1# -*- Mode: Python -*- 2# vim: filetype=python 3# 4 5## 6# = Cryptography 7## 8 9## 10# @QCryptoTLSCredsEndpoint: 11# 12# The type of network endpoint that will be using the credentials. 13# Most types of credential require different setup / structures 14# depending on whether they will be used in a server versus a client. 15# 16# @client: the network endpoint is acting as the client 17# 18# @server: the network endpoint is acting as the server 19# 20# Since: 2.5 21## 22{ 'enum': 'QCryptoTLSCredsEndpoint', 23 'data': ['client', 'server']} 24 25## 26# @QCryptoSecretFormat: 27# 28# The data format that the secret is provided in 29# 30# @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences 31# can be used 32# 33# @base64: arbitrary base64 encoded binary data 34# 35# Since: 2.6 36## 37{ 'enum': 'QCryptoSecretFormat', 38 'data': ['raw', 'base64']} 39 40## 41# @QCryptoHashAlgorithm: 42# 43# The supported algorithms for computing content digests 44# 45# @md5: MD5. Should not be used in any new code, legacy compat only 46# 47# @sha1: SHA-1. Should not be used in any new code, legacy compat only 48# 49# @sha224: SHA-224. (since 2.7) 50# 51# @sha256: SHA-256. Current recommended strong hash. 52# 53# @sha384: SHA-384. (since 2.7) 54# 55# @sha512: SHA-512. (since 2.7) 56# 57# @ripemd160: RIPEMD-160. (since 2.7) 58# 59# Since: 2.6 60## 61{ 'enum': 'QCryptoHashAlgorithm', 62 'prefix': 'QCRYPTO_HASH_ALG', 63 'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']} 64 65## 66# @QCryptoCipherAlgorithm: 67# 68# The supported algorithms for content encryption ciphers 69# 70# @aes-128: AES with 128 bit / 16 byte keys 71# 72# @aes-192: AES with 192 bit / 24 byte keys 73# 74# @aes-256: AES with 256 bit / 32 byte keys 75# 76# @des: DES with 56 bit / 8 byte keys. Do not use except in VNC. 77# (since 6.1) 78# 79# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9) 80# 81# @cast5-128: Cast5 with 128 bit / 16 byte keys 82# 83# @serpent-128: Serpent with 128 bit / 16 byte keys 84# 85# @serpent-192: Serpent with 192 bit / 24 byte keys 86# 87# @serpent-256: Serpent with 256 bit / 32 byte keys 88# 89# @twofish-128: Twofish with 128 bit / 16 byte keys 90# 91# @twofish-192: Twofish with 192 bit / 24 byte keys 92# 93# @twofish-256: Twofish with 256 bit / 32 byte keys 94# 95# @sm4: SM4 with 128 bit / 16 byte keys (since 9.0) 96# 97# Since: 2.6 98## 99{ 'enum': 'QCryptoCipherAlgorithm', 100 'prefix': 'QCRYPTO_CIPHER_ALG', 101 'data': ['aes-128', 'aes-192', 'aes-256', 102 'des', '3des', 103 'cast5-128', 104 'serpent-128', 'serpent-192', 'serpent-256', 105 'twofish-128', 'twofish-192', 'twofish-256', 106 'sm4']} 107 108## 109# @QCryptoCipherMode: 110# 111# The supported modes for content encryption ciphers 112# 113# @ecb: Electronic Code Book 114# 115# @cbc: Cipher Block Chaining 116# 117# @xts: XEX with tweaked code book and ciphertext stealing 118# 119# @ctr: Counter (Since 2.8) 120# 121# Since: 2.6 122## 123{ 'enum': 'QCryptoCipherMode', 124 'data': ['ecb', 'cbc', 'xts', 'ctr']} 125 126## 127# @QCryptoIVGenAlgorithm: 128# 129# The supported algorithms for generating initialization vectors for 130# full disk encryption. The 'plain' generator should not be used for 131# disks with sector numbers larger than 2^32, except where 132# compatibility with pre-existing Linux dm-crypt volumes is required. 133# 134# @plain: 64-bit sector number truncated to 32-bits 135# 136# @plain64: 64-bit sector number 137# 138# @essiv: 64-bit sector number encrypted with a hash of the encryption 139# key 140# 141# Since: 2.6 142## 143{ 'enum': 'QCryptoIVGenAlgorithm', 144 'prefix': 'QCRYPTO_IVGEN_ALG', 145 'data': ['plain', 'plain64', 'essiv']} 146 147## 148# @QCryptoBlockFormat: 149# 150# The supported full disk encryption formats 151# 152# @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only for 153# liberating data from old images. 