xref: /openbmc/qemu/qapi/crypto.json (revision fb6051e7)
1# -*- Mode: Python -*-
2# vim: filetype=python
3#
4
5##
6# = Cryptography
7##
8
9##
10# @QCryptoTLSCredsEndpoint:
11#
12# The type of network endpoint that will be using the credentials.
13# Most types of credential require different setup / structures
14# depending on whether they will be used in a server versus a client.
15#
16# @client: the network endpoint is acting as the client
17#
18# @server: the network endpoint is acting as the server
19#
20# Since: 2.5
21##
22{ 'enum': 'QCryptoTLSCredsEndpoint',
23  'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT',
24  'data': ['client', 'server']}
25
26##
27# @QCryptoSecretFormat:
28#
29# The data format that the secret is provided in
30#
31# @raw: raw bytes.  When encoded in JSON only valid UTF-8 sequences
32#     can be used
33#
34# @base64: arbitrary base64 encoded binary data
35#
36# Since: 2.6
37##
38{ 'enum': 'QCryptoSecretFormat',
39  'prefix': 'QCRYPTO_SECRET_FORMAT',
40  'data': ['raw', 'base64']}
41
42##
43# @QCryptoHashAlgorithm:
44#
45# The supported algorithms for computing content digests
46#
47# @md5: MD5.  Should not be used in any new code, legacy compat only
48#
49# @sha1: SHA-1.  Should not be used in any new code, legacy compat only
50#
51# @sha224: SHA-224.  (since 2.7)
52#
53# @sha256: SHA-256.  Current recommended strong hash.
54#
55# @sha384: SHA-384.  (since 2.7)
56#
57# @sha512: SHA-512.  (since 2.7)
58#
59# @ripemd160: RIPEMD-160.  (since 2.7)
60#
61# Since: 2.6
62##
63{ 'enum': 'QCryptoHashAlgorithm',
64  'prefix': 'QCRYPTO_HASH_ALG',
65  'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']}
66
67##
68# @QCryptoCipherAlgorithm:
69#
70# The supported algorithms for content encryption ciphers
71#
72# @aes-128: AES with 128 bit / 16 byte keys
73#
74# @aes-192: AES with 192 bit / 24 byte keys
75#
76# @aes-256: AES with 256 bit / 32 byte keys
77#
78# @des: DES with 56 bit / 8 byte keys.  Do not use except in VNC.
79#     (since 6.1)
80#
81# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9)
82#
83# @cast5-128: Cast5 with 128 bit / 16 byte keys
84#
85# @serpent-128: Serpent with 128 bit / 16 byte keys
86#
87# @serpent-192: Serpent with 192 bit / 24 byte keys
88#
89# @serpent-256: Serpent with 256 bit / 32 byte keys
90#
91# @twofish-128: Twofish with 128 bit / 16 byte keys
92#
93# @twofish-192: Twofish with 192 bit / 24 byte keys
94#
95# @twofish-256: Twofish with 256 bit / 32 byte keys
96#
97# @sm4: SM4 with 128 bit / 16 byte keys (since 9.0)
98#
99# Since: 2.6
100##
101{ 'enum': 'QCryptoCipherAlgorithm',
102  'prefix': 'QCRYPTO_CIPHER_ALG',
103  'data': ['aes-128', 'aes-192', 'aes-256',
104           'des', '3des',
105           'cast5-128',
106           'serpent-128', 'serpent-192', 'serpent-256',
107           'twofish-128', 'twofish-192', 'twofish-256',
108           'sm4']}
109
110##
111# @QCryptoCipherMode:
112#
113# The supported modes for content encryption ciphers
114#
115# @ecb: Electronic Code Book
116#
117# @cbc: Cipher Block Chaining
118#
119# @xts: XEX with tweaked code book and ciphertext stealing
120#
121# @ctr: Counter (Since 2.8)
122#
123# Since: 2.6
124##
125{ 'enum': 'QCryptoCipherMode',
126  'prefix': 'QCRYPTO_CIPHER_MODE',
127  'data': ['ecb', 'cbc', 'xts', 'ctr']}
128
129##
130# @QCryptoIVGenAlgorithm:
131#
132# The supported algorithms for generating initialization vectors for
133# full disk encryption.  The 'plain' generator should not be used for
134# disks with sector numbers larger than 2^32, except where
135# compatibility with pre-existing Linux dm-crypt volumes is required.
