attribute matching the key that was specified in the
secret object.
</dd>
+ <dd><span class="since">Since libvirt 3.9.0</span>, the
+ <code>encryption</code> can be a sub-element of the
+ <code>source</code> element for encrypted storage sources.
+ If present, specifies how the storage source is encrypted
+ See the
+ <a href="formatstorageencryption.html">Storage Encryption</a>
+ page for more information.
+ </dd>
</dl>
<p>
<span class="since">Since 0.8.8</span>
</dd>
<dt><code>encryption</code></dt>
- <dd>If present, specifies how the volume is encrypted. See
- the <a href="formatstorageencryption.html">Storage Encryption</a> page
+ <dd>Starting with <span class="since">libvirt 3.9.0</span> the
+ <code>encryption</code> element is preferred to be a sub-element
+ of the <code>source</code> element. If present, specifies how the
+ volume is encrypted using "qcow". See the
+ <a href="formatstorageencryption.html">Storage Encryption</a> page
for more information.
</dd>
<dt><code>readonly</code></dt>
<optional>
<ref name="storageStartupPolicy"/>
</optional>
+ <optional>
+ <ref name="encryption"/>
+ </optional>
<zeroOrMore>
<ref name='devSeclabel'/>
</zeroOrMore>
<optional>
<ref name="storageStartupPolicy"/>
</optional>
+ <optional>
+ <ref name="encryption"/>
+ </optional>
<zeroOrMore>
<ref name='devSeclabel'/>
</zeroOrMore>
<optional>
<ref name="storageStartupPolicy"/>
</optional>
+ <optional>
+ <ref name="encryption"/>
+ </optional>
<empty/>
</element>
</optional>
<optional>
<ref name="diskAuth"/>
</optional>
+ <optional>
+ <ref name="encryption"/>
+ </optional>
<empty/>
</interleave>
</element>
<optional>
<ref name="diskAuth"/>
</optional>
+ <optional>
+ <ref name="encryption"/>
+ </optional>
</element>
</define>
</attribute>
<attribute name="name"/>
<ref name="diskSourceNetworkHost"/>
+ <optional>
+ <ref name="encryption"/>
+ </optional>
</element>
</define>
</attribute>
<attribute name="name"/>
<ref name="diskSourceNetworkHost"/>
+ <optional>
+ <ref name="encryption"/>
+ </optional>
</element>
</define>
<attribute name="name"/>
</optional>
<ref name="diskSourceNetworkHost"/>
+ <optional>
+ <ref name="encryption"/>
+ </optional>
</element>
</define>
<oneOrMore>
<ref name="diskSourceNetworkHost"/>
</oneOrMore>
+ <optional>
+ <ref name="encryption"/>
+ </optional>
</element>
</define>
<optional>
<ref name="storageStartupPolicy"/>
</optional>
+ <optional>
+ <ref name="encryption"/>
+ </optional>
<zeroOrMore>
<ref name='devSeclabel'/>
</zeroOrMore>
}
+static int
+virDomainDiskSourceEncryptionParse(xmlNodePtr node,
+ virStorageEncryptionPtr *encryptionsrc)
+{
+ xmlNodePtr child;
+ virStorageEncryptionPtr encryption = NULL;
+
+ for (child = node->children; child; child = child->next) {
+ if (child->type == XML_ELEMENT_NODE &&
+ virXMLNodeNameEqual(child, "encryption")) {
+
+ if (!(encryption = virStorageEncryptionParseNode(node->doc, child)))
+ return -1;
+
+ *encryptionsrc = encryption;
+ return 0;
+ }
+ }
+
+ return 0;
+}
+
+
int
virDomainDiskSourceParse(xmlNodePtr node,
xmlXPathContextPtr ctxt,
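Review bot: The `encryption` local in virDomainDiskSourceEncryptionParse only carries the parse result into *encryptionsrc and can be dropped: `if (!(*encryptionsrc = virStorageEncryptionParseNode(node->doc, child))) return -1;`. The loop returns on the first `<encryption>` child, so a second such child of `<source>` is silently ignored rather than reported; that mirrors the `!encryption &&` guard used at disk level, but it deserves a one-line comment. A header comment along the lines of `/* Parse an optional <encryption> child of @node into @encryptionsrc. Returns 0 whether or not one was found, -1 on a parse error. */` would document the contract for callers.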
if (virDomainDiskSourceAuthParse(node, &src->auth) < 0)
goto cleanup;
+ if (virDomainDiskSourceEncryptionParse(node, &src->encryption) < 0)
+ goto cleanup;
+
/* People sometimes pass a bogus '' source path when they mean to omit the
* source element completely (e.g. CDROM without media). This is just a
* little compatibility check to help those broken apps */
if (def->src->auth)
def->src->authInherited = true;
+ /* Similarly for <encryption> - it's a child of <source> too
+ * and we cannot find in both places */
+ if (encryption && def->src->encryption) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("an <encryption> definition already found for "
+ "the <disk> definition"));
+ goto error;
+ }
+
+ if (def->src->encryption)
+ def->src->encryptionInherited = true;
+
source = true;
startupPolicy = virXMLPropString(cur, "startupPolicy");
virXMLNodeNameEqual(cur, "state")) {
/* Legacy back-compat. Don't add any more attributes here */
devaddr = virXMLPropString(cur, "devaddr");
- } else if (encryption == NULL &&
+ } else if (!encryption &&
virXMLNodeNameEqual(cur, "encryption")) {
- encryption = virStorageEncryptionParseNode(node->doc,
- cur);
- if (encryption == NULL)
+ /* If we've already parsed <source> and found an <encryption> child,
+ * then generate an error to avoid ambiguity */
+ if (def->src->encryptionInherited) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("an <encryption> definition already found for "
+ "disk source"));
+ goto error;
+ }
+
+ if (!(encryption = virStorageEncryptionParseNode(node->doc, cur)))
goto error;
} else if (!serial &&
virXMLNodeNameEqual(cur, "serial")) {
target = NULL;
if (authdef)
VIR_STEAL_PTR(def->src->auth, authdef);
- def->src->encryption = encryption;
- encryption = NULL;
+ if (encryption)
+ VIR_STEAL_PTR(def->src->encryption, encryption);
def->domain_name = domain_name;
domain_name = NULL;
def->serial = serial;
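Review bot: The `if (encryption)` guard around VIR_STEAL_PTR is load-bearing — stealing a NULL `encryption` would overwrite an encryption already parsed from `<source>` with NULL — but nothing says so, and a later reader could easily simplify it back to the unconditional assignment the commit removes. Add `/* keep an <encryption> parsed as a child of <source>; only a disk-level one is stolen here */` above the guard. The enclosing function continues outside the hunk.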
goto error;
}
+ /* If we found encryption as a child of <source>, then format it
+ * as we found it. */
+ if (src->encryption && src->encryptionInherited &&
+ virStorageEncryptionFormat(&childBuf, src->encryption) < 0)
+ return -1;
+
if (virXMLFormatElement(buf, "source", &attrBuf, &childBuf) < 0)
goto error;
}
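Review bot: The new `return -1` after the virStorageEncryptionFormat call bypasses the function's error path, while the virXMLFormatElement failure on the very next line uses `goto error`; if that label releases attrBuf and childBuf (as the goto suggests), a formatting failure here leaks both buffers. Replace `return -1;` with `goto error;` so the two failure paths behave the same. The enclosing function starts and ends outside the hunk, so the label's body is not visible here.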
virBufferEscapeString(buf, "<wwn>%s</wwn>\n", def->wwn);
virBufferEscapeString(buf, "<vendor>%s</vendor>\n", def->vendor);
virBufferEscapeString(buf, "<product>%s</product>\n", def->product);
- if (def->src->encryption &&
+
+ /* If originally found as a child of <disk>, then format thusly;
+ * otherwise, will be formatted as child of <source> */
+ if (def->src->encryption && !def->src->encryptionInherited &&
virStorageEncryptionFormat(buf, def->src->encryption) < 0)
return -1;
virDomainDeviceInfoFormat(buf, &def->info,
virStorageAuthDefPtr auth;
bool authInherited;
virStorageEncryptionPtr encryption;
+ bool encryptionInherited;
virObjectPtr privateData;
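Review bot: The new `encryptionInherited` field lands without a comment, and its name alone does not say that it records an `<encryption>` parsed as a child of `<source>` rather than of `<disk>`, which is what the formatter uses it for. Suggest `bool encryptionInherited; /* <encryption> was parsed as a child of <source> */`, matching whatever the neighbouring authInherited field documents. The struct definition starts and ends outside the hunk.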
--- /dev/null
+<domain type='qemu'>
+ <name>encryptdisk</name>
+ <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid>
+ <memory unit='KiB'>1048576</memory>
+ <currentMemory unit='KiB'>524288</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source file='/storage/guest_disks/encryptdisk'>
+ <encryption format='luks'>
+ <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+ </encryption>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ <encryption format='luks'>
+ <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+ </encryption>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
--- /dev/null
+LC_ALL=C \
+PATH=/bin \
+HOME=/home/test \
+USER=test \
+LOGNAME=test \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-x86_64 \
+-name encryptdisk \
+-S \
+-object secret,id=masterKey0,format=raw,\
+file=/tmp/lib/domain--1-encryptdisk/master-key.aes \
+-M pc-i440fx-2.1 \
+-m 1024 \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid 496898a6-e6ff-f7c8-5dc2-3cf410945ee9 \
+-nographic \
+-nodefaults \
+-chardev socket,id=charmonitor,\
+path=/tmp/lib/domain--1-encryptdisk/monitor.sock,server,nowait \
+-mon chardev=charmonitor,id=monitor,mode=readline \
+-no-acpi \
+-boot c \
+-usb \
+-object secret,id=virtio-disk0-luks-secret0,\
+data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+-drive file=/storage/guest_disks/encryptdisk,\
+key-secret=virtio-disk0-luks-secret0,format=luks,if=none,id=drive-virtio-disk0 \
+-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
+id=virtio-disk0 \
+-object secret,id=virtio-disk1-luks-secret0,\
+data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+-drive file=/storage/guest_disks/encryptdisk2,\
+key-secret=virtio-disk1-luks-secret0,format=luks,if=none,id=drive-virtio-disk1 \
+-device virtio-blk-pci,bus=pci.0,addr=0x5,drive=drive-virtio-disk1,\
+id=virtio-disk1 \
+-object secret,id=virtio-disk2-luks-secret0,\
+data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+-drive file=iscsi://myname:AQCVn5hO6HzFAhAAq0NCv8jtJcIcE+HOBlMQ1A@example.org:\
+6000/iqn.1992-01.com.example%3Astorage/1,key-secret=virtio-disk2-luks-secret0,\
+format=luks,if=none,id=drive-virtio-disk2 \
+-device virtio-blk-pci,bus=pci.0,addr=0x6,drive=drive-virtio-disk2,\
+id=virtio-disk2 \
+-object secret,id=virtio-disk3-luks-secret0,\
+data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+-drive file=iscsi://iscsi.example.com:3260/demo-target/3,\
+key-secret=virtio-disk3-luks-secret0,format=luks,if=none,id=drive-virtio-disk3 \
+-device virtio-blk-pci,bus=pci.0,addr=0x7,drive=drive-virtio-disk3,\
+id=virtio-disk3 \
+-object secret,id=virtio-disk4-luks-secret0,\
+data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+-drive 'file=rbd:pool/image:auth_supported=none:mon_host=mon1.example.org\:\
+6321\;mon2.example.org\:6322\;mon3.example.org\:6322,\
+key-secret=virtio-disk4-luks-secret0,format=luks,if=none,\
+id=drive-virtio-disk4' \
+-device virtio-blk-pci,bus=pci.0,addr=0x8,drive=drive-virtio-disk4,\
+id=virtio-disk4 \
+-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
--- /dev/null
+<domain type='qemu'>
+ <name>encryptdisk</name>
+ <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid>
+ <memory unit='KiB'>1048576</memory>
+ <currentMemory unit='KiB'>524288</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source file='/storage/guest_disks/encryptdisk'>
+ <encryption format='luks'>
+ <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+ </encryption>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+ </disk>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source file='/storage/guest_disks/encryptdisk2'>
+ <encryption format='luks'>
+ <secret type='passphrase' usage='/storage/guest_disks/encryptdisk2'/>
+ </encryption>
+ </source>
+ <target dev='vdb' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='iscsi' name='iqn.1992-01.com.example:storage/1'>
+ <host name='example.org' port='6000'/>
+ <auth username='myname'>
+ <secret type='iscsi' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80e80'/>
+ </auth>
+ <encryption format='luks'>
+ <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f77'/>
+ </encryption>
+ </source>
+ <target dev='vdc' bus='virtio'/>
+ </disk>
+ <disk type='volume' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source pool='pool-iscsi' volume='unit:0:0:3' mode='direct'>
+ <encryption format='luks'>
+ <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f80'/>
+ </encryption>
+ </source>
+ <target dev='vdd' bus='virtio'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='rbd' name='pool/image'>
+ <host name='mon1.example.org' port='6321'/>
+ <host name='mon2.example.org' port='6322'/>
+ <host name='mon3.example.org' port='6322'/>
+ <encryption format='luks'>
+ <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+ </encryption>
+ </source>
+ <target dev='vde' bus='virtio'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
DO_TEST("encrypted-disk-usage", NONE);
# ifdef HAVE_GNUTLS_CIPHER_ENCRYPT
DO_TEST("luks-disks", QEMU_CAPS_OBJECT_SECRET);
+ DO_TEST("luks-disks-source", QEMU_CAPS_OBJECT_SECRET);
# else
DO_TEST_FAILURE("luks-disks", QEMU_CAPS_OBJECT_SECRET);
# endif
DO_TEST_PARSE_ERROR("luks-disk-invalid", NONE);
+ DO_TEST_PARSE_ERROR("luks-disks-source-both", QEMU_CAPS_OBJECT_SECRET);
DO_TEST("memtune", NONE);
DO_TEST("memtune-unlimited", NONE);
--- /dev/null
+<domain type='qemu'>
+ <name>encryptdisk</name>
+ <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid>
+ <memory unit='KiB'>1048576</memory>
+ <currentMemory unit='KiB'>524288</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source file='/storage/guest_disks/encryptdisk'>
+ <encryption format='luks'>
+ <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+ </encryption>
+ </source>
+ <target dev='vda' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+ </disk>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source file='/storage/guest_disks/encryptdisk2'>
+ <encryption format='luks'>
+ <secret type='passphrase' usage='/storage/guest_disks/encryptdisk2'/>
+ </encryption>
+ </source>
+ <target dev='vdb' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='iscsi' name='iqn.1992-01.com.example:storage/1'>
+ <host name='example.org' port='6000'/>
+ <auth username='myname'>
+ <secret type='iscsi' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80e80'/>
+ </auth>
+ <encryption format='luks'>
+ <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f77'/>
+ </encryption>
+ </source>
+ <target dev='vdc' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
+ </disk>
+ <disk type='volume' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source pool='pool-iscsi' volume='unit:0:0:3' mode='direct'>
+ <encryption format='luks'>
+ <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80f80'/>
+ </encryption>
+ </source>
+ <target dev='vdd' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
+ </disk>
+ <disk type='network' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source protocol='rbd' name='pool/image'>
+ <host name='mon1.example.org' port='6321'/>
+ <host name='mon2.example.org' port='6322'/>
+ <host name='mon3.example.org' port='6322'/>
+ <encryption format='luks'>
+ <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80fb0'/>
+ </encryption>
+ </source>
+ <target dev='vde' bus='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
+++ /dev/null
-../qemuxml2argvdata/qemuxml2argv-luks-disks.xml
\ No newline at end of file
--- /dev/null
+<domain type='qemu'>
+ <name>encryptdisk</name>
+ <uuid>496898a6-e6ff-f7c8-5dc2-3cf410945ee9</uuid>
+ <memory unit='KiB'>1048576</memory>
+ <currentMemory unit='KiB'>524288</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-i440fx-2.1'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-system-x86_64</emulator>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source file='/storage/guest_disks/encryptdisk'/>
+ <target dev='vda' bus='virtio'/>
+ <encryption format='luks'>
+ <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
+ </encryption>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+ </disk>
+ <disk type='file' device='disk'>
+ <driver name='qemu' type='raw'/>
+ <source file='/storage/guest_disks/encryptdisk2'/>
+ <target dev='vdb' bus='virtio'/>
+ <encryption format='luks'>
+ <secret type='passphrase' usage='/storage/guest_disks/encryptdisk2'/>
+ </encryption>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
+ </disk>
+ <controller type='usb' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+ </controller>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+ <input type='keyboard' bus='ps2'/>
+ <memballoon model='virtio'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </memballoon>
+ </devices>
+</domain>
DO_TEST("encrypted-disk", NONE);
DO_TEST("encrypted-disk-usage", NONE);
DO_TEST("luks-disks", NONE);
+ DO_TEST("luks-disks-source", NONE);
DO_TEST("memtune", NONE);
DO_TEST("memtune-unlimited", NONE);
DO_TEST("blkiotune", NONE);