/*
 * QEMU block full disk encryption
 *
 * Copyright (c) 2015-2017 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

/*
 * Option names and option-table entry macros for the block-layer
 * encryption drivers, plus the three helpers that turn a QDict of
 * options into create/amend/open option structs.
 *
 * This header includes nothing itself: QEMU_OPT_STRING, QEMU_OPT_NUMBER,
 * QEMU_OPT_BOOL, QDict, Error and the QCryptoBlock*Options types must
 * already be in scope in the including file.
 *
 * Every BLOCK_CRYPTO_OPT_DEF_* macro expands to a brace-enclosed
 * designated initializer with .name, .type and .help members
 * (presumably one entry of an option-descriptor table; confirm against
 * the including driver).  "prefix" is pasted in front of the option name
 * by string-literal concatenation, so it must itself be a string literal
 * ("" for no prefix).
 *
 * None of these macros validate anything: they only declare an option's
 * name and type.  Checking algorithm names, numeric ranges and secret
 * IDs is left to whatever code consumes the parsed options.
 */
#ifndef BLOCK_CRYPTO_H
#define BLOCK_CRYPTO_H

/*
 * Generic "key-secret" option entry with a caller-supplied help string.
 *
 * The option name is always built from BLOCK_CRYPTO_OPT_QCOW_KEY_SECRET,
 * including when this macro is reached through the LUKS wrapper below.
 * That is harmless only because the QCOW and LUKS constants are both
 * "key-secret"; if they ever diverge, the LUKS entry would silently keep
 * the QCOW name.
 *
 * The macro body refers to a constant that is #defined further down.
 * This is valid because macros are expanded at the point of use.
 */
#define BLOCK_CRYPTO_OPT_DEF_KEY_SECRET(prefix, helpstr)                \
    {                                                                   \
        .name = prefix BLOCK_CRYPTO_OPT_QCOW_KEY_SECRET,                \
        .type = QEMU_OPT_STRING,                                        \
        .help = helpstr,                                                \
    }

/* Name of the option that identifies the secret for qcow AES encryption. */
#define BLOCK_CRYPTO_OPT_QCOW_KEY_SECRET "key-secret"

/*
 * "key-secret" entry for qcow AES encryption.  Per the help text the
 * value is the ID of a secret, i.e. a reference to key material held
 * elsewhere, not the key itself.
 */
#define BLOCK_CRYPTO_OPT_DEF_QCOW_KEY_SECRET(prefix)                    \
    BLOCK_CRYPTO_OPT_DEF_KEY_SECRET(prefix,                             \
        "ID of the secret that provides the AES encryption key")

/*
 * LUKS option names.  The first eight describe how a volume is unlocked
 * or formatted; keyslot, state, old-secret and new-secret select and
 * modify keyslots (see the matching BLOCK_CRYPTO_OPT_DEF_LUKS_* help
 * strings below).
 */
#define BLOCK_CRYPTO_OPT_LUKS_KEY_SECRET "key-secret"
#define BLOCK_CRYPTO_OPT_LUKS_CIPHER_ALG "cipher-alg"
#define BLOCK_CRYPTO_OPT_LUKS_CIPHER_MODE "cipher-mode"
#define BLOCK_CRYPTO_OPT_LUKS_IVGEN_ALG "ivgen-alg"
#define BLOCK_CRYPTO_OPT_LUKS_IVGEN_HASH_ALG "ivgen-hash-alg"
#define BLOCK_CRYPTO_OPT_LUKS_HASH_ALG "hash-alg"
#define BLOCK_CRYPTO_OPT_LUKS_ITER_TIME "iter-time"
#define BLOCK_CRYPTO_OPT_LUKS_DETACHED_HEADER "detached-header"
#define BLOCK_CRYPTO_OPT_LUKS_KEYSLOT "keyslot"
#define BLOCK_CRYPTO_OPT_LUKS_STATE "state"
#define BLOCK_CRYPTO_OPT_LUKS_OLD_SECRET "old-secret"
#define BLOCK_CRYPTO_OPT_LUKS_NEW_SECRET "new-secret"


/*
 * "key-secret" entry for LUKS.  Per the help text the value is the ID of
 * the secret holding the keyslot passphrase, not the passphrase itself.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_KEY_SECRET(prefix)                    \
    BLOCK_CRYPTO_OPT_DEF_KEY_SECRET(prefix,                             \
        "ID of the secret that provides the keyslot passphrase")

/*
 * Free-form string naming the cipher.
 * NOTE(review): nothing here restricts the value; confirm the consumer
 * rejects unknown or unsuitable algorithm names.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_ALG(prefix)                    \
    {                                                                   \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_CIPHER_ALG,                \
        .type = QEMU_OPT_STRING,                                        \
        .help = "Name of encryption cipher algorithm",                  \
    }

