1 /*
2  * QEMU block full disk encryption
3  *
4  * Copyright (c) 2015-2017 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #ifndef BLOCK_CRYPTO_H
22 #define BLOCK_CRYPTO_H
23 
/*
 * Option descriptor initializer for a "key-secret" option.
 *
 * Expands to a brace-enclosed designated initializer whose .name is
 * @prefix followed by BLOCK_CRYPTO_OPT_QCOW_KEY_SECRET. This relies on
 * adjacent string literal concatenation, so @prefix must be a string
 * literal (it may be ""). @helpstr becomes the .help text.
 *
 * BLOCK_CRYPTO_OPT_QCOW_KEY_SECRET is defined further down in this header;
 * that works because it is only expanded where this macro is used.
 *
 * The option type is a plain string. Both users of this macro in this
 * header describe the value as the ID of a secret, not as the key or
 * passphrase itself.
 * NOTE(review): the struct type being initialized is not visible in this
 * header -- confirm against the option lists that use the macro.
 */
#define BLOCK_CRYPTO_OPT_DEF_KEY_SECRET(prefix, helpstr)                \
    {                                                                   \
        .name = prefix BLOCK_CRYPTO_OPT_QCOW_KEY_SECRET,                \
        .type = QEMU_OPT_STRING,                                        \
        .help = helpstr,                                                \
    }
30 
/* Name of the key-secret option in its QCOW form (unprefixed). */
#define BLOCK_CRYPTO_OPT_QCOW_KEY_SECRET "key-secret"

/*
 * Descriptor for the QCOW key-secret option, named @prefix "key-secret".
 *
 * Per the help text the value is the ID of a secret that provides the AES
 * encryption key, so the key does not appear in the option string itself.
 * How that ID is resolved to key material is not visible in this header.
 */
#define BLOCK_CRYPTO_OPT_DEF_QCOW_KEY_SECRET(prefix)                    \
    BLOCK_CRYPTO_OPT_DEF_KEY_SECRET(prefix,                             \
        "ID of the secret that provides the AES encryption key")
36 
/*
 * Unprefixed LUKS option names.
 *
 * They are string literals so that the BLOCK_CRYPTO_OPT_DEF_LUKS_* macros
 * below can prepend a caller-supplied prefix by literal concatenation.
 * BLOCK_CRYPTO_OPT_LUKS_KEY_SECRET has the same value as
 * BLOCK_CRYPTO_OPT_QCOW_KEY_SECRET, which is the name that
 * BLOCK_CRYPTO_OPT_DEF_KEY_SECRET actually expands.
 */
#define BLOCK_CRYPTO_OPT_LUKS_KEY_SECRET "key-secret"
#define BLOCK_CRYPTO_OPT_LUKS_CIPHER_ALG "cipher-alg"
#define BLOCK_CRYPTO_OPT_LUKS_CIPHER_MODE "cipher-mode"
#define BLOCK_CRYPTO_OPT_LUKS_IVGEN_ALG "ivgen-alg"
#define BLOCK_CRYPTO_OPT_LUKS_IVGEN_HASH_ALG "ivgen-hash-alg"
#define BLOCK_CRYPTO_OPT_LUKS_HASH_ALG "hash-alg"
#define BLOCK_CRYPTO_OPT_LUKS_ITER_TIME "iter-time"
#define BLOCK_CRYPTO_OPT_LUKS_DETACHED_HEADER "detached-header"
#define BLOCK_CRYPTO_OPT_LUKS_KEYSLOT "keyslot"
#define BLOCK_CRYPTO_OPT_LUKS_STATE "state"
#define BLOCK_CRYPTO_OPT_LUKS_OLD_SECRET "old-secret"
#define BLOCK_CRYPTO_OPT_LUKS_NEW_SECRET "new-secret"
49 
50 
/*
 * Descriptor for the LUKS key-secret option, named @prefix "key-secret".
 *
 * Per the help text the value is the ID of a secret that provides the
 * keyslot passphrase, not the passphrase itself. The name comes from
 * BLOCK_CRYPTO_OPT_QCOW_KEY_SECRET via the shared macro; the LUKS and QCOW
 * names are the same string in this header.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_KEY_SECRET(prefix)                    \
    BLOCK_CRYPTO_OPT_DEF_KEY_SECRET(prefix,                             \
        "ID of the secret that provides the keyslot passphrase")
54 
/*
 * Descriptor for the string option @prefix "cipher-alg", which names the
 * encryption cipher algorithm.
 * NOTE(review): the value is a free-form string at this level; which names
 * are accepted is decided by the code that consumes the option, which is
 * not visible here -- confirm that unknown names are rejected there.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_ALG(prefix)       \
    {                                                      \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_CIPHER_ALG,   \
        .type = QEMU_OPT_STRING,                           \
        .help = "Name of encryption cipher algorithm",     \
    }
61 
/*
 * Descriptor for the string option @prefix "cipher-mode", which names the
 * encryption cipher mode.
 * NOTE(review): the set of accepted mode names is not established by this
 * header; it depends on the consumer of the option.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_MODE(prefix)      \
    {                                                      \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_CIPHER_MODE,  \
        .type = QEMU_OPT_STRING,                           \
        .help = "Name of encryption cipher mode",          \
    }
68 
/*
 * Descriptor for the string option @prefix "ivgen-alg", which names the
 * IV generator algorithm.
