1# -*- Mode: Python -*- 2# vim: filetype=python 3# 4 5## 6# = Cryptography 7## 8 9## 10# @QCryptoTLSCredsEndpoint: 11# 12# The type of network endpoint that will be using the credentials. 13# Most types of credential require different setup / structures 14# depending on whether they will be used in a server versus a 15# client. 16# 17# @client: the network endpoint is acting as the client 18# 19# @server: the network endpoint is acting as the server 20# 21# Since: 2.5 22## 23{ 'enum': 'QCryptoTLSCredsEndpoint', 24 'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT', 25 'data': ['client', 'server']} 26 27 28## 29# @QCryptoSecretFormat: 30# 31# The data format that the secret is provided in 32# 33# @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences can be used 34# @base64: arbitrary base64 encoded binary data 35# 36# Since: 2.6 37## 38{ 'enum': 'QCryptoSecretFormat', 39 'prefix': 'QCRYPTO_SECRET_FORMAT', 40 'data': ['raw', 'base64']} 41 42 43## 44# @QCryptoHashAlgorithm: 45# 46# The supported algorithms for computing content digests 47# 48# @md5: MD5. Should not be used in any new code, legacy compat only 49# @sha1: SHA-1. Should not be used in any new code, legacy compat only 50# @sha224: SHA-224. (since 2.7) 51# @sha256: SHA-256. Current recommended strong hash. 52# @sha384: SHA-384. (since 2.7) 53# @sha512: SHA-512. (since 2.7) 54# @ripemd160: RIPEMD-160. (since 2.7) 55# 56# Since: 2.6 57## 58{ 'enum': 'QCryptoHashAlgorithm', 59 'prefix': 'QCRYPTO_HASH_ALG', 60 'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']} 61 62 63## 64# @QCryptoCipherAlgorithm: 65# 66# The supported algorithms for content encryption ciphers 67# 68# @aes-128: AES with 128 bit / 16 byte keys 69# @aes-192: AES with 192 bit / 24 byte keys 70# @aes-256: AES with 256 bit / 32 byte keys 71# @des: DES with 56 bit / 8 byte keys. Do not use except in VNC. (since 6.1) 72# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9) 73# @cast5-128: Cast5 with 128 bit / 16 byte keys 74# @serpent-128: Serpent with 128 bit / 16 byte keys 75# @serpent-192: Serpent with 192 bit / 24 byte keys 76# @serpent-256: Serpent with 256 bit / 32 byte keys 77# @twofish-128: Twofish with 128 bit / 16 byte keys 78# @twofish-192: Twofish with 192 bit / 24 byte keys 79# @twofish-256: Twofish with 256 bit / 32 byte keys 80# 81# Since: 2.6 82## 83{ 'enum': 'QCryptoCipherAlgorithm', 84 'prefix': 'QCRYPTO_CIPHER_ALG', 85 'data': ['aes-128', 'aes-192', 'aes-256', 86 'des', '3des', 87 'cast5-128', 88 'serpent-128', 'serpent-192', 'serpent-256', 89 'twofish-128', 'twofish-192', 'twofish-256']} 90 91 92## 93# @QCryptoCipherMode: 94# 95# The supported modes for content encryption ciphers 96# 97# @ecb: Electronic Code Book 98# @cbc: Cipher Block Chaining 99# @xts: XEX with tweaked code book and ciphertext stealing 100# @ctr: Counter (Since 2.8) 101# 102# Since: 2.6 103## 104{ 'enum': 'QCryptoCipherMode', 105 'prefix': 'QCRYPTO_CIPHER_MODE', 106 'data': ['ecb', 'cbc', 'xts', 'ctr']} 107 108 109## 110# @QCryptoIVGenAlgorithm: 111# 112# The supported algorithms for generating initialization 113# vectors for full disk encryption. The 'plain' generator 114# should not be used for disks with sector numbers larger 115# than 2^32, except where compatibility with pre-existing 116# Linux dm-crypt volumes is required. 117# 118# @plain: 64-bit sector number truncated to 32-bits 119# @plain64: 64-bit sector number 120# @essiv: 64-bit sector number encrypted with a hash of the encryption key 121# 122# Since: 2.6 123## 124{ 'enum': 'QCryptoIVGenAlgorithm', 125 'prefix': 'QCRYPTO_IVGEN_ALG', 126 'data': ['plain', 'plain64', 'essiv']} 127 128## 129# @QCryptoBlockFormat: 130# 131# The supported full disk encryption formats 132# 133# @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only 134# for liberating data from old images. 