136#
137# @plain: 64-bit sector number truncated to 32-bits
138#
139# @plain64: 64-bit sector number
140#
141# @essiv: 64-bit sector number encrypted with a hash of the encryption
142#     key
143#
144# Since: 2.6
145##
146{ 'enum': 'QCryptoIVGenAlgorithm',
147  'prefix': 'QCRYPTO_IVGEN_ALG',
148  'data': ['plain', 'plain64', 'essiv']}
149
150##
151# @QCryptoBlockFormat:
152#
153# The supported full disk encryption formats
154#
155# @qcow: QCow/QCow2 built-in AES-CBC encryption.  Use only for
156#     liberating data from old images.
157#
158# @luks: LUKS encryption format.  Recommended for new images
159#
160# Since: 2.6
161##
162{ 'enum': 'QCryptoBlockFormat',
163#  'prefix': 'QCRYPTO_BLOCK_FORMAT',
164  'data': ['qcow', 'luks']}
165
166##
167# @QCryptoBlockOptionsBase:
168#
169# The common options that apply to all full disk encryption formats
170#
171# @format: the encryption format
172#
173# Since: 2.6
174##
175{ 'struct': 'QCryptoBlockOptionsBase',
176  'data': { 'format': 'QCryptoBlockFormat' }}
177
178##
179# @QCryptoBlockOptionsQCow:
180#
181# The options that apply to QCow/QCow2 AES-CBC encryption format
182#
183# @key-secret: the ID of a QCryptoSecret object providing the
184#     decryption key.  Mandatory except when probing image for
185#     metadata only.
186#
187# Since: 2.6
188##
189{ 'struct': 'QCryptoBlockOptionsQCow',
190  'data': { '*key-secret': 'str' }}
191
192##
193# @QCryptoBlockOptionsLUKS:
194#
195# The options that apply to LUKS encryption format
196#
197# @key-secret: the ID of a QCryptoSecret object providing the
198#     decryption key.  Mandatory except when probing image for
199#     metadata only.
200#
201# Since: 2.6
202##
203{ 'struct': 'QCryptoBlockOptionsLUKS',
204  'data': { '*key-secret': 'str' }}
205
206##
207# @QCryptoBlockCreateOptionsLUKS:
208#
209# The options that apply to LUKS encryption format initialization
210#
211# @cipher-alg: the cipher algorithm for data encryption Currently
212#     defaults to 'aes-256'.
213#
214# @cipher-mode: the cipher mode for data encryption Currently defaults
215#     to 'xts'
216#
217# @ivgen-alg: the initialization vector generator Currently defaults
218#     to 'plain64'
219#
220# @ivgen-hash-alg: the initialization vector generator hash Currently
221#     defaults to 'sha256'
222#
223# @hash-alg: the master key hash algorithm Currently defaults to
224#     'sha256'
225#
226# @iter-time: number of milliseconds to spend in PBKDF passphrase
227#     processing.  Currently defaults to 2000.  (since 2.8)
228#
229# Since: 2.6
230##
231{ 'struct': 'QCryptoBlockCreateOptionsLUKS',
232  'base': 'QCryptoBlockOptionsLUKS',
233  'data': { '*cipher-alg': 'QCryptoCipherAlgorithm',
234            '*cipher-mode': 'QCryptoCipherMode',
235            '*ivgen-alg': 'QCryptoIVGenAlgorithm',
236            '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
237            '*hash-alg': 'QCryptoHashAlgorithm',
238            '*iter-time': 'int' }}
239
240##
241# @QCryptoBlockOpenOptions:
242#
243# The options that are available for all encryption formats when
244# opening an existing volume
245#
246# Since: 2.6
247##
248{ 'union': 'QCryptoBlockOpenOptions',
249  'base': 'QCryptoBlockOptionsBase',
250  'discriminator': 'format',
251  'data': { 'qcow': 'QCryptoBlockOptionsQCow',
252            'luks': 'QCryptoBlockOptionsLUKS' } }
253
254##
255# @QCryptoBlockCreateOptions:
256#
257# The options that are available for all encryption formats when
258# initializing a new volume
259#
260# Since: 2.6
261##
262{ 'union': 'QCryptoBlockCreateOptions',
263  'base': 'QCryptoBlockOptionsBase',
264  'discriminator': 'format',
265  'data': { 'qcow': 'QCryptoBlockOptionsQCow',
266            'luks': 'QCryptoBlockCreateOptionsLUKS' } }
267
268##
269# @QCryptoBlockInfoBase:
