1# -*- Mode: Python -*- 2# vim: filetype=python 3# 4 5## 6# ************ 7# Cryptography 8# ************ 9## 10 11## 12# @QCryptoTLSCredsEndpoint: 13# 14# The type of network endpoint that will be using the credentials. 15# Most types of credential require different setup / structures 16# depending on whether they will be used in a server versus a client. 17# 18# @client: the network endpoint is acting as the client 19# 20# @server: the network endpoint is acting as the server 21# 22# Since: 2.5 23## 24{ 'enum': 'QCryptoTLSCredsEndpoint', 25 'data': ['client', 'server']} 26 27## 28# @QCryptoSecretFormat: 29# 30# The data format that the secret is provided in 31# 32# @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences 33# can be used 34# 35# @base64: arbitrary base64 encoded binary data 36# 37# Since: 2.6 38## 39{ 'enum': 'QCryptoSecretFormat', 40 'data': ['raw', 'base64']} 41 42## 43# @QCryptoHashAlgo: 44# 45# The supported algorithms for computing content digests 46# 47# @md5: MD5. Should not be used in any new code, legacy compat only 48# 49# @sha1: SHA-1. Should not be used in any new code, legacy compat 50# only 51# 52# @sha224: SHA-224. (since 2.7) 53# 54# @sha256: SHA-256. Current recommended strong hash. 55# 56# @sha384: SHA-384. (since 2.7) 57# 58# @sha512: SHA-512. (since 2.7) 59# 60# @ripemd160: RIPEMD-160. (since 2.7) 61# 62# @sm3: SM3. (since 9.2.0) 63# 64# Since: 2.6 65## 66{ 'enum': 'QCryptoHashAlgo', 67 'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160', 'sm3']} 68 69## 70# @QCryptoCipherAlgo: 71# 72# The supported algorithms for content encryption ciphers 73# 74# @aes-128: AES with 128 bit / 16 byte keys 75# 76# @aes-192: AES with 192 bit / 24 byte keys 77# 78# @aes-256: AES with 256 bit / 32 byte keys 79# 80# @des: DES with 56 bit / 8 byte keys. Do not use except in VNC. 81# (since 6.1) 82# 83# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9) 84# 85# @cast5-128: Cast5 with 128 bit / 16 byte keys 86# 87# @serpent-128: Serpent with 128 bit / 16 byte keys 88# 89# @serpent-192: Serpent with 192 bit / 24 byte keys 90# 91# @serpent-256: Serpent with 256 bit / 32 byte keys 92# 93# @twofish-128: Twofish with 128 bit / 16 byte keys 94# 95# @twofish-192: Twofish with 192 bit / 24 byte keys 96# 97# @twofish-256: Twofish with 256 bit / 32 byte keys 98# 99# @sm4: SM4 with 128 bit / 16 byte keys (since 9.0) 100# 101# Since: 2.6 102## 103{ 'enum': 'QCryptoCipherAlgo', 104 'data': ['aes-128', 'aes-192', 'aes-256', 105 'des', '3des', 106 'cast5-128', 107 'serpent-128', 'serpent-192', 'serpent-256', 108 'twofish-128', 'twofish-192', 'twofish-256', 109 'sm4']} 110 111## 112# @QCryptoCipherMode: 113# 114# The supported modes for content encryption ciphers 115# 116# @ecb: Electronic Code Book 117# 118# @cbc: Cipher Block Chaining 119# 120# @xts: XEX with tweaked code book and ciphertext stealing 121# 122# @ctr: Counter (Since 2.8) 123# 124# Since: 2.6 125## 126{ 'enum': 'QCryptoCipherMode', 127 'data': ['ecb', 'cbc', 'xts', 'ctr']} 128 129## 130# @QCryptoIVGenAlgo: 131# 132# The supported algorithms for generating initialization vectors for 133# full disk encryption. The 'plain' generator should not be used for 134# disks with sector numbers larger than 2^32, except where 135# compatibility with pre-existing Linux dm-crypt volumes is required. 136# 137# @plain: 64-bit sector number truncated to 32-bits 138# 139# @plain64: 64-bit sector number 140# 141# @essiv: 64-bit sector number encrypted with a hash of the encryption 142# key 143# 144# Since: 2.6 145## 146{ 'enum': 'QCryptoIVGenAlgo', 147 'data': ['plain', 'plain64', 'essiv']} 148 149## 150# @QCryptoBlockFormat: 151# 152# The supported full disk encryption formats 153# 154# @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only for 155# liberating data from old images. 