1# -*- Mode: Python -*- 2# vim: filetype=python 3# 4 5## 6# = Cryptography 7## 8 9## 10# @QCryptoTLSCredsEndpoint: 11# 12# The type of network endpoint that will be using the credentials. 13# Most types of credential require different setup / structures 14# depending on whether they will be used in a server versus a client. 15# 16# @client: the network endpoint is acting as the client 17# 18# @server: the network endpoint is acting as the server 19# 20# Since: 2.5 21## 22{ 'enum': 'QCryptoTLSCredsEndpoint', 23 'data': ['client', 'server']} 24 25## 26# @QCryptoSecretFormat: 27# 28# The data format that the secret is provided in 29# 30# @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences 31# can be used 32# 33# @base64: arbitrary base64 encoded binary data 34# 35# Since: 2.6 36## 37{ 'enum': 'QCryptoSecretFormat', 38 'data': ['raw', 'base64']} 39 40## 41# @QCryptoHashAlgo: 42# 43# The supported algorithms for computing content digests 44# 45# @md5: MD5. Should not be used in any new code, legacy compat only 46# 47# @sha1: SHA-1. Should not be used in any new code, legacy compat only 48# 49# @sha224: SHA-224. (since 2.7) 50# 51# @sha256: SHA-256. Current recommended strong hash. 52# 53# @sha384: SHA-384. (since 2.7) 54# 55# @sha512: SHA-512. (since 2.7) 56# 57# @ripemd160: RIPEMD-160. (since 2.7) 58# @sm3: SM3. (since 9.2.0) 59# 60# Since: 2.6 61## 62{ 'enum': 'QCryptoHashAlgo', 63 'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160', 'sm3']} 64 65## 66# @QCryptoCipherAlgo: 67# 68# The supported algorithms for content encryption ciphers 69# 70# @aes-128: AES with 128 bit / 16 byte keys 71# 72# @aes-192: AES with 192 bit / 24 byte keys 73# 74# @aes-256: AES with 256 bit / 32 byte keys 75# 76# @des: DES with 56 bit / 8 byte keys. Do not use except in VNC. 77# (since 6.1) 78# 79# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9) 80# 81# @cast5-128: Cast5 with 128 bit / 16 byte keys 82# 83# @serpent-128: Serpent with 128 bit / 16 byte keys 84# 85# @serpent-192: Serpent with 192 bit / 24 byte keys 86# 87# @serpent-256: Serpent with 256 bit / 32 byte keys 88# 89# @twofish-128: Twofish with 128 bit / 16 byte keys 90# 91# @twofish-192: Twofish with 192 bit / 24 byte keys 92# 93# @twofish-256: Twofish with 256 bit / 32 byte keys 94# 95# @sm4: SM4 with 128 bit / 16 byte keys (since 9.0) 96# 97# Since: 2.6 98## 99{ 'enum': 'QCryptoCipherAlgo', 100 'data': ['aes-128', 'aes-192', 'aes-256', 101 'des', '3des', 102 'cast5-128', 103 'serpent-128', 'serpent-192', 'serpent-256', 104 'twofish-128', 'twofish-192', 'twofish-256', 105 'sm4']} 106 107## 108# @QCryptoCipherMode: 109# 110# The supported modes for content encryption ciphers 111# 112# @ecb: Electronic Code Book 113# 114# @cbc: Cipher Block Chaining 115# 116# @xts: XEX with tweaked code book and ciphertext stealing 117# 118# @ctr: Counter (Since 2.8) 119# 120# Since: 2.6 121## 122{ 'enum': 'QCryptoCipherMode', 123 'data': ['ecb', 'cbc', 'xts', 'ctr']} 124 125## 126# @QCryptoIVGenAlgo: 127# 128# The supported algorithms for generating initialization vectors for 129# full disk encryption. The 'plain' generator should not be used for 130# disks with sector numbers larger than 2^32, except where 131# compatibility with pre-existing Linux dm-crypt volumes is required. 132# 133# @plain: 64-bit sector number truncated to 32-bits 134# 135# @plain64: 64-bit sector number 136# 137# @essiv: 64-bit sector number encrypted with a hash of the encryption 138# key 139# 140# Since: 2.6 141## 142{ 'enum': 'QCryptoIVGenAlgo', 143 'data': ['plain', 'plain64', 'essiv']} 144 145## 146# @QCryptoBlockFormat: 147# 148# The supported full disk encryption formats 149# 150# @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only for 151# liberating data from old images. 