Re: [PATCH v4 5/7] block: Support detached LUKS header creation using qe

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v4 5/7] block: Support detached LUKS header creation using qe

From:	Markus Armbruster
Subject:	Re: [PATCH v4 5/7] block: Support detached LUKS header creation using qemu-img
Date:	Mon, 19 Feb 2024 15:24:50 +0100
User-agent:	Gnus/5.13 (Gnus v5.13)

yong.huang@smartx.com writes:

> From: Hyman Huang <yong.huang@smartx.com>
>
> Even though a LUKS header might be created with cryptsetup,
> qemu-img should be enhanced to accommodate it as well.
>
> Add the 'detached-header' option to specify the creation of
> a detached LUKS header. This is how it is used:
> $ qemu-img create --object secret,id=sec0,data=abc123 -f luks
>> -o cipher-alg=aes-256,cipher-mode=xts -o key-secret=sec0
>> -o detached-header=true header.luks
>
> Using qemu-img or cryptsetup tools to query information of
> an LUKS header image as follows:
>
> Assume a detached LUKS header image has been created by:
> $ dd if=/dev/zero of=test-header.img bs=1M count=32
> $ dd if=/dev/zero of=test-payload.img bs=1M count=1000
> $ cryptsetup luksFormat --header test-header.img test-payload.img
>> --force-password --type luks1
>
> Header image information could be queried using cryptsetup:
> $ cryptsetup luksDump test-header.img
>
> or qemu-img:
> $ qemu-img info 'json:{"driver":"luks","file":{"filename":
>> "test-payload.img"},"header":{"filename":"test-header.img"}}'
>
> When using qemu-img, keep in mind that the entire disk
> information specified by the JSON-format string above must be
> supplied on the commandline; if not, an overlay check will reveal
> a problem with the LUKS volume check logic.
>
> Signed-off-by: Hyman Huang <yong.huang@smartx.com>

[...]

> diff --git a/qapi/crypto.json b/qapi/crypto.json
> index fd3d46ebd1..62fd145223 100644
> --- a/qapi/crypto.json
> +++ b/qapi/crypto.json
> @@ -223,6 +223,8 @@
>  # @iter-time: number of milliseconds to spend in PBKDF passphrase
>  #     processing.  Currently defaults to 2000. (since 2.8)
>  #
> +# @detached-header: create a detached LUKS header. (since 9.0)
> +#

Behavior when @detached-header is present vs. behavior when it's absent?

>  # Since: 2.6
>  ##
>  { 'struct': 'QCryptoBlockCreateOptionsLUKS',
> @@ -232,7 +234,8 @@
>              '*ivgen-alg': 'QCryptoIVGenAlgorithm',
>              '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
>              '*hash-alg': 'QCryptoHashAlgorithm',
> -            '*iter-time': 'int'}}
> +            '*iter-time': 'int',
> +            '*detached-header': 'bool'}}
>  
>  ##
>  # @QCryptoBlockOpenOptions:

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH v4 5/7] block: Support detached LUKS header creation using qemu-img, Daniel P . Berrangé, 2024/02/09
- Re: [PATCH v4 5/7] block: Support detached LUKS header creation using qemu-img, Markus Armbruster <=

Prev by Date: Re: [PATCH v4 4/7] block: Support detached LUKS header creation using blockdev-create
Next by Date: Re: [PATCH 1/6] hw/arm: Inline sysbus_create_simple(PL110 / PL111)
Previous by thread: Re: [PATCH v4 5/7] block: Support detached LUKS header creation using qemu-img
Next by thread: Re: [PATCH v3] blockcommit: Reopen base image as RO after abort
Index(es):
- Date
- Thread