From patchwork Tue Jun 14 16:24:36 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Daniel_P=2E_Berrang=C3=A9?= X-Patchwork-Id: 9176303 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 0DD516021C for ; Tue, 14 Jun 2016 16:58:35 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F265321327 for ; Tue, 14 Jun 2016 16:58:34 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E76D928047; Tue, 14 Jun 2016 16:58:34 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.9 required=2.0 tests=BAYES_00,FSL_HELO_HOME, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 4889821327 for ; Tue, 14 Jun 2016 16:58:34 +0000 (UTC) Received: from localhost ([::1]:36909 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bCrfd-0004SL-G4 for patchwork-qemu-devel@patchwork.kernel.org; Tue, 14 Jun 2016 12:58:33 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:56968) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bCr97-0006LX-5D for qemu-devel@nongnu.org; Tue, 14 Jun 2016 12:24:58 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bCr92-0000eU-Pg for qemu-devel@nongnu.org; Tue, 14 Jun 2016 12:24:56 -0400 Received: from mx1.redhat.com ([209.132.183.28]:60153) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bCr8u-0000ce-Ht; Tue, 14 Jun 2016 12:24:44 -0400 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 1DD7BC05B1F5; Tue, 14 Jun 2016 16:24:44 +0000 (UTC) Received: from t530wlan.home.berrange.com.com (vpn1-5-35.ams2.redhat.com [10.36.5.35]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u5EGOe5v006359; Tue, 14 Jun 2016 12:24:42 -0400 From: "Daniel P. Berrange" To: qemu-devel@nongnu.org Date: Tue, 14 Jun 2016 17:24:36 +0100 Message-Id: <1465921477-9005-2-git-send-email-berrange@redhat.com> In-Reply-To: <1465921477-9005-1-git-send-email-berrange@redhat.com> References: <1465921477-9005-1-git-send-email-berrange@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 14 Jun 2016 16:24:44 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH v3 1/2] crypto: add support for querying parameters for block encryption X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Kevin Wolf , qemu-block@nongnu.org, Max Reitz Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP When creating new block encryption volumes, we accept a list of parameters to control the formatting process. It is useful to be able to query what those parameters were for existing block devices. Add a qcrypto_block_get_info() method which returns a QCryptoBlockInfo instance to report this data. Signed-off-by: Daniel P. Berrange Reviewed-by: Max Reitz Reviewed-by: Eric Blake --- crypto/block-luks.c | 67 ++++++++++++++++++++++++++++++++++++++++++++ crypto/block.c | 17 +++++++++++ crypto/blockpriv.h | 4 +++ include/crypto/block.h | 16 +++++++++++ qapi/crypto.json | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 180 insertions(+) diff --git a/crypto/block-luks.c b/crypto/block-luks.c index 63649f1..6e940fb 100644 --- a/crypto/block-luks.c +++ b/crypto/block-luks.c @@ -201,6 +201,15 @@ QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSHeader) != 592); struct QCryptoBlockLUKS { QCryptoBlockLUKSHeader header; + + /* Cache parsed versions of what's in header fields, + * as we can't rely on QCryptoBlock.cipher being + * non-NULL */ + QCryptoCipherAlgorithm cipher_alg; + QCryptoCipherMode cipher_mode; + QCryptoIVGenAlgorithm ivgen_alg; + QCryptoHashAlgorithm