152# 153# @luks: LUKS encryption format. Recommended for new images 154# 155# Since: 2.6 156## 157{ 'enum': 'QCryptoBlockFormat', 158 'data': ['qcow', 'luks']} 159 160## 161# @QCryptoBlockOptionsBase: 162# 163# The common options that apply to all full disk encryption formats 164# 165# @format: the encryption format 166# 167# Since: 2.6 168## 169{ 'struct': 'QCryptoBlockOptionsBase', 170 'data': { 'format': 'QCryptoBlockFormat' }} 171 172## 173# @QCryptoBlockOptionsQCow: 174# 175# The options that apply to QCow/QCow2 AES-CBC encryption format 176# 177# @key-secret: the ID of a QCryptoSecret object providing the 178# decryption key. Mandatory except when probing image for 179# metadata only. 180# 181# Since: 2.6 182## 183{ 'struct': 'QCryptoBlockOptionsQCow', 184 'data': { '*key-secret': 'str' }} 185 186## 187# @QCryptoBlockOptionsLUKS: 188# 189# The options that apply to LUKS encryption format 190# 191# @key-secret: the ID of a QCryptoSecret object providing the 192# decryption key. Mandatory except when probing image for 193# metadata only. 194# 195# Since: 2.6 196## 197{ 'struct': 'QCryptoBlockOptionsLUKS', 198 'data': { '*key-secret': 'str' }} 199 200## 201# @QCryptoBlockCreateOptionsLUKS: 202# 203# The options that apply to LUKS encryption format initialization 204# 205# @cipher-alg: the cipher algorithm for data encryption Currently 206# defaults to 'aes-256'. 207# 208# @cipher-mode: the cipher mode for data encryption Currently defaults 209# to 'xts' 210# 211# @ivgen-alg: the initialization vector generator Currently defaults 212# to 'plain64' 213# 214# @ivgen-hash-alg: the initialization vector generator hash Currently 215# defaults to 'sha256' 216# 217# @hash-alg: the master key hash algorithm Currently defaults to 218# 'sha256' 219# 220# @iter-time: number of milliseconds to spend in PBKDF passphrase 221# processing. Currently defaults to 2000. (since 2.8) 222# 223# Since: 2.6 224## 225{ 'struct': 'QCryptoBlockCreateOptionsLUKS', 226 'base': 'QCryptoBlockOptionsLUKS', 227 'data': { '*cipher-alg': 'QCryptoCipherAlgo', 228 '*cipher-mode': 'QCryptoCipherMode', 229 '*ivgen-alg': 'QCryptoIVGenAlgo', 230 '*ivgen-hash-alg': 'QCryptoHashAlgo', 231 '*hash-alg': 'QCryptoHashAlgo', 232 '*iter-time': 'int' }} 233 234## 235# @QCryptoBlockOpenOptions: 236# 237# The options that are available for all encryption formats when 238# opening an existing volume 239# 240# Since: 2.6 241## 242{ 'union': 'QCryptoBlockOpenOptions', 243 'base': 'QCryptoBlockOptionsBase', 244 'discriminator': 'format', 245 'data': { 'qcow': 'QCryptoBlockOptionsQCow', 246 'luks': 'QCryptoBlockOptionsLUKS' } } 247 248## 249# @QCryptoBlockCreateOptions: 250# 251# The options that are available for all encryption formats when 252# initializing a new volume 253# 254# Since: 2.6 255## 256{ 'union': 'QCryptoBlockCreateOptions', 257 'base': 'QCryptoBlockOptionsBase', 258 'discriminator': 'format', 259 'data': { 'qcow': 'QCryptoBlockOptionsQCow', 260 'luks': 'QCryptoBlockCreateOptionsLUKS' } } 261 262## 263# @QCryptoBlockInfoBase: 264# 265# The common information that applies to all full disk encryption 266# formats 267# 268# @format: the encryption format 269# 270# Since: 2.7 271## 272{ 'struct': 'QCryptoBlockInfoBase', 273 'data': { 'format': 'QCryptoBlockFormat' }} 274 275## 276# @QCryptoBlockInfoLUKSSlot: 277# 278# Information about the LUKS block encryption key slot options 279# 280# @active: whether the key slot is currently in use 281# 282# @key-offset: offset to the key material in bytes 283# 284# @iters: number of PBKDF2 iterations for key material 285# 286# @stripes: number of stripes for splitting key material 287# 288# Since: 2.7 289## 290{ 'struct': 'QCryptoBlockInfoLUKSSlot', 291 'data': {'active': 'bool', 292 '*iters': 'int', 293 '*stripes': 'int', 294 'key-offset': 'int' } } 295 296## 297# @QCryptoBlockInfoLUKS: 298# 299# Information about the LUKS block encryption options 300# 301# @cipher-alg: the cipher algorithm for data encryption 302# 303# @cipher-mode: the cipher mode for data encryption 304# 305# @ivgen-alg: the initialization vector generator 306# 307# @ivgen-hash-alg: the initialization vector generator hash 308# 309# @hash-alg: the master key hash algorithm 310# 311# @detached-header: whether the LUKS header is detached (Since 9.0) 312# 313# @payload-offset: offset to the payload data in bytes 314# 315# @master-key-iters: number