1# -*- Mode: Python -*- 2# vim: filetype=python 3# 4 5## 6# = Cryptography 7## 8 9## 10# @QCryptoTLSCredsEndpoint: 11# 12# The type of network endpoint that will be using the credentials. 13# Most types of credential require different setup / structures 14# depending on whether they will be used in a server versus a client. 15# 16# @client: the network endpoint is acting as the client 17# 18# @server: the network endpoint is acting as the server 19# 20# Since: 2.5 21## 22{ 'enum': 'QCryptoTLSCredsEndpoint', 23 'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT', 24 'data': ['client', 'server']} 25 26## 27# @QCryptoSecretFormat: 28# 29# The data format that the secret is provided in 30# 31# @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences 32# can be used 33# 34# @base64: arbitrary base64 encoded binary data 35# 36# Since: 2.6 37## 38{ 'enum': 'QCryptoSecretFormat', 39 'prefix': 'QCRYPTO_SECRET_FORMAT', 40 'data': ['raw', 'base64']} 41 42## 43# @QCryptoHashAlgorithm: 44# 45# The supported algorithms for computing content digests 46# 47# @md5: MD5. Should not be used in any new code, legacy compat only 48# 49# @sha1: SHA-1. Should not be used in any new code, legacy compat only 50# 51# @sha224: SHA-224. (since 2.7) 52# 53# @sha256: SHA-256. Current recommended strong hash. 54# 55# @sha384: SHA-384. (since 2.7) 56# 57# @sha512: SHA-512. (since 2.7) 58# 59# @ripemd160: RIPEMD-160. (since 2.7) 60# 61# Since: 2.6 62## 63{ 'enum': 'QCryptoHashAlgorithm', 64 'prefix': 'QCRYPTO_HASH_ALG', 65 'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']} 66 67## 68# @QCryptoCipherAlgorithm: 69# 70# The supported algorithms for content encryption ciphers 71# 72# @aes-128: AES with 128 bit / 16 byte keys 73# 74# @aes-192: AES with 192 bit / 24 byte keys 75# 76# @aes-256: AES with 256 bit / 32 byte keys 77# 78# @des: DES with 56 bit / 8 byte keys. Do not use except in VNC. 79# (since 6.1) 80# 81# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9) 82# 83# @cast5-128: Cast5 with 128 bit / 16 byte keys 84# 85# @serpent-128: Serpent with 128 bit / 16 byte keys 86# 87# @serpent-192: Serpent with 192 bit / 24 byte keys 88# 89# @serpent-256: Serpent with 256 bit / 32 byte keys 90# 91# @twofish-128: Twofish with 128 bit / 16 byte keys 92# 93# @twofish-192: Twofish with 192 bit / 24 byte keys 94# 95# @twofish-256: Twofish with 256 bit / 32 byte keys 96# 97# @sm4: SM4 with 128 bit / 16 byte keys (since 9.0) 98# 99# Since: 2.6 100## 101{ 'enum': 'QCryptoCipherAlgorithm', 102 'prefix': 'QCRYPTO_CIPHER_ALG', 103 'data': ['aes-128', 'aes-192', 'aes-256', 104 'des', '3des', 105 'cast5-128', 106 'serpent-128', 'serpent-192', 'serpent-256', 107 'twofish-128', 'twofish-192', 'twofish-256', 108 'sm4']} 109 110## 111# @QCryptoCipherMode: 112# 113# The supported modes for content encryption ciphers 114# 115# @ecb: Electronic Code Book 116# 117# @cbc: Cipher Block Chaining 118# 119# @xts: XEX with tweaked code book and ciphertext stealing 120# 121# @ctr: Counter (Since 2.8) 122# 123# Since: 2.6 124## 125{ 'enum': 'QCryptoCipherMode', 126 'prefix': 'QCRYPTO_CIPHER_MODE', 127 'data': ['ecb', 'cbc', 'xts', 'ctr']} 128 129## 130# @QCryptoIVGenAlgorithm: 131# 132# The supported algorithms for generating initialization vectors for 133# full disk encryption. The 'plain' generator should not be used for 134# disks with sector numbers larger than 2^32, except where 135# compatibility with pre-existing Linux dm-crypt volumes is required. 