156# 157# @luks: LUKS encryption format. Recommended for new images 158# 159# Since: 2.6 160## 161{ 'enum': 'QCryptoBlockFormat', 162 'data': ['qcow', 'luks']} 163 164## 165# @QCryptoBlockOptionsBase: 166# 167# The common options that apply to all full disk encryption formats 168# 169# @format: the encryption format 170# 171# Since: 2.6 172## 173{ 'struct': 'QCryptoBlockOptionsBase', 174 'data': { 'format': 'QCryptoBlockFormat' }} 175 176## 177# @QCryptoBlockOptionsQCow: 178# 179# The options that apply to QCow/QCow2 AES-CBC encryption format 180# 181# @key-secret: the ID of a QCryptoSecret object providing the 182# decryption key. Mandatory except when probing image for 183# metadata only. 184# 185# Since: 2.6 186## 187{ 'struct': 'QCryptoBlockOptionsQCow', 188 'data': { '*key-secret': 'str' }} 189 190## 191# @QCryptoBlockOptionsLUKS: 192# 193# The options that apply to LUKS encryption format 194# 195# @key-secret: the ID of a QCryptoSecret object providing the 196# decryption key. Mandatory except when probing image for 197# metadata only. 198# 199# Since: 2.6 200## 201{ 'struct': 'QCryptoBlockOptionsLUKS', 202 'data': { '*key-secret': 'str' }} 203 204## 205# @QCryptoBlockCreateOptionsLUKS: 206# 207# The options that apply to LUKS encryption format initialization 208# 209# @cipher-alg: the cipher algorithm for data encryption. Currently 210# defaults to 'aes-256'. 211# 212# @cipher-mode: the cipher mode for data encryption. Currently 213# defaults to 'xts' 214# 215# @ivgen-alg: the initialization vector generator. Currently defaults 216# to 'plain64' 217# 218# @ivgen-hash-alg: the initialization vector generator hash. 219# Currently defaults to 'sha256' 220# 221# @hash-alg: the master key hash algorithm. Currently defaults to 222# 'sha256' 223# 224# @iter-time: number of milliseconds to spend in PBKDF passphrase 225# processing. Currently defaults to 2000. (since 2.8) 226# 227# Since: 2.6 228## 229{ 'struct': 'QCryptoBlockCreateOptionsLUKS', 230 'base': 'QCryptoBlockOptionsLUKS', 231 'data': { '*cipher-alg': 'QCryptoCipherAlgo', 232 '*cipher-mode': 'QCryptoCipherMode', 233 '*ivgen-alg': 'QCryptoIVGenAlgo', 234 '*ivgen-hash-alg': 'QCryptoHashAlgo', 235 '*hash-alg': 'QCryptoHashAlgo', 236 '*iter-time': 'int' }} 237 238## 239# @QCryptoBlockOpenOptions: 240# 241# The options that are available for all encryption formats when 242# opening an existing volume 243# 244# Since: 2.6 245## 246{ 'union': 'QCryptoBlockOpenOptions', 247 'base': 'QCryptoBlockOptionsBase', 248 'discriminator': 'format', 249 'data': { 'qcow': 'QCryptoBlockOptionsQCow', 250 'luks': 'QCryptoBlockOptionsLUKS' } } 251 252## 253# @QCryptoBlockCreateOptions: 254# 255# The options that are available for all encryption formats when 256# initializing a new volume 257# 258# Since: 2.6 259## 260{ 'union': 'QCryptoBlockCreateOptions', 261 'base': 'QCryptoBlockOptionsBase', 262 'discriminator': 'format', 263 'data': { 'qcow': 'QCryptoBlockOptionsQCow', 264 'luks': 'QCryptoBlockCreateOptionsLUKS' } } 265 266## 267# @QCryptoBlockInfoBase: 268# 269# The common information that applies to all full disk encryption 270# formats 271# 272# @format: the encryption format 273# 274# Since: 2.7 275## 276{ 'struct': 'QCryptoBlockInfoBase', 277 'data': { 'format': 'QCryptoBlockFormat' }} 278 279## 280# @QCryptoBlockInfoLUKSSlot: 281# 282# Information about the LUKS block encryption key slot options 283# 284# @active: whether the key slot is currently in use 285# 286# @key-offset: offset to the key material in bytes 287# 288# @iters: number of PBKDF2 iterations for key material 289# 290# @stripes: number of stripes for splitting key material 291# 292# Since: 2.7 293## 294{ 'struct': 'QCryptoBlockInfoLUKSSlot', 295 'data': {'active': 'bool', 296 '*iters': 'int', 297 '*stripes': 'int', 298 'key-offset': 'int' } } 299 300## 301# @QCryptoBlockInfoLUKS: 302# 303# Information about the LUKS block encryption options 304# 305# @cipher-alg: the cipher algorithm for data encryption 306# 307# @cipher-mode: the cipher mode for data encryption 308# 309# @ivgen-alg: the initialization vector generator 310# 311# @ivgen-hash-alg: the initialization vector generator hash 312# 313# @hash-alg: the master key hash algorithm 314# 315# @detached-header: whether the LUKS header is detached (Since 9.0) 316# 317# @payload-offset: offset to the payload data in bytes 318# 