2009-08-19 19:50:10 +00:00
|
|
|
/*
|
2014-03-28 03:26:44 +00:00
|
|
|
* virstorageencryption.h: volume encryption information
|
2009-08-19 19:50:10 +00:00
|
|
|
*
|
2014-03-28 03:26:44 +00:00
|
|
|
* Copyright (C) 2009-2011, 2014 Red Hat, Inc.
|
2009-08-19 19:50:10 +00:00
|
|
|
*
|
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
2012-09-20 22:30:55 +00:00
|
|
|
* License along with this library. If not, see
|
2012-07-21 10:06:23 +00:00
|
|
|
* <http://www.gnu.org/licenses/>.
|
2009-08-19 19:50:10 +00:00
|
|
|
*
|
|
|
|
|
* Red Hat Author: Miloslav Trmač <mitr@redhat.com>
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef __VIR_STORAGE_ENCRYPTION_H__
|
2010-03-09 18:22:22 +00:00
|
|
|
# define __VIR_STORAGE_ENCRYPTION_H__
|
2009-08-19 19:50:10 +00:00
|
|
|
|
2010-03-09 18:22:22 +00:00
|
|
|
# include "internal.h"
|
2012-12-04 12:04:07 +00:00
|
|
|
# include "virbuffer.h"
|
2016-05-30 11:47:46 +00:00
|
|
|
# include "virsecret.h"
|
2012-12-13 17:44:57 +00:00
|
|
|
# include "virutil.h"
|
2009-08-19 19:50:10 +00:00
|
|
|
|
2010-03-09 18:22:22 +00:00
|
|
|
# include <libxml/tree.h>
|
2009-08-19 19:50:10 +00:00
|
|
|
|
2014-04-27 00:15:22 +00:00
|
|
|
typedef enum {
|
2009-08-19 19:50:10 +00:00
|
|
|
VIR_STORAGE_ENCRYPTION_SECRET_TYPE_PASSPHRASE = 0,
|
|
|
|
|
|
|
|
|
|
VIR_STORAGE_ENCRYPTION_SECRET_TYPE_LAST
|
2014-04-27 00:15:22 +00:00
|
|
|
} virStorageEncryptionSecretType;
|
2014-05-14 19:48:15 +00:00
|
|
|
VIR_ENUM_DECL(virStorageEncryptionSecret)
|
2009-08-19 19:50:10 +00:00
|
|
|
|
|
|
|
|
typedef struct _virStorageEncryptionSecret virStorageEncryptionSecret;
|
|
|
|
|
typedef virStorageEncryptionSecret *virStorageEncryptionSecretPtr;
|
|
|
|
|
struct _virStorageEncryptionSecret {
|
Revert "maint: prefer enum over int for virstoragefile structs"
This partially reverts commits b279e52f7 and ea18f8b2.
It turns out our code base is full of:
if ((struct.member = virBlahFromString(str)) < 0)
goto error;
Meanwhile, the C standard says it is up to the compiler whether
an enum is signed or unsigned when all of its declared values
happen to be positive. In my testing (Fedora 20, gcc 4.8.2),
the compiler picked signed, and nothing changed. But others
testing with gcc 4.7 got compiler warnings, because it picked
the enum to be unsigned, but no unsigned value is less than 0.
Even worse:
if ((struct.member = virBlahFromString(str)) <= 0)
goto error;
is silently compiled without warning, but incorrectly treats -1
from a bad parse as a large positive number with no warning; and
without the compiler's help to find these instances, it is a
nightmare to maintain correctly. We could force signed enums
with a dummy negative declaration in each enum, or cast the
result of virBlahFromString back to int after assigning to an
enum value, or use a temporary int for collecting results from
virBlahFromString, but those actions are all uglier than what we
were trying to cure by directly using enum types for struct
values in the first place. It's better off to just live with int
members, and use 'switch ((virFoo) struct.member)' where we want
the compiler to help, than to track down all the conversions from
string to enum and ensure they don't suffer from type problems.
* src/util/virstorageencryption.h: Revert back to int declarations
with comment about enum usage.
* src/util/virstoragefile.h: Likewise.
* src/conf/domain_conf.c: Restore back to casts in switches.
* src/qemu/qemu_driver.c: Likewise.
