qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] [PATCH 00/13] RFC: luks/encrypted qcow2 key management

From: Maxim Levitsky
Subject: [Qemu-devel] [PATCH 00/13] RFC: luks/encrypted qcow2 key management
Date: Wed, 14 Aug 2019 23:22:06 +0300 
Hi!

This patch series implements key management for luks based encryption
It supports both raw luks images and qcow2 encrypted images.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1731898

There are still several issues that need to be figured out,
on which the feedback is very welcome, but other than that the code mostly 
works.

The main issues are:

1. Instead of the proposed blockdev-update-encryption/blockdev-erase-encryption
interface, it is probably better to implement 'blockdev-amend-options' in qmp,
and use this both for offline and online key update (with some translation
layer to convert the qemu-img 'options' to qmp structures)

This interface already exists for offline qcow2 format options update/

This is an issue that was raised today on IRC with Kevin Wolf. Really thanks
for the idea!

We agreed that this new qmp interface should take the same options as
blockdev-create does, however since we want to be able to edit the encryption
slots separately, this implies that we sort of need to allow this on creation
time as well.

Also the BlockdevCreateOptions is a union, which is specialized by the driver 
name
which is great for creation, but for update, the driver name is already known,
and thus the user should not be forced to pass it again.
However qmp doesn't seem to support union type guessing based on actual fields
given (this might not be desired either), which complicates this somewhat.

2. 'crypto' driver (the raw luks block device/file) has special behavior for

share-rw=on. write sharing usually is only allowed for raw files, files that
qemu doesn't itself touch, but only guest does. For such files a well behaved 
guests can
share the storage.

On the other hand most of the format drivers need to store the metadata, and we 
don't
have any format driver which implements some kind of sync vs other users of the 
same
file, thus this is not allowed.

However since for luks which is technically a format driver, the metadata is 
readonly,
such write sharing was allowed till now, and due to backward compatibility 
should
still be allowed in the future.

This causes an issue with online updating of the keys, and the solution that 
was suggested
by Keven that I implemented was to request the exclusive write access only 
during the key
update.

Testing. This was lightly tested with manual testing and with few iotests that 
I prepared.
I haven't yet tested fully the write sharing behavior, nor did I run the whole 
iotests
suite to see if this code causes some regressions. Since I will need probably
to rewrite some chunks of it to change to 'amend' interface, I decided to post 
it now,
to see if you have other ideas/comments to add.

Best regards,
        Maxim Levitsky

Maxim Levitsky (13):
  block-crypto: misc refactoring
  qcrypto-luks: misc refactoring
  qcrypto-luks: refactoring: extract load/store/check/parse header
    functions
  qcrypto-luks: refactoring: simplify the math used for keyslot
    locations
  qcrypto-luks: clear the masterkey and password before freeing them
    always
  qcrypto-luks: implement more rigorous header checking
  block: add manage-encryption command (qmp and blockdev)
  qcrypto: add the plumbing for encryption management
  qcrypto-luks: implement the encryption key management
  block/crypto: implement the encryption key management
  block/qcow2: implement the encryption key managment
  qemu-img: implement key management
  iotests : add tests for encryption key management

 block/block-backend.c            |    9 +
 block/crypto.c                   |  127 ++-
 block/crypto.h                   |    3 +
 block/io.c                       |   24 +
 block/qcow2.c                    |   27 +
 blockdev.c                       |   40 +
 crypto/block-luks.c              | 1673 ++++++++++++++++++++----------
 crypto/block.c                   |   29 +
 crypto/blockpriv.h               |    9 +
 include/block/block.h            |   12 +
 include/block/block_int.h        |   11 +
 include/crypto/block.h           |   27 +
 include/sysemu/block-backend.h   |    7 +
 qapi/block-core.json             |   36 +
 qapi/crypto.json                 |   26 +
 qemu-img-cmds.hx                 |   13 +
 qemu-img.c                       |  140 +++
 tests/qemu-iotests/257           |  197 ++++
 tests/qemu-iotests/257.out       |   96 ++
 tests/qemu-iotests/258           |   95 ++
 tests/qemu-iotests/258.out       |   30 +
 tests/qemu-iotests/259           |  199 ++++
 tests/qemu-iotests/259.out       |    5 +
 tests/qemu-iotests/common.filter |    5 +-
 tests/qemu-iotests/group         |    3 +
 25 files changed, 2286 insertions(+), 557 deletions(-)
 create mode 100755 tests/qemu-iotests/257
 create mode 100644 tests/qemu-iotests/257.out
 create mode 100755 tests/qemu-iotests/258
 create mode 100644 tests/qemu-iotests/258.out
 create mode 100644 tests/qemu-iotests/259
 create mode 100644 tests/qemu-iotests/259.out

-- 
2.17.2
reply via email to
[Prev in Thread] Current Thread [Next in Thread]