1# -*- Mode: Python -*- 2# vim: filetype=python 3# 4 5## 6# = Cryptography 7## 8 9## 10# @QCryptoTLSCredsEndpoint: 11# 12# The type of network endpoint that will be using the credentials. 13# Most types of credential require different setup / structures 14# depending on whether they will be used in a server versus a client. 15# 16# @client: the network endpoint is acting as the client 17# 18# @server: the network endpoint is acting as the server 19# 20# Since: 2.5 21## 22{ 'enum': 'QCryptoTLSCredsEndpoint', 23 'data': ['client', 'server']} 24 25## 26# @QCryptoSecretFormat: 27# 28# The data format that the secret is provided in 29# 30# @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences 31# can be used 32# 33# @base64: arbitrary base64 encoded binary data 34# 35# Since: 2.6 36## 37{ 'enum': 'QCryptoSecretFormat', 38 'data': ['raw', 'base64']} 39 40## 41# @QCryptoHashAlgo: 42# 43# The supported algorithms for computing content digests 44# 45# @md5: MD5. Should not be used in any new code, legacy compat only 46# 47# @sha1: SHA-1. Should not be used in any new code, legacy compat only 48# 49# @sha224: SHA-224. (since 2.7) 50# 51# @sha256: SHA-256. Current recommended strong hash. 52# 53# @sha384: SHA-384. (since 2.7) 54# 55# @sha512: SHA-512. (since 2.7) 56# 57# @ripemd160: RIPEMD-160. (since 2.7) 58# 59# @sm3: SM3. (since 9.2.0) 60# 61# Since: 2.6 62## 63{ 'enum': 'QCryptoHashAlgo', 64 'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160', 'sm3']} 65 66## 67# @QCryptoCipherAlgo: 68# 69# The supported algorithms for content encryption ciphers 70# 71# @aes-128: AES with 128 bit / 16 byte keys 72# 73# @aes-192: AES with 192 bit / 24 byte keys 74# 75# @aes-256: AES with 256 bit / 32 byte keys 76# 77# @des: DES with 56 bit / 8 byte keys. Do not use except in VNC. 78# (since 6.1) 79# 80# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9) 81# 82# @cast5-128: Cast5 with 128 bit / 16 byte keys 83# 84# @serpent-128: Serpent with 128 bit / 16 byte keys 85# 86# @serpent-192: Serpent with 192 bit / 24 byte keys 87# 88# @serpent-256: Serpent with 256 bit / 32 byte keys 89# 90# @twofish-128: Twofish with 128 bit / 16 byte keys 91# 92# @twofish-192: Twofish with 192 bit / 24 byte keys 93# 94# @twofish-256: Twofish with 256 bit / 32 byte keys 95# 96# @sm4: SM4 with 128 bit / 16 byte keys (since 9.0) 97# 98# Since: 2.6 99## 100{ 'enum': 'QCryptoCipherAlgo', 101 'data': ['aes-128', 'aes-192', 'aes-256', 102 'des', '3des', 103 'cast5-128', 104 'serpent-128', 'serpent-192', 'serpent-256', 105 'twofish-128', 'twofish-192', 'twofish-256', 106 'sm4']} 107 108## 109# @QCryptoCipherMode: 110# 111# The supported modes for content encryption ciphers 112# 113# @ecb: Electronic Code Book 114# 115# @cbc: Cipher Block Chaining 116# 117# @xts: XEX with tweaked code book and ciphertext stealing 118# 119# @ctr: Counter (Since 2.8) 120# 121# Since: 2.6 122## 123{ 'enum': 'QCryptoCipherMode', 124 'data': ['ecb', 'cbc', 'xts', 'ctr']} 125 126## 127# @QCryptoIVGenAlgo: 128# 129# The supported algorithms for generating initialization vectors for 130# full disk encryption. The 'plain' generator should not be used for 131# disks with sector numbers larger than 2^32, except where 132# compatibility with pre-existing Linux dm-crypt volumes is required. 133# 134# @plain: 64-bit sector number truncated to 32-bits 135# 136# @plain64: 64-bit sector number 137# 138# @essiv: 64-bit sector number encrypted with a hash of the encryption 139# key 140# 141# Since: 2.6 142## 143{ 'enum': 'QCryptoIVGenAlgo', 144 'data': ['plain', 'plain64', 'essiv']} 145 146## 147# @QCryptoBlockFormat: 148# 149# The supported full disk encryption formats 150# 151# @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only for 152# liberating data from old images. 