154# 155# @luks: LUKS encryption format. Recommended for new images 156# 157# Since: 2.6 158## 159{ 'enum': 'QCryptoBlockFormat', 160 'data': ['qcow', 'luks']} 161 162## 163# @QCryptoBlockOptionsBase: 164# 165# The common options that apply to all full disk encryption formats 166# 167# @format: the encryption format 168# 169# Since: 2.6 170## 171{ 'struct': 'QCryptoBlockOptionsBase', 172 'data': { 'format': 'QCryptoBlockFormat' }} 173 174## 175# @QCryptoBlockOptionsQCow: 176# 177# The options that apply to QCow/QCow2 AES-CBC encryption format 178# 179# @key-secret: the ID of a QCryptoSecret object providing the 180# decryption key. Mandatory except when probing image for 181# metadata only. 182# 183# Since: 2.6 184## 185{ 'struct': 'QCryptoBlockOptionsQCow', 186 'data': { '*key-secret': 'str' }} 187 188## 189# @QCryptoBlockOptionsLUKS: 190# 191# The options that apply to LUKS encryption format 192# 193# @key-secret: the ID of a QCryptoSecret object providing the 194# decryption key. Mandatory except when probing image for 195# metadata only. 196# 197# Since: 2.6 198## 199{ 'struct': 'QCryptoBlockOptionsLUKS', 200 'data': { '*key-secret': 'str' }} 201 202## 203# @QCryptoBlockCreateOptionsLUKS: 204# 205# The options that apply to LUKS encryption format initialization 206# 207# @cipher-alg: the cipher algorithm for data encryption Currently 208# defaults to 'aes-256'. 209# 210# @cipher-mode: the cipher mode for data encryption Currently defaults 211# to 'xts' 212# 213# @ivgen-alg: the initialization vector generator Currently defaults 214# to 'plain64' 215# 216# @ivgen-hash-alg: the initialization vector generator hash Currently 217# defaults to 'sha256' 218# 219# @hash-alg: the master key hash algorithm Currently defaults to 220# 'sha256' 221# 222# @iter-time: number of milliseconds to spend in PBKDF passphrase 223# processing. Currently defaults to 2000. (since 2.8) 224# 225# Since: 2.6 226## 227{ 'struct': 'QCryptoBlockCreateOptionsLUKS', 228 'base': 'QCryptoBlockOptionsLUKS', 229 'data': { '*cipher-alg': 'QCryptoCipherAlgorithm', 230 '*cipher-mode': 'QCryptoCipherMode', 231 '*ivgen-alg': 'QCryptoIVGenAlgorithm', 232 '*ivgen-hash-alg': 'QCryptoHashAlgorithm', 233 '*hash-alg': 'QCryptoHashAlgorithm', 234 '*iter-time': 'int' }} 235 236## 237# @QCryptoBlockOpenOptions: 238# 239# The options that are available for all encryption formats when 240# opening an existing volume 241# 242# Since: 2.6 243## 244{ 'union': 'QCryptoBlockOpenOptions', 245 'base': 'QCryptoBlockOptionsBase', 246 'discriminator': 'format', 247 'data': { 'qcow': 'QCryptoBlockOptionsQCow', 248 'luks': 'QCryptoBlockOptionsLUKS' } } 249 250## 251# @QCryptoBlockCreateOptions: 252# 253# The options that are available for all encryption formats when 254# initializing a new volume 255# 256# Since: 2.6 257## 258{ 'union': 'QCryptoBlockCreateOptions', 259 'base': 'QCryptoBlockOptionsBase', 260 'discriminator': 'format', 261 'data': { 'qcow': 'QCryptoBlockOptionsQCow', 262 'luks': 'QCryptoBlockCreateOptionsLUKS' } } 263 264## 265# @QCryptoBlockInfoBase: 266# 267# The common information that applies to all full disk encryption 268# formats 269# 270# @format: the encryption format 271# 272# Since: 2.7 273## 274{ 'struct': 'QCryptoBlockInfoBase', 275 'data': { 'format': 'QCryptoBlockFormat' }} 276 277## 278# @QCryptoBlockInfoLUKSSlot: 279# 280# Information about the LUKS block encryption key slot options 