On Sun, Mar 08, 2020 at 05:18:56PM +0200, Maxim Levitsky wrote: > This implements the encryption key management using the generic code in > qcrypto layer and exposes it to the user via qemu-img > > This code adds another 'write_func' because the initialization > write_func works directly on the underlying file, and amend > works on instance of luks device. > > This commit also adds a 'hack/workaround' I and Kevin Wolf (thanks) > made to make the driver both support write sharing (to avoid breaking the > users), > and be safe against concurrent metadata update (the keyslots) > > Eventually the write sharing for luks driver will be deprecated > and removed together with this hack. > > The hack is that we ask (as a format driver) for BLK_PERM_CONSISTENT_READ > and then when we want to update the keys, we unshare that permission. > So if someone else has the image open, even readonly, encryption > key update will fail gracefully. > > Also thanks to Daniel Berrange for the idea of > unsharing read, rather that write permission which allows > to avoid cases when the other user had opened the image read-only. > > Signed-off-by: Maxim Levitsky <[email protected]> > --- > block/crypto.c | 127 +++++++++++++++++++++++++++++++++++++++++++++++-- > block/crypto.h | 44 +++++++++++++++-- > 2 files changed, 163 insertions(+), 8 deletions(-)
Reviewed-by: Daniel P. Berrangé <[email protected]> > @@ -661,6 +693,95 @@ block_crypto_get_specific_info_luks(BlockDriverState > *bs, Error **errp) > return spec_info; > } > > +static int > +block_crypto_amend_options_luks(BlockDriverState *bs, > + QemuOpts *opts, > + BlockDriverAmendStatusCB *status_cb, > + void *cb_opaque, > + bool force, > + Error **errp) Nitpick - align options after the "(" > @@ -81,11 +86,40 @@ > .help = "Name of encryption hash algorithm", \ > } > > -#define BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME(prefix) \ > - { \ > - .name = prefix BLOCK_CRYPTO_OPT_LUKS_ITER_TIME, \ > - .type = QEMU_OPT_NUMBER, \ > - .help = "Time to spend in PBKDF in milliseconds", \ > +#define BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME(prefix) \ > + { \ > + .name = prefix BLOCK_CRYPTO_OPT_LUKS_ITER_TIME, \ > + .type = QEMU_OPT_NUMBER, \ > + .help = "Time to spend in PBKDF in milliseconds", \ > + } Nitpick - no need to change whitespace here Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
