QCryptoBlockCreateOptions, 1);
|
|
|
|
ret->format = format;
|
|
|
|
|
|
|
|
ov = opts_visitor_new(opts);
|
|
|
|
|
|
|
|
visit_start_struct(opts_get_visitor(ov),
|
|
|
|
NULL, NULL, 0, &local_err);
|
|
|
|
if (local_err) {
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
switch (format) {
|
|
|
|
case Q_CRYPTO_BLOCK_FORMAT_LUKS:
|
|
|
|
visit_type_QCryptoBlockCreateOptionsLUKS_members(
|
|
|
|
opts_get_visitor(ov), &ret->u.luks, &local_err);
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
error_setg(&local_err, "Unsupported block format %d", format);
|
|
|
|
break;
|
|
|
|
}
|
qapi: Split visit_end_struct() into pieces
As mentioned in previous patches, we want to call visit_end_struct()
functions unconditionally, so that visitors can release resources
tied up since the matching visit_start_struct() without also having
to worry about error priority if more than one error occurs.
Even though error_propagate() can be safely used to ignore a second
error during cleanup caused by a first error, it is simpler if the
cleanup cannot set an error. So, split out the error checking
portion (basically, input visitors checking for unvisited keys) into
a new function visit_check_struct(), which can be safely skipped if
any earlier errors are encountered, and leave the cleanup portion
(which never fails, but must be called unconditionally if
visit_start_struct() succeeded) in visit_end_struct().
Generated code in qapi-visit.c has diffs resembling:
|@@ -59,10 +59,12 @@ void visit_type_ACPIOSTInfo(Visitor *v,
| goto out_obj;
| }
| visit_type_ACPIOSTInfo_members(v, obj, &err);
|- error_propagate(errp, err);
|- err = NULL;
|+ if (err) {
|+ goto out_obj;
|+ }
|+ visit_check_struct(v, &err);
| out_obj:
|- visit_end_struct(v, &err);
|+ visit_end_struct(v);
| out:
and in qapi-event.c:
@@ -47,7 +47,10 @@ void qapi_event_send_acpi_device_ost(ACP
| goto out;
| }
| visit_type_q_obj_ACPI_DEVICE_OST_arg_members(v, ¶m, &err);
|- visit_end_struct(v, err ? NULL : &err);
|+ if (!err) {
|+ visit_check_struct(v, &err);
|+ }
|+ visit_end_struct(v);
| if (err) {
| goto out;
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1461879932-9020-20-git-send-email-eblake@redhat.com>
[Conflict with a doc fixup resolved]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
2016-04-29 00:45:27 +03:00
|
|
|
if (!local_err) {
|
|
|
|
visit_check_struct(opts_get_visitor(ov), &local_err);
|
|
|
|
}
|
block: add generic full disk encryption driver
Add a block driver that is capable of supporting any full disk
encryption format. This utilizes the previously added block
encryption code, and at this time supports the LUKS format.
The driver code is capable of supporting any format supported
by the QCryptoBlock module, so it registers one block driver
for each format. This patch only registers the "luks" driver
since the "qcow" driver is there only for back-compatibility
with existing qcow built-in encryption.
New LUKS compatible volumes can be formatted using qemu-img
with defaults for all settings.
$ qemu-img create --object secret,data=123456,id=sec0 \
-f luks -o key-secret=sec0 demo.luks 10G
Alternatively the cryptographic settings can be explicitly
set
$ qemu-img create --object secret,data=123456,id=sec0 \
-f luks -o key-secret=sec0,cipher-alg=aes-256,\
cipher-mode=cbc,ivgen-alg=plain64,hash-alg=sha256 \
demo.luks 10G
And query its size
$ qemu-img info demo.img
image: demo.img
file format: luks
virtual size: 10G (10737418240 bytes)
disk size: 132K
encrypted: yes
Note that it was not necessary to provide the password
when querying info for the volume. The password is only
required when performing I/O on the volume
All volumes created by this new 'luks' driver should be
capable of being opened by the kernel dm-crypt driver.
