xref: /openbmc/qemu/qapi/crypto.json (revision 1bbbe7cf2df11a1bc334489a3b87ee23e13c3c29)
1# -*- Mode: Python -*-
2# vim: filetype=python
3#
4
5##
6# ************
7# Cryptography
8# ************
9##
10
11##
12# @QCryptoTLSCredsEndpoint:
13#
14# The type of network endpoint that will be using the credentials.
15# Most types of credential require different setup / structures
16# depending on whether they will be used in a server versus a client.
17#
18# @client: the network endpoint is acting as the client
19#
20# @server: the network endpoint is acting as the server
21#
22# Since: 2.5
23##
24{ 'enum': 'QCryptoTLSCredsEndpoint',
25  'data': ['client', 'server']}
26
27##
28# @QCryptoSecretFormat:
29#
30# The data format that the secret is provided in
31#
32# @raw: raw bytes.  When encoded in JSON only valid UTF-8 sequences
33#     can be used
34#
35# @base64: arbitrary base64 encoded binary data
36#
37# Since: 2.6
38##
39{ 'enum': 'QCryptoSecretFormat',
40  'data': ['raw', 'base64']}
41
42##
43# @QCryptoHashAlgo:
44#
45# The supported algorithms for computing content digests
46#
47# @md5: MD5.  Should not be used in any new code, legacy compat only
48#
49# @sha1: SHA-1.  Should not be used in any new code, legacy compat only
50#
51# @sha224: SHA-224.  (since 2.7)
52#
53# @sha256: SHA-256.  Current recommended strong hash.
54#
55# @sha384: SHA-384.  (since 2.7)
56#
57# @sha512: SHA-512.  (since 2.7)
58#
59# @ripemd160: RIPEMD-160.  (since 2.7)
60#
61# @sm3: SM3.  (since 9.2.0)
62#
63# Since: 2.6
64##
65{ 'enum': 'QCryptoHashAlgo',
66  'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160', 'sm3']}
67
68##
69# @QCryptoCipherAlgo:
70#
71# The supported algorithms for content encryption ciphers
72#
73# @aes-128: AES with 128 bit / 16 byte keys
74#
75# @aes-192: AES with 192 bit / 24 byte keys
76#
77# @aes-256: AES with 256 bit / 32 byte keys
78#
79# @des: DES with 56 bit / 8 byte keys.  Do not use except in VNC.
80#     (since 6.1)
81#
82# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9)
83#
84# @cast5-128: Cast5 with 128 bit / 16 byte keys
85#
86# @serpent-128: Serpent with 128 bit / 16 byte keys
87#
88# @serpent-192: Serpent with 192 bit / 24 byte keys
89#
90# @serpent-256: Serpent with 256 bit / 32 byte keys
91#
92# @twofish-128: Twofish with 128 bit / 16 byte keys
93#
94# @twofish-192: Twofish with 192 bit / 24 byte keys
95#
96# @twofish-256: Twofish with 256 bit / 32 byte keys
97#
98# @sm4: SM4 with 128 bit / 16 byte keys (since 9.0)
99#
100# Since: 2.6
101##
102{ 'enum': 'QCryptoCipherAlgo',
103  'data': ['aes-128', 'aes-192', 'aes-256',
104           'des', '3des',
105           'cast5-128',
106           'serpent-128', 'serpent-192', 'serpent-256',
107           'twofish-128', 'twofish-192', 'twofish-256',
108           'sm4']}
109
110##
111# @QCryptoCipherMode:
112#
113# The supported modes for content encryption ciphers
114#
115# @ecb: Electronic Code Book
116#
117# @cbc: Cipher Block Chaining
118#
119# @xts: XEX with tweaked code book and ciphertext stealing
120#
121# @ctr: Counter (Since 2.8)
122#
123# Since: 2.6
124##
125{ 'enum': 'QCryptoCipherMode',
126  'data': ['ecb', 'cbc', 'xts', 'ctr']}
127
128##
129# @QCryptoIVGenAlgo:
130#
131# The supported algorithms for generating initialization vectors for
132# full disk encryption.  The 'plain' generator should not be used for
133# disks with sector numbers larger than 2^32, except where
134# compatibility with pre-existing Linux dm-crypt volumes is required.