281# 282# @active: whether the key slot is currently in use 283# 284# @key-offset: offset to the key material in bytes 285# 286# @iters: number of PBKDF2 iterations for key material 287# 288# @stripes: number of stripes for splitting key material 289# 290# Since: 2.7 291## 292{ 'struct': 'QCryptoBlockInfoLUKSSlot', 293 'data': {'active': 'bool', 294 '*iters': 'int', 295 '*stripes': 'int', 296 'key-offset': 'int' } } 297 298## 299# @QCryptoBlockInfoLUKS: 300# 301# Information about the LUKS block encryption options 302# 303# @cipher-alg: the cipher algorithm for data encryption 304# 305# @cipher-mode: the cipher mode for data encryption 306# 307# @ivgen-alg: the initialization vector generator 308# 309# @ivgen-hash-alg: the initialization vector generator hash 310# 311# @hash-alg: the master key hash algorithm 312# 313# @detached-header: whether the LUKS header is detached (Since 9.0) 314# 315# @payload-offset: offset to the payload data in bytes 316# 317# @master-key-iters: number of PBKDF2 iterations for key material 318# 319# @uuid: unique identifier for the volume 320# 321# @slots: information about each key slot 322# 323# Since: 2.7 324## 325{ 'struct': 'QCryptoBlockInfoLUKS', 326 'data': {'cipher-alg': 'QCryptoCipherAlgorithm', 327 'cipher-mode': 'QCryptoCipherMode', 328 'ivgen-alg': 'QCryptoIVGenAlgorithm', 329 '*ivgen-hash-alg': 'QCryptoHashAlgorithm', 330 'hash-alg': 'QCryptoHashAlgorithm', 331 'detached-header': 'bool', 332 'payload-offset': 'int', 333 'master-key-iters': 'int', 334 'uuid': 'str', 335 'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }} 336 337## 338# @QCryptoBlockInfo: 339# 340# Information about the block encryption options 341# 342# Since: 2.7 343## 344{ 'union': 'QCryptoBlockInfo', 345 'base': 'QCryptoBlockInfoBase', 346 'discriminator': 'format', 347 'data': { 'luks': 'QCryptoBlockInfoLUKS' } } 348 349## 350# @QCryptoBlockLUKSKeyslotState: 351# 352# Defines state of keyslots that are affected by the update 353# 354# @active: The slots contain the given password and marked as active 355# 356# @inactive: The slots are erased (contain garbage) and marked as 357# inactive 358# 359# Since: 5.1 360## 361{ 'enum': 'QCryptoBlockLUKSKeyslotState', 362 'data': [ 'active', 'inactive' ] } 363 364## 365# @QCryptoBlockAmendOptionsLUKS: 366# 367# This struct defines the update parameters that activate/de-activate 368# set of keyslots 369# 370# @state: the desired state of the keyslots 371# 372# @new-secret: The ID of a QCryptoSecret object providing the password 373# to be written into added active keyslots 374# 375# @old-secret: Optional (for deactivation only) If given will 376# deactivate all keyslots that match password located in 377# QCryptoSecret with this ID 378# 379# @iter-time: Optional (for activation only) Number of milliseconds to 380# spend in PBKDF passphrase processing for the newly activated 381# keyslot. Currently defaults to 2000. 382# 383# @keyslot: Optional. ID of the keyslot to activate/deactivate. For 384# keyslot activation, keyslot should not be active already (this 385# is unsafe to update an active keyslot), but possible if 'force' 386# parameter is given. If keyslot is not given, first free keyslot 387# will be written. 