The only algorithms listed in the LUKS spec that are
not currently supported by this impl are sha512 and
ripemd160 hashes and cast6 cipher.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
[ kwolf - Added #include to resolve conflict with da34e65c ]
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-03-21 17:11:47 +03:00
|
|
|
|
qapi: Split visit_end_struct() into pieces
As mentioned in previous patches, we want to call visit_end_struct()
functions unconditionally, so that visitors can release resources
tied up since the matching visit_start_struct() without also having
to worry about error priority if more than one error occurs.
Even though error_propagate() can be safely used to ignore a second
error during cleanup caused by a first error, it is simpler if the
cleanup cannot set an error. So, split out the error checking
portion (basically, input visitors checking for unvisited keys) into
a new function visit_check_struct(), which can be safely skipped if
any earlier errors are encountered, and leave the cleanup portion
(which never fails, but must be called unconditionally if
visit_start_struct() succeeded) in visit_end_struct().
Generated code in qapi-visit.c has diffs resembling:
|@@ -59,10 +59,12 @@ void visit_type_ACPIOSTInfo(Visitor *v,
| goto out_obj;
| }
| visit_type_ACPIOSTInfo_members(v, obj, &err);
|- error_propagate(errp, err);
|- err = NULL;
|+ if (err) {
|+ goto out_obj;
|+ }
|+ visit_check_struct(v, &err);
| out_obj:
|- visit_end_struct(v, &err);
|+ visit_end_struct(v);
| out:
and in qapi-event.c:
@@ -47,7 +47,10 @@ void qapi_event_send_acpi_device_ost(ACP
| goto out;
| }
| visit_type_q_obj_ACPI_DEVICE_OST_arg_members(v, ¶m, &err);
|- visit_end_struct(v, err ? NULL : &err);
|+ if (!err) {
|+ visit_check_struct(v, &err);
|+ }
|+ visit_end_struct(v);
| if (err) {
| goto out;
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1461879932-9020-20-git-send-email-eblake@redhat.com>
[Conflict with a doc fixup resolved]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
2016-04-29 00:45:27 +03:00
|
|
|
visit_end_struct(opts_get_visitor(ov));
|
block: add generic full disk encryption driver
Add a block driver that is capable of supporting any full disk
encryption format. This utilizes the previously added block
encryption code, and at this time supports the LUKS format.
The driver code is capable of supporting any format supported
by the QCryptoBlock module, so it registers one block driver
for each format. This patch only registers the "luks" driver
since the "qcow" driver is there only for back-compatibility
with existing qcow built-in encryption.
New LUKS compatible volumes can be formatted using qemu-img
with defaults for all settings.
$ qemu-img create --object secret,data=123456,id=sec0 \
-f luks -o key-secret=sec0 demo.luks 10G
Alternatively the cryptographic settings can be explicitly
set
$ qemu-img create --object secret,data=123456,id=sec0 \
-f luks -o key-secret=sec0,cipher-alg=aes-256,\
cipher-mode=cbc,ivgen-alg=plain64,hash-alg=sha256 \
demo.luks 10G
And query its size
$ qemu-img info demo.img
image: demo.img
file format: luks
virtual size: 10G (10737418240 bytes)
disk size: 132K
encrypted: yes
Note that it was not necessary to provide the password
when querying info for the volume. The password is only
required when performing I/O on the volume
All volumes created by this new 'luks' driver should be
capable of being opened by the kernel dm-crypt driver.