319# @master-key-iters: number of PBKDF2 iterations for key material 320# 321# @uuid: unique identifier for the volume 322# 323# @slots: information about each key slot 324# 325# Since: 2.7 326## 327{ 'struct': 'QCryptoBlockInfoLUKS', 328 'data': {'cipher-alg': 'QCryptoCipherAlgo', 329 'cipher-mode': 'QCryptoCipherMode', 330 'ivgen-alg': 'QCryptoIVGenAlgo', 331 '*ivgen-hash-alg': 'QCryptoHashAlgo', 332 'hash-alg': 'QCryptoHashAlgo', 333 'detached-header': 'bool', 334 'payload-offset': 'int', 335 'master-key-iters': 'int', 336 'uuid': 'str', 337 'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }} 338 339## 340# @QCryptoBlockInfo: 341# 342# Information about the block encryption options 343# 344# Since: 2.7 345## 346{ 'union': 'QCryptoBlockInfo', 347 'base': 'QCryptoBlockInfoBase', 348 'discriminator': 'format', 349 'data': { 'luks': 'QCryptoBlockInfoLUKS' } } 350 351## 352# @QCryptoBlockLUKSKeyslotState: 353# 354# Defines state of keyslots that are affected by the update 355# 356# @active: The slots contain the given password and marked as active 357# 358# @inactive: The slots are erased (contain garbage) and marked as 359# inactive 360# 361# Since: 5.1 362## 363{ 'enum': 'QCryptoBlockLUKSKeyslotState', 364 'data': [ 'active', 'inactive' ] } 365 366## 367# @QCryptoBlockAmendOptionsLUKS: 368# 369# This struct defines the update parameters that activate/de-activate 370# set of keyslots 371# 372# @state: the desired state of the keyslots 373# 374# @new-secret: The ID of a QCryptoSecret object providing the password 375# to be written into added active keyslots 376# 377# @old-secret: Optional (for deactivation only). If given will 378# deactivate all keyslots that match password located in 379# QCryptoSecret with this ID 380# 381# @iter-time: Optional (for activation only). Number of milliseconds 382# to spend in PBKDF passphrase processing for the newly activated 383# keyslot. Currently defaults to 2000. 384# 385# @keyslot: Optional. ID of the keyslot to activate/deactivate. For 386# keyslot activation, keyslot should not be active already (this 387# is unsafe to update an active keyslot), but possible if 'force' 388# parameter is given. If keyslot is not given, first free keyslot 389# will be written. 390# 391# For keyslot deactivation, this parameter specifies the exact 392# keyslot to deactivate 393# 394# @secret: Optional. The ID of a QCryptoSecret object providing the 395# password to use to retrieve current master key. Defaults to the 396# same secret that was used to open the image 397# 398# Since: 5.1 399## 400{ 'struct': 'QCryptoBlockAmendOptionsLUKS', 401 'data': { 'state': 'QCryptoBlockLUKSKeyslotState', 402 '*new-secret': 'str', 403 '*old-secret': 'str', 404 '*keyslot': 'int', 405 '*iter-time': 'int', 406 '*secret': 'str' } } 407 408## 409# @QCryptoBlockAmendOptions: 410# 411# The options that are available for all encryption formats when 412# amending encryption settings 413# 414# Since: 5.1 415## 416{ 'union': 'QCryptoBlockAmendOptions', 417 'base': 'QCryptoBlockOptionsBase', 418 'discriminator': 'format', 419 'data': { 420 'luks': 'QCryptoBlockAmendOptionsLUKS' } } 421 422## 423# @SecretCommonProperties: 424# 425# Properties for objects of classes derived from secret-common. 426# 427# @format: the data format that the secret is provided in 428# (default: raw) 429# 430# @keyid: the name of another secret that should be used to decrypt 431# the provided data. If not present, the data is assumed to be 432# unencrypted. 433# 434# @iv: the random initialization vector used for encryption of this 435# particular secret. Should be a base64 encrypted string of the 436# 16-byte IV. Mandatory if @keyid is given. Ignored if @keyid is 437# absent. 438# 439# Since: 2.6 440## 441{ 'struct': 'SecretCommonProperties', 442 'data': { '*format': 'QCryptoSecretFormat', 443 '*keyid': 'str', 444 '*iv': 'str' } } 445 446## 447# @SecretProperties: 448# 449# Properties for secret objects. 