[libvirt] [PATCH RFC 00/16] Add support for LUKS encrypted devices

Daniel P. Berrange berrange at redhat.com
Wed Jun 8 08:20:12 UTC 2016 

On Tue, Jun 07, 2016 at 02:34:39PM -0400, John Ferlan wrote:
> 
> 
> On 06/07/2016 12:01 PM, Daniel P. Berrange wrote:
> > On Tue, Jun 07, 2016 at 10:45:29AM -0400, John Ferlan wrote:
> >> Patches 1-3 were posted separately:
> >>
> >> http://www.redhat.com/archives/libvir-list/2016-June/msg00256.html
> >>
> >> But perhaps seeing the final direction will make things more clear as
> >> to why a "real" flag system wasn't used and keeping the current paradigm
> >> of constant value returns still works just fine.
> >>
> >> Patches 4-5 were posted separately:
> >>
> >> http://www.redhat.com/archives/libvir-list/2016-June/msg00091.html  (4)
> >> http://www.redhat.com/archives/libvir-list/2016-June/msg00094.html  (5)
> >>
> >> Although at one point patch 4 had an ACK:
> >>
> >> http://www.redhat.com/archives/libvir-list/2016-May/msg02115.html
> >>
> >> It wasn't clear if the more recent review rescinded that, so it still
> >> remains "in the list". I understand the concern about adding secret to
> >> cfg.mk checking, but without a better idea of how to handle - I left
> >> things as they were.
> >>
> >> Patches 6-16 are all new. Some parts are separable, but rather than continue
> >> piecemeal I just figured going with an RFC will at least 
> >>
> >> Patch 6 is only there to "prove" that using the current encryption paradigm
> >> XML still works, although if I've read the tea leaves correctly, the qemu
> >> support isn't working as desired/expected.
> >>
> >> Patch 7 adds "usage" as an XML attribute for encryption and the associated
> >> tests with that. I've chosen to "reuse" the <encryption> XML element rather
> >> than inventing something new.  I'm not opposed to something new, but let's
> >> decide up a name quickly...
> >>
> >> Patch 8-9 adds the ability for the storage backend to create/recognize a
> >> luks volume
> >>
> >> Patches 10-13 adds support for luks encryption in the storage backend.
> >> The new "<secret>" format uses "luks" as the usage type and "<key>" as
> >> the 'name'. If those names cause angst, I'm fine with changing, but just
> >> give a better suggestion!  Adding <cipher> and <ivgen> were a result of
> >> using qemu constructs from qemu commit id '3e308f20'. Since we are parsing
> >> something new, I figure failing in the domain parse code for this new type
> >> was acceptible as opposed to some post processing check.
> >>
> >> Patches 14-16 adds support for luks encryption to the domain using
> >> <encryption type='luks'... <secret format='key' usage/uuid='xxx'>>
> >>
> >> I've tested using a "good" and "bad" password and got the expected results
> >> for starting a domain.  I did not add 'virsh vol-create-as' support just
> >> yet. I figured that would be less to go back and redo if the names of
> >> elements changes.  I've also run the changes through Coverity with no
> >> new issues detected.
> >>
> >> The whole series is a result of the following bz:
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1301021
> > 
> > BTW, one of the core reasons for the LUKS support in QEMU is to facilitate
> > use of LUKS with non-local-file based disks. eg, LUKS over RBD, or LUKS
> > over NBD or LUKS over iSCSI, etc.
> > 
> > The diffstat for the files shows you've wired up luks-over-plain-file
> > ok, but I'm wondering if the code posted here is also dealing with the
> > broader support, or if that's something to be addressed later.
> > 
> > No big deal either way, particularly since qemu-img can't actually
> > create LUKS volumes on anything other than plain files/block devs
> > yet.
> > 
> 
> Hmm, right, sigh, but I had to start somewhere. So rather than be
> either/or in qemuDomainSecretDiskPrepare and qemuBuildDriveStr, there
> would need to be a way to have multiple 'secinfo' structs per disk or
> maybe one for <auth> and one for <encrypt>. Can we predict the future
> and go with a list or just two secinfo's...  Any preference?

I'd suggest just two secinfos. Then again if we have a chain of backing
files that are encrpted or need authentication - of course I don't think
our XML lets us deal with that yet anyway.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the libvir-list mailing list