The only algorithms listed in the LUKS spec that are
not currently supported by this impl are sha512 and
ripemd160 hashes and cast6 cipher.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
[ kwolf - Added #include to resolve conflict with da34e65c ]
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2016-03-21 17:11:47 +03:00
|
|
|
|
|
|
|
out:
|
|
|
|
if (local_err) {
|
|
|
|
error_propagate(errp, local_err);
|
|
|
|
qapi_free_QCryptoBlockCreateOptions(ret);
|
|
|
|
ret = NULL;
|
|
|
|
}
|
|
|
|
opts_visitor_cleanup(ov);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int block_crypto_open_generic(QCryptoBlockFormat format,
|
|
|
|
QemuOptsList *opts_spec,
|
|
|
|
BlockDriverState *bs,
|
|
|
|
QDict *options,
|
|
|
|
int flags,
|
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
BlockCrypto *crypto = bs->opaque;
|
|
|
|
QemuOpts *opts = NULL;
|
|
|
|
Error *local_err = NULL;
|
|
|
|
int ret = -EINVAL;
|
|
|
|
QCryptoBlockOpenOptions *open_opts = NULL;
|
|
|
|
unsigned int cflags = 0;
|
|
|
|
|
|
|
|
opts = qemu_opts_create(opts_spec, NULL, 0, &error_abort);
|
|
|
|
qemu_opts_absorb_qdict(opts, options, &local_err);
|
|
|
|
if (local_err) {
|
|
|
|
error_propagate(errp, local_err);
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
open_opts = block_crypto_open_opts_init(format, opts, errp);
|
|
|
|
if (!open_opts) {
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (flags & BDRV_O_NO_IO) {
|
|
|
|
cflags |= QCRYPTO_BLOCK_OPEN_NO_IO;
|
|
|
|
}
|
|
|
|
crypto->block = qcrypto_block_open(open_opts,
|
|
|
|
block_crypto_read_func,
|
|
|
|
bs,
|
|
|
|
cflags,
|
|
|
|
errp);
|
|
|
|
|
|
|
|
if (!crypto->block) {
|
|
|
|
ret = -EIO;
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
bs->encrypted = 1;
|
|
|
|
bs->valid_key = 1;
|
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
cleanup:
|
|
|
|
qapi_free_QCryptoBlockOpenOptions(open_opts);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int block_crypto_create_generic(QCryptoBlockFormat format,
|
|
|
|
const char *filename,
|
|
|
|
QemuOpts *opts,
|
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
int ret = -EINVAL;
|
|
|
|
QCryptoBlockCreateOptions *create_opts = NULL;
|
|
|
|
QCryptoBlock *crypto = NULL;
|
|
|
|
struct BlockCryptoCreateData data = {
|
|
|
|
.size = ROUND_UP(qemu_opt_get_size_del(opts, BLOCK_OPT_SIZE, 0),
|
|
|
|
BDRV_SECTOR_SIZE),
|
|
|
|
.opts = opts,
|
|
|
|
.filename = filename,
|
|
|
|
};
|
|
|
|
|
|
|
|
create_opts = block_crypto_create_opts_init(format, opts, errp);
|
|
|
|
if (!create_opts) {
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
crypto = qcrypto_block_create(create_opts,
|
|
|
|
block_crypto_init_func,
|
|
|
|
block_crypto_write_func,
|
|
|
|
&data,
|
|
|
|
errp);
|
|
|
|
|
|
|
|
if (!crypto) {
|
|
|
|
ret = -EIO;
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
cleanup:
|
|
|
|
qcrypto_block_free(crypto);
|
|
|
|
blk_unref(data.blk);
|
|
|
|
qapi_free_QCryptoBlockCreateOptions(create_opts);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int block_crypto_truncate(BlockDriverState *bs, int64_t offset)
|
|
|
|
{
|
|
|
|
BlockCrypto *crypto = bs->opaque;
|
|
|
|
size_t payload_offset =
|
|
|
|
