From 060f344c8090c6c7af9cc57108d44aed0ed9a029 Mon Sep 17 00:00:00 2001 From: Or Ozeri Date: Sun, 24 Oct 2021 04:51:30 -0500 Subject: [PATCH] conf: add luks2 encryption format This commit extends libvirt XML configuration to support luks2 encryption format. This means that becomes valid. Currently librbd is the only engine that supports this new format. Signed-off-by: Or Ozeri Reviewed-by: Peter Krempa --- docs/formatstorageencryption.html.in | 14 +++++++++++++- docs/schemas/storagecommon.rng | 1 + src/conf/storage_encryption_conf.c | 2 +- src/conf/storage_encryption_conf.h | 1 + src/qemu/qemu_block.c | 9 +++++++++ src/qemu/qemu_domain.c | 9 ++++++++- ...isk-network-rbd-encryption.x86_64-latest.args | 16 ++++++++++------ .../disk-network-rbd-encryption.xml | 12 ++++++++++++ ...disk-network-rbd-encryption.x86_64-latest.xml | 13 +++++++++++++ 9 files changed, 68 insertions(+), 9 deletions(-) diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in index fb04a6a0ad..86d884f93d 100644 --- a/docs/formatstorageencryption.html.in +++ b/docs/formatstorageencryption.html.in @@ -18,7 +18,7 @@ is encryption, with a mandatory attribute format. Currently defined values of format are default, qcow, - and luks. + luks, and luks2. Each value of format implies some expectations about the content of the encryption tag. Other format values may be defined in the future. @@ -125,6 +125,18 @@ +

"luks2" format

+

+ The luks2 format is currently supported only by the + librbd engine, and can only be applied to RBD network disks. + Since the librbd engine is currently not supported by the + storage driver, you cannot use it to control such disks. However, + pre-formatted RBD luks2 disks can be loaded to a qemu VM using the qemu + VM driver. + A single + <secret type='passphrase'...> element is expected. +

+

Examples

diff --git a/docs/schemas/storagecommon.rng b/docs/schemas/storagecommon.rng index 3ddff02e43..591a158209 100644 --- a/docs/schemas/storagecommon.rng +++ b/docs/schemas/storagecommon.rng @@ -13,6 +13,7 @@ default qcow luks + luks2 diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c index d45ad717a0..a65ef1f8a2 100644 --- a/src/conf/storage_encryption_conf.c +++ b/src/conf/storage_encryption_conf.c @@ -44,7 +44,7 @@ VIR_ENUM_IMPL(virStorageEncryptionSecret, VIR_ENUM_IMPL(virStorageEncryptionFormat, VIR_STORAGE_ENCRYPTION_FORMAT_LAST, - "default", "qcow", "luks", + "default", "qcow", "luks", "luks2", ); VIR_ENUM_IMPL(virStorageEncryptionEngine, diff --git a/src/conf/storage_encryption_conf.h b/src/conf/storage_encryption_conf.h index 0931618608..312599ad44 100644 --- a/src/conf/storage_encryption_conf.h +++ b/src/conf/storage_encryption_conf.h @@ -65,6 +65,7 @@ typedef enum { VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT = 0, VIR_STORAGE_ENCRYPTION_FORMAT_QCOW, /* Both qcow and qcow2 */ VIR_STORAGE_ENCRYPTION_FORMAT_LUKS, + VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2, VIR_STORAGE_ENCRYPTION_FORMAT_LAST, } virStorageEncryptionFormatType; diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index 4af06aea1b..34fdec2c4b 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -908,6 +908,10 @@ qemuBlockStorageSourceGetRBDProps(virStorageSource *src, encformat = "luks"; break; + case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2: + encformat = "luks2"; + break; + case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW: virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("librbd encryption engine only supports luks/luks2 formats")); 
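Review bot: The new `case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2:` in qemuBlockStorageSourceGetRBDProps hands the bare string `"luks2"` to QEMU with nothing recording where that value has to be valid; the test output further down shows it lands in the rbd blockdev's `"encrypt":{"format":"luks2",...}`, so the string set is dictated by QEMU's rbd QAPI schema rather than by libvirt. A one-line comment above the first `encformat = ` assignment would stop the next format from being added by analogy, e.g. `/* encformat must be a value QEMU's rbd blockdev accepts for encrypt.format */`. Whether the running QEMU accepts `luks2` is not checked in this hunk, so it presumably rests on the same capability gate as `luks` elsewhere — worth confirming that the two were introduced together on the QEMU side. The enclosing function begins and ends outside the hunk.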
@@ -1358,6 +1362,11 @@ qemuBlockStorageSourceGetCryptoProps(virStorageSource *src, encformat = "luks"; break; + case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2: + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("luks2 is currently not supported by the qemu encryption engine")); + return -1; + case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT: case VIR_STORAGE_ENCRYPTION_FORMAT_LAST: default: diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 3309dd6cde..209337404a 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -1188,7 +1188,8 @@ static bool qemuDomainDiskHasEncryptionSecret(virStorageSource *src) { if (!virStorageSourceIsEmpty(src) && src->encryption && - src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS && + (src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS || + src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2) && src->encryption->nsecrets > 0) return true; @@ -4778,6 +4779,11 @@ qemuDomainValidateStorageSource(virStorageSource *src, case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW: break; + case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2: + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("luks2 is currently not supported by the qemu encryption engine")); + return -1; + case VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT: case VIR_STORAGE_ENCRYPTION_FORMAT_LAST: default: @@ -4796,6 +4802,7 @@ qemuDomainValidateStorageSource(virStorageSource *src, switch ((virStorageEncryptionFormatType) src->encryption->format) { case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS: + case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2: break; case VIR_STORAGE_ENCRYPTION_FORMAT_QCOW: diff --git a/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args index 474c245d60..00f6168e96 100644 --- a/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args +++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption.x86_64-latest.args 
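Review bot: The librbd-engine switch at `@@ -4796` in qemuDomainValidateStorageSource lets `VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2` through with no capability check of its own, so a QEMU whose rbd driver predates luks2 support would fail at startup with an opaque QMP error instead of the VIR_ERR_CONFIG_UNSUPPORTED a user gets for other invalid combinations. If the rbd-encryption capability that already guards the `luks` case (outside this hunk) was introduced together with luks2 on the QEMU side, say so next to the new label, `case VIR_STORAGE_ENCRYPTION_FORMAT_LUKS2: /* same QEMU capability as luks */`; otherwise add a dedicated capability test. The identical rejection message `luks2 is currently not supported by the qemu encryption engine` is now emitted both here at `@@ -4778` and in qemuBlockStorageSourceGetCryptoProps; since validation runs first, the second copy is a defensive duplicate and a comment marking it as such (or a shared helper) would keep the two from drifting. All three enclosing functions start and end outside the hunks shown.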
@@ -27,18 +27,22 @@ XDG_CONFIG_HOME=/tmp/lib/domain--1-encryptdisk/.config \ -no-acpi \ -boot strict=on \ -device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \ +-object '{"qom-type":"secret","id":"libvirt-4-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ +-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-4-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-4-format","read-only":false,"driver":"luks","key-secret":"libvirt-4-format-encryption-secret0","file":"libvirt-4-storage"}' \ +-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x2","drive":"libvirt-4-format","id":"virtio-disk0","bootindex":1}' \ -object '{"qom-type":"secret","id":"libvirt-3-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ -blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-3-storage","auto-read-only":true,"discard":"unmap"}' \ -blockdev '{"node-name":"libvirt-3-format","read-only":false,"driver":"luks","key-secret":"libvirt-3-format-encryption-secret0","file":"libvirt-3-storage"}' \ --device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x2","drive":"libvirt-3-format","id":"virtio-disk0","bootindex":1}' \ +-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x4","drive":"libvirt-3-format","id":"virtio-disk1"}' \ -object 
'{"qom-type":"secret","id":"libvirt-2-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ --blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}' \ --blockdev '{"node-name":"libvirt-2-format","read-only":false,"driver":"luks","key-secret":"libvirt-2-format-encryption-secret0","file":"libvirt-2-storage"}' \ --device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x4","drive":"libvirt-2-format","id":"virtio-disk1"}' \ +-blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks","key-secret":"libvirt-2-format-encryption-secret0"},"node-name":"libvirt-2-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-2-format","read-only":false,"driver":"raw","file":"libvirt-2-storage"}' \ +-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x5","drive":"libvirt-2-format","id":"virtio-disk2"}' \ -object '{"qom-type":"secret","id":"libvirt-1-format-encryption-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ --blockdev '{"driver":"rbd","pool":"pool","image":"image","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks","key-secret":"libvirt-1-format-encryption-secret0"},"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev 
'{"driver":"rbd","pool":"pool","image":"image2","server":[{"host":"mon1.example.org","port":"6321"},{"host":"mon2.example.org","port":"6322"},{"host":"mon3.example.org","port":"6322"}],"encrypt":{"format":"luks2","key-secret":"libvirt-1-format-encryption-secret0"},"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \ -blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw","file":"libvirt-1-storage"}' \ --device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x5","drive":"libvirt-1-format","id":"virtio-disk2"}' \ +-device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x6","drive":"libvirt-1-format","id":"virtio-disk3"}' \ -audiodev id=audio1,driver=none \ -device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","addr":"0x3"}' \ -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ diff --git a/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml b/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml index d8c2d3dbe2..eeadbfeeba 100644 --- a/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml +++ b/tests/qemuxml2argvdata/disk-network-rbd-encryption.xml @@ -50,6 +50,18 @@ + + + + + + + + + + + +
diff --git a/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml b/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml index d4942718bb..a91504202a 100644 --- a/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml +++ b/tests/qemuxml2xmloutdata/disk-network-rbd-encryption.x86_64-latest.xml @@ -56,6 +56,19 @@
+ + + + + + + + + + + +
+