[libvirt] [PATCH v2 1/4] libvirt: docs: XML to enable/disable protected key mgmt ops

Michal Privoznik mprivozn at redhat.com
Fri May 15 14:43:27 UTC 2015

From: Tony Krowiak <akrowiak at linux.vnet.ibm.com>

Two new domain configuration XML elements have been added to enable/disable
the protected key management operations for a guest:

        <cipher name='aes|dea' state='on|off'/>

Signed-off-by: Tony Krowiak <akrowiak at linux.vnet.ibm.com>
Signed-off-by: Viktor Mihajlovski <mihajlov at de.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy at linux.vnet.ibm.com>
Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
 docs/formatdomain.html.in     | 37 +++++++++++++++++++++++++++++++++++++
 docs/schemas/domaincommon.rng | 24 ++++++++++++++++++++++++
 2 files changed, 61 insertions(+)

diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index e0b6ba7..db3c81c 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6227,6 +6227,43 @@ qemu-kvm -net nic,model=? /dev/null
       being on a file system that lacks security labeling.
+    <h3><a name="keywrap" shape="rect" id="keywrap">Key Wrap</a></h3>
+       <p>The content of the optional <code>keywrap</code> element specifies
+        whether the guest will be allowed to perform the S390 cryptographic key
+        management operations. A clear key can be protected by encrypting it
+        under a unique wrapping key that is generated for each guest VM running
+        on the host. Two variations of wrapping keys are generated: one version
+        for encrypting protected keys using the DEA/TDEA algorithm, and another
+        version for keys encrypted using the AES algorithm. If a
+        <code>keywrap</code> element is not included, the guest will be granted
+        access to both AES and DEA/TDEA key wrapping by default.</p>
+        <pre xml:space="preserve">
+  ...
+  <keywrap>
+    <cipher name='aes' state='off'/>
+  <keywrap/>
+  ...
+    <p>At least one <code>cipher</code> element must be nested within the
+    <code>keywrap</code> element.</p>
+        <dl><dt><code>cipher</code></dt>
+        <dd>The <code>name</code> attribute identifies the algorithm
+        for encrypting a protected key. The values supported for this attribute
+        are <code>aes</code> for encryption under the AES wrapping key, or
+        <code>dea</code> for encryption under the DEA/TDEA wrapping key. The
+        <code>state</code> attribute indicates whether the cryptographic key
+        management operations should be turned on for the specified encryption
+        algorithm. The value can be set to <code>on</code> or <code>off</code>.
+        A default state of <code>on</code> will be assumed if a
+        <code>cipher</code> element is not included for the AES or DEA/TDEA
+        encryption algorithm.
+        </dd></dl>
+    Note: DEA/TDEA is synonymous with DES/TDES.
     <h2><a name="examples">Example configs</a></h2>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index c151e92..1e67776 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -67,6 +67,9 @@
           <ref name='qemucmdline'/>
+        <optional>
+          <ref name='keywrap'/>
+        </optional>
@@ -382,6 +385,27 @@
+  <define name="keywrap">
+    <element name="keywrap">
+      <oneOrMore>
+        <element name="cipher">
+          <attribute name="name">
+            <choice>
+              <value>aes</value>
+              <value>dea</value>
+            </choice>
+          </attribute>
+          <attribute name="state">
+            <choice>
+                <value>on</value>
+                <value>off</value>
+            </choice>
+          </attribute>
+        </element>
+      </oneOrMore>
+    </element>
+  </define>
       The Identifiers can be:
       - an optional id attribute with a number on the domain element

More information about the libvir-list mailing list