450# 451# Either @data or @file must be provided, but not both. 452# 453# @data: the associated with the secret from 454# 455# @file: the filename to load the data associated with the secret from 456# 457# Since: 2.6 458## 459{ 'struct': 'SecretProperties', 460 'base': 'SecretCommonProperties', 461 'data': { '*data': 'str', 462 '*file': 'str' } } 463 464## 465# @SecretKeyringProperties: 466# 467# Properties for secret_keyring objects. 468# 469# @serial: serial number that identifies a key to get from the kernel 470# 471# Since: 5.1 472## 473{ 'struct': 'SecretKeyringProperties', 474 'base': 'SecretCommonProperties', 475 'data': { 'serial': 'int32' }, 476 'if': 'CONFIG_SECRET_KEYRING' } 477 478## 479# @TlsCredsProperties: 480# 481# Properties for objects of classes derived from tls-creds. 482# 483# @verify-peer: if true the peer credentials will be verified once the 484# handshake is completed. This is a no-op for anonymous 485# credentials. (default: true) 486# 487# @dir: the path of the directory that contains the credential files 488# 489# @endpoint: whether the QEMU network backend that uses the 490# credentials will be acting as a client or as a server 491# (default: client) 492# 493# @priority: a gnutls priority string as described at 494# https://gnutls.org/manual/html_node/Priority-Strings.html 495# 496# Since: 2.5 497## 498{ 'struct': 'TlsCredsProperties', 499 'data': { '*verify-peer': 'bool', 500 '*dir': 'str', 501 '*endpoint': 'QCryptoTLSCredsEndpoint', 502 '*priority': 'str' } } 503 504## 505# @TlsCredsAnonProperties: 506# 507# Properties for tls-creds-anon objects. 508# 509# Since: 2.5 510## 511{ 'struct': 'TlsCredsAnonProperties', 512 'base': 'TlsCredsProperties', 513 'data': { } } 514 515## 516# @TlsCredsPskProperties: 517# 518# Properties for tls-creds-psk objects. 519# 520# @username: the username which will be sent to the server. For 521# clients only. If absent, "qemu" is sent and the property will 522# read back as an empty string. 523# 524# Since: 3.0 525## 526{ 'struct': 'TlsCredsPskProperties', 527 'base': 'TlsCredsProperties', 528 'data': { '*username': 'str' } } 529 530## 531# @TlsCredsX509Properties: 532# 533# Properties for tls-creds-x509 objects. 534# 535# @sanity-check: if true, perform some sanity checks before using the 536# credentials (default: true) 537# 538# @passwordid: For the server-key.pem and client-key.pem files which 539# contain sensitive private keys, it is possible to use an 540# encrypted version by providing the @passwordid parameter. This 541# provides the ID of a previously created secret object containing 542# the password for decryption. 543# 544# Since: 2.5 545## 546{ 'struct': 'TlsCredsX509Properties', 547 'base': 'TlsCredsProperties', 548 'data': { '*sanity-check': 'bool', 549 '*passwordid': 'str' } } 550 551## 552# @QCryptoAkCipherAlgo: 553# 554# The supported algorithms for asymmetric encryption ciphers 555# 556# @rsa: RSA algorithm 557# 558# Since: 7.1 559## 560{ 'enum': 'QCryptoAkCipherAlgo', 561 'data': ['rsa']} 562 563## 564# @QCryptoAkCipherKeyType: 565# 566# The type of asymmetric keys. 567# 568# @public: public key 569# 570# @private: private key 571# 572# Since: 7.1 573## 574{ 'enum': 'QCryptoAkCipherKeyType', 575 'data': ['public', 'private']} 576 577## 578# @QCryptoRSAPaddingAlgo: 579# 580# The padding algorithm for RSA. 581# 582# @raw: no padding used 583# 584# @pkcs1: pkcs1#v1.5 585# 586# Since: 7.1 587## 588{ 'enum': 'QCryptoRSAPaddingAlgo', 589 'data': ['raw', 'pkcs1']} 590 591## 592# @QCryptoAkCipherOptionsRSA: 593# 594# Specific parameters for RSA algorithm. 595# 596# @hash-alg: `QCryptoHashAlgo` 597# 598# @padding-alg: `QCryptoRSAPaddingAlgo` 599# 600# Since: 7.1 601## 602{ 'struct': 'QCryptoAkCipherOptionsRSA', 603 'data': { 'hash-alg':'QCryptoHashAlgo', 604 'padding-alg': 'QCryptoRSAPaddingAlgo'}} 605 606## 607# @QCryptoAkCipherOptions: 608# 609# The options that are available for all asymmetric key algorithms 610# when creating a new QCryptoAkCipher. 611# 612# @alg: encryption cipher algorithm 613# 614# Since: 7.1 615## 616{ 'union': 'QCryptoAkCipherOptions', 617 'base': { 'alg': 'QCryptoAkCipherAlgo' }, 618 'discriminator': 'alg', 619 'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }} 620