* src/qemu/qemu_command.c: Add cast rather than revert.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-05-17 00:50:03 +00:00
|
|
|
int type; /* virStorageEncryptionSecretType */
|
2016-05-30 11:47:46 +00:00
|
|
|
virSecretLookupTypeDef seclookupdef;
|
2009-08-19 19:50:10 +00:00
|
|
|
};
|
|
|
|
|
|
2016-06-01 23:21:26 +00:00
|
|
|
/* It's possible to dictate the cipher and if necessary iv */
|
|
|
|
|
typedef struct _virStorageEncryptionInfoDef virStorageEncryptionInfoDef;
|
|
|
|
|
typedef virStorageEncryptionInfoDef *virStorageEncryptionInfoDefPtr;
|
|
|
|
|
struct _virStorageEncryptionInfoDef {
|
|
|
|
|
unsigned int cipher_size;
|
|
|
|
|
char *cipher_name;
|
|
|
|
|
char *cipher_mode;
|
|
|
|
|
char *cipher_hash;
|
|
|
|
|
char *ivgen_name;
|
|
|
|
|
char *ivgen_hash;
|
|
|
|
|
};
|
|
|
|
|
|
2014-05-14 19:36:56 +00:00
|
|
|
typedef enum {
|
2009-08-19 19:50:10 +00:00
|
|
|
/* "default" is only valid for volume creation */
|
|
|
|
|
VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT = 0,
|
|
|
|
|
VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */
|
2016-06-01 19:01:31 +00:00
|
|
|
VIR_STORAGE_ENCRYPTION_FORMAT_LUKS,
|
2009-08-19 19:50:10 +00:00
|
|
|
|
|
|
|
|
VIR_STORAGE_ENCRYPTION_FORMAT_LAST,
|
2014-05-14 19:36:56 +00:00
|
|
|
} virStorageEncryptionFormatType;
|
2009-08-19 19:50:10 +00:00
|
|
|
VIR_ENUM_DECL(virStorageEncryptionFormat)
|
|
|
|
|
|
|
|
|
|
typedef struct _virStorageEncryption virStorageEncryption;
|
|
|
|
|
typedef virStorageEncryption *virStorageEncryptionPtr;
|
|
|
|
|
struct _virStorageEncryption {
|
Revert "maint: prefer enum over int for virstoragefile structs"
This partially reverts commits b279e52f7 and ea18f8b2.
It turns out our code base is full of:
if ((struct.member = virBlahFromString(str)) < 0)
goto error;
Meanwhile, the C standard says it is up to the compiler whether
an enum is signed or unsigned when all of its declared values
happen to be positive. In my testing (Fedora 20, gcc 4.8.2),
the compiler picked signed, and nothing changed. But others
testing with gcc 4.7 got compiler warnings, because it picked
the enum to be unsigned, but no unsigned value is less than 0.
Even worse:
if ((struct.member = virBlahFromString(str)) <= 0)
goto error;
is silently compiled without warning, but incorrectly treats -1
from a bad parse as a large positive number with no warning; and
without the compiler's help to find these instances, it is a
nightmare to maintain correctly. We could force signed enums
with a dummy negative declaration in each enum, or cast the
result of virBlahFromString back to int after assigning to an
enum value, or use a temporary int for collecting results from
virBlahFromString, but those actions are all uglier than what we
were trying to cure by directly using enum types for struct
values in the first place. It's better off to just live with int
members, and use 'switch ((virFoo) struct.member)' where we want
the compiler to help, than to track down all the conversions from
string to enum and ensure they don't suffer from type problems.
* src/util/virstorageencryption.h: Revert back to int declarations
with comment about enum usage.
* src/util/virstoragefile.h: Likewise.
* src/conf/domain_conf.c: Restore back to casts in switches.
* src/qemu/qemu_driver.c: Likewise.
* src/qemu/qemu_command.c: Add cast rather than revert.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-05-17 00:50:03 +00:00
|
|
|
int format; /* virStorageEncryptionFormatType */
|
2017-03-24 13:26:17 +00:00
|
|
|
int payload_offset;
|
2009-08-19 19:50:10 +00:00
|
|
|
|
|
|
|
|
size_t nsecrets;
|
|
|
|
|
virStorageEncryptionSecretPtr *secrets;
|
2016-06-01 23:21:26 +00:00
|
|
|
|
|
|
|
|
virStorageEncryptionInfoDef encinfo;
|
2009-08-19 19:50:10 +00:00
|
|
|
};
|
|
|
|
|
|
2014-06-12 13:26:18 +00:00
|
|
|
virStorageEncryptionPtr virStorageEncryptionCopy(const virStorageEncryption *src)
|
|
|
|
|
ATTRIBUTE_NONNULL(1);
|
|
|
|
|
|
2009-08-19 19:50:10 +00:00
|
|
|
void virStorageEncryptionFree(virStorageEncryptionPtr enc);
|
Fix UUID handling in secrets/storage encryption APIs
Convert all the secret/storage encryption APIs / wire format to
handle UUIDs in raw format instead of non-canonical printable
format. Guarentees data format correctness.