270#
271# The common information that applies to all full disk encryption
272# formats
273#
274# @format: the encryption format
275#
276# Since: 2.7
277##
278{ 'struct': 'QCryptoBlockInfoBase',
279  'data': { 'format': 'QCryptoBlockFormat' }}
280
281##
282# @QCryptoBlockInfoLUKSSlot:
283#
284# Information about the LUKS block encryption key slot options
285#
286# @active: whether the key slot is currently in use
287#
288# @key-offset: offset to the key material in bytes
289#
290# @iters: number of PBKDF2 iterations for key material
291#
292# @stripes: number of stripes for splitting key material
293#
294# Since: 2.7
295##
296{ 'struct': 'QCryptoBlockInfoLUKSSlot',
297  'data': {'active': 'bool',
298           '*iters': 'int',
299           '*stripes': 'int',
300           'key-offset': 'int' } }
301
302##
303# @QCryptoBlockInfoLUKS:
304#
305# Information about the LUKS block encryption options
306#
307# @cipher-alg: the cipher algorithm for data encryption
308#
309# @cipher-mode: the cipher mode for data encryption
310#
311# @ivgen-alg: the initialization vector generator
312#
313# @ivgen-hash-alg: the initialization vector generator hash
314#
315# @hash-alg: the master key hash algorithm
316#
317# @detached-header: whether the LUKS header is detached (Since 9.0)
318#
319# @payload-offset: offset to the payload data in bytes
320#
321# @master-key-iters: number of PBKDF2 iterations for key material
322#
323# @uuid: unique identifier for the volume
324#
325# @slots: information about each key slot
326#
327# Since: 2.7
328##
329{ 'struct': 'QCryptoBlockInfoLUKS',
330  'data': {'cipher-alg': 'QCryptoCipherAlgorithm',
331           'cipher-mode': 'QCryptoCipherMode',
332           'ivgen-alg': 'QCryptoIVGenAlgorithm',
333           '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
334           'hash-alg': 'QCryptoHashAlgorithm',
335           'detached-header': 'bool',
336           'payload-offset': 'int',
337           'master-key-iters': 'int',
338           'uuid': 'str',
339           'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }}
340
341##
342# @QCryptoBlockInfo:
343#
344# Information about the block encryption options
345#
346# Since: 2.7
347##
348{ 'union': 'QCryptoBlockInfo',
349  'base': 'QCryptoBlockInfoBase',
350  'discriminator': 'format',
351  'data': { 'luks': 'QCryptoBlockInfoLUKS' } }
352
353##
354# @QCryptoBlockLUKSKeyslotState:
355#
356# Defines state of keyslots that are affected by the update
357#
358# @active: The slots contain the given password and marked as active
359#
360# @inactive: The slots are erased (contain garbage) and marked as
361#     inactive
362#
363# Since: 5.1
364##
365{ 'enum': 'QCryptoBlockLUKSKeyslotState',
366  'data': [ 'active', 'inactive' ] }
367
368##
369# @QCryptoBlockAmendOptionsLUKS:
370#
371# This struct defines the update parameters that activate/de-activate
372# set of keyslots
373#
374# @state: the desired state of the keyslots
375#
376# @new-secret: The ID of a QCryptoSecret object providing the password
377#     to be written into added active keyslots
378#
379# @old-secret: Optional (for deactivation only) If given will
380#     deactivate all keyslots that match password located in
381#     QCryptoSecret with this ID
382#
383# @iter-time: Optional (for activation only) Number of milliseconds to
384#     spend in PBKDF passphrase processing for the newly activated
385#     keyslot.  Currently defaults to 2000.
386#
387# @keyslot: Optional.  ID of the keyslot to activate/deactivate.  For
388#     keyslot activation, keyslot should not be active already (this
389#     is unsafe to update an active keyslot), but possible if 'force'
390#     parameter is given.  If keyslot is not given, first free keyslot
391#     will be written.
