xref: /openbmc/qemu/qapi/crypto.json (revision 8d3031fa)
1# -*- Mode: Python -*-
2# vim: filetype=python
3#
4
5##
6# = Cryptography
7##
8
9##
10# @QCryptoTLSCredsEndpoint:
11#
12# The type of network endpoint that will be using the credentials.
13# Most types of credential require different setup / structures
14# depending on whether they will be used in a server versus a client.
15#
16# @client: the network endpoint is acting as the client
17#
18# @server: the network endpoint is acting as the server
19#
20# Since: 2.5
21##
22{ 'enum': 'QCryptoTLSCredsEndpoint',
23  'data': ['client', 'server']}
24
25##
26# @QCryptoSecretFormat:
27#
28# The data format that the secret is provided in
29#
30# @raw: raw bytes.  When encoded in JSON only valid UTF-8 sequences
31#     can be used
32#
33# @base64: arbitrary base64 encoded binary data
34#
35# Since: 2.6
36##
37{ 'enum': 'QCryptoSecretFormat',
38  'data': ['raw', 'base64']}
39
40##
41# @QCryptoHashAlgo:
42#
43# The supported algorithms for computing content digests
44#
45# @md5: MD5.  Should not be used in any new code, legacy compat only
46#
47# @sha1: SHA-1.  Should not be used in any new code, legacy compat only
48#
49# @sha224: SHA-224.  (since 2.7)
50#
51# @sha256: SHA-256.  Current recommended strong hash.
52#
53# @sha384: SHA-384.  (since 2.7)
54#
55# @sha512: SHA-512.  (since 2.7)
56#
57# @ripemd160: RIPEMD-160.  (since 2.7)
58#
59# Since: 2.6
60##
61{ 'enum': 'QCryptoHashAlgo',
62  'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']}
63
64##
65# @QCryptoCipherAlgo:
66#
67# The supported algorithms for content encryption ciphers
68#
69# @aes-128: AES with 128 bit / 16 byte keys
70#
71# @aes-192: AES with 192 bit / 24 byte keys
72#
73# @aes-256: AES with 256 bit / 32 byte keys
74#
75# @des: DES with 56 bit / 8 byte keys.  Do not use except in VNC.
76#     (since 6.1)
77#
78# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9)
79#
80# @cast5-128: Cast5 with 128 bit / 16 byte keys
81#
82# @serpent-128: Serpent with 128 bit / 16 byte keys
83#
84# @serpent-192: Serpent with 192 bit / 24 byte keys
85#
86# @serpent-256: Serpent with 256 bit / 32 byte keys
87#
88# @twofish-128: Twofish with 128 bit / 16 byte keys
89#
90# @twofish-192: Twofish with 192 bit / 24 byte keys
91#
92# @twofish-256: Twofish with 256 bit / 32 byte keys
93#
94# @sm4: SM4 with 128 bit / 16 byte keys (since 9.0)
95#
96# Since: 2.6
97##
98{ 'enum': 'QCryptoCipherAlgo',
99  'data': ['aes-128', 'aes-192', 'aes-256',
100           'des', '3des',
101           'cast5-128',
102           'serpent-128', 'serpent-192', 'serpent-256',
103           'twofish-128', 'twofish-192', 'twofish-256',
104           'sm4']}
105
106##
107# @QCryptoCipherMode:
108#
109# The supported modes for content encryption ciphers
110#
111# @ecb: Electronic Code Book
112#
113# @cbc: Cipher Block Chaining
114#
115# @xts: XEX with tweaked code book and ciphertext stealing
116#
117# @ctr: Counter (Since 2.8)
118#
119# Since: 2.6
120##
121{ 'enum': 'QCryptoCipherMode',
122  'data': ['ecb', 'cbc', 'xts', 'ctr']}
123
124##
125# @QCryptoIVGenAlgo:
126#
127# The supported algorithms for generating initialization vectors for
128# full disk encryption.  The 'plain' generator should not be used for
129# disks with sector numbers larger than 2^32, except where
130# compatibility with pre-existing Linux dm-crypt volumes is required.