135# @luks: LUKS encryption format. Recommended for new images 136# 137# Since: 2.6 138## 139{ 'enum': 'QCryptoBlockFormat', 140# 'prefix': 'QCRYPTO_BLOCK_FORMAT', 141 'data': ['qcow', 'luks']} 142 143## 144# @QCryptoBlockOptionsBase: 145# 146# The common options that apply to all full disk 147# encryption formats 148# 149# @format: the encryption format 150# 151# Since: 2.6 152## 153{ 'struct': 'QCryptoBlockOptionsBase', 154 'data': { 'format': 'QCryptoBlockFormat' }} 155 156## 157# @QCryptoBlockOptionsQCow: 158# 159# The options that apply to QCow/QCow2 AES-CBC encryption format 160# 161# @key-secret: the ID of a QCryptoSecret object providing the 162# decryption key. Mandatory except when probing image for 163# metadata only. 164# 165# Since: 2.6 166## 167{ 'struct': 'QCryptoBlockOptionsQCow', 168 'data': { '*key-secret': 'str' }} 169 170## 171# @QCryptoBlockOptionsLUKS: 172# 173# The options that apply to LUKS encryption format 174# 175# @key-secret: the ID of a QCryptoSecret object providing the 176# decryption key. Mandatory except when probing image for 177# metadata only. 178# 179# Since: 2.6 180## 181{ 'struct': 'QCryptoBlockOptionsLUKS', 182 'data': { '*key-secret': 'str' }} 183 184 185## 186# @QCryptoBlockCreateOptionsLUKS: 187# 188# The options that apply to LUKS encryption format initialization 189# 190# @cipher-alg: the cipher algorithm for data encryption 191# Currently defaults to 'aes-256'. 192# @cipher-mode: the cipher mode for data encryption 193# Currently defaults to 'xts' 194# @ivgen-alg: the initialization vector generator 195# Currently defaults to 'plain64' 196# @ivgen-hash-alg: the initialization vector generator hash 197# Currently defaults to 'sha256' 198# @hash-alg: the master key hash algorithm 199# Currently defaults to 'sha256' 200# @iter-time: number of milliseconds to spend in 201# PBKDF passphrase processing. Currently defaults 202# to 2000. (since 2.8) 203# 204# Since: 2.6 205## 206{ 'struct': 'QCryptoBlockCreateOptionsLUKS', 207 'base': 'QCryptoBlockOptionsLUKS', 208 'data': { '*cipher-alg': 'QCryptoCipherAlgorithm', 209 '*cipher-mode': 'QCryptoCipherMode', 210 '*ivgen-alg': 'QCryptoIVGenAlgorithm', 211 '*ivgen-hash-alg': 'QCryptoHashAlgorithm', 212 '*hash-alg': 'QCryptoHashAlgorithm', 213 '*iter-time': 'int'}} 214 215 216## 217# @QCryptoBlockOpenOptions: 218# 219# The options that are available for all encryption formats 220# when opening an existing volume 221# 222# Since: 2.6 223## 224{ 'union': 'QCryptoBlockOpenOptions', 225 'base': 'QCryptoBlockOptionsBase', 226 'discriminator': 'format', 227 'data': { 'qcow': 'QCryptoBlockOptionsQCow', 228 'luks': 'QCryptoBlockOptionsLUKS' } } 229 230 231## 232# @QCryptoBlockCreateOptions: 233# 234# The options that are available for all encryption formats 235# when initializing a new volume 236# 237# Since: 2.6 238## 239{ 'union': 'QCryptoBlockCreateOptions', 240 'base': 'QCryptoBlockOptionsBase', 241 'discriminator': 'format', 242 'data': { 'qcow': 'QCryptoBlockOptionsQCow', 243 'luks': 'QCryptoBlockCreateOptionsLUKS' } } 244 245 246## 247# @QCryptoBlockInfoBase: 248# 249# The common information that applies to all full disk 250# encryption formats 251# 252# @format: the encryption format 253# 254# Since: 2.7 255## 256{ 'struct': 'QCryptoBlockInfoBase', 257 'data': { 'format': 'QCryptoBlockFormat' }} 258 259 260## 261# @QCryptoBlockInfoLUKSSlot: 262# 263# Information about the LUKS block encryption key 264# slot options 265# 266# @active: whether the key slot is currently in use 267# @key-offset: offset to the key material in bytes 268# @iters: number of PBKDF2 iterations for key material 269# @stripes: number of stripes for splitting key material 270# 271# Since: 2.7 272## 273{ 'struct': 'QCryptoBlockInfoLUKSSlot', 274 'data': {'active': 'bool', 275 '*iters': 'int', 276 '*stripes': 'int', 277 'key-offset': 'int' } } 278 279 280## 281# @QCryptoBlockInfoLUKS: 282# 283# Information about the LUKS block encryption options 284# 285# @cipher-alg: the cipher algorithm for data encryption 286# @cipher-mode: the cipher mode for data encryption 287# @ivgen-alg: the initialization vector generator 288# @ivgen-hash-alg: the initialization vector generator hash 289# @hash-alg: the master key hash algorithm 290# @payload-offset: offset to the payload data in bytes 291# @master-key-iters: number of PBKDF2 iterations for key material 