1# -*- Mode: Python -*- 2# vim: filetype=python 3# 4 5## 6# = Cryptography 7## 8 9## 10# @QCryptoTLSCredsEndpoint: 11# 12# The type of network endpoint that will be using the credentials. 13# Most types of credential require different setup / structures 14# depending on whether they will be used in a server versus a client. 15# 16# @client: the network endpoint is acting as the client 17# 18# @server: the network endpoint is acting as the server 19# 20# Since: 2.5 21## 22{ 'enum': 'QCryptoTLSCredsEndpoint', 23 'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT', 24 'data': ['client', 'server']} 25 26## 27# @QCryptoSecretFormat: 28# 29# The data format that the secret is provided in 30# 31# @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences 32# can be used 33# 34# @base64: arbitrary base64 encoded binary data 35# 36# Since: 2.6 37## 38{ 'enum': 'QCryptoSecretFormat', 39 'prefix': 'QCRYPTO_SECRET_FORMAT', 40 'data': ['raw', 'base64']} 41 42## 43# @QCryptoHashAlgorithm: 44# 45# The supported algorithms for computing content digests 46# 47# @md5: MD5. Should not be used in any new code, legacy compat only 48# 49# @sha1: SHA-1. Should not be used in any new code, legacy compat only 50# 51# @sha224: SHA-224. (since 2.7) 52# 53# @sha256: SHA-256. Current recommended strong hash. 54# 55# @sha384: SHA-384. (since 2.7) 56# 57# @sha512: SHA-512. (since 2.7) 58# 59# @ripemd160: RIPEMD-160. (since 2.7) 60# 61# Since: 2.6 62## 63{ 'enum': 'QCryptoHashAlgorithm', 64 'prefix': 'QCRYPTO_HASH_ALG', 65 'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']} 66 67## 68# @QCryptoCipherAlgorithm: 69# 70# The supported algorithms for content encryption ciphers 71# 72# @aes-128: AES with 128 bit / 16 byte keys 73# 74# @aes-192: AES with 192 bit / 24 byte keys 75# 76# @aes-256: AES with 256 bit / 32 byte keys 77# 78# @des: DES with 56 bit / 8 byte keys. Do not use except in VNC. 79# (since 6.1) 80# 81# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9) 82# 83# @cast5-128: Cast5 with 128 bit / 16 byte keys 84# 85# @serpent-128: Serpent with 128 bit / 16 byte keys 86# 87# @serpent-192: Serpent with 192 bit / 24 byte keys 88# 89# @serpent-256: Serpent with 256 bit / 32 byte keys 90# 91# @twofish-128: Twofish with 128 bit / 16 byte keys 92# 93# @twofish-192: Twofish with 192 bit / 24 byte keys 94# 95# @twofish-256: Twofish with 256 bit / 32 byte keys 96# 97# Since: 2.6 98## 99{ 'enum': 'QCryptoCipherAlgorithm', 100 'prefix': 'QCRYPTO_CIPHER_ALG', 101 'data': ['aes-128', 'aes-192', 'aes-256', 102 'des', '3des', 103 'cast5-128', 104 'serpent-128', 'serpent-192', 'serpent-256', 105 'twofish-128', 'twofish-192', 'twofish-256']} 106 107## 108# @QCryptoCipherMode: 109# 110# The supported modes for content encryption ciphers 111# 112# @ecb: Electronic Code Book 113# 114# @cbc: Cipher Block Chaining 115# 116# @xts: XEX with tweaked code book and ciphertext stealing 117# 118# @ctr: Counter (Since 2.8) 119# 120# Since: 2.6 121## 122{ 'enum': 'QCryptoCipherMode', 123 'prefix': 'QCRYPTO_CIPHER_MODE', 124 'data': ['ecb', 'cbc', 'xts', 'ctr']} 125 126## 127# @QCryptoIVGenAlgorithm: 128# 129# The supported algorithms for generating initialization vectors for 130# full disk encryption. The 'plain' generator should not be used for 131# disks with sector numbers larger than 2^32, except where 132# compatibility with pre-existing Linux dm-crypt volumes is required. 