131#
132# @plain: 64-bit sector number truncated to 32-bits
133#
134# @plain64: 64-bit sector number
135#
136# @essiv: 64-bit sector number encrypted with a hash of the encryption
137#     key
138#
139# Since: 2.6
140##
141{ 'enum': 'QCryptoIVGenAlgo',
142  'data': ['plain', 'plain64', 'essiv']}
143
144##
145# @QCryptoBlockFormat:
146#
147# The supported full disk encryption formats
148#
149# @qcow: QCow/QCow2 built-in AES-CBC encryption.  Use only for
150#     liberating data from old images.
151#
152# @luks: LUKS encryption format.  Recommended for new images
153#
154# Since: 2.6
155##
156{ 'enum': 'QCryptoBlockFormat',
157  'data': ['qcow', 'luks']}
158
159##
160# @QCryptoBlockOptionsBase:
161#
162# The common options that apply to all full disk encryption formats
163#
164# @format: the encryption format
165#
166# Since: 2.6
167##
168{ 'struct': 'QCryptoBlockOptionsBase',
169  'data': { 'format': 'QCryptoBlockFormat' }}
170
171##
172# @QCryptoBlockOptionsQCow:
173#
174# The options that apply to QCow/QCow2 AES-CBC encryption format
175#
176# @key-secret: the ID of a QCryptoSecret object providing the
177#     decryption key.  Mandatory except when probing image for
178#     metadata only.
179#
180# Since: 2.6
181##
182{ 'struct': 'QCryptoBlockOptionsQCow',
183  'data': { '*key-secret': 'str' }}
184
185##
186# @QCryptoBlockOptionsLUKS:
187#
188# The options that apply to LUKS encryption format
189#
190# @key-secret: the ID of a QCryptoSecret object providing the
191#     decryption key.  Mandatory except when probing image for
192#     metadata only.
193#
194# Since: 2.6
195##
196{ 'struct': 'QCryptoBlockOptionsLUKS',
197  'data': { '*key-secret': 'str' }}
198
199##
200# @QCryptoBlockCreateOptionsLUKS:
201#
202# The options that apply to LUKS encryption format initialization
203#
204# @cipher-alg: the cipher algorithm for data encryption Currently
205#     defaults to 'aes-256'.
206#
207# @cipher-mode: the cipher mode for data encryption Currently defaults
208#     to 'xts'
209#
210# @ivgen-alg: the initialization vector generator Currently defaults
211#     to 'plain64'
212#
213# @ivgen-hash-alg: the initialization vector generator hash Currently
214#     defaults to 'sha256'
215#
216# @hash-alg: the master key hash algorithm Currently defaults to
217#     'sha256'
218#
219# @iter-time: number of milliseconds to spend in PBKDF passphrase
220#     processing.  Currently defaults to 2000.  (since 2.8)
221#
222# Since: 2.6
223##
224{ 'struct': 'QCryptoBlockCreateOptionsLUKS',
225  'base': 'QCryptoBlockOptionsLUKS',
226  'data': { '*cipher-alg': 'QCryptoCipherAlgo',
227            '*cipher-mode': 'QCryptoCipherMode',
228            '*ivgen-alg': 'QCryptoIVGenAlgo',
229            '*ivgen-hash-alg': 'QCryptoHashAlgo',
230            '*hash-alg': 'QCryptoHashAlgo',
231            '*iter-time': 'int' }}
232
233##
234# @QCryptoBlockOpenOptions:
235#
236# The options that are available for all encryption formats when
237# opening an existing volume
238#
239# Since: 2.6
240##
241{ 'union': 'QCryptoBlockOpenOptions',
242  'base': 'QCryptoBlockOptionsBase',
243  'discriminator': 'format',
244  'data': { 'qcow': 'QCryptoBlockOptionsQCow',
245            'luks': 'QCryptoBlockOptionsLUKS' } }
246
247##
248# @QCryptoBlockCreateOptions:
249#
250# The options that are available for all encryption formats when
251# initializing a new volume
252#
253# Since: 2.6
254##
255{ 'union': 'QCryptoBlockCreateOptions',
256  'base': 'QCryptoBlockOptionsBase',
257  'discriminator': 'format',
258  'data': { 'qcow': 'QCryptoBlockOptionsQCow',
259            'luks': 'QCryptoBlockCreateOptionsLUKS' } }
260
261##
262# @QCryptoBlockInfoBase:
263#