135#
136# @plain: 64-bit sector number truncated to 32-bits
137#
138# @plain64: 64-bit sector number
139#
140# @essiv: 64-bit sector number encrypted with a hash of the encryption
141#     key
142#
143# Since: 2.6
144##
145{ 'enum': 'QCryptoIVGenAlgo',
146  'data': ['plain', 'plain64', 'essiv']}
147
148##
149# @QCryptoBlockFormat:
150#
151# The supported full disk encryption formats
152#
153# @qcow: QCow/QCow2 built-in AES-CBC encryption.  Use only for
154#     liberating data from old images.
155#
156# @luks: LUKS encryption format.  Recommended for new images
157#
158# Since: 2.6
159##
160{ 'enum': 'QCryptoBlockFormat',
161  'data': ['qcow', 'luks']}
162
163##
164# @QCryptoBlockOptionsBase:
165#
166# The common options that apply to all full disk encryption formats
167#
168# @format: the encryption format
169#
170# Since: 2.6
171##
172{ 'struct': 'QCryptoBlockOptionsBase',
173  'data': { 'format': 'QCryptoBlockFormat' }}
174
175##
176# @QCryptoBlockOptionsQCow:
177#
178# The options that apply to QCow/QCow2 AES-CBC encryption format
179#
180# @key-secret: the ID of a QCryptoSecret object providing the
181#     decryption key.  Mandatory except when probing image for
182#     metadata only.
183#
184# Since: 2.6
185##
186{ 'struct': 'QCryptoBlockOptionsQCow',
187  'data': { '*key-secret': 'str' }}
188
189##
190# @QCryptoBlockOptionsLUKS:
191#
192# The options that apply to LUKS encryption format
193#
194# @key-secret: the ID of a QCryptoSecret object providing the
195#     decryption key.  Mandatory except when probing image for
196#     metadata only.
197#
198# Since: 2.6
199##
200{ 'struct': 'QCryptoBlockOptionsLUKS',
201  'data': { '*key-secret': 'str' }}
202
203##
204# @QCryptoBlockCreateOptionsLUKS:
205#
206# The options that apply to LUKS encryption format initialization
207#
208# @cipher-alg: the cipher algorithm for data encryption.  Currently
209#     defaults to 'aes-256'.
210#
211# @cipher-mode: the cipher mode for data encryption.  Currently
212#     defaults to 'xts'
213#
214# @ivgen-alg: the initialization vector generator.  Currently defaults
215#     to 'plain64'
216#
217# @ivgen-hash-alg: the initialization vector generator hash.