136# 137# @plain: 64-bit sector number truncated to 32-bits 138# 139# @plain64: 64-bit sector number 140# 141# @essiv: 64-bit sector number encrypted with a hash of the encryption 142# key 143# 144# Since: 2.6 145## 146{ 'enum': 'QCryptoIVGenAlgorithm', 147 'prefix': 'QCRYPTO_IVGEN_ALG', 148 'data': ['plain', 'plain64', 'essiv']} 149 150## 151# @QCryptoBlockFormat: 152# 153# The supported full disk encryption formats 154# 155# @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only for 156# liberating data from old images. 157# 158# @luks: LUKS encryption format. Recommended for new images 159# 160# Since: 2.6 161## 162{ 'enum': 'QCryptoBlockFormat', 163# 'prefix': 'QCRYPTO_BLOCK_FORMAT', 164 'data': ['qcow', 'luks']} 165 166## 167# @QCryptoBlockOptionsBase: 168# 169# The common options that apply to all full disk encryption formats 170# 171# @format: the encryption format 172# 173# Since: 2.6 174## 175{ 'struct': 'QCryptoBlockOptionsBase', 176 'data': { 'format': 'QCryptoBlockFormat' }} 177 178## 179# @QCryptoBlockOptionsQCow: 180# 181# The options that apply to QCow/QCow2 AES-CBC encryption format 182# 183# @key-secret: the ID of a QCryptoSecret object providing the 184# decryption key. Mandatory except when probing image for 185# metadata only. 186# 187# Since: 2.6 188## 189{ 'struct': 'QCryptoBlockOptionsQCow', 190 'data': { '*key-secret': 'str' }} 191 192## 193# @QCryptoBlockOptionsLUKS: 194# 195# The options that apply to LUKS encryption format 196# 197# @key-secret: the ID of a QCryptoSecret object providing the 198# decryption key. Mandatory except when probing image for 199# metadata only. 200# 201# Since: 2.6 202## 203{ 'struct': 'QCryptoBlockOptionsLUKS', 204 'data': { '*key-secret': 'str' }} 205 206## 207# @QCryptoBlockCreateOptionsLUKS: 208# 209# The options that apply to LUKS encryption format initialization 210# 211# @cipher-alg: the cipher algorithm for data encryption Currently 212# defaults to 'aes-256'. 213# 214# @cipher-mode: the cipher mode for data encryption Currently defaults 215# to 'xts' 216# 217# @ivgen-alg: the initialization vector generator Currently defaults 218# to 'plain64' 219# 220# @ivgen-hash-alg: the initialization vector generator hash Currently 221# defaults to 'sha256' 222# 223# @hash-alg: the master key hash algorithm Currently defaults to 224# 'sha256' 225# 226# @iter-time: number of milliseconds to spend in PBKDF passphrase 227# processing. Currently defaults to 2000. (since 2.8) 228# 229# @detached-header: create a detached LUKS header. (since 9.0) 230# 231# Since: 2.6 232## 233{ 'struct': 'QCryptoBlockCreateOptionsLUKS', 234 'base': 'QCryptoBlockOptionsLUKS', 235 'data': { '*cipher-alg': 'QCryptoCipherAlgorithm', 236 '*cipher-mode': 'QCryptoCipherMode', 237 '*ivgen-alg': 'QCryptoIVGenAlgorithm', 238 '*ivgen-hash-alg': 'QCryptoHashAlgorithm', 239 '*hash-alg': 'QCryptoHashAlgorithm', 240 '*iter-time': 'int', 241 '*detached-header': 'bool'}} 242 243## 244# @QCryptoBlockOpenOptions: 245# 246# The options that are available for all encryption formats when 247# opening an existing volume 248# 249# Since: 2.6 250## 251{ 'union': 'QCryptoBlockOpenOptions', 252 'base': 'QCryptoBlockOptionsBase', 253 'discriminator': 'format', 254 'data': { 'qcow': 'QCryptoBlockOptionsQCow', 255 'luks': 'QCryptoBlockOptionsLUKS' } } 256 257## 258# @QCryptoBlockCreateOptions: 259# 260# The options that are available for all encryption formats when 261# initializing a new volume 262# 263# Since: 2.6 264## 265{ 'union': 'QCryptoBlockCreateOptions', 266 'base': 'QCryptoBlockOptionsBase', 267 'discriminator': 'format', 268 'data': { 'qcow': 'QCryptoBlockOptionsQCow', 269 'luks': 'QCryptoBlockCreateOptionsLUKS' } } 270 271## 272# @QCryptoBlockInfoBase: 273# 274# The common information that applies to all full disk encryption 275# formats 276# 277# @format: the encryption format 278# 279# Since: 2.7 280## 