392#
393#     For keyslot deactivation, this parameter specifies the exact
394#     keyslot to deactivate
395#
396# @secret: Optional.  The ID of a QCryptoSecret object providing the
397#     password to use to retrieve current master key.  Defaults to the
398#     same secret that was used to open the image
399#
400# Since: 5.1
401##
402{ 'struct': 'QCryptoBlockAmendOptionsLUKS',
403  'data': { 'state': 'QCryptoBlockLUKSKeyslotState',
404            '*new-secret': 'str',
405            '*old-secret': 'str',
406            '*keyslot': 'int',
407            '*iter-time': 'int',
408            '*secret': 'str' } }
409
410##
411# @QCryptoBlockAmendOptions:
412#
413# The options that are available for all encryption formats when
414# amending encryption settings
415#
416# Since: 5.1
417##
418{ 'union': 'QCryptoBlockAmendOptions',
419  'base': 'QCryptoBlockOptionsBase',
420  'discriminator': 'format',
421  'data': {
422          'luks': 'QCryptoBlockAmendOptionsLUKS' } }
423
424##
425# @SecretCommonProperties:
426#
427# Properties for objects of classes derived from secret-common.
428#
429# @loaded: if true, the secret is loaded immediately when applying
430#     this option and will probably fail when processing the next
431#     option.  Don't use; only provided for compatibility.
432#     (default: false)
433#
434# @format: the data format that the secret is provided in
435#     (default: raw)
436#
437# @keyid: the name of another secret that should be used to decrypt
438#     the provided data.  If not present, the data is assumed to be
439#     unencrypted.
440#
441# @iv: the random initialization vector used for encryption of this
442#     particular secret.  Should be a base64 encrypted string of the
443#     16-byte IV.  Mandatory if @keyid is given.  Ignored if @keyid is
444#     absent.
445#
446# Features:
447#
448# @deprecated: Member @loaded is deprecated.  Setting true doesn't
449#     make sense, and false is already the default.
450#
451# Since: 2.6
452##
453{ 'struct': 'SecretCommonProperties',
454  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
455            '*format': 'QCryptoSecretFormat',
456            '*keyid': 'str',
457            '*iv': 'str' } }
458
459##
460# @SecretProperties:
461#
462# Properties for secret objects.
463#
464# Either @data or @file must be provided, but not both.
465#
466# @data: the associated with the secret from
467#
468# @file: the filename to load the data associated with the secret from
469#
470# Since: 2.6
471##
472{ 'struct': 'SecretProperties',
473  'base': 'SecretCommonProperties',
474  'data': { '*data': 'str',
475            '*file': 'str' } }
476
477##
478# @SecretKeyringProperties:
479#
480# Properties for secret_keyring objects.
481#
482# @serial: serial number that identifies a key to get from the kernel
483#
484# Since: 5.1
485##
486{ 'struct': 'SecretKeyringProperties',
487  'base': 'SecretCommonProperties',
488  'data': { 'serial': 'int32' },
489  'if': 'CONFIG_SECRET_KEYRING' }
490
491##
492# @TlsCredsProperties:
493#
494# Properties for objects of classes derived from tls-creds.
495#
496# @verify-peer: if true the peer credentials will be verified once the
497#     handshake is completed.  This is a no-op for anonymous
498#     credentials.  (default: true)
499#
500# @dir: the path of the directory that contains the credential files
501#
502# @endpoint: whether the QEMU network backend that uses the
503#     credentials will be acting as a client or as a server
504#     (default: client)
505#
506# @priority: a gnutls priority string as described at
507#     https://gnutls.org/manual/html_node/Priority-Strings.html
508#
509# Since: 2.5
510##
511{ 'struct': 'TlsCredsProperties',
512  'data': { '*verify-peer': 'bool',
513            '*dir': 'str',
514            '*endpoint': 'QCryptoTLSCredsEndpoint',
515            '*priority': 'str' } }
516
517##
518# @TlsCredsAnonProperties:
519#
520# Properties for tls-creds-anon objects.
521#
522# @loaded: if true, the credentials are loaded immediately when
523#     applying this option and will ignore options that are processed
524#     later.  Don't use; only provided for compatibility.