133# 134# @plain: 64-bit sector number truncated to 32-bits 135# 136# @plain64: 64-bit sector number 137# 138# @essiv: 64-bit sector number encrypted with a hash of the encryption 139# key 140# 141# Since: 2.6 142## 143{ 'enum': 'QCryptoIVGenAlgorithm', 144 'prefix': 'QCRYPTO_IVGEN_ALG', 145 'data': ['plain', 'plain64', 'essiv']} 146 147## 148# @QCryptoBlockFormat: 149# 150# The supported full disk encryption formats 151# 152# @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only for 153# liberating data from old images. 154# 155# @luks: LUKS encryption format. Recommended for new images 156# 157# Since: 2.6 158## 159{ 'enum': 'QCryptoBlockFormat', 160# 'prefix': 'QCRYPTO_BLOCK_FORMAT', 161 'data': ['qcow', 'luks']} 162 163## 164# @QCryptoBlockOptionsBase: 165# 166# The common options that apply to all full disk encryption formats 167# 168# @format: the encryption format 169# 170# Since: 2.6 171## 172{ 'struct': 'QCryptoBlockOptionsBase', 173 'data': { 'format': 'QCryptoBlockFormat' }} 174 175## 176# @QCryptoBlockOptionsQCow: 177# 178# The options that apply to QCow/QCow2 AES-CBC encryption format 179# 180# @key-secret: the ID of a QCryptoSecret object providing the 181# decryption key. Mandatory except when probing image for 182# metadata only. 183# 184# Since: 2.6 185## 186{ 'struct': 'QCryptoBlockOptionsQCow', 187 'data': { '*key-secret': 'str' }} 188 189## 190# @QCryptoBlockOptionsLUKS: 191# 192# The options that apply to LUKS encryption format 193# 194# @key-secret: the ID of a QCryptoSecret object providing the 195# decryption key. Mandatory except when probing image for 196# metadata only. 197# 198# Since: 2.6 199## 200{ 'struct': 'QCryptoBlockOptionsLUKS', 201 'data': { '*key-secret': 'str' }} 202 203## 204# @QCryptoBlockCreateOptionsLUKS: 205# 206# The options that apply to LUKS encryption format initialization 207# 208# @cipher-alg: the cipher algorithm for data encryption Currently 209# defaults to 'aes-256'. 210# 211# @cipher-mode: the cipher mode for data encryption Currently defaults 212# to 'xts' 213# 214# @ivgen-alg: the initialization vector generator Currently defaults 215# to 'plain64' 216# 217# @ivgen-hash-alg: the initialization vector generator hash Currently 218# defaults to 'sha256' 219# 220# @hash-alg: the master key hash algorithm Currently defaults to 221# 'sha256' 222# 223# @iter-time: number of milliseconds to spend in PBKDF passphrase 224# processing. Currently defaults to 2000. (since 2.8) 225# 226# Since: 2.6 227## 228{ 'struct': 'QCryptoBlockCreateOptionsLUKS', 229 'base': 'QCryptoBlockOptionsLUKS', 230 'data': { '*cipher-alg': 'QCryptoCipherAlgorithm', 231 '*cipher-mode': 'QCryptoCipherMode', 232 '*ivgen-alg': 'QCryptoIVGenAlgorithm', 233 '*ivgen-hash-alg': 'QCryptoHashAlgorithm', 234 '*hash-alg': 'QCryptoHashAlgorithm', 235 '*iter-time': 'int'}} 236 237## 238# @QCryptoBlockOpenOptions: 239# 240# The options that are available for all encryption formats when 241# opening an existing volume 242# 243# Since: 2.6 244## 245{ 'union': 'QCryptoBlockOpenOptions', 246 'base': 'QCryptoBlockOptionsBase', 247 'discriminator': 'format', 248 'data': { 'qcow': 'QCryptoBlockOptionsQCow', 249 'luks': 'QCryptoBlockOptionsLUKS' } } 250 251## 252# @QCryptoBlockCreateOptions: 253# 254# The options that are available for all encryption formats when 255# initializing a new volume 256# 257# Since: 2.6 258## 259{ 'union': 'QCryptoBlockCreateOptions', 260 'base': 'QCryptoBlockOptionsBase', 261 'discriminator': 'format', 262 'data': { 'qcow': 'QCryptoBlockOptionsQCow', 263 'luks': 'QCryptoBlockCreateOptionsLUKS' } } 264 265## 266# @QCryptoBlockInfoBase: 267# 268# The common information that applies to all full disk encryption 269# formats 270# 271# @format: the encryption format 272# 273# Since: 2.7 274## 275{ 'struct': 'QCryptoBlockInfoBase', 276 'data': { 'format': 