diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 22ef81052d..713d7aa88a 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -2974,6 +2974,10 @@ See the Storage Encryption page for more information. +

+ Note that the 'qcow' format of encryption is broken and thus is no + longer supported for use with disk images. + (Since libvirt 4.5.0)

reservations
Since libvirt 4.4.0, the diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in index 23efbf932e..434bdb609e 100644 --- a/docs/formatstorageencryption.html.in +++ b/docs/formatstorageencryption.html.in @@ -53,9 +53,8 @@ The qcow format specifies that the built-in encryption support in qcow- or qcow2-formatted volume images should be used. A single - <secret type='passphrase'> element is expected. If - the secret element is not present during volume creation, - a secret is automatically generated and attached to the volume. + <secret type='passphrase'> element is expected. Note + that this encryption is inherently broken and should not be used any more.

"luks" format

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 2792fa7569..96793a5046 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -4483,6 +4483,16 @@ qemuDomainValidateStorageSource(virStorageSourcePtr src, return -1; } + if ((src->format == VIR_STORAGE_FILE_QCOW || + src->format == VIR_STORAGE_FILE_QCOW2) && + src->encryption && + (src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_DEFAULT || + src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_QCOW)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("old qcow/qcow2 encryption is not supported")); + return -1; + } + if (src->format == VIR_STORAGE_FILE_QCOW2 && src->encryption && src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS && diff --git a/tests/qemuxml2argvdata/encrypted-disk-usage.args b/tests/qemuxml2argvdata/encrypted-disk-usage.args index 8c7ce3d653..32307cea71 100644 --- a/tests/qemuxml2argvdata/encrypted-disk-usage.args +++ b/tests/qemuxml2argvdata/encrypted-disk-usage.args @@ -7,6 +7,8 @@ QEMU_AUDIO_DRV=none \ /usr/bin/qemu-system-i686 \ -name encryptdisk \ -S \ +-object secret,id=masterKey0,format=raw,\ +file=/tmp/lib/domain--1-encryptdisk/master-key.aes \ -machine pc,accel=tcg,usb=off,dump-guest-core=off \ -m 1024 \ -smp 1,sockets=1,cores=1,threads=1 \ @@ -22,7 +24,11 @@ path=/tmp/lib/domain--1-encryptdisk/monitor.sock,server,nowait \ -no-acpi \ -boot c \ -usb \ --drive file=/storage/guest_disks/encryptdisk,format=qcow2,if=none,\ +-object secret,id=virtio-disk0-luks-secret0,\ +data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ +keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ +-drive file=/storage/guest_disks/encryptdisk,encrypt.format=luks,\ +encrypt.key-secret=virtio-disk0-luks-secret0,format=qcow2,if=none,\ id=drive-virtio-disk0 \ -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\ id=virtio-disk0 \ diff --git a/tests/qemuxml2argvdata/encrypted-disk-usage.xml b/tests/qemuxml2argvdata/encrypted-disk-usage.xml index ad8f17e3df..205283b59d 100644 --- a/tests/qemuxml2argvdata/encrypted-disk-usage.xml +++ b/tests/qemuxml2argvdata/encrypted-disk-usage.xml @@ -18,7 +18,7 @@ - +

diff --git a/tests/qemuxml2argvdata/encrypted-disk.args b/tests/qemuxml2argvdata/encrypted-disk.args index 8c7ce3d653..32307cea71 100644 --- a/tests/qemuxml2argvdata/encrypted-disk.args +++ b/tests/qemuxml2argvdata/encrypted-disk.args @@ -7,6 +7,8 @@ QEMU_AUDIO_DRV=none \ /usr/bin/qemu-system-i686 \ -name encryptdisk \ -S \ +-object secret,id=masterKey0,format=raw,\ +file=/tmp/lib/domain--1-encryptdisk/master-key.aes \ -machine pc,accel=tcg,usb=off,dump-guest-core=off \ -m 1024 \ -smp 1,sockets=1,cores=1,threads=1 \ @@ -22,7 +24,11 @@ path=/tmp/lib/domain--1-encryptdisk/monitor.sock,server,nowait \ -no-acpi \ -boot c \ -usb \ --drive file=/storage/guest_disks/encryptdisk,format=qcow2,if=none,\ +-object secret,id=virtio-disk0-luks-secret0,\ +data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ +keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ +-drive file=/storage/guest_disks/encryptdisk,encrypt.format=luks,\ +encrypt.key-secret=virtio-disk0-luks-secret0,format=qcow2,if=none,\ id=drive-virtio-disk0 \ -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\ id=virtio-disk0 \ diff --git a/tests/qemuxml2argvdata/encrypted-disk.xml b/tests/qemuxml2argvdata/encrypted-disk.xml index 391461b200..275724bdaf 100644 --- a/tests/qemuxml2argvdata/encrypted-disk.xml +++ b/tests/qemuxml2argvdata/encrypted-disk.xml @@ -18,7 +18,7 @@ - +
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 2d41f78f8b..64d112be36 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -1651,8 +1651,8 @@ mymain(void) DO_TEST("cpu-tsc-frequency", QEMU_CAPS_KVM); qemuTestSetHostCPU(driver.caps, NULL); - DO_TEST("encrypted-disk", NONE); - DO_TEST("encrypted-disk-usage", NONE); + DO_TEST("encrypted-disk", QEMU_CAPS_QCOW2_LUKS, QEMU_CAPS_OBJECT_SECRET); + DO_TEST("encrypted-disk-usage", QEMU_CAPS_QCOW2_LUKS, QEMU_CAPS_OBJECT_SECRET); # ifdef WITH_GNUTLS DO_TEST("luks-disks", QEMU_CAPS_OBJECT_SECRET); DO_TEST("luks-disks-source", QEMU_CAPS_OBJECT_SECRET); diff --git a/tests/qemuxml2xmloutdata/encrypted-disk.xml b/tests/qemuxml2xmloutdata/encrypted-disk.xml index 45b9fcca55..3c9d2fbafc 100644 --- a/tests/qemuxml2xmloutdata/encrypted-disk.xml +++ b/tests/qemuxml2xmloutdata/encrypted-disk.xml @@ -18,7 +18,7 @@ - +
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c index 66b8238906..56b666256f 100644 --- a/tests/qemuxml2xmltest.c +++ b/tests/qemuxml2xmltest.c @@ -482,8 +482,8 @@ mymain(void) DO_TEST("pci-rom-disabled-invalid", NONE); DO_TEST("pci-serial-dev-chardev", NONE); - DO_TEST("encrypted-disk", NONE); - DO_TEST("encrypted-disk-usage", NONE); + DO_TEST("encrypted-disk", QEMU_CAPS_QCOW2_LUKS); + DO_TEST("encrypted-disk-usage", QEMU_CAPS_QCOW2_LUKS); DO_TEST("luks-disks", NONE); DO_TEST("luks-disks-source", NONE); DO_TEST("memtune", NONE);