218#     Currently defaults to 'sha256'
219#
220# @hash-alg: the master key hash algorithm.  Currently defaults to
221#     'sha256'
222#
223# @iter-time: number of milliseconds to spend in PBKDF passphrase
224#     processing.  Currently defaults to 2000.  (since 2.8)
225#
226# Since: 2.6
227##
228{ 'struct': 'QCryptoBlockCreateOptionsLUKS',
229  'base': 'QCryptoBlockOptionsLUKS',
230  'data': { '*cipher-alg': 'QCryptoCipherAlgo',
231            '*cipher-mode': 'QCryptoCipherMode',
232            '*ivgen-alg': 'QCryptoIVGenAlgo',
233            '*ivgen-hash-alg': 'QCryptoHashAlgo',
234            '*hash-alg': 'QCryptoHashAlgo',
235            '*iter-time': 'int' }}
236
237##
238# @QCryptoBlockOpenOptions:
239#
240# The options that are available for all encryption formats when
241# opening an existing volume
242#
243# Since: 2.6
244##
245{ 'union': 'QCryptoBlockOpenOptions',
246  'base': 'QCryptoBlockOptionsBase',
247  'discriminator': 'format',
248  'data': { 'qcow': 'QCryptoBlockOptionsQCow',
249            'luks': 'QCryptoBlockOptionsLUKS' } }
250
251##
252# @QCryptoBlockCreateOptions:
253#
254# The options that are available for all encryption formats when
255# initializing a new volume
256#
257# Since: 2.6
258##
259{ 'union': 'QCryptoBlockCreateOptions',
260  'base': 'QCryptoBlockOptionsBase',
261  'discriminator': 'format',
262  'data': { 'qcow': 'QCryptoBlockOptionsQCow',
263            'luks': 'QCryptoBlockCreateOptionsLUKS' } }
264
265##
266# @QCryptoBlockInfoBase:
267#
268# The common information that applies to all full disk encryption
269# formats
270#
271# @format: the encryption format
272#
273# Since: 2.7
274##
275{ 'struct': 'QCryptoBlockInfoBase',
276  'data': { 'format': 'QCryptoBlockFormat' }}
277
278##
279# @QCryptoBlockInfoLUKSSlot:
280#
281# Information about the LUKS block encryption key slot options
282#
283# @active: whether the key slot is currently in use
284#
285# @key-offset: offset to the key material in bytes
286#
287# @iters: number of PBKDF2 iterations for key material
288#
289# @stripes: number of stripes for splitting key material
290#
291# Since: 2.7
292##
293{ 'struct': 'QCryptoBlockInfoLUKSSlot',
294  'data': {'active': 'bool',
295           '*iters': 'int',
296           '*stripes': 'int',
297           'key-offset': 'int' } }
298
299##
300# @QCryptoBlockInfoLUKS:
301#
302# Information about the LUKS block encryption options
303#
304# @cipher-alg: the cipher algorithm for data encryption
305#
306# @cipher-mode: the cipher mode for data encryption
307#
308# @ivgen-alg: the initialization vector generator
309#
310# @ivgen-hash-alg: the initialization vector generator hash
311#
312# @hash-alg: the master key hash algorithm
313#
314# @detached-header: whether the LUKS header is detached (Since 9.0)
315#
316# @payload-offset: offset to the payload data in bytes
317#
318# @master-key-iters: number of PBKDF2 iterations for key material
319#
320# @uuid: unique identifier for the volume
321#
322# @slots: information about each key slot
323#
324# Since: 2.7
325##
326{ 'struct': 'QCryptoBlockInfoLUKS',
327  'data': {'cipher-alg': 'QCryptoCipherAlgo',
328           'cipher-mode': 'QCryptoCipherMode',
329           'ivgen-alg': 'QCryptoIVGenAlgo',
330           '*ivgen-hash-alg': 'QCryptoHashAlgo',
331           'hash-alg': 'QCryptoHashAlgo',
332           'detached-header': 'bool',
333           'payload-offset': 'int',
334           'master-key-iters': 'int',
335           'uuid': 'str',
336           'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }}
337
338##
339# @QCryptoBlockInfo:
340#
341# Information about the block encryption options
342#
343# Since: 2.7
344##
345{ 'union': 'QCryptoBlockInfo',
346  'base': 'QCryptoBlockInfoBase',
347  'discriminator': 'format',
348  'data': { 'luks': 'QCryptoBlockInfoLUKS' } }
349
350##
351# @QCryptoBlockLUKSKeyslotState:
352#
353# Defines state of keyslots that are affected by the update
354#
355# @active: The slots contain the given password and marked as active
356#
357# @inactive: The slots are erased (contain garbage) and marked as
358#     inactive
359#
360# Since: 5.1
361##
362{ 'enum': 'QCryptoBlockLUKSKeyslotState',
363  'data': [ 'active', 'inactive' ] }
364
365##
366# @QCryptoBlockAmendOptionsLUKS:
367#
368# This struct defines the update parameters that activate/de-activate
369# set of keyslots
370#
371# @state: the desired state of the keyslots
372#
373# @new-secret: The ID of a QCryptoSecret object providing the password
374#     to be written into added active keyslots
375#
376# @old-secret: Optional (for deactivation only).  If given will
377#     deactivate all keyslots that match password located in
378#     QCryptoSecret with this ID
379#
380# @iter-time: Optional (for activation only).  Number of milliseconds to
381#     spend in PBKDF passphrase processing for the newly activated
382#     keyslot.  Currently defaults to 2000.