153# 154# @luks: LUKS encryption format. Recommended for new images 155# 156# Since: 2.6 157## 158{ 'enum': 'QCryptoBlockFormat', 159 'data': ['qcow', 'luks']} 160 161## 162# @QCryptoBlockOptionsBase: 163# 164# The common options that apply to all full disk encryption formats 165# 166# @format: the encryption format 167# 168# Since: 2.6 169## 170{ 'struct': 'QCryptoBlockOptionsBase', 171 'data': { 'format': 'QCryptoBlockFormat' }} 172 173## 174# @QCryptoBlockOptionsQCow: 175# 176# The options that apply to QCow/QCow2 AES-CBC encryption format 177# 178# @key-secret: the ID of a QCryptoSecret object providing the 179# decryption key. Mandatory except when probing image for 180# metadata only. 181# 182# Since: 2.6 183## 184{ 'struct': 'QCryptoBlockOptionsQCow', 185 'data': { '*key-secret': 'str' }} 186 187## 188# @QCryptoBlockOptionsLUKS: 189# 190# The options that apply to LUKS encryption format 191# 192# @key-secret: the ID of a QCryptoSecret object providing the 193# decryption key. Mandatory except when probing image for 194# metadata only. 195# 196# Since: 2.6 197## 198{ 'struct': 'QCryptoBlockOptionsLUKS', 199 'data': { '*key-secret': 'str' }} 200 201## 202# @QCryptoBlockCreateOptionsLUKS: 203# 204# The options that apply to LUKS encryption format initialization 205# 206# @cipher-alg: the cipher algorithm for data encryption. Currently 207# defaults to 'aes-256'. 208# 209# @cipher-mode: the cipher mode for data encryption. Currently 210# defaults to 'xts' 211# 212# @ivgen-alg: the initialization vector generator. Currently defaults 213# to 'plain64' 214# 215# @ivgen-hash-alg: the initialization vector generator hash. 216# Currently defaults to 'sha256' 217# 218# @hash-alg: the master key hash algorithm. Currently defaults to 219# 'sha256' 220# 221# @iter-time: number of milliseconds to spend in PBKDF passphrase 222# processing. Currently defaults to 2000. (since 2.8) 223# 224# Since: 2.6 225## 226{ 'struct': 'QCryptoBlockCreateOptionsLUKS', 227 'base': 'QCryptoBlockOptionsLUKS', 228 'data': { '*cipher-alg': 'QCryptoCipherAlgo', 229 '*cipher-mode': 'QCryptoCipherMode', 230 '*ivgen-alg': 'QCryptoIVGenAlgo', 231 '*ivgen-hash-alg': 'QCryptoHashAlgo', 232 '*hash-alg': 'QCryptoHashAlgo', 233 '*iter-time': 'int' }} 234 235## 236# @QCryptoBlockOpenOptions: 237# 238# The options that are available for all encryption formats when 239# opening an existing volume 240# 241# Since: 2.6 242## 243{ 'union': 'QCryptoBlockOpenOptions', 244 'base': 'QCryptoBlockOptionsBase', 245 'discriminator': 'format', 246 'data': { 'qcow': 'QCryptoBlockOptionsQCow', 247 'luks': 'QCryptoBlockOptionsLUKS' } } 248 249## 250# @QCryptoBlockCreateOptions: 251# 252# The options that are available for all encryption formats when 253# initializing a new volume 254# 255# Since: 2.6 256## 257{ 'union': 'QCryptoBlockCreateOptions', 258 'base': 'QCryptoBlockOptionsBase', 259 'discriminator': 'format', 260 'data': { 'qcow': 'QCryptoBlockOptionsQCow', 261 'luks': 'QCryptoBlockCreateOptionsLUKS' } } 262 263## 264# @QCryptoBlockInfoBase: 265# 266# The common information that applies to all full disk encryption 267# formats 268# 269# @format: the encryption format 270# 271# Since: 2.7 272## 273{ 'struct': 'QCryptoBlockInfoBase', 274 'data': { 'format': 'QCryptoBlockFormat' }} 275 276## 277# @QCryptoBlockInfoLUKSSlot: 278# 279# Information about the LUKS block encryption key slot options 280# 281# @active: whether the key slot is currently in use 282# 283# @key-offset: offset to the key material in bytes 284# 285# @iters: number of PBKDF2 iterations for key material 286# 287# @stripes: number of stripes for splitting key material 288# 289# Since: 2.7 290## 291{ 'struct': 'QCryptoBlockInfoLUKSSlot', 292 'data': {'active': 'bool', 293 '*iters': 'int', 294 '*stripes': 'int', 295 'key-offset': 'int' } } 296 297## 298# @QCryptoBlockInfoLUKS: 299# 300# Information about the LUKS block encryption options 301# 302# @cipher-alg: the cipher algorithm for data encryption 303# 304# @cipher-mode: the cipher mode for data encryption 305# 306# @ivgen-alg: the initialization vector generator 307# 308# @ivgen-hash-alg: the initialization vector generator hash 309# 310# @hash-alg: the master key hash algorithm 311# 312# @detached-header: whether the LUKS header is detached (Since 9.0) 313# 314# @payload-offset: offset to the payload data in bytes 315# 316# @master-key-iters: number of PBKDF2 iterations for key material 317# 318# @uuid: unique identifier for the volume 319# 320# @slots: information about each key slot 321# 322# Since: 2.7 323## 324{ 'struct': 'QCryptoBlockInfoLUKS', 325 'data': {'cipher-alg': 'QCryptoCipherAlgo', 326 'cipher-mode': 'QCryptoCipherMode', 327 'ivgen-alg': 'QCryptoIVGenAlgo', 328 '*ivgen-hash-alg': 'QCryptoHashAlgo', 329 'hash-alg': 'QCryptoHashAlgo', 330 'detached-header': 'bool', 331 'payload-offset': 'int', 332 'master-key-iters': 'int', 333 'uuid': 'str', 334 'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }} 335 336## 337# @QCryptoBlockInfo: 338# 339# Information about the block encryption options 340# 341# Since: 2.7 342## 343{ 'union': 'QCryptoBlockInfo', 344 'base': 'QCryptoBlockInfoBase', 345 'discriminator': 'format', 346 'data': { 'luks': 'QCryptoBlockInfoLUKS' } } 347 348## 349# @QCryptoBlockLUKSKeyslotState: 350# 351# Defines state of keyslots that are affected by the update 352# 353# @active: The slots contain the given password and marked as active 354# 355# @inactive: The slots are erased (contain garbage) and marked as 356# inactive 357# 358# Since: 5.1 359## 360{ 'enum': 'QCryptoBlockLUKSKeyslotState', 361 'data': [ 'active', 'inactive' ] } 362 363## 364# @QCryptoBlockAmendOptionsLUKS: 365# 366# This struct defines the update parameters that activate/de-activate 367# set of keyslots 368# 369# @state: the desired state of the keyslots 370# 371# @new-secret: The ID of a QCryptoSecret object providing the password 372# to be written into added active keyslots 373# 374# @old-secret: Optional (for deactivation only). If given will 375# deactivate all keyslots that match password located in 376# QCryptoSecret with this ID 377# 378# @iter-time: Optional (for activation only). Number of milliseconds to 379# spend in PBKDF passphrase processing for the newly activated 380# keyslot. Currently defaults to 2000. 381# 382# @keyslot: Optional. ID of the keyslot to activate/deactivate. For 383# keyslot activation, keyslot should not be active already (this 384# is unsafe to update an active keyslot), but possible if 'force' 385# parameter is given. If keyslot is not given, first free keyslot 386# will be written. 387# 388# For keyslot deactivation, this parameter specifies the exact 389# keyslot to deactivate 390# 391# @secret: Optional. The ID of a QCryptoSecret object providing the 392# password to use to retrieve current master key. Defaults to the 393# same secret that was used to open the image 394# 395# Since: 5.1 396## 397{ 'struct': 'QCryptoBlockAmendOptionsLUKS', 398 'data': { 'state': 'QCryptoBlockLUKSKeyslotState', 399 '*new-secret': 'str', 400 '*old-secret': 'str', 401 '*keyslot': 'int', 402 '*iter-time': 'int', 403 '*secret': 'str' } } 404 405## 406# @QCryptoBlockAmendOptions: 407# 408# The options that are available for all encryption formats when 409# amending encryption settings 410# 411# Since: 5.1 412## 413{ 'union': 'QCryptoBlockAmendOptions', 414 'base': 'QCryptoBlockOptionsBase', 415 'discriminator': 'format', 416 'data': { 417 'luks': 'QCryptoBlockAmendOptionsLUKS' } } 418 419## 420# @SecretCommonProperties: 421# 422# Properties for objects of classes derived from secret-common. 423# 424# @format: the data format that the secret is provided in 425# (default: raw) 426# 427# @keyid: the name of another secret that should be used to decrypt 428# the provided data. If not present, the data is assumed to be 429# unencrypted. 430# 431# @iv: the random initialization vector used for encryption of this 432# particular secret. Should be a base64 encrypted string of the 433# 16-byte IV. Mandatory if @keyid is given. Ignored if @keyid is 434# absent. 435# 436# Since: 2.6 437## 438{ 'struct': 'SecretCommonProperties', 439 'data': { '*format': 'QCryptoSecretFormat', 440 '*keyid': 'str', 441 '*iv': 'str' } } 442 443## 444# @SecretProperties: 445# 446# Properties for secret objects. 