[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: API definition for LUKS key management [V2]
From: |
Kevin Wolf |
Subject: |
Re: API definition for LUKS key management [V2] |
Date: |
Tue, 26 Nov 2019 15:24:25 +0100 |
User-agent: |
Mutt/1.12.1 (2019-06-15) |
Am 25.11.2019 um 19:45 hat Max Reitz geschrieben:
> On 22.11.19 15:22, Maxim Levitsky wrote:
> > Hi!
> >
> > This is the second version of the proposed QMP API for key management,
> > after discussion with Keven and Max.
> >
> > Will this work?
> >
> > Adding Peter Krempa to CC, to hear his opinion from the
> > libvirt side.
> >
> > Best regards,
> > Maxim Levitsky
>
> Looks good to me overall. I don’t think we need to overly push having
> the same interface for create and amend, because I don’t see much to be
> gained from it.
>
> [...]
>
> > diff --git a/qapi/crypto.json b/qapi/crypto.json
> > index b2a4cff683..019db682cd 100644
> > --- a/qapi/crypto.json
> > +++ b/qapi/crypto.json
> > @@ -309,3 +309,56 @@
> > 'base': 'QCryptoBlockInfoBase',
> > 'discriminator': 'format',
> > 'data': { 'luks': 'QCryptoBlockInfoLUKS' } }
> > +
> > +
> > +##
> > +# @LUKSKeyslotUpdate:
> > +#
> > +# @keyslot: If specified, will update only keyslot with this index
> > +#
> > +# @old-secret: If specified, will only update keyslots that
> > +# can be opened with password which is contained in
> > +# QCryptoSecret with @old-secret ID
> > +#
> > +# If neither @keyslot nor @old-secret is specified,
> > +# first empty keyslot is selected for the update
> > +#
> > +# @new-secret: The ID of a QCryptoSecret object providing a new
> > decryption
> > +# key to place in all matching keyslots. Empty string
> > erases the
> > +# keyslot.
>
> Hm... Can’t we make this some string-or-null alternate type so that
> null will erase the keyslot? That would make more sense to me.
The only problem is that it doesn't map nicely to the command line.
Kevin
signature.asc
Description: PGP signature
Re: API definition for LUKS key management, Daniel P . Berrangé, 2019/11/12