383#
384# @keyslot: Optional.  ID of the keyslot to activate/deactivate.  For
385#     keyslot activation, keyslot should not be active already (this
386#     is unsafe to update an active keyslot), but possible if 'force'
387#     parameter is given.  If keyslot is not given, first free keyslot
388#     will be written.
389#
390#     For keyslot deactivation, this parameter specifies the exact
391#     keyslot to deactivate
392#
393# @secret: Optional.  The ID of a QCryptoSecret object providing the
394#     password to use to retrieve current master key.  Defaults to the
395#     same secret that was used to open the image
396#
397# Since: 5.1
398##
399{ 'struct': 'QCryptoBlockAmendOptionsLUKS',
400  'data': { 'state': 'QCryptoBlockLUKSKeyslotState',
401            '*new-secret': 'str',
402            '*old-secret': 'str',
403            '*keyslot': 'int',
404            '*iter-time': 'int',
405            '*secret': 'str' } }
406
407##
408# @QCryptoBlockAmendOptions:
409#
410# The options that are available for all encryption formats when
411# amending encryption settings
412#
413# Since: 5.1
414##
415{ 'union': 'QCryptoBlockAmendOptions',
416  'base': 'QCryptoBlockOptionsBase',
417  'discriminator': 'format',
418  'data': {
419          'luks': 'QCryptoBlockAmendOptionsLUKS' } }
420
421##
422# @SecretCommonProperties:
423#
424# Properties for objects of classes derived from secret-common.
425#
426# @format: the data format that the secret is provided in
427#     (default: raw)
428#
429# @keyid: the name of another secret that should be used to decrypt
430#     the provided data.  If not present, the data is assumed to be
431#     unencrypted.
432#
433# @iv: the random initialization vector used for encryption of this
434#     particular secret.  Should be a base64 encrypted string of the
435#     16-byte IV.  Mandatory if @keyid is given.  Ignored if @keyid is
436#     absent.
437#
438# Since: 2.6
439##
440{ 'struct': 'SecretCommonProperties',
441  'data': { '*format': 'QCryptoSecretFormat',
442            '*keyid': 'str',
443            '*iv': 'str' } }
444
445##
446# @SecretProperties:
447#
448# Properties for secret objects.
449#
450# Either @data or @file must be provided, but not both.
451#
452# @data: the associated with the secret from
453#
454# @file: the filename to load the data associated with the secret from
455#
456# Since: 2.6
457##
458{ 'struct': 'SecretProperties',
459  'base': 'SecretCommonProperties',
460  'data': { '*data': 'str',
461            '*file': 'str' } }
462
463##
464# @SecretKeyringProperties:
465#
466# Properties for secret_keyring objects.
467#
468# @serial: serial number that identifies a key to get from the kernel
469#
470# Since: 5.1
471##
472{ 'struct': 'SecretKeyringProperties',
473  'base': 'SecretCommonProperties',
474  'data': { 'serial': 'int32' },
475  'if': 'CONFIG_SECRET_KEYRING' }
476
477##
478# @TlsCredsProperties:
479#
480# Properties for objects of classes derived from tls-creds.