525#     (default: false)
526#
527# Features:
528#
529# @deprecated: Member @loaded is deprecated.  Setting true doesn't
530#     make sense, and false is already the default.
531#
532# Since: 2.5
533##
534{ 'struct': 'TlsCredsAnonProperties',
535  'base': 'TlsCredsProperties',
536  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } }
537
538##
539# @TlsCredsPskProperties:
540#
541# Properties for tls-creds-psk objects.
542#
543# @loaded: if true, the credentials are loaded immediately when
544#     applying this option and will ignore options that are processed
545#     later.  Don't use; only provided for compatibility.
546#     (default: false)
547#
548# @username: the username which will be sent to the server.  For
549#     clients only.  If absent, "qemu" is sent and the property will
550#     read back as an empty string.
551#
552# Features:
553#
554# @deprecated: Member @loaded is deprecated.  Setting true doesn't
555#     make sense, and false is already the default.
556#
557# Since: 3.0
558##
559{ 'struct': 'TlsCredsPskProperties',
560  'base': 'TlsCredsProperties',
561  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
562            '*username': 'str' } }
563
564##
565# @TlsCredsX509Properties:
566#
567# Properties for tls-creds-x509 objects.
568#
569# @loaded: if true, the credentials are loaded immediately when
570#     applying this option and will ignore options that are processed
571#     later.  Don't use; only provided for compatibility.
572#     (default: false)
573#
574# @sanity-check: if true, perform some sanity checks before using the
575#     credentials (default: true)
576#
577# @passwordid: For the server-key.pem and client-key.pem files which
578#     contain sensitive private keys, it is possible to use an
579#     encrypted version by providing the @passwordid parameter.  This
580#     provides the ID of a previously created secret object containing
581#     the password for decryption.
582#
583# Features:
584#
585# @deprecated: Member @loaded is deprecated.  Setting true doesn't
586#     make sense, and false is already the default.
587#
588# Since: 2.5
589##
590{ 'struct': 'TlsCredsX509Properties',
591  'base': 'TlsCredsProperties',
592  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
593            '*sanity-check': 'bool',
594            '*passwordid': 'str' } }
595##
596# @QCryptoAkCipherAlgorithm:
597#
598# The supported algorithms for asymmetric encryption ciphers
599#
600# @rsa: RSA algorithm
601#
602# Since: 7.1
603##
604{ 'enum': 'QCryptoAkCipherAlgorithm',
605  'prefix': 'QCRYPTO_AKCIPHER_ALG',
606  'data': ['rsa']}
607
608##
609# @QCryptoAkCipherKeyType:
610#
611# The type of asymmetric keys.
612#
613# Since: 7.1
614##
615{ 'enum': 'QCryptoAkCipherKeyType',
616  'prefix': 'QCRYPTO_AKCIPHER_KEY_TYPE',
617  'data': ['public', 'private']}
618
619##
620# @QCryptoRSAPaddingAlgorithm:
621#
622# The padding algorithm for RSA.
623#
624# @raw: no padding used
625#
626# @pkcs1: pkcs1#v1.5
627#
628# Since: 7.1
629##
630{ 'enum': 'QCryptoRSAPaddingAlgorithm',
631  'prefix': 'QCRYPTO_RSA_PADDING_ALG',
632  'data': ['raw', 'pkcs1']}
633
634##
635# @QCryptoAkCipherOptionsRSA:
636#
637# Specific parameters for RSA algorithm.
638#
639# @hash-alg: QCryptoHashAlgorithm
640#
641# @padding-alg: QCryptoRSAPaddingAlgorithm
642#
643# Since: 7.1
644##
645{ 'struct': 'QCryptoAkCipherOptionsRSA',
646  'data': { 'hash-alg':'QCryptoHashAlgorithm',
647            'padding-alg': 'QCryptoRSAPaddingAlgorithm'}}
648
649##
650# @QCryptoAkCipherOptions:
651#
652# The options that are available for all asymmetric key algorithms
653# when creating a new QCryptoAkCipher.
654#
655# @alg: encryption cipher algorithm
656#
657# Since: 7.1
658##
659{ 'union': 'QCryptoAkCipherOptions',
660  'base': { 'alg': 'QCryptoAkCipherAlgorithm' },
661  'discriminator': 'alg',
662  'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }}
663