ivgen_hash_alg; + QCryptoHashAlgorithm hash_alg; }; @@ -835,6 +844,12 @@ qcrypto_block_luks_open(QCryptoBlock *block, block->payload_offset = luks->header.payload_offset * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; + luks->cipher_alg = cipheralg; + luks->cipher_mode = ciphermode; + luks->ivgen_alg = ivalg; + luks->ivgen_hash_alg = ivhash; + luks->hash_alg = hash; + g_free(masterkey); g_free(password); @@ -1250,6 +1265,12 @@ qcrypto_block_luks_create(QCryptoBlock *block, goto error; } + luks->cipher_alg = luks_opts.cipher_alg; + luks->cipher_mode = luks_opts.cipher_mode; + luks->ivgen_alg = luks_opts.ivgen_alg; + luks->ivgen_hash_alg = luks_opts.ivgen_hash_alg; + luks->hash_alg = luks_opts.hash_alg; + memset(masterkey, 0, luks->header.key_bytes); g_free(masterkey); memset(slotkey, 0, luks->header.key_bytes); @@ -1284,6 +1305,51 @@ qcrypto_block_luks_create(QCryptoBlock *block, } +static int qcrypto_block_luks_get_info(QCryptoBlock *block, + QCryptoBlockInfo *info, + Error **errp) +{ + QCryptoBlockLUKS *luks = block->opaque; + QCryptoBlockInfoLUKSSlot *slot; + QCryptoBlockInfoLUKSSlotList *slots = NULL, **prev = &info->u.luks.slots; + size_t i; + + info->u.luks.cipher_alg = luks->cipher_alg; + info->u.luks.cipher_mode = luks->cipher_mode; + info->u.luks.ivgen_alg = luks->ivgen_alg; + if (info->u.luks.ivgen_alg == QCRYPTO_IVGEN_ALG_ESSIV) { + info->u.luks.has_ivgen_hash_alg = true; + info->u.luks.ivgen_hash_alg = luks->ivgen_hash_alg; + } + info->u.luks.hash_alg = luks->hash_alg; + info->u.luks.payload_offset = block->payload_offset; + info->u.luks.master_key_iters = luks->header.master_key_iterations; + info->u.luks.uuid = g_strndup((const char *)luks->header.uuid, + sizeof(luks->header.uuid)); + + for (i = 0; i < QCRYPTO_BLOCK_LUKS_NUM_KEY_SLOTS; i++) { + slots = g_new0(QCryptoBlockInfoLUKSSlotList, 1); + *prev = slots; + + slots->value = slot = g_new0(QCryptoBlockInfoLUKSSlot, 1); + slot->active = luks->header.key_slots[i].active == + QCRYPTO_BLOCK_LUKS_KEY_SLOT_ENABLED; + slot->key_offset = luks->header.key_slots[i].key_offset + * QCRYPTO_BLOCK_LUKS_SECTOR_SIZE; + if (slot->active) { + slot->has_iters = true; + slot->iters = luks->header.key_slots[i].iterations; + slot->has_stripes = true; + slot->stripes = luks->header.key_slots[i].stripes; + } + + prev = &slots->next; + } + + return 0; +} + + static void qcrypto_block_luks_cleanup(QCryptoBlock *block) { g_free(block->opaque); @@ -1321,6 +1387,7 @@ qcrypto_block_luks_encrypt(QCryptoBlock *block, const QCryptoBlockDriver qcrypto_block_driver_luks = { .open = qcrypto_block_luks_open, .create = qcrypto_block_luks_create, + .get_info = qcrypto_block_luks_get_info, .cleanup = qcrypto_block_luks_cleanup, .decrypt = qcrypto_block_luks_decrypt, .encrypt = qcrypto_block_luks_encrypt, diff --git a/crypto/block.c b/crypto/block.c index da60eba..be823ee 100644 --- a/crypto/block.c +++ b/crypto/block.c @@ -105,6 +105,23 @@ QCryptoBlock *qcrypto_block_create(QCryptoBlockCreateOptions *options, } +QCryptoBlockInfo *qcrypto_block_get_info(QCryptoBlock *block, + Error **errp) +{ + QCryptoBlockInfo *info = g_new0(QCryptoBlockInfo, 1); + + info->format = block->format; + + if (block->driver->get_info && + block->driver->get_info(block, info, errp) < 0) { + g_free(info); + return NULL; + } + + return info; +} + + int qcrypto_block_decrypt(QCryptoBlock *block, uint64_t startsector, uint8_t *buf, diff --git a/crypto/blockpriv.h