'QCryptoBlockFormat' }} 277 278## 279# @QCryptoBlockInfoLUKSSlot: 280# 281# Information about the LUKS block encryption key slot options 282# 283# @active: whether the key slot is currently in use 284# 285# @key-offset: offset to the key material in bytes 286# 287# @iters: number of PBKDF2 iterations for key material 288# 289# @stripes: number of stripes for splitting key material 290# 291# Since: 2.7 292## 293{ 'struct': 'QCryptoBlockInfoLUKSSlot', 294 'data': {'active': 'bool', 295 '*iters': 'int', 296 '*stripes': 'int', 297 'key-offset': 'int' } } 298 299## 300# @QCryptoBlockInfoLUKS: 301# 302# Information about the LUKS block encryption options 303# 304# @cipher-alg: the cipher algorithm for data encryption 305# 306# @cipher-mode: the cipher mode for data encryption 307# 308# @ivgen-alg: the initialization vector generator 309# 310# @ivgen-hash-alg: the initialization vector generator hash 311# 312# @hash-alg: the master key hash algorithm 313# 314# @payload-offset: offset to the payload data in bytes 315# 316# @master-key-iters: number of PBKDF2 iterations for key material 317# 318# @uuid: unique identifier for the volume 319# 320# @slots: information about each key slot 321# 322# Since: 2.7 323## 324{ 'struct': 'QCryptoBlockInfoLUKS', 325 'data': {'cipher-alg': 'QCryptoCipherAlgorithm', 326 'cipher-mode': 'QCryptoCipherMode', 327 'ivgen-alg': 'QCryptoIVGenAlgorithm', 328 '*ivgen-hash-alg': 'QCryptoHashAlgorithm', 329 'hash-alg': 'QCryptoHashAlgorithm', 330 'payload-offset': 'int', 331 'master-key-iters': 'int', 332 'uuid': 'str', 333 'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }} 334 335## 336# @QCryptoBlockInfo: 337# 338# Information about the block encryption options 339# 340# Since: 2.7 341## 342{ 'union': 'QCryptoBlockInfo', 343 'base': 'QCryptoBlockInfoBase', 344 'discriminator': 'format', 345 'data': { 'luks': 'QCryptoBlockInfoLUKS' } } 346 347## 348# @QCryptoBlockLUKSKeyslotState: 349# 350# Defines state of keyslots that are affected by the update 351# 352# @active: The slots contain the given password and marked as active 353# 354# @inactive: The slots are erased (contain garbage) and marked as 355# inactive 356# 357# Since: 5.1 358## 359{ 'enum': 'QCryptoBlockLUKSKeyslotState', 360 'data': [ 'active', 'inactive' ] } 361 362## 363# @QCryptoBlockAmendOptionsLUKS: 364# 365# This struct defines the update parameters that activate/de-activate 366# set of keyslots 367# 368# @state: the desired state of the keyslots 369# 370# @new-secret: The ID of a QCryptoSecret object providing the password 371# to be written into added active keyslots 372# 373# @old-secret: Optional (for deactivation only) If given will 374# deactivate all keyslots that match password located in 375# QCryptoSecret with this ID 376# 377# @iter-time: Optional (for activation only) Number of milliseconds to 378# spend in PBKDF passphrase processing for the newly activated 379# keyslot. Currently defaults to 2000. 380# 381# @keyslot: Optional. ID of the keyslot to activate/deactivate. For 382# keyslot activation, keyslot should not be active already (this 383# is unsafe to update an active keyslot), but possible if 'force' 384# parameter is given. If keyslot is not given, first free keyslot 385# will be written. 