281{ 'struct': 'QCryptoBlockInfoBase', 282 'data': { 'format': 'QCryptoBlockFormat' }} 283 284## 285# @QCryptoBlockInfoLUKSSlot: 286# 287# Information about the LUKS block encryption key slot options 288# 289# @active: whether the key slot is currently in use 290# 291# @key-offset: offset to the key material in bytes 292# 293# @iters: number of PBKDF2 iterations for key material 294# 295# @stripes: number of stripes for splitting key material 296# 297# Since: 2.7 298## 299{ 'struct': 'QCryptoBlockInfoLUKSSlot', 300 'data': {'active': 'bool', 301 '*iters': 'int', 302 '*stripes': 'int', 303 'key-offset': 'int' } } 304 305## 306# @QCryptoBlockInfoLUKS: 307# 308# Information about the LUKS block encryption options 309# 310# @cipher-alg: the cipher algorithm for data encryption 311# 312# @cipher-mode: the cipher mode for data encryption 313# 314# @ivgen-alg: the initialization vector generator 315# 316# @ivgen-hash-alg: the initialization vector generator hash 317# 318# @hash-alg: the master key hash algorithm 319# 320# @detached-header: whether the LUKS header is detached (Since 9.0) 321# 322# @payload-offset: offset to the payload data in bytes 323# 324# @master-key-iters: number of PBKDF2 iterations for key material 325# 326# @uuid: unique identifier for the volume 327# 328# @slots: information about each key slot 329# 330# Since: 2.7 331## 332{ 'struct': 'QCryptoBlockInfoLUKS', 333 'data': {'cipher-alg': 'QCryptoCipherAlgorithm', 334 'cipher-mode': 'QCryptoCipherMode', 335 'ivgen-alg': 'QCryptoIVGenAlgorithm', 336 '*ivgen-hash-alg': 'QCryptoHashAlgorithm', 337 'hash-alg': 'QCryptoHashAlgorithm', 338 'detached-header': 'bool', 339 'payload-offset': 'int', 340 'master-key-iters': 'int', 341 'uuid': 'str', 342 'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }} 343 344## 345# @QCryptoBlockInfo: 346# 347# Information about the block encryption options 348# 349# Since: 2.7 350## 351{ 'union': 'QCryptoBlockInfo', 352 'base': 'QCryptoBlockInfoBase', 353 'discriminator': 'format', 354 'data': { 'luks': 'QCryptoBlockInfoLUKS' } } 355 356## 357# @QCryptoBlockLUKSKeyslotState: 358# 359# Defines state of keyslots that are affected by the update 360# 361# @active: The slots contain the given password and marked as active 362# 363# @inactive: The slots are erased (contain garbage) and marked as 364# inactive 365# 366# Since: 5.1 367## 368{ 'enum': 'QCryptoBlockLUKSKeyslotState', 369 'data': [ 'active', 'inactive' ] } 370 371## 372# @QCryptoBlockAmendOptionsLUKS: 373# 374# This struct defines the update parameters that activate/de-activate 375# set of keyslots 376# 377# @state: the desired state of the keyslots 378# 379# @new-secret: The ID of a QCryptoSecret object providing the password 380# to be written into added active keyslots 381# 382# @old-secret: Optional (for deactivation only) If given will 383# deactivate all keyslots that match password located in 384# QCryptoSecret with this ID 385# 386# @iter-time: Optional (for activation only) Number of milliseconds to 387# spend in PBKDF passphrase processing for the newly activated 388# keyslot. Currently defaults to 2000. 389# 390# @keyslot: Optional. ID of the keyslot to activate/deactivate. For 391# keyslot activation, keyslot should not be active already (this 392# is unsafe to update an active keyslot), but possible if 'force' 393# parameter is given. If keyslot is not given, first free keyslot 394# will be written. 