b/crypto/blockpriv.h index 6297085..35217cd 100644 --- a/crypto/blockpriv.h +++ b/crypto/blockpriv.h @@ -53,6 +53,10 @@ struct QCryptoBlockDriver { void *opaque, Error **errp); + int (*get_info)(QCryptoBlock *block, + QCryptoBlockInfo *info, + Error **errp); + void (*cleanup)(QCryptoBlock *block); int (*encrypt)(QCryptoBlock *block, diff --git a/include/crypto/block.h b/include/crypto/block.h index a21e11f..369d2a0 100644 --- a/include/crypto/block.h +++ b/include/crypto/block.h @@ -138,6 +138,22 @@ QCryptoBlock *qcrypto_block_create(QCryptoBlockCreateOptions *options, void *opaque, Error **errp); + +/** + * qcrypto_block_get_info: + * @block: the block encryption object + * @errp: pointer to a NULL-initialized error object + * + * Get information about the configuration options for the + * block encryption object. This includes details such as + * the cipher algorithms, modes, and initialization vector + * generators. + * + * Returns: a block encryption info object, or NULL on error + */ +QCryptoBlockInfo *qcrypto_block_get_info(QCryptoBlock *block, + Error **errp); + /** * @qcrypto_block_decrypt: * @block: the block encryption object diff --git a/qapi/crypto.json b/qapi/crypto.json index 760d0c0..2c7465a 100644 --- a/qapi/crypto.json +++ b/qapi/crypto.json @@ -220,3 +220,79 @@ 'discriminator': 'format', 'data': { 'qcow': 'QCryptoBlockOptionsQCow', 'luks': 'QCryptoBlockCreateOptionsLUKS' } } + + +## +# QCryptoBlockInfoBase: +# +# The common information that applies to all full disk +# encryption formats +# +# @format: the encryption format +# +# Since: 2.7 +## +{ 'struct': 'QCryptoBlockInfoBase', + 'data': { 'format': 'QCryptoBlockFormat' }} + + +## +# QCryptoBlockInfoLUKSSlot: +# +# Information about the LUKS block encryption key +# slot options +# +# @active: whether the key slot is currently in use +# @key-offset: offset to the key material in bytes +# @iters: #optional number of PBKDF2 iterations for key material +# @stripes: #optional number of stripes for splitting key material +# +# Since: 2.7 +## +{ 'struct': 'QCryptoBlockInfoLUKSSlot', + 'data': {'active': 'bool', + '*iters': 'int', + '*stripes': 'int', + 'key-offset': 'int' } } + + +## +# QCryptoBlockInfoLUKS: +# +# Information about the LUKS block encryption options +# +# @cipher-alg: the cipher algorithm for data encryption +# @cipher-mode: the cipher mode for data encryption +# @ivgen-alg: the initialization vector generator +# @ivgen-hash-alg: #optional the initialization vector generator hash +# @hash-alg: the master key hash algorithm +# @payload-offset: offset to the payload data in bytes +# @master-key-iters: number of PBKDF2 iterations for key material +# @uuid: unique identifier for the volume +# @slots: information about each key slot +# +# Since: 2.7 +## +{ 'struct': 'QCryptoBlockInfoLUKS', + 'data': {'cipher-alg': 'QCryptoCipherAlgorithm', + 'cipher-mode': 'QCryptoCipherMode', + 'ivgen-alg': 'QCryptoIVGenAlgorithm', + '*ivgen-hash-alg': 'QCryptoHashAlgorithm', + 'hash-alg': 'QCryptoHashAlgorithm', + 'payload-offset': 'int', + 'master-key-iters': 'int', + 'uuid': 'str', + 'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }} + + +## +# QCryptoBlockInfo: +# +# Information about the block encryption options +# +# Since: 2.7 +## +{ 'union': 'QCryptoBlockInfo', + 'base': 'QCryptoBlockInfoBase', + 'discriminator': 'format', + 'data': { 'luks': 'QCryptoBlockInfoLUKS' } }