386# 387# For keyslot deactivation, this parameter specifies the exact 388# keyslot to deactivate 389# 390# @secret: Optional. The ID of a QCryptoSecret object providing the 391# password to use to retrieve current master key. Defaults to the 392# same secret that was used to open the image 393# 394# Since: 5.1 395## 396{ 'struct': 'QCryptoBlockAmendOptionsLUKS', 397 'data': { 'state': 'QCryptoBlockLUKSKeyslotState', 398 '*new-secret': 'str', 399 '*old-secret': 'str', 400 '*keyslot': 'int', 401 '*iter-time': 'int', 402 '*secret': 'str' } } 403 404## 405# @QCryptoBlockAmendOptions: 406# 407# The options that are available for all encryption formats when 408# amending encryption settings 409# 410# Since: 5.1 411## 412{ 'union': 'QCryptoBlockAmendOptions', 413 'base': 'QCryptoBlockOptionsBase', 414 'discriminator': 'format', 415 'data': { 416 'luks': 'QCryptoBlockAmendOptionsLUKS' } } 417 418## 419# @SecretCommonProperties: 420# 421# Properties for objects of classes derived from secret-common. 422# 423# @loaded: if true, the secret is loaded immediately when applying 424# this option and will probably fail when processing the next 425# option. Don't use; only provided for compatibility. 426# (default: false) 427# 428# @format: the data format that the secret is provided in 429# (default: raw) 430# 431# @keyid: the name of another secret that should be used to decrypt 432# the provided data. If not present, the data is assumed to be 433# unencrypted. 434# 435# @iv: the random initialization vector used for encryption of this 436# particular secret. Should be a base64 encrypted string of the 437# 16-byte IV. Mandatory if @keyid is given. Ignored if @keyid is 438# absent. 439# 440# Features: 441# 442# @deprecated: Member @loaded is deprecated. Setting true doesn't 443# make sense, and false is already the default. 444# 445# Since: 2.6 446## 447{ 'struct': 'SecretCommonProperties', 448 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, 449 '*format': 'QCryptoSecretFormat', 450 '*keyid': 'str', 451 '*iv': 'str' } } 452 453## 454# @SecretProperties: 455# 456# Properties for secret objects. 457# 458# Either @data or @file must be provided, but not both. 459# 460# @data: the associated with the secret from 461# 462# @file: the filename to load the data associated with the secret from 463# 464# Since: 2.6 465## 466{ 'struct': 'SecretProperties', 467 'base': 'SecretCommonProperties', 468 'data': { '*data': 'str', 469 '*file': 'str' } } 470 471## 472# @SecretKeyringProperties: 473# 474# Properties for secret_keyring objects. 475# 476# @serial: serial number that identifies a key to get from the kernel 477# 478# Since: 5.1 479## 480{ 'struct': 'SecretKeyringProperties', 481 'base': 'SecretCommonProperties', 482 'data': { 'serial': 'int32' } } 483 484## 485# @TlsCredsProperties: 486# 487# Properties for objects of classes derived from tls-creds. 488# 489# @verify-peer: if true the peer credentials will be verified once the 490# handshake is completed. This is a no-op for anonymous 491# credentials. (default: true) 492# 493# @dir: the path of the directory that contains the credential files 494# 495# @endpoint: whether the QEMU network backend that uses the 496# credentials will be acting as a client or as a server 497# (default: client) 498# 499# @priority: a gnutls priority string as described at 500# https://gnutls.org/manual/html_node/Priority-Strings.html 501# 502# Since: 2.5 503## 504{ 'struct': 'TlsCredsProperties', 505 'data': { '*verify-peer': 'bool', 506 '*dir': 'str', 507 '*endpoint': 'QCryptoTLSCredsEndpoint', 508 '*priority': 'str' } } 509 510## 511# @TlsCredsAnonProperties: 512# 513# Properties for tls-creds-anon objects. 514# 515# @loaded: if true, the credentials are loaded immediately when 516# applying this option and will ignore options that are processed 517# later. Don't use; only provided for compatibility. 518# (default: false) 519# 520# Features: 521# 522# @deprecated: Member @loaded is deprecated. Setting true doesn't 523# make sense, and false is already the default. 