292# @uuid: unique identifier for the volume 293# @slots: information about each key slot 294# 295# Since: 2.7 296## 297{ 'struct': 'QCryptoBlockInfoLUKS', 298 'data': {'cipher-alg': 'QCryptoCipherAlgorithm', 299 'cipher-mode': 'QCryptoCipherMode', 300 'ivgen-alg': 'QCryptoIVGenAlgorithm', 301 '*ivgen-hash-alg': 'QCryptoHashAlgorithm', 302 'hash-alg': 'QCryptoHashAlgorithm', 303 'payload-offset': 'int', 304 'master-key-iters': 'int', 305 'uuid': 'str', 306 'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }} 307 308## 309# @QCryptoBlockInfo: 310# 311# Information about the block encryption options 312# 313# Since: 2.7 314## 315{ 'union': 'QCryptoBlockInfo', 316 'base': 'QCryptoBlockInfoBase', 317 'discriminator': 'format', 318 'data': { 'luks': 'QCryptoBlockInfoLUKS' } } 319 320## 321# @QCryptoBlockLUKSKeyslotState: 322# 323# Defines state of keyslots that are affected by the update 324# 325# @active: The slots contain the given password and marked as active 326# @inactive: The slots are erased (contain garbage) and marked as inactive 327# 328# Since: 5.1 329## 330{ 'enum': 'QCryptoBlockLUKSKeyslotState', 331 'data': [ 'active', 'inactive' ] } 332 333 334## 335# @QCryptoBlockAmendOptionsLUKS: 336# 337# This struct defines the update parameters that activate/de-activate set 338# of keyslots 339# 340# @state: the desired state of the keyslots 341# 342# @new-secret: The ID of a QCryptoSecret object providing the password to be 343# written into added active keyslots 344# 345# @old-secret: Optional (for deactivation only) 346# If given will deactivate all keyslots that 347# match password located in QCryptoSecret with this ID 348# 349# @iter-time: Optional (for activation only) 350# Number of milliseconds to spend in 351# PBKDF passphrase processing for the newly activated keyslot. 352# Currently defaults to 2000. 353# 354# @keyslot: Optional. ID of the keyslot to activate/deactivate. 355# For keyslot activation, keyslot should not be active already 356# (this is unsafe to update an active keyslot), 357# but possible if 'force' parameter is given. 358# If keyslot is not given, first free keyslot will be written. 359# 360# For keyslot deactivation, this parameter specifies the exact 361# keyslot to deactivate 362# 363# @secret: Optional. The ID of a QCryptoSecret object providing the 364# password to use to retrieve current master key. 365# Defaults to the same secret that was used to open the image 366# 367# Since: 5.1 368## 369{ 'struct': 'QCryptoBlockAmendOptionsLUKS', 370 'data': { 'state': 'QCryptoBlockLUKSKeyslotState', 371 '*new-secret': 'str', 372 '*old-secret': 'str', 373 '*keyslot': 'int', 374 '*iter-time': 'int', 375 '*secret': 'str' } } 376 377## 378# @QCryptoBlockAmendOptions: 379# 380# The options that are available for all encryption formats 381# when amending encryption settings 382# 383# Since: 5.1 384## 385{ 'union': 'QCryptoBlockAmendOptions', 386 'base': 'QCryptoBlockOptionsBase', 387 'discriminator': 'format', 388 'data': { 389 'luks': 'QCryptoBlockAmendOptionsLUKS' } } 390 391## 392# @SecretCommonProperties: 393# 394# Properties for objects of classes derived from secret-common. 395# 396# @loaded: if true, the secret is loaded immediately when applying this option 397# and will probably fail when processing the next option. Don't use; 398# only provided for compatibility. (default: false) 399# 400# @format: the data format that the secret is provided in (default: raw) 401# 402# @keyid: the name of another secret that should be used to decrypt the 403# provided data. If not present, the data is assumed to be unencrypted. 404# 405# @iv: the random initialization vector used for encryption of this particular 406# secret. Should be a base64 encrypted string of the 16-byte IV. Mandatory 407# if @keyid is given. Ignored if @keyid is absent. 408# 409# Features: 410# @deprecated: Member @loaded is deprecated. Setting true doesn't make sense, 411# and false is already the default. 412# 413# Since: 2.6 414## 415{ 'struct': 'SecretCommonProperties', 416 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, 417 '*format': 'QCryptoSecretFormat', 418 '*keyid': 'str', 419 '*iv': 'str' } } 420 421## 422# @SecretProperties: 423# 424# Properties for secret objects. 