qcrypto_block_get_payload_offset(crypto->block);
|
|
|
|
|
|
|
|
offset += payload_offset;
|
|
|
|
|
|
|
|
return bdrv_truncate(bs->file->bs, offset);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void block_crypto_close(BlockDriverState *bs)
|
|
|
|
{
|
|
|
|
BlockCrypto *crypto = bs->opaque;
|
|
|
|
qcrypto_block_free(crypto->block);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#define BLOCK_CRYPTO_MAX_SECTORS 32
|
|
|
|
|
|
|
|
static coroutine_fn int
|
|
|
|
block_crypto_co_readv(BlockDriverState *bs, int64_t sector_num,
|
|
|
|
int remaining_sectors, QEMUIOVector *qiov)
|
|
|
|
{
|
|
|
|
BlockCrypto *crypto = bs->opaque;
|
|
|
|
int cur_nr_sectors; /* number of sectors in current iteration */
|
|
|
|
uint64_t bytes_done = 0;
|
|
|
|
uint8_t *cipher_data = NULL;
|
|
|
|
QEMUIOVector hd_qiov;
|
|
|
|
int ret = 0;
|
|
|
|
size_t payload_offset =
|
|
|
|
qcrypto_block_get_payload_offset(crypto->block) / 512;
|
|
|
|
|
|
|
|
qemu_iovec_init(&hd_qiov, qiov->niov);
|
|
|
|
|
|
|
|
/* Bounce buffer so we have a linear mem region for
|
|
|
|
* entire sector. XXX optimize so we avoid bounce
|
|
|
|
* buffer in case that qiov->niov == 1
|
|
|
|
*/
|
|
|
|
cipher_data =
|
|
|
|
qemu_try_blockalign(bs->file->bs, MIN(BLOCK_CRYPTO_MAX_SECTORS * 512,
|
|
|
|
qiov->size));
|
|
|
|
if (cipher_data == NULL) {
|
|
|
|
ret = -ENOMEM;
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
while (remaining_sectors) {
|
|
|
|
cur_nr_sectors = remaining_sectors;
|
|
|
|
|
|
|
|
if (cur_nr_sectors > BLOCK_CRYPTO_MAX_SECTORS) {
|
|
|
|
cur_nr_sectors = BLOCK_CRYPTO_MAX_SECTORS;
|
|
|
|
}
|
|
|
|
|
|
|
|
qemu_iovec_reset(&hd_qiov);
|
|
|
|
qemu_iovec_add(&hd_qiov, cipher_data, cur_nr_sectors * 512);
|
|
|
|
|
|
|
|
ret = bdrv_co_readv(bs->file->bs,
|
|
|
|
payload_offset + sector_num,
|
|
|
|
cur_nr_sectors, &hd_qiov);
|
|
|
|
if (ret < 0) {
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (qcrypto_block_decrypt(crypto->block,
|
|
|
|
sector_num,
|
|
|
|
cipher_data, cur_nr_sectors * 512,
|
|
|
|
NULL) < 0) {
|
|
|
|
ret = -EIO;
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
qemu_iovec_from_buf(qiov, bytes_done,
|
|
|
|
cipher_data, cur_nr_sectors * 512);
|
|
|
|
|
|
|
|
remaining_sectors -= cur_nr_sectors;
|
|
|
|
sector_num += cur_nr_sectors;
|
|
|
|
bytes_done += cur_nr_sectors * 512;
|
|
|
|
}
|
|
|
|
|
|
|
|
cleanup:
|
|
|
|
qemu_iovec_destroy(&hd_qiov);
|
|
|
|
qemu_vfree(cipher_data);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static coroutine_fn int
|
|
|
|
block_crypto_co_writev(BlockDriverState *bs, int64_t sector_num,
|
|
|
|
int remaining_sectors, QEMUIOVector *qiov)
|
|
|
|
{
|
|
|
|
BlockCrypto *crypto = bs->opaque;
|
|
|
|
int cur_nr_sectors; /* number of sectors in current iteration */
|
|
|
|
uint64_t bytes_done = 0;
|
|
|
|
uint8_t *cipher_data = NULL;
|
|
|
|
QEMUIOVector hd_qiov;
|
|
|
|
int ret = 0;
|
|
|
|
size_t payload_offset =
|
|
|
|
qcrypto_block_get_payload_offset(crypto->block) / 512;
|
|
|
|
|
|
|
|
qemu_iovec_init(&hd_qiov, qiov->niov);
|
|
|
|
|
|
|
|
/* Bounce buffer so we have a linear mem region for
|
|
|
|
* entire sector. XXX optimize so we avoid bounce
|
|
|
|
* buffer in case that qiov->niov == 1
|
|
|
|
*/
|
|
|
|
cipher_data =