/* Free-form string naming the cipher mode; not validated in this header. */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_MODE(prefix)                   \
    {                                                                   \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_CIPHER_MODE,               \
        .type = QEMU_OPT_STRING,                                        \
        .help = "Name of encryption cipher mode",                       \
    }

/* Free-form string naming the IV generator; not validated in this header. */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_ALG(prefix)                     \
    {                                                                   \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_IVGEN_ALG,                 \
        .type = QEMU_OPT_STRING,                                        \
        .help = "Name of IV generator algorithm",                       \
    }

/* Free-form string naming the hash used by the IV generator. */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_HASH_ALG(prefix)                \
    {                                                                   \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_IVGEN_HASH_ALG,            \
        .type = QEMU_OPT_STRING,                                        \
        .help = "Name of IV generator hash algorithm",                  \
    }

/* Free-form string naming the hash algorithm; not validated in this header. */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_HASH_ALG(prefix)                      \
    {                                                                   \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_HASH_ALG,                  \
        .type = QEMU_OPT_STRING,                                        \
        .help = "Name of encryption hash algorithm",                    \
    }

/*
 * Numeric option: time budget for the PBKDF, in milliseconds.
 * NOTE(review): no lower bound is expressed here.  A very small value
 * presumably yields a cheap key derivation and therefore cheaper offline
 * passphrase guessing; confirm the consumer enforces a sensible minimum.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME(prefix)                     \
    {                                                                   \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_ITER_TIME,                 \
        .type = QEMU_OPT_NUMBER,                                        \
        .help = "Time to spend in PBKDF in milliseconds",               \
    }

/*
 * Target state for the selected keyslots.  The help text lists "active"
 * and "inactive", but the option is typed as a plain string, so the
 * consumer has to reject anything else.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_STATE(prefix)                         \
    {                                                                   \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_STATE,                     \
        .type = QEMU_OPT_STRING,                                        \
        .help = "Select new state of affected keyslots (active/inactive)",\
    }

/* Boolean option requesting a detached LUKS header at creation time. */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_DETACHED_HEADER(prefix)               \
    {                                                                   \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_DETACHED_HEADER,           \
        .type = QEMU_OPT_BOOL,                                          \
        .help = "Create a detached LUKS header",                        \
    }

/*
 * Numeric option selecting one keyslot by index.
 * NOTE(review): range checking of the index is not visible here;
 * confirm it happens before the value is used.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT(prefix)                       \
    {                                                                   \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_KEYSLOT,                   \
        .type = QEMU_OPT_NUMBER,                                        \
        .help = "Select a single keyslot to modify explicitly",\
    }

/*
 * Selects keyslots by the credential that currently unlocks them.
 * NOTE(review): the help text says "password", while the key-secret
 * options above take the ID of a secret.  Presumably this is also a
 * secret ID; confirm, because a literal passphrase in an option string
 * would end up wherever option strings are logged or displayed.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_OLD_SECRET(prefix)                    \
    {                                                                   \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_OLD_SECRET,                \
        .type = QEMU_OPT_STRING,                                        \
        .help = "Select all keyslots that match this password",         \
    }

/*
 * Replacement credential for the selected keyslots.  Per the help text
 * an empty string erases them, so an accidentally empty value is
 * destructive.
 * NOTE(review): confirm the consumer refuses to erase the last usable
 * keyslot without an explicit override.
 */
#define BLOCK_CRYPTO_OPT_DEF_LUKS_NEW_SECRET(prefix)                    \
    {                                                                   \
        .name = prefix BLOCK_CRYPTO_OPT_LUKS_NEW_SECRET,                \
        .type = QEMU_OPT_STRING,                                        \
        .help = "New secret to set in the matching keyslots. "          \
                "Empty string to erase",                                \
    }

/*
 * Build the options struct for creating an encrypted volume from @opts.
 * Errors are reported through @errp.
 * NOTE(review): presumably returns NULL on failure and the caller owns
 * the result; confirm in the implementation.
 */
QCryptoBlockCreateOptions *
block_crypto_create_opts_init(QDict *opts, Error **errp);

/*
 * Build the options struct for amending an encrypted volume (the keyslot
 * options above) from @opts.  Errors are reported through @errp.
 * NOTE(review): return and ownership conventions are presumably the same
 * as block_crypto_create_opts_init; confirm.
 */
QCryptoBlockAmendOptions *
block_crypto_amend_opts_init(QDict *opts, Error **errp);

/*
 * Build the options struct for opening an encrypted volume from @opts.
 * Errors are reported through @errp.
 * NOTE(review): return and ownership conventions are presumably the same
 * as block_crypto_create_opts_init; confirm.
 */
QCryptoBlockOpenOptions *
block_crypto_open_opts_init(QDict *opts, Error **errp);

#endif /* BLOCK_CRYPTO_H */