447# 448# Either @data or @file must be provided, but not both. 449# 450# @data: the associated with the secret from 451# 452# @file: the filename to load the data associated with the secret from 453# 454# Since: 2.6 455## 456{ 'struct': 'SecretProperties', 457 'base': 'SecretCommonProperties', 458 'data': { '*data': 'str', 459 '*file': 'str' } } 460 461## 462# @SecretKeyringProperties: 463# 464# Properties for secret_keyring objects. 465# 466# @serial: serial number that identifies a key to get from the kernel 467# 468# Since: 5.1 469## 470{ 'struct': 'SecretKeyringProperties', 471 'base': 'SecretCommonProperties', 472 'data': { 'serial': 'int32' }, 473 'if': 'CONFIG_SECRET_KEYRING' } 474 475## 476# @TlsCredsProperties: 477# 478# Properties for objects of classes derived from tls-creds. 479# 480# @verify-peer: if true the peer credentials will be verified once the 481# handshake is completed. This is a no-op for anonymous 482# credentials. (default: true) 483# 484# @dir: the path of the directory that contains the credential files 485# 486# @endpoint: whether the QEMU network backend that uses the 487# credentials will be acting as a client or as a server 488# (default: client) 489# 490# @priority: a gnutls priority string as described at 491# https://gnutls.org/manual/html_node/Priority-Strings.html 492# 493# Since: 2.5 494## 495{ 'struct': 'TlsCredsProperties', 496 'data': { '*verify-peer': 'bool', 497 '*dir': 'str', 498 '*endpoint': 'QCryptoTLSCredsEndpoint', 499 '*priority': 'str' } } 500 501## 502# @TlsCredsAnonProperties: 503# 504# Properties for tls-creds-anon objects. 505# 506# Since: 2.5 507## 508{ 'struct': 'TlsCredsAnonProperties', 509 'base': 'TlsCredsProperties', 510 'data': { } } 511 512## 513# @TlsCredsPskProperties: 514# 515# Properties for tls-creds-psk objects. 516# 517# @username: the username which will be sent to the server. For 518# clients only. If absent, "qemu" is sent and the property will 519# read back as an empty string. 520# 521# Since: 3.0 522## 523{ 'struct': 'TlsCredsPskProperties', 524 'base': 'TlsCredsProperties', 525 'data': { '*username': 'str' } } 526 527## 528# @TlsCredsX509Properties: 529# 530# Properties for tls-creds-x509 objects. 531# 532# @sanity-check: if true, perform some sanity checks before using the 533# credentials (default: true) 534# 535# @passwordid: For the server-key.pem and client-key.pem files which 536# contain sensitive private keys, it is possible to use an 537# encrypted version by providing the @passwordid parameter. This 538# provides the ID of a previously created secret object containing 539# the password for decryption. 540# 541# Since: 2.5 542## 543{ 'struct': 'TlsCredsX509Properties', 544 'base': 'TlsCredsProperties', 545 'data': { '*sanity-check': 'bool', 546 '*passwordid': 'str' } } 547## 548# @QCryptoAkCipherAlgo: 549# 550# The supported algorithms for asymmetric encryption ciphers 551# 552# @rsa: RSA algorithm 553# 554# Since: 7.1 555## 556{ 'enum': 'QCryptoAkCipherAlgo', 557 'data': ['rsa']} 558 559## 560# @QCryptoAkCipherKeyType: 561# 562# The type of asymmetric keys. 563# 564# @public: public key 565# 566# @private: private key 567# 568# Since: 7.1 569## 570{ 'enum': 'QCryptoAkCipherKeyType', 571 'data': ['public', 'private']} 572 573## 574# @QCryptoRSAPaddingAlgo: 575# 576# The padding algorithm for RSA. 577# 578# @raw: no padding used 579# 580# @pkcs1: pkcs1#v1.5 581# 582# Since: 7.1 583## 584{ 'enum': 'QCryptoRSAPaddingAlgo', 585 'data': ['raw', 'pkcs1']} 586 587## 588# @QCryptoAkCipherOptionsRSA: 589# 590# Specific parameters for RSA algorithm. 591# 592# @hash-alg: QCryptoHashAlgo 593# 594# @padding-alg: QCryptoRSAPaddingAlgo 595# 596# Since: 7.1 597## 598{ 'struct': 'QCryptoAkCipherOptionsRSA', 599 'data': { 'hash-alg':'QCryptoHashAlgo', 600 'padding-alg': 'QCryptoRSAPaddingAlgo'}} 601 602## 603# @QCryptoAkCipherOptions: 604# 605# The options that are available for all asymmetric key algorithms 606# when creating a new QCryptoAkCipher. 607# 608# @alg: encryption cipher algorithm 609# 610# Since: 7.1 611## 612{ 'union': 'QCryptoAkCipherOptions', 613 'base': { 'alg': 'QCryptoAkCipherAlgo' }, 614 'discriminator': 'alg', 615 'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }} 616