481#
482# @verify-peer: if true the peer credentials will be verified once the
483#     handshake is completed.  This is a no-op for anonymous
484#     credentials.  (default: true)
485#
486# @dir: the path of the directory that contains the credential files
487#
488# @endpoint: whether the QEMU network backend that uses the
489#     credentials will be acting as a client or as a server
490#     (default: client)
491#
492# @priority: a gnutls priority string as described at
493#     https://gnutls.org/manual/html_node/Priority-Strings.html
494#
495# Since: 2.5
496##
497{ 'struct': 'TlsCredsProperties',
498  'data': { '*verify-peer': 'bool',
499            '*dir': 'str',
500            '*endpoint': 'QCryptoTLSCredsEndpoint',
501            '*priority': 'str' } }
502
503##
504# @TlsCredsAnonProperties:
505#
506# Properties for tls-creds-anon objects.
507#
508# Since: 2.5
509##
510{ 'struct': 'TlsCredsAnonProperties',
511  'base': 'TlsCredsProperties',
512  'data': { } }
513
514##
515# @TlsCredsPskProperties:
516#
517# Properties for tls-creds-psk objects.
518#
519# @username: the username which will be sent to the server.  For
520#     clients only.  If absent, "qemu" is sent and the property will
521#     read back as an empty string.
522#
523# Since: 3.0
524##
525{ 'struct': 'TlsCredsPskProperties',
526  'base': 'TlsCredsProperties',
527  'data': { '*username': 'str' } }
528
529##
530# @TlsCredsX509Properties:
531#
532# Properties for tls-creds-x509 objects.
533#
534# @sanity-check: if true, perform some sanity checks before using the
535#     credentials (default: true)
536#
537# @passwordid: For the server-key.pem and client-key.pem files which
538#     contain sensitive private keys, it is possible to use an
539#     encrypted version by providing the @passwordid parameter.  This
540#     provides the ID of a previously created secret object containing
541#     the password for decryption.
542#
543# Since: 2.5
544##
545{ 'struct': 'TlsCredsX509Properties',
546  'base': 'TlsCredsProperties',
547  'data': { '*sanity-check': 'bool',
548            '*passwordid': 'str' } }
549##
550# @QCryptoAkCipherAlgo:
551#
552# The supported algorithms for asymmetric encryption ciphers
553#
554# @rsa: RSA algorithm
555#
556# Since: 7.1
557##
558{ 'enum': 'QCryptoAkCipherAlgo',
559  'data': ['rsa']}
560
561##
562# @QCryptoAkCipherKeyType:
563#
564# The type of asymmetric keys.
565#
566# @public: public key
567#
568# @private: private key
569#
570# Since: 7.1
571##
572{ 'enum': 'QCryptoAkCipherKeyType',
573  'data': ['public', 'private']}
574
575##
576# @QCryptoRSAPaddingAlgo:
577#
578# The padding algorithm for RSA.
579#
580# @raw: no padding used
581#
582# @pkcs1: pkcs1#v1.5
583#
584# Since: 7.1
585##
586{ 'enum': 'QCryptoRSAPaddingAlgo',
587  'data': ['raw', 'pkcs1']}
588
589##
590# @QCryptoAkCipherOptionsRSA:
591#
592# Specific parameters for RSA algorithm.
593#
594# @hash-alg: `QCryptoHashAlgo`
595#
596# @padding-alg: `QCryptoRSAPaddingAlgo`
597#
598# Since: 7.1
599##
600{ 'struct': 'QCryptoAkCipherOptionsRSA',
601  'data': { 'hash-alg':'QCryptoHashAlgo',
602            'padding-alg': 'QCryptoRSAPaddingAlgo'}}
603
604##
605# @QCryptoAkCipherOptions:
606#
607# The options that are available for all asymmetric key algorithms
608# when creating a new QCryptoAkCipher.
609#
610# @alg: encryption cipher algorithm
611#
612# Since: 7.1
613##
614{ 'union': 'QCryptoAkCipherOptions',
615  'base': { 'alg': 'QCryptoAkCipherAlgo' },
616  'discriminator': 'alg',
617  'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }}
618