388# 389# For keyslot deactivation, this parameter specifies the exact 390# keyslot to deactivate 391# 392# @secret: Optional. The ID of a QCryptoSecret object providing the 393# password to use to retrieve current master key. Defaults to the 394# same secret that was used to open the image 395# 396# Since: 5.1 397## 398{ 'struct': 'QCryptoBlockAmendOptionsLUKS', 399 'data': { 'state': 'QCryptoBlockLUKSKeyslotState', 400 '*new-secret': 'str', 401 '*old-secret': 'str', 402 '*keyslot': 'int', 403 '*iter-time': 'int', 404 '*secret': 'str' } } 405 406## 407# @QCryptoBlockAmendOptions: 408# 409# The options that are available for all encryption formats when 410# amending encryption settings 411# 412# Since: 5.1 413## 414{ 'union': 'QCryptoBlockAmendOptions', 415 'base': 'QCryptoBlockOptionsBase', 416 'discriminator': 'format', 417 'data': { 418 'luks': 'QCryptoBlockAmendOptionsLUKS' } } 419 420## 421# @SecretCommonProperties: 422# 423# Properties for objects of classes derived from secret-common. 424# 425# @loaded: if true, the secret is loaded immediately when applying 426# this option and will probably fail when processing the next 427# option. Don't use; only provided for compatibility. 428# (default: false) 429# 430# @format: the data format that the secret is provided in 431# (default: raw) 432# 433# @keyid: the name of another secret that should be used to decrypt 434# the provided data. If not present, the data is assumed to be 435# unencrypted. 436# 437# @iv: the random initialization vector used for encryption of this 438# particular secret. Should be a base64 encrypted string of the 439# 16-byte IV. Mandatory if @keyid is given. Ignored if @keyid is 440# absent. 441# 442# Features: 443# 444# @deprecated: Member @loaded is deprecated. Setting true doesn't 445# make sense, and false is already the default. 446# 447# Since: 2.6 448## 449{ 'struct': 'SecretCommonProperties', 450 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, 451 '*format': 'QCryptoSecretFormat', 452 '*keyid': 'str', 453 '*iv': 'str' } } 454 455## 456# @SecretProperties: 457# 458# Properties for secret objects. 459# 460# Either @data or @file must be provided, but not both. 461# 462# @data: the associated with the secret from 463# 464# @file: the filename to load the data associated with the secret from 465# 466# Since: 2.6 467## 468{ 'struct': 'SecretProperties', 469 'base': 'SecretCommonProperties', 470 'data': { '*data': 'str', 471 '*file': 'str' } } 472 473## 474# @SecretKeyringProperties: 475# 476# Properties for secret_keyring objects. 477# 478# @serial: serial number that identifies a key to get from the kernel 479# 480# Since: 5.1 481## 482{ 'struct': 'SecretKeyringProperties', 483 'base': 'SecretCommonProperties', 484 'data': { 'serial': 'int32' }, 485 'if': 'CONFIG_SECRET_KEYRING' } 486 487## 488# @TlsCredsProperties: 489# 490# Properties for objects of classes derived from tls-creds. 491# 492# @verify-peer: if true the peer credentials will be verified once the 493# handshake is completed. This is a no-op for anonymous 494# credentials. (default: true) 495# 496# @dir: the path of the directory that contains the credential files 497# 498# @endpoint: whether the QEMU network backend that uses the 499# credentials will be acting as a client or as a server 500# (default: client) 501# 502# @priority: a gnutls priority string as described at 503# https://gnutls.org/manual/html_node/Priority-Strings.html 504# 505# Since: 2.5 506## 507{ 'struct': 'TlsCredsProperties', 508 'data': { '*verify-peer': 'bool', 509 '*dir': 'str', 510 '*endpoint': 'QCryptoTLSCredsEndpoint', 511 '*priority': 'str' } } 512 513## 514# @TlsCredsAnonProperties: 515# 516# Properties for tls-creds-anon objects. 517# 518# @loaded: if true, the credentials are loaded immediately when 519# applying this option and will ignore options that are processed 520# later. Don't use; only provided for compatibility. 521# (default: false) 522# 523# Features: 524# 525# @deprecated: Member @loaded is deprecated. Setting true doesn't 526# make sense, and false is already the default. 