395# 396# For keyslot deactivation, this parameter specifies the exact 397# keyslot to deactivate 398# 399# @secret: Optional. The ID of a QCryptoSecret object providing the 400# password to use to retrieve current master key. Defaults to the 401# same secret that was used to open the image 402# 403# Since: 5.1 404## 405{ 'struct': 'QCryptoBlockAmendOptionsLUKS', 406 'data': { 'state': 'QCryptoBlockLUKSKeyslotState', 407 '*new-secret': 'str', 408 '*old-secret': 'str', 409 '*keyslot': 'int', 410 '*iter-time': 'int', 411 '*secret': 'str' } } 412 413## 414# @QCryptoBlockAmendOptions: 415# 416# The options that are available for all encryption formats when 417# amending encryption settings 418# 419# Since: 5.1 420## 421{ 'union': 'QCryptoBlockAmendOptions', 422 'base': 'QCryptoBlockOptionsBase', 423 'discriminator': 'format', 424 'data': { 425 'luks': 'QCryptoBlockAmendOptionsLUKS' } } 426 427## 428# @SecretCommonProperties: 429# 430# Properties for objects of classes derived from secret-common. 431# 432# @loaded: if true, the secret is loaded immediately when applying 433# this option and will probably fail when processing the next 434# option. Don't use; only provided for compatibility. 435# (default: false) 436# 437# @format: the data format that the secret is provided in 438# (default: raw) 439# 440# @keyid: the name of another secret that should be used to decrypt 441# the provided data. If not present, the data is assumed to be 442# unencrypted. 443# 444# @iv: the random initialization vector used for encryption of this 445# particular secret. Should be a base64 encrypted string of the 446# 16-byte IV. Mandatory if @keyid is given. Ignored if @keyid is 447# absent. 448# 449# Features: 450# 451# @deprecated: Member @loaded is deprecated. Setting true doesn't 452# make sense, and false is already the default. 453# 454# Since: 2.6 455## 456{ 'struct': 'SecretCommonProperties', 457 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, 458 '*format': 'QCryptoSecretFormat', 459 '*keyid': 'str', 460 '*iv': 'str' } } 461 462## 463# @SecretProperties: 464# 465# Properties for secret objects. 466# 467# Either @data or @file must be provided, but not both. 468# 469# @data: the associated with the secret from 470# 471# @file: the filename to load the data associated with the secret from 472# 473# Since: 2.6 474## 475{ 'struct': 'SecretProperties', 476 'base': 'SecretCommonProperties', 477 'data': { '*data': 'str', 478 '*file': 'str' } } 479 480## 481# @SecretKeyringProperties: 482# 483# Properties for secret_keyring objects. 484# 485# @serial: serial number that identifies a key to get from the kernel 486# 487# Since: 5.1 488## 489{ 'struct': 'SecretKeyringProperties', 490 'base': 'SecretCommonProperties', 491 'data': { 'serial': 'int32' } } 492 493## 494# @TlsCredsProperties: 495# 496# Properties for objects of classes derived from tls-creds. 497# 498# @verify-peer: if true the peer credentials will be verified once the 499# handshake is completed. This is a no-op for anonymous 500# credentials. (default: true) 501# 502# @dir: the path of the directory that contains the credential files 503# 504# @endpoint: whether the QEMU network backend that uses the 505# credentials will be acting as a client or as a server 506# (default: client) 507# 508# @priority: a gnutls priority string as described at 509# https://gnutls.org/manual/html_node/Priority-Strings.html 510# 511# Since: 2.5 512## 513{ 'struct': 'TlsCredsProperties', 514 'data': { '*verify-peer': 'bool', 515 '*dir': 'str', 516 '*endpoint': 'QCryptoTLSCredsEndpoint', 517 '*priority': 'str' } } 518 519## 520# @TlsCredsAnonProperties: 521# 522# Properties for tls-creds-anon objects. 523# 524# @loaded: if true, the credentials are loaded immediately when 525# applying this option and will ignore options that are processed 526# later. Don't use; only provided for compatibility. 