524# 525# Since: 2.5 526## 527{ 'struct': 'TlsCredsAnonProperties', 528 'base': 'TlsCredsProperties', 529 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } } 530 531## 532# @TlsCredsPskProperties: 533# 534# Properties for tls-creds-psk objects. 535# 536# @loaded: if true, the credentials are loaded immediately when 537# applying this option and will ignore options that are processed 538# later. Don't use; only provided for compatibility. 539# (default: false) 540# 541# @username: the username which will be sent to the server. For 542# clients only. If absent, "qemu" is sent and the property will 543# read back as an empty string. 544# 545# Features: 546# 547# @deprecated: Member @loaded is deprecated. Setting true doesn't 548# make sense, and false is already the default. 549# 550# Since: 3.0 551## 552{ 'struct': 'TlsCredsPskProperties', 553 'base': 'TlsCredsProperties', 554 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, 555 '*username': 'str' } } 556 557## 558# @TlsCredsX509Properties: 559# 560# Properties for tls-creds-x509 objects. 561# 562# @loaded: if true, the credentials are loaded immediately when 563# applying this option and will ignore options that are processed 564# later. Don't use; only provided for compatibility. 565# (default: false) 566# 567# @sanity-check: if true, perform some sanity checks before using the 568# credentials (default: true) 569# 570# @passwordid: For the server-key.pem and client-key.pem files which 571# contain sensitive private keys, it is possible to use an 572# encrypted version by providing the @passwordid parameter. This 573# provides the ID of a previously created secret object containing 574# the password for decryption. 575# 576# Features: 577# 578# @deprecated: Member @loaded is deprecated. Setting true doesn't 579# make sense, and false is already the default. 580# 581# Since: 2.5 582## 583{ 'struct': 'TlsCredsX509Properties', 584 'base': 'TlsCredsProperties', 585 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, 586 '*sanity-check': 'bool', 587 '*passwordid': 'str' } } 588## 589# @QCryptoAkCipherAlgorithm: 590# 591# The supported algorithms for asymmetric encryption ciphers 592# 593# @rsa: RSA algorithm 594# 595# Since: 7.1 596## 597{ 'enum': 'QCryptoAkCipherAlgorithm', 598 'prefix': 'QCRYPTO_AKCIPHER_ALG', 599 'data': ['rsa']} 600 601## 602# @QCryptoAkCipherKeyType: 603# 604# The type of asymmetric keys. 605# 606# Since: 7.1 607## 608{ 'enum': 'QCryptoAkCipherKeyType', 609 'prefix': 'QCRYPTO_AKCIPHER_KEY_TYPE', 610 'data': ['public', 'private']} 611 612## 613# @QCryptoRSAPaddingAlgorithm: 614# 615# The padding algorithm for RSA. 616# 617# @raw: no padding used 618# 619# @pkcs1: pkcs1#v1.5 620# 621# Since: 7.1 622## 623{ 'enum': 'QCryptoRSAPaddingAlgorithm', 624 'prefix': 'QCRYPTO_RSA_PADDING_ALG', 625 'data': ['raw', 'pkcs1']} 626 627## 628# @QCryptoAkCipherOptionsRSA: 629# 630# Specific parameters for RSA algorithm. 631# 632# @hash-alg: QCryptoHashAlgorithm 633# 634# @padding-alg: QCryptoRSAPaddingAlgorithm 635# 636# Since: 7.1 637## 638{ 'struct': 'QCryptoAkCipherOptionsRSA', 639 'data': { 'hash-alg':'QCryptoHashAlgorithm', 640 'padding-alg': 'QCryptoRSAPaddingAlgorithm'}} 641 642## 643# @QCryptoAkCipherOptions: 644# 645# The options that are available for all asymmetric key algorithms 646# when creating a new QCryptoAkCipher. 647# 648# Since: 7.1 649## 650{ 'union': 'QCryptoAkCipherOptions', 651 'base': { 'alg': 'QCryptoAkCipherAlgorithm' }, 652 'discriminator': 'alg', 653 'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }} 654