425# 426# Either @data or @file must be provided, but not both. 427# 428# @data: the associated with the secret from 429# 430# @file: the filename to load the data associated with the secret from 431# 432# Since: 2.6 433## 434{ 'struct': 'SecretProperties', 435 'base': 'SecretCommonProperties', 436 'data': { '*data': 'str', 437 '*file': 'str' } } 438 439## 440# @SecretKeyringProperties: 441# 442# Properties for secret_keyring objects. 443# 444# @serial: serial number that identifies a key to get from the kernel 445# 446# Since: 5.1 447## 448{ 'struct': 'SecretKeyringProperties', 449 'base': 'SecretCommonProperties', 450 'data': { 'serial': 'int32' } } 451 452## 453# @TlsCredsProperties: 454# 455# Properties for objects of classes derived from tls-creds. 456# 457# @verify-peer: if true the peer credentials will be verified once the 458# handshake is completed. This is a no-op for anonymous 459# credentials. (default: true) 460# 461# @dir: the path of the directory that contains the credential files 462# 463# @endpoint: whether the QEMU network backend that uses the credentials will be 464# acting as a client or as a server (default: client) 465# 466# @priority: a gnutls priority string as described at 467# https://gnutls.org/manual/html_node/Priority-Strings.html 468# 469# Since: 2.5 470## 471{ 'struct': 'TlsCredsProperties', 472 'data': { '*verify-peer': 'bool', 473 '*dir': 'str', 474 '*endpoint': 'QCryptoTLSCredsEndpoint', 475 '*priority': 'str' } } 476 477## 478# @TlsCredsAnonProperties: 479# 480# Properties for tls-creds-anon objects. 481# 482# @loaded: if true, the credentials are loaded immediately when applying this 483# option and will ignore options that are processed later. Don't use; 484# only provided for compatibility. (default: false) 485# 486# Features: 487# @deprecated: Member @loaded is deprecated. Setting true doesn't make sense, 488# and false is already the default. 489# 490# Since: 2.5 491## 492{ 'struct': 'TlsCredsAnonProperties', 493 'base': 'TlsCredsProperties', 494 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } } 495 496## 497# @TlsCredsPskProperties: 498# 499# Properties for tls-creds-psk objects. 500# 501# @loaded: if true, the credentials are loaded immediately when applying this 502# option and will ignore options that are processed later. Don't use; 503# only provided for compatibility. (default: false) 504# 505# @username: the username which will be sent to the server. For clients only. 506# If absent, "qemu" is sent and the property will read back as an 507# empty string. 508# 509# Features: 510# @deprecated: Member @loaded is deprecated. Setting true doesn't make sense, 511# and false is already the default. 512# 513# Since: 3.0 514## 515{ 'struct': 'TlsCredsPskProperties', 516 'base': 'TlsCredsProperties', 517 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, 518 '*username': 'str' } } 519 520## 521# @TlsCredsX509Properties: 522# 523# Properties for tls-creds-x509 objects. 524# 525# @loaded: if true, the credentials are loaded immediately when applying this 526# option and will ignore options that are processed later. Don't use; 527# only provided for compatibility. (default: false) 528# 529# @sanity-check: if true, perform some sanity checks before using the 530# credentials (default: true) 531# 532# @passwordid: For the server-key.pem and client-key.pem files which contain 533# sensitive private keys, it is possible to use an encrypted 534# version by providing the @passwordid parameter. This provides 535# the ID of a previously created secret object containing the 536# password for decryption. 537# 538# Features: 539# @deprecated: Member @loaded is deprecated. Setting true doesn't make sense, 540# and false is already the default. 541# 542# Since: 2.5 543## 544{ 'struct': 'TlsCredsX509Properties', 545 'base': 'TlsCredsProperties', 546 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, 547 '*sanity-check': 'bool', 548 '*passwordid': 'str' } } 549