527# (default: false) 528# 529# Features: 530# 531# @deprecated: Member @loaded is deprecated. Setting true doesn't 532# make sense, and false is already the default. 533# 534# Since: 2.5 535## 536{ 'struct': 'TlsCredsAnonProperties', 537 'base': 'TlsCredsProperties', 538 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } } 539 540## 541# @TlsCredsPskProperties: 542# 543# Properties for tls-creds-psk objects. 544# 545# @loaded: if true, the credentials are loaded immediately when 546# applying this option and will ignore options that are processed 547# later. Don't use; only provided for compatibility. 548# (default: false) 549# 550# @username: the username which will be sent to the server. For 551# clients only. If absent, "qemu" is sent and the property will 552# read back as an empty string. 553# 554# Features: 555# 556# @deprecated: Member @loaded is deprecated. Setting true doesn't 557# make sense, and false is already the default. 558# 559# Since: 3.0 560## 561{ 'struct': 'TlsCredsPskProperties', 562 'base': 'TlsCredsProperties', 563 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, 564 '*username': 'str' } } 565 566## 567# @TlsCredsX509Properties: 568# 569# Properties for tls-creds-x509 objects. 570# 571# @loaded: if true, the credentials are loaded immediately when 572# applying this option and will ignore options that are processed 573# later. Don't use; only provided for compatibility. 574# (default: false) 575# 576# @sanity-check: if true, perform some sanity checks before using the 577# credentials (default: true) 578# 579# @passwordid: For the server-key.pem and client-key.pem files which 580# contain sensitive private keys, it is possible to use an 581# encrypted version by providing the @passwordid parameter. This 582# provides the ID of a previously created secret object containing 583# the password for decryption. 584# 585# Features: 586# 587# @deprecated: Member @loaded is deprecated. Setting true doesn't 588# make sense, and false is already the default. 589# 590# Since: 2.5 591## 592{ 'struct': 'TlsCredsX509Properties', 593 'base': 'TlsCredsProperties', 594 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, 595 '*sanity-check': 'bool', 596 '*passwordid': 'str' } } 597## 598# @QCryptoAkCipherAlgorithm: 599# 600# The supported algorithms for asymmetric encryption ciphers 601# 602# @rsa: RSA algorithm 603# 604# Since: 7.1 605## 606{ 'enum': 'QCryptoAkCipherAlgorithm', 607 'prefix': 'QCRYPTO_AKCIPHER_ALG', 608 'data': ['rsa']} 609 610## 611# @QCryptoAkCipherKeyType: 612# 613# The type of asymmetric keys. 614# 615# Since: 7.1 616## 617{ 'enum': 'QCryptoAkCipherKeyType', 618 'prefix': 'QCRYPTO_AKCIPHER_KEY_TYPE', 619 'data': ['public', 'private']} 620 621## 622# @QCryptoRSAPaddingAlgorithm: 623# 624# The padding algorithm for RSA. 625# 626# @raw: no padding used 627# 628# @pkcs1: pkcs1#v1.5 629# 630# Since: 7.1 631## 632{ 'enum': 'QCryptoRSAPaddingAlgorithm', 633 'prefix': 'QCRYPTO_RSA_PADDING_ALG', 634 'data': ['raw', 'pkcs1']} 635 636## 637# @QCryptoAkCipherOptionsRSA: 638# 639# Specific parameters for RSA algorithm. 640# 641# @hash-alg: QCryptoHashAlgorithm 642# 643# @padding-alg: QCryptoRSAPaddingAlgorithm 644# 645# Since: 7.1 646## 647{ 'struct': 'QCryptoAkCipherOptionsRSA', 648 'data': { 'hash-alg':'QCryptoHashAlgorithm', 649 'padding-alg': 'QCryptoRSAPaddingAlgorithm'}} 650 651## 652# @QCryptoAkCipherOptions: 653# 654# The options that are available for all asymmetric key algorithms 655# when creating a new QCryptoAkCipher. 656# 657# Since: 7.1 658## 659{ 'union': 'QCryptoAkCipherOptions', 660 'base': { 'alg': 'QCryptoAkCipherAlgorithm' }, 661 'discriminator': 'alg', 662 'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }} 663