 * NOTE(review): accepted generator names are not visible in this header.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_ALG(prefix)     \
    {                                                   \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_IVGEN_ALG, \
        .type = QEMU_OPT_STRING,                        \
        .help = "Name of IV generator algorithm",       \
    }
75 
/*
 * Descriptor for the string option @prefix "ivgen-hash-alg", which names
 * the hash algorithm used by the IV generator.
 * NOTE(review): presumably only meaningful for IV generators that use a
 * hash -- confirm against the consumer of the option.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_HASH_ALG(prefix)        \
    {                                                           \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_IVGEN_HASH_ALG,    \
        .type = QEMU_OPT_STRING,                                \
        .help = "Name of IV generator hash algorithm",          \
    }
82 
/*
 * Descriptor for the string option @prefix "hash-alg". The help text calls
 * it the "encryption hash algorithm".
 * NOTE(review): presumably this is the hash used for key derivation in the
 * LUKS header rather than for data encryption -- confirm, since the help
 * wording does not say which.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_HASH_ALG(prefix)       \
    {                                                    \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_HASH_ALG,   \
        .type = QEMU_OPT_STRING,                         \
        .help = "Name of encryption hash algorithm",     \
    }
89 
/*
 * Descriptor for the numeric option @prefix "iter-time": the time to spend
 * in the PBKDF, in milliseconds.
 * NOTE(review): presumably a smaller value means fewer PBKDF iterations
 * and therefore cheaper passphrase guessing against the header. No lower
 * bound is expressed here (the descriptor only says "number"); confirm
 * whether the consumer enforces a minimum.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME(prefix)           \
    {                                                         \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_ITER_TIME,       \
        .type = QEMU_OPT_NUMBER,                              \
        .help = "Time to spend in PBKDF in milliseconds",     \
    }
96 
/*
 * Descriptor for the string option @prefix "state": the new state of the
 * affected keyslots. The help text lists "active" and "inactive".
 * NOTE(review): the value is a free-form string at this level; rejection
 * of other values is left to the consumer, which is not visible here.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_STATE(prefix)                           \
    {                                                                     \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_STATE,                       \
        .type = QEMU_OPT_STRING,                                          \
        .help = "Select new state of affected keyslots (active/inactive)",\
    }
103 
/*
 * Descriptor for the boolean option @prefix "detached-header": create a
 * detached LUKS header.
 * NOTE(review): where the detached header is stored, and how it is kept
 * together with the payload image, is not described by this header.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_DETACHED_HEADER(prefix)     \
    {                                                         \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_DETACHED_HEADER, \
        .type = QEMU_OPT_BOOL,                                \
        .help = "Create a detached LUKS header",              \
    }
110 
/*
 * Descriptor for the numeric option @prefix "keyslot": selects a single
 * keyslot to modify explicitly.
 * NOTE(review): the valid slot range is not expressed here; range checking
 * has to happen in the consumer of the option.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT(prefix)              \
    {                                                          \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_KEYSLOT,          \
        .type = QEMU_OPT_NUMBER,                               \
        .help = "Select a single keyslot to modify explicitly",\
    }
117 
/*
 * Descriptor for the string option @prefix "old-secret": selects all
 * keyslots that match the given password.
 * NOTE(review): the help text says "password", whereas the key-secret
 * options in this header take the ID of a secret. Presumably this value is
 * a secret ID as well, so that the password stays out of the option
 * string -- confirm against the consumer.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_OLD_SECRET(prefix)            \
    {                                                           \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_OLD_SECRET,        \
        .type = QEMU_OPT_STRING,                                \
        .help = "Select all keyslots that match this password", \
    }
124 
/*
 * Descriptor for the string option @prefix "new-secret": the new secret to
 * set in the matching keyslots.
 *
 * The help text gives the empty string a destructive meaning (erase), so
 * callers that build this option from a variable or template should make
 * sure an unset value cannot silently turn into "".
 * NOTE(review): whether erasing the last usable keyslot is refused is not
 * visible in this header.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_NEW_SECRET(prefix)            \
    {                                                           \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_NEW_SECRET,        \
        .type = QEMU_OPT_STRING,                                \
        .help = "New secret to set in the matching keyslots. "  \
                "Empty string to erase",                        \
    }
132 
/*
 * Build a QCryptoBlockCreateOptions from the option dictionary @opts.
 * Errors are reported through @errp.
 *
 * This header includes nothing itself, so QDict, Error and the
 * QCryptoBlock*Options types must already be declared by the includer.
 * NOTE(review): ownership of the returned object and the return value on
 * failure (presumably NULL with @errp set) are not visible here.
 */
QCryptoBlockCreateOptions *
block_crypto_create_opts_init(QDict *opts, Error **errp);
135 
/*
 * Build a QCryptoBlockAmendOptions from the option dictionary @opts.
 * Errors are reported through @errp.
 * NOTE(review): ownership of the returned object and the return value on
 * failure (presumably NULL with @errp set) are not visible here.
 */
QCryptoBlockAmendOptions *
block_crypto_amend_opts_init(QDict *opts, Error **errp);
138 
/*
 * Build a QCryptoBlockOpenOptions from the option dictionary @opts.
 * Errors are reported through @errp.
 * NOTE(review): ownership of the returned object and the return value on
 * failure (presumably NULL with @errp set) are not visible here.
 */
QCryptoBlockOpenOptions *
block_crypto_open_opts_init(QDict *opts, Error **errp);
141 
142 #endif /* BLOCK_CRYPTO_H */
143