1 /* 2 * QEMU crypto secret support 3 * 4 * Copyright (c) 2015 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21 #ifndef QCRYPTO_SECRET_H__ 22 #define QCRYPTO_SECRET_H__ 23 24 #include "qemu-common.h" 25 #include "qapi/error.h" 26 #include "qom/object.h" 27 28 #define TYPE_QCRYPTO_SECRET "secret" 29 #define QCRYPTO_SECRET(obj) \ 30 OBJECT_CHECK(QCryptoSecret, (obj), TYPE_QCRYPTO_SECRET) 31 32 typedef struct QCryptoSecret QCryptoSecret; 33 typedef struct QCryptoSecretClass QCryptoSecretClass; 34 35 /** 36 * QCryptoSecret: 37 * 38 * The QCryptoSecret object provides storage of secrets, 39 * which may be user passwords, encryption keys or any 40 * other kind of sensitive data that is represented as 41 * a sequence of bytes. 42 * 43 * The sensitive data associated with the secret can 44 * be provided directly via the 'data' property, or 45 * indirectly via the 'file' property. In the latter 46 * case there is support for file descriptor passing 47 * via the usual /dev/fdset/NN syntax that QEMU uses. 48 * 49 * The data for a secret can be provided in two formats, 50 * either as a UTF-8 string (the default), or as base64 51 * encoded 8-bit binary data. The latter is appropriate 52 * for raw encryption keys, while the former is appropriate 53 * for user entered passwords. 54 * 55 * The data may be optionally encrypted with AES-256-CBC, 56 * and the decryption key provided by another 57 * QCryptoSecret instance identified by the 'keyid' 58 * property. When passing sensitive data directly 59 * via the 'data' property it is strongly recommended 60 * to use the AES encryption facility to prevent the 61 * sensitive data being exposed in the process listing 62 * or system log files. 63 * 64 * Providing data directly, insecurely (suitable for 65 * ad hoc developer testing only) 66 * 67 * $QEMU -object secret,id=sec0,data=letmein 68 * 69 * Providing data indirectly: 70 * 71 * # printf "letmein" > password.txt 72 * # $QEMU \ 73 * -object secret,id=sec0,file=password.txt 74 * 75 * Using a master encryption key with data. 76 * 77 * The master key needs to be created as 32 secure 78 * random bytes (optionally base64 encoded) 79 * 80 * # openssl rand -base64 32 > key.b64 81 * # KEY=$(base64 -d key.b64 | hexdump -v -e '/1 "%02X"') 82 * 83 * Each secret to be encrypted needs to have a random 84 * initialization vector generated. These do not need 85 * to be kept secret 86 * 87 * # openssl rand -base64 16 > iv.b64 88 * # IV=$(base64 -d iv.b64 | hexdump -v -e '/1 "%02X"') 89 * 90 * A secret to be defined can now be encrypted 91 * 92 * # SECRET=$(printf "letmein" | 93 * openssl enc -aes-256-cbc -a -K $KEY -iv $IV) 94 * 95 * When launching QEMU, create a master secret pointing 96 * to key.b64 and specify that to be used to decrypt 97 * the user password 98 * 99 * # $QEMU \ 100 * -object secret,id=secmaster0,format=base64,file=key.b64 \ 101 * -object secret,id=sec0,keyid=secmaster0,format=base64,\ 102 * data=$SECRET,iv=$(<iv.b64) 103 * 104 * When encrypting, the data can still be provided via an 105 * external file, in which case it is possible to use either 106 * raw binary data, or base64 encoded. This example uses 107 * raw format 108 * 109 * # printf "letmein" | 110 * openssl enc -aes-256-cbc -K $KEY -iv $IV -o pw.aes 111 * # $QEMU \ 112 * -object secret,id=secmaster0,format=base64,file=key.b64 \ 113 * -object secret,id=sec0,keyid=secmaster0,\ 114 * file=pw.aes,iv=$(<iv.b64) 115 * 116 * Note that the ciphertext can be in either raw or base64 117 * format, as indicated by the 'format' parameter, but the 118 * plaintext resulting from decryption is expected to always 119 * be in raw format. 120 */ 121 122 struct QCryptoSecret { 123 Object parent_obj; 124 uint8_t *rawdata; 125 size_t rawlen; 126 QCryptoSecretFormat format; 127 char *data; 128 char *file; 129 char *keyid; 130 char *iv; 131 }; 132 133 134 struct QCryptoSecretClass { 135 ObjectClass parent_class; 136 }; 137 138 139 extern int qcrypto_secret_lookup(const char *secretid, 140 uint8_t **data, 141 size_t *datalen, 142 Error **errp); 143 extern char *qcrypto_secret_lookup_as_utf8(const char *secretid, 144 Error **errp); 145 extern char *qcrypto_secret_lookup_as_base64(const char *secretid, 146 Error **errp); 147 148 #endif /* QCRYPTO_SECRET_H__ */ 149