|
|
|
|
qemu_try_blockalign(bs->file->bs, MIN(BLOCK_CRYPTO_MAX_SECTORS * 512,
|
|
|
|
qiov->size));
|
|
|
|
if (cipher_data == NULL) {
|
|
|
|
ret = -ENOMEM;
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
while (remaining_sectors) {
|
|
|
|
cur_nr_sectors = remaining_sectors;
|
|
|
|
|
|
|
|
if (cur_nr_sectors > BLOCK_CRYPTO_MAX_SECTORS) {
|
|
|
|
cur_nr_sectors = BLOCK_CRYPTO_MAX_SECTORS;
|
|
|
|
}
|
|
|
|
|
|
|
|
qemu_iovec_to_buf(qiov, bytes_done,
|
|
|
|
cipher_data, cur_nr_sectors * 512);
|
|
|
|
|
|
|
|
if (qcrypto_block_encrypt(crypto->block,
|
|
|
|
sector_num,
|
|
|
|
cipher_data, cur_nr_sectors * 512,
|
|
|
|
NULL) < 0) {
|
|
|
|
ret = -EIO;
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
qemu_iovec_reset(&hd_qiov);
|
|
|
|
qemu_iovec_add(&hd_qiov, cipher_data, cur_nr_sectors * 512);
|
|
|
|
|
|
|
|
ret = bdrv_co_writev(bs->file->bs,
|
|
|
|
payload_offset + sector_num,
|
|
|
|
cur_nr_sectors, &hd_qiov);
|
|
|
|
if (ret < 0) {
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
remaining_sectors -= cur_nr_sectors;
|
|
|
|
sector_num += cur_nr_sectors;
|
|
|
|
bytes_done += cur_nr_sectors * 512;
|
|
|
|
}
|
|
|
|
|
|
|
|
cleanup:
|
|
|
|
qemu_iovec_destroy(&hd_qiov);
|
|
|
|
qemu_vfree(cipher_data);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int64_t block_crypto_getlength(BlockDriverState *bs)
|
|
|
|
{
|
|
|
|
BlockCrypto *crypto = bs->opaque;
|
|
|
|
int64_t len = bdrv_getlength(bs->file->bs);
|
|
|
|
|
|
|
|
ssize_t offset = qcrypto_block_get_payload_offset(crypto->block);
|
|
|
|
|
|
|
|
len -= offset;
|
|
|
|
|
|
|
|
return len;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int block_crypto_probe_luks(const uint8_t *buf,
|
|
|
|
int buf_size,
|
|
|
|
const char *filename) {
|
|
|
|
return block_crypto_probe_generic(Q_CRYPTO_BLOCK_FORMAT_LUKS,
|
|
|
|
buf, buf_size, filename);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int block_crypto_open_luks(BlockDriverState *bs,
|
|
|
|
QDict *options,
|
|
|
|
int flags,
|
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
return block_crypto_open_generic(Q_CRYPTO_BLOCK_FORMAT_LUKS,
|
|
|
|
&block_crypto_runtime_opts_luks,
|
|
|
|
bs, options, flags, errp);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int block_crypto_create_luks(const char *filename,
|
|
|
|
QemuOpts *opts,
|
|
|
|
Error **errp)
|
|
|
|
{
|
|
|
|
return block_crypto_create_generic(Q_CRYPTO_BLOCK_FORMAT_LUKS,
|
|
|
|
filename, opts, errp);
|
|
|
|
}
|
|
|
|
|
|
|
|
BlockDriver bdrv_crypto_luks = {
|
|
|
|
.format_name = "luks",
|
|
|
|
.instance_size = sizeof(BlockCrypto),
|
|
|
|
.bdrv_probe = block_crypto_probe_luks,
|
|
|
|
.bdrv_open = block_crypto_open_luks,
|
|
|
|
.bdrv_close = block_crypto_close,
|
|
|
|
.bdrv_create = block_crypto_create_luks,
|
|
|
|
.bdrv_truncate = block_crypto_truncate,
|
|
|
|
.create_opts = &block_crypto_create_opts_luks,
|
|
|
|
|
|
|
|
.bdrv_co_readv = block_crypto_co_readv,
|
|
|
|
.bdrv_co_writev = block_crypto_co_writev,
|
|
|
|
.bdrv_getlength = block_crypto_getlength,
|
|
|
|
};
|
|
|
|
|
|
|
|
static void block_crypto_init(void)
|
|
|
|
{
|
|
|
|
bdrv_register(&bdrv_crypto_luks);
|
|
|
|
}
|
|
|
|
|
|
|
|
block_init(block_crypto_init);
|