264# The common information that applies to all full disk encryption
265# formats
266#
267# @format: the encryption format
268#
269# Since: 2.7
270##
271{ 'struct': 'QCryptoBlockInfoBase',
272  'data': { 'format': 'QCryptoBlockFormat' }}
273
274##
275# @QCryptoBlockInfoLUKSSlot:
276#
277# Information about the LUKS block encryption key slot options
278#
279# @active: whether the key slot is currently in use
280#
281# @key-offset: offset to the key material in bytes
282#
283# @iters: number of PBKDF2 iterations for key material
284#
285# @stripes: number of stripes for splitting key material
286#
287# Since: 2.7
288##
289{ 'struct': 'QCryptoBlockInfoLUKSSlot',
290  'data': {'active': 'bool',
291           '*iters': 'int',
292           '*stripes': 'int',
293           'key-offset': 'int' } }
294
295##
296# @QCryptoBlockInfoLUKS:
297#
298# Information about the LUKS block encryption options
299#
300# @cipher-alg: the cipher algorithm for data encryption
301#
302# @cipher-mode: the cipher mode for data encryption
303#
304# @ivgen-alg: the initialization vector generator
305#
306# @ivgen-hash-alg: the initialization vector generator hash
307#
308# @hash-alg: the master key hash algorithm
309#
310# @detached-header: whether the LUKS header is detached (Since 9.0)
311#
312# @payload-offset: offset to the payload data in bytes
313#
314# @master-key-iters: number of PBKDF2 iterations for key material
315#
316# @uuid: unique identifier for the volume
317#
318# @slots: information about each key slot
319#
320# Since: 2.7
321##
322{ 'struct': 'QCryptoBlockInfoLUKS',
323  'data': {'cipher-alg': 'QCryptoCipherAlgo',
324           'cipher-mode': 'QCryptoCipherMode',
325           'ivgen-alg': 'QCryptoIVGenAlgo',
326           '*ivgen-hash-alg': 'QCryptoHashAlgo',
327           'hash-alg': 'QCryptoHashAlgo',
328           'detached-header': 'bool',
329           'payload-offset': 'int',
330           'master-key-iters': 'int',
331           'uuid': 'str',
332           'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }}
333
334##
335# @QCryptoBlockInfo:
336#
337# Information about the block encryption options
338#
339# Since: 2.7
340##
341{ 'union': 'QCryptoBlockInfo',
342  'base': 'QCryptoBlockInfoBase',
343  'discriminator': 'format',
344  'data': { 'luks': 'QCryptoBlockInfoLUKS' } }
345
346##
347# @QCryptoBlockLUKSKeyslotState:
348#
349# Defines state of keyslots that are affected by the update
350#
351# @active: The slots contain the given password and marked as active
352#
353# @inactive: The slots are erased (contain garbage) and marked as
354#     inactive
355#
356# Since: 5.1
357##
358{ 'enum': 'QCryptoBlockLUKSKeyslotState',
359  'data': [ 'active', 'inactive' ] }
360
361##
362# @QCryptoBlockAmendOptionsLUKS:
363#
364# This struct defines the update parameters that activate/de-activate
365# set of keyslots
366#
367# @state: the desired state of the keyslots
368#
369# @new-secret: The ID of a QCryptoSecret object providing the password
370#     to be written into added active keyslots
371#
372# @old-secret: Optional (for deactivation only) If given will
373#     deactivate all keyslots that match password located in
374#     QCryptoSecret with this ID
375#
376# @iter-time: Optional (for activation only) Number of milliseconds to
377#     spend in PBKDF passphrase processing for the newly activated
378#     keyslot.  Currently defaults to 2000.
379#
380# @keyslot: Optional.  ID of the keyslot to activate/deactivate.  For
381#     keyslot activation, keyslot should not be active already (this
382#     is unsafe to update an active keyslot), but possible if 'force'
383#     parameter is given.  If keyslot is not given, first free keyslot
384#     will be written.
