[libvirt] [PATCH v2 1/4] libvirt: docs: XML to enable/disable protected key mgmt ops

Ján Tomko jtomko at redhat.com
Fri May 15 15:59:29 UTC 2015


On Fri, May 15, 2015 at 04:43:27PM +0200, Michal Privoznik wrote:
> From: Tony Krowiak <akrowiak at linux.vnet.ibm.com>
> 
> Two new domain configuration XML elements have been added to enable/disable

They haven't been added yet :)

This should be squashed in with the patch implementing XML parsing and
formatting of the attributes.

> the protected key management operations for a guest:
> 
>     <domain>
>       ...
>       <keywrap>
>         <cipher name='aes|dea' state='on|off'/>
>       </keywrap>
>       ...
>     </domain>
> 
> Signed-off-by: Tony Krowiak <akrowiak at linux.vnet.ibm.com>
> Signed-off-by: Viktor Mihajlovski <mihajlov at de.ibm.com>
> Reviewed-by: Boris Fiuczynski <fiuczy at linux.vnet.ibm.com>
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
>  docs/formatdomain.html.in