527# 528# Since: 2.5 529## 530{ 'struct': 'TlsCredsAnonProperties', 531 'base': 'TlsCredsProperties', 532 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } } 533 534## 535# @TlsCredsPskProperties: 536# 537# Properties for tls-creds-psk objects. 538# 539# @loaded: if true, the credentials are loaded immediately when 540# applying this option and will ignore options that are processed 541# later. Don't use; only provided for compatibility. 542# (default: false) 543# 544# @username: the username which will be sent to the server. For 545# clients only. If absent, "qemu" is sent and the property will 546# read back as an empty string. 547# 548# Features: 549# 550# @deprecated: Member @loaded is deprecated. Setting true doesn't 551# make sense, and false is already the default. 552# 553# Since: 3.0 554## 555{ 'struct': 'TlsCredsPskProperties', 556 'base': 'TlsCredsProperties', 557 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, 558 '*username': 'str' } } 559 560## 561# @TlsCredsX509Properties: 562# 563# Properties for tls-creds-x509 objects. 564# 565# @loaded: if true, the credentials are loaded immediately when 566# applying this option and will ignore options that are processed 567# later. Don't use; only provided for compatibility. 568# (default: false) 569# 570# @sanity-check: if true, perform some sanity checks before using the 571# credentials (default: true) 572# 573# @passwordid: For the server-key.pem and client-key.pem files which 574# contain sensitive private keys, it is possible to use an 575# encrypted version by providing the @passwordid parameter. This 576# provides the ID of a previously created secret object containing 577# the password for decryption. 578# 579# Features: 580# 581# @deprecated: Member @loaded is deprecated. Setting true doesn't 582# make sense, and false is already the default. 583# 584# Since: 2.5 585## 586{ 'struct': 'TlsCredsX509Properties', 587 'base': 'TlsCredsProperties', 588 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, 589 '*sanity-check': 'bool', 590 '*passwordid': 'str' } } 591## 592# @QCryptoAkCipherAlgorithm: 593# 594# The supported algorithms for asymmetric encryption ciphers 595# 596# @rsa: RSA algorithm 597# 598# Since: 7.1 599## 600{ 'enum': 'QCryptoAkCipherAlgorithm', 601 'prefix': 'QCRYPTO_AKCIPHER_ALG', 602 'data': ['rsa']} 603 604## 605# @QCryptoAkCipherKeyType: 606# 607# The type of asymmetric keys. 608# 609# Since: 7.1 610## 611{ 'enum': 'QCryptoAkCipherKeyType', 612 'prefix': 'QCRYPTO_AKCIPHER_KEY_TYPE', 613 'data': ['public', 'private']} 614 615## 616# @QCryptoRSAPaddingAlgorithm: 617# 618# The padding algorithm for RSA. 619# 620# @raw: no padding used 621# 622# @pkcs1: pkcs1#v1.5 623# 624# Since: 7.1 625## 626{ 'enum': 'QCryptoRSAPaddingAlgorithm', 627 'prefix': 'QCRYPTO_RSA_PADDING_ALG', 628 'data': ['raw', 'pkcs1']} 629 630## 631# @QCryptoAkCipherOptionsRSA: 632# 633# Specific parameters for RSA algorithm. 634# 635# @hash-alg: QCryptoHashAlgorithm 636# 637# @padding-alg: QCryptoRSAPaddingAlgorithm 638# 639# Since: 7.1 640## 641{ 'struct': 'QCryptoAkCipherOptionsRSA', 642 'data': { 'hash-alg':'QCryptoHashAlgorithm', 643 'padding-alg': 'QCryptoRSAPaddingAlgorithm'}} 644 645## 646# @QCryptoAkCipherOptions: 647# 648# The options that are available for all asymmetric key algorithms 649# when creating a new QCryptoAkCipher. 650# 651# @alg: encryption cipher algorithm 652# 653# Since: 7.1 654## 655{ 'union': 'QCryptoAkCipherOptions', 656 'base': { 'alg': 'QCryptoAkCipherAlgorithm' }, 657 'discriminator': 'alg', 658 'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }} 659