385#
386#     For keyslot deactivation, this parameter specifies the exact
387#     keyslot to deactivate
388#
389# @secret: Optional.  The ID of a QCryptoSecret object providing the
390#     password to use to retrieve current master key.  Defaults to the
391#     same secret that was used to open the image
392#
393# Since: 5.1
394##
395{ 'struct': 'QCryptoBlockAmendOptionsLUKS',
396  'data': { 'state': 'QCryptoBlockLUKSKeyslotState',
397            '*new-secret': 'str',
398            '*old-secret': 'str',
399            '*keyslot': 'int',
400            '*iter-time': 'int',
401            '*secret': 'str' } }
402
403##
404# @QCryptoBlockAmendOptions:
405#
406# The options that are available for all encryption formats when
407# amending encryption settings
408#
409# Since: 5.1
410##
411{ 'union': 'QCryptoBlockAmendOptions',
412  'base': 'QCryptoBlockOptionsBase',
413  'discriminator': 'format',
414  'data': {
415          'luks': 'QCryptoBlockAmendOptionsLUKS' } }
416
417##
418# @SecretCommonProperties:
419#
420# Properties for objects of classes derived from secret-common.
421#
422# @loaded: if true, the secret is loaded immediately when applying
423#     this option and will probably fail when processing the next
424#     option.  Don't use; only provided for compatibility.
425#     (default: false)
426#
427# @format: the data format that the secret is provided in
428#     (default: raw)
429#
430# @keyid: the name of another secret that should be used to decrypt
431#     the provided data.  If not present, the data is assumed to be
432#     unencrypted.
433#
434# @iv: the random initialization vector used for encryption of this
435#     particular secret.  Should be a base64 encrypted string of the
436#     16-byte IV.  Mandatory if @keyid is given.  Ignored if @keyid is
437#     absent.
438#
439# Features:
440#
441# @deprecated: Member @loaded is deprecated.  Setting true doesn't
442#     make sense, and false is already the default.
443#
444# Since: 2.6
445##
446{ 'struct': 'SecretCommonProperties',
447  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
448            '*format': 'QCryptoSecretFormat',
449            '*keyid': 'str',
450            '*iv': 'str' } }
451
452##
453# @SecretProperties:
454#
455# Properties for secret objects.
456#
457# Either @data or @file must be provided, but not both.
458#
459# @data: the associated with the secret from
460#
461# @file: the filename to load the data associated with the secret from
462#
463# Since: 2.6
464##
465{ 'struct': 'SecretProperties',
466  'base': 'SecretCommonProperties',
467  'data': { '*data': 'str',
468            '*file': 'str' } }
469
470##
471# @SecretKeyringProperties:
472#
473# Properties for secret_keyring objects.
474#
475# @serial: serial number that identifies a key to get from the kernel
476#
477# Since: 5.1
478##
479{ 'struct': 'SecretKeyringProperties',
480  'base': 'SecretCommonProperties',
481  'data': { 'serial': 'int32' },
482  'if': 'CONFIG_SECRET_KEYRING' }
483
484##
485# @TlsCredsProperties:
486#
487# Properties for objects of classes derived from tls-creds.
488#
489# @verify-peer: if true the peer credentials will be verified once the
490#     handshake is completed.  This is a no-op for anonymous
491#     credentials.  (default: true)
492#
493# @dir: the path of the directory that contains the credential files
494#
495# @endpoint: whether the QEMU network backend that uses the
496#     credentials will be acting as a client or as a server
497#     (default: client)
498#
499# @priority: a gnutls priority string as described at
500#     https://gnutls.org/manual/html_node/Priority-Strings.html
501#
502# Since: 2.5
503##
504{ 'struct': 'TlsCredsProperties',
505  'data': { '*verify-peer': 'bool',
506            '*dir': 'str',
507            '*endpoint': 'QCryptoTLSCredsEndpoint',
508            '*priority': 'str' } }
509
510##
511# @TlsCredsAnonProperties:
512#
513# Properties for tls-creds-anon objects.
514#
515# @loaded: if true, the credentials are loaded immediately when
516#     applying this option and will ignore options that are processed
517#     later.  Don't use; only provided for compatibility.