of PBKDF2 iterations for key material 316# 317# @uuid: unique identifier for the volume 318# 319# @slots: information about each key slot 320# 321# Since: 2.7 322## 323{ 'struct': 'QCryptoBlockInfoLUKS', 324 'data': {'cipher-alg': 'QCryptoCipherAlgo', 325 'cipher-mode': 'QCryptoCipherMode', 326 'ivgen-alg': 'QCryptoIVGenAlgo', 327 '*ivgen-hash-alg': 'QCryptoHashAlgo', 328 'hash-alg': 'QCryptoHashAlgo', 329 'detached-header': 'bool', 330 'payload-offset': 'int', 331 'master-key-iters': 'int', 332 'uuid': 'str', 333 'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }} 334 335## 336# @QCryptoBlockInfo: 337# 338# Information about the block encryption options 339# 340# Since: 2.7 341## 342{ 'union': 'QCryptoBlockInfo', 343 'base': 'QCryptoBlockInfoBase', 344 'discriminator': 'format', 345 'data': { 'luks': 'QCryptoBlockInfoLUKS' } } 346 347## 348# @QCryptoBlockLUKSKeyslotState: 349# 350# Defines state of keyslots that are affected by the update 351# 352# @active: The slots contain the given password and marked as active 353# 354# @inactive: The slots are erased (contain garbage) and marked as 355# inactive 356# 357# Since: 5.1 358## 359{ 'enum': 'QCryptoBlockLUKSKeyslotState', 360 'data': [ 'active', 'inactive' ] } 361 362## 363# @QCryptoBlockAmendOptionsLUKS: 364# 365# This struct defines the update parameters that activate/de-activate 366# set of keyslots 367# 368# @state: the desired state of the keyslots 369# 370# @new-secret: The ID of a QCryptoSecret object providing the password 371# to be written into added active keyslots 372# 373# @old-secret: Optional (for deactivation only) If given will 374# deactivate all keyslots that match password located in 375# QCryptoSecret with this ID 376# 377# @iter-time: Optional (for activation only) Number of milliseconds to 378# spend in PBKDF passphrase processing for the newly activated 379# keyslot. Currently defaults to 2000. 380# 381# @keyslot: Optional. ID of the keyslot to activate/deactivate. For 382# keyslot activation, keyslot should not be active already (this 383# is unsafe to update an active keyslot), but possible if 'force' 384# parameter is given. If keyslot is not given, first free keyslot 385# will be written. 386# 387# For keyslot deactivation, this parameter specifies the exact 388# keyslot to deactivate 389# 390# @secret: Optional. The ID of a QCryptoSecret object providing the 391# password to use to retrieve current master key. Defaults to the 392# same secret that was used to open the image 393# 394# Since: 5.1 395## 396{ 'struct': 'QCryptoBlockAmendOptionsLUKS', 397 'data': { 'state': 'QCryptoBlockLUKSKeyslotState', 398 '*new-secret': 'str', 399 '*old-secret': 'str', 400 '*keyslot': 'int', 401 '*iter-time': 'int', 402 '*secret': 'str' } } 403 404## 405# @QCryptoBlockAmendOptions: 406# 407# The options that are available for all encryption formats when 408# amending encryption settings 409# 410# Since: 5.1 411## 412{ 'union': 'QCryptoBlockAmendOptions', 413 'base': 'QCryptoBlockOptionsBase', 414 'discriminator': 'format', 415 'data': { 416 'luks': 'QCryptoBlockAmendOptionsLUKS' } } 417 418## 419# @SecretCommonProperties: 420# 421# Properties for objects of classes derived from secret-common. 422# 423# @format: the data format that the secret is provided in 424# (default: raw) 425# 426# @keyid: the name of another secret that should be used to decrypt 427# the provided data. If not present, the data is assumed to be 428# unencrypted. 429# 430# @iv: the random initialization vector used for encryption of this 431# particular secret. Should be a base64 encrypted string of the 432# 16-byte IV. Mandatory if @keyid is given. Ignored if @keyid is 433# absent. 434# 435# Since: 2.6 436## 437{ 'struct': 'SecretCommonProperties', 438 'data': { '*format': 'QCryptoSecretFormat', 439 '*keyid': 'str', 440 '*iv': 'str' } } 441 442## 443# @SecretProperties: 444# 445# Properties for secret objects. 