* docs/schemas/storageencryption.rng: Make UUID mandatory for a secret
and validate fully
* docs/schemas/secret.rng: Fully validate UUID
* include/libvirt/libvirt.h, include/libvirt/libvirt.h.in, Add
virSecretLookupByUUID and virSecretGetUUID. Make
virSecretGetUUIDString follow normal API design pattern
* python/generator.py: Skip generation of virSecretGetUUID,
virSecretGetUUIDString and virSecretLookupByUUID
* python/libvir.c, python/libvirt-python-api.xml: Manual impl
of virSecretGetUUID,virSecretGetUUIDString and virSecretLookupByUUID
* qemud/remote.c: s/virSecretLookupByUUIDString/virSecretLookupByUUID/
Fix get_nonnull_secret/make_nonnull_secret to use unsigned char
* qemud/remote_protocol.x: Fix remote_nonnull_secret to use a
remote_uuid instead of remote_nonnull_string for UUID field.
Rename REMOTE_PROC_SECRET_LOOKUP_BY_UUID_STRING to
REMOTE_PROC_SECRET_LOOKUP_BY_UUID_STRING and make it take an
remote_uuid value
* qemud/remote_dispatch_args.h, qemud/remote_dispatch_prototypes.h,
qemud/remote_dispatch_ret.h, qemud/remote_dispatch_table.h,
qemud/remote_protocol.c, qemud/remote_protocol.h: Re-generate
* src/datatypes.h, src/datatypes.c: Store UUID in raw format instead
of printable. Change virGetSecret to use raw format UUID
* src/driver.h: Rename virDrvSecretLookupByUUIDString to
virDrvSecretLookupByUUID and use raw format UUID
* src/libvirt.c: Add virSecretLookupByUUID and virSecretGetUUID
and re-implement virSecretLookupByUUIDString and
virSecretGetUUIDString in terms of those
* src/libvirt_public.syms: Add virSecretLookupByUUID and
virSecretGetUUID
* src/remote_internal.c: Rename remoteSecretLookupByUUIDString
to remoteSecretLookupByUUID. Fix typo in args for
remoteSecretDefineXML impl. Use raw UUID format for
get_nonnull_secret and make_nonnull_secret
* src/storage_encryption_conf.c, src/storage_encryption_conf.h:
Storage UUID in raw format, and require it to be present in
XML. Use UUID parser to validate.
* secret_conf.h, secret_conf.c: Generate a UUID if none is provided.
Storage UUID in raw format.
* src/secret_driver.c: Adjust to deal with raw UUIDs. Save secrets
in a filed with printable UUID, instead of base64 UUID.
* src/virsh.c: Adjust for changed public API contract of
virSecretGetUUIDString.
* src/storage_Backend.c: DOn't undefine secret we just generated
upon successful volume creation. Fix to handle raw UUIDs. Generate
a non-clashing UUID
* src/qemu_driver.c: Change to use lookupByUUID instead of
lookupByUUIDString
2009-09-10 16:44:12 +00:00
|
|
|
|
2018-03-06 13:17:59 +00:00
|
|
|
virStorageEncryptionPtr virStorageEncryptionParseNode(xmlNodePtr node,
|
|
|
|
|
xmlXPathContextPtr ctxt);
|
2010-02-10 11:42:56 +00:00
|
|
|
int virStorageEncryptionFormat(virBufferPtr buf,
|
2011-09-22 18:16:26 +00:00
|
|
|
virStorageEncryptionPtr enc);
|
2009-08-19 19:50:10 +00:00
|
|
|
|
2009-08-14 18:06:59 +00:00
|
|
|
/* A helper for VIR_STORAGE_ENCRYPTION_FORMAT_QCOW */
|
|
|
|
|
enum {
|
|
|
|
|
VIR_STORAGE_QCOW_PASSPHRASE_SIZE = 16
|
|
|
|
|
};
|
|
|
|
|
|
2010-02-10 11:42:56 +00:00
|
|
|
int virStorageGenerateQcowPassphrase(unsigned char *dest);
|
2009-08-14 18:06:59 +00:00
|
|
|
|
2009-08-19 19:50:10 +00:00
|
|
|
#endif /* __VIR_STORAGE_ENCRYPTION_H__ */
|