518#     (default: false)
519#
520# Features:
521#
522# @deprecated: Member @loaded is deprecated.  Setting true doesn't
523#     make sense, and false is already the default.
524#
525# Since: 2.5
526##
527{ 'struct': 'TlsCredsAnonProperties',
528  'base': 'TlsCredsProperties',
529  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } }
530
531##
532# @TlsCredsPskProperties:
533#
534# Properties for tls-creds-psk objects.
535#
536# @loaded: if true, the credentials are loaded immediately when
537#     applying this option and will ignore options that are processed
538#     later.  Don't use; only provided for compatibility.
539#     (default: false)
540#
541# @username: the username which will be sent to the server.  For
542#     clients only.  If absent, "qemu" is sent and the property will
543#     read back as an empty string.
544#
545# Features:
546#
547# @deprecated: Member @loaded is deprecated.  Setting true doesn't
548#     make sense, and false is already the default.
549#
550# Since: 3.0
551##
552{ 'struct': 'TlsCredsPskProperties',
553  'base': 'TlsCredsProperties',
554  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
555            '*username': 'str' } }
556
557##
558# @TlsCredsX509Properties:
559#
560# Properties for tls-creds-x509 objects.
561#
562# @loaded: if true, the credentials are loaded immediately when
563#     applying this option and will ignore options that are processed
564#     later.  Don't use; only provided for compatibility.
565#     (default: false)
566#
567# @sanity-check: if true, perform some sanity checks before using the
568#     credentials (default: true)
569#
570# @passwordid: For the server-key.pem and client-key.pem files which
571#     contain sensitive private keys, it is possible to use an
572#     encrypted version by providing the @passwordid parameter.  This
573#     provides the ID of a previously created secret object containing
574#     the password for decryption.
575#
576# Features:
577#
578# @deprecated: Member @loaded is deprecated.  Setting true doesn't
579#     make sense, and false is already the default.
580#
581# Since: 2.5
582##
583{ 'struct': 'TlsCredsX509Properties',
584  'base': 'TlsCredsProperties',
585  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
586            '*sanity-check': 'bool',
587            '*passwordid': 'str' } }
588##
589# @QCryptoAkCipherAlgo:
590#
591# The supported algorithms for asymmetric encryption ciphers
592#
593# @rsa: RSA algorithm
594#
595# Since: 7.1
596##
597{ 'enum': 'QCryptoAkCipherAlgo',
598  'data': ['rsa']}
599
600##
601# @QCryptoAkCipherKeyType:
602#
603# The type of asymmetric keys.
604#
605# @public: public key
606#
607# @private: private key
608#
609# Since: 7.1
610##
611{ 'enum': 'QCryptoAkCipherKeyType',
612  'data': ['public', 'private']}
613
614##
615# @QCryptoRSAPaddingAlgo:
616#
617# The padding algorithm for RSA.
618#
619# @raw: no padding used
620#
621# @pkcs1: pkcs1#v1.5
622#
623# Since: 7.1
624##
625{ 'enum': 'QCryptoRSAPaddingAlgo',
626  'data': ['raw', 'pkcs1']}
627
628##
629# @QCryptoAkCipherOptionsRSA:
630#
631# Specific parameters for RSA algorithm.
632#
633# @hash-alg: QCryptoHashAlgo
634#
635# @padding-alg: QCryptoRSAPaddingAlgo
636#
637# Since: 7.1
638##
639{ 'struct': 'QCryptoAkCipherOptionsRSA',
640  'data': { 'hash-alg':'QCryptoHashAlgo',
641            'padding-alg': 'QCryptoRSAPaddingAlgo'}}
642
643##
644# @QCryptoAkCipherOptions:
645#
646# The options that are available for all asymmetric key algorithms
647# when creating a new QCryptoAkCipher.
648#
649# @alg: encryption cipher algorithm
650#
651# Since: 7.1
652##
653{ 'union': 'QCryptoAkCipherOptions',
654  'base': { 'alg': 'QCryptoAkCipherAlgo' },
655  'discriminator': 'alg',
656  'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }}
657