446# 447# Either @data or @file must be provided, but not both. 448# 449# @data: the associated with the secret from 450# 451# @file: the filename to load the data associated with the secret from 452# 453# Since: 2.6 454## 455{ 'struct': 'SecretProperties', 456 'base': 'SecretCommonProperties', 457 'data': { '*data': 'str', 458 '*file': 'str' } } 459 460## 461# @SecretKeyringProperties: 462# 463# Properties for secret_keyring objects. 464# 465# @serial: serial number that identifies a key to get from the kernel 466# 467# Since: 5.1 468## 469{ 'struct': 'SecretKeyringProperties', 470 'base': 'SecretCommonProperties', 471 'data': { 'serial': 'int32' }, 472 'if': 'CONFIG_SECRET_KEYRING' } 473 474## 475# @TlsCredsProperties: 476# 477# Properties for objects of classes derived from tls-creds. 478# 479# @verify-peer: if true the peer credentials will be verified once the 480# handshake is completed. This is a no-op for anonymous 481# credentials. (default: true) 482# 483# @dir: the path of the directory that contains the credential files 484# 485# @endpoint: whether the QEMU network backend that uses the 486# credentials will be acting as a client or as a server 487# (default: client) 488# 489# @priority: a gnutls priority string as described at 490# https://gnutls.org/manual/html_node/Priority-Strings.html 491# 492# Since: 2.5 493## 494{ 'struct': 'TlsCredsProperties', 495 'data': { '*verify-peer': 'bool', 496 '*dir': 'str', 497 '*endpoint': 'QCryptoTLSCredsEndpoint', 498 '*priority': 'str' } } 499 500## 501# @TlsCredsAnonProperties: 502# 503# Properties for tls-creds-anon objects. 504# 505# Since: 2.5 506## 507{ 'struct': 'TlsCredsAnonProperties', 508 'base': 'TlsCredsProperties', 509 'data': { } } 510 511## 512# @TlsCredsPskProperties: 513# 514# Properties for tls-creds-psk objects. 515# 516# @username: the username which will be sent to the server. For 517# clients only. If absent, "qemu" is sent and the property will 518# read back as an empty string. 519# 520# Since: 3.0 521## 522{ 'struct': 'TlsCredsPskProperties', 523 'base': 'TlsCredsProperties', 524 'data': { '*username': 'str' } } 525 526## 527# @TlsCredsX509Properties: 528# 529# Properties for tls-creds-x509 objects. 530# 531# @sanity-check: if true, perform some sanity checks before using the 532# credentials (default: true) 533# 534# @passwordid: For the server-key.pem and client-key.pem files which 535# contain sensitive private keys, it is possible to use an 536# encrypted version by providing the @passwordid parameter. This 537# provides the ID of a previously created secret object containing 538# the password for decryption. 539# 540# Since: 2.5 541## 542{ 'struct': 'TlsCredsX509Properties', 543 'base': 'TlsCredsProperties', 544 'data': { '*sanity-check': 'bool', 545 '*passwordid': 'str' } } 546## 547# @QCryptoAkCipherAlgo: 548# 549# The supported algorithms for asymmetric encryption ciphers 550# 551# @rsa: RSA algorithm 552# 553# Since: 7.1 554## 555{ 'enum': 'QCryptoAkCipherAlgo', 556 'data': ['rsa']} 557 558## 559# @QCryptoAkCipherKeyType: 560# 561# The type of asymmetric keys. 562# 563# @public: public key 564# 565# @private: private key 566# 567# Since: 7.1 568## 569{ 'enum': 'QCryptoAkCipherKeyType', 570 'data': ['public', 'private']} 571 572## 573# @QCryptoRSAPaddingAlgo: 574# 575# The padding algorithm for RSA. 576# 577# @raw: no padding used 578# 579# @pkcs1: pkcs1#v1.5 580# 581# Since: 7.1 582## 583{ 'enum': 'QCryptoRSAPaddingAlgo', 584 'data': ['raw', 'pkcs1']} 585 586## 587# @QCryptoAkCipherOptionsRSA: 588# 589# Specific parameters for RSA algorithm. 590# 591# @hash-alg: QCryptoHashAlgo 592# 593# @padding-alg: QCryptoRSAPaddingAlgo 594# 595# Since: 7.1 596## 597{ 'struct': 'QCryptoAkCipherOptionsRSA', 598 'data': { 'hash-alg':'QCryptoHashAlgo', 599 'padding-alg': 'QCryptoRSAPaddingAlgo'}} 600 601## 602# @QCryptoAkCipherOptions: 603# 604# The options that are available for all asymmetric key algorithms 605# when creating a new QCryptoAkCipher. 606# 607# @alg: encryption cipher algorithm 608# 609# Since: 7.1 610## 611{ 'union': 'QCryptoAkCipherOptions', 612 'base': { 'alg': 'QCryptoAkCipherAlgo' }, 613 'discriminator': 'alg', 614 'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }} 615