[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v2 02/11] qcrypto-luks: extend the create options for upcomin
From: |
Kevin Wolf |
Subject: |
Re: [PATCH v2 02/11] qcrypto-luks: extend the create options for upcoming encryption key management |
Date: |
Thu, 10 Oct 2019 15:44:23 +0200 |
User-agent: |
Mutt/1.12.1 (2019-06-15) |
Am 13.09.2019 um 00:30 hat Maxim Levitsky geschrieben:
> Now you can specify which slot to put the encryption key to
> Plus add 'active' option which will let user erase the key secret
> instead of adding it.
> Check that active=true it when creating.
>
> Signed-off-by: Maxim Levitsky <address@hidden>
> diff --git a/qapi/crypto.json b/qapi/crypto.json
> index b2a4cff683..9b83a70634 100644
> --- a/qapi/crypto.json
> +++ b/qapi/crypto.json
> @@ -190,6 +190,20 @@
> # Currently defaults to 'sha256'
> # @hash-alg: the master key hash algorithm
> # Currently defaults to 'sha256'
> +#
> +# @active: Should the new secret be added (true) or erased (false)
> +# (amend only, since 4.2)
> +#
> +# @slot: The slot in which to put/erase the secret
> +# if not given, will select first free slot for secret addtion
> +# and erase all matching keyslots for erase. except last one
> +# (optional, since 4.2)
> +#
> +# @unlock-secret: The secret to use to unlock the image
> +# If not given, will use the secret that was used
> +# when opening the image.
> +# (optional, for amend only, since 4.2)
> +#
> # @iter-time: number of milliseconds to spend in
> # PBKDF passphrase processing. Currently defaults
> # to 2000. (since 2.8)
This approach doesn't look right to me. BlockdevCreateOptions should
describe the state of the image after the operation. You're describing
an update instead (and in a way that doesn't allow you to change
everything that you may want to change, so that you need to call the
operation multiple times).
I imagined the syntax of a blockdev-amend QMP command similar to
x-blockdev-reopen: Describe the full set of options that you want to
have in effect after the operation; if you don't want to change some
option, you just specify it again with its old value.
Specifically for luks, this probably means that you have a @slots, which
is a list that contains at least the secret for each slot, or JSON null
for a slot that should be left empty.
With the same approach, you don't have to make 'size' optional in later
patches, you can just require that the current size is re-specified. And
later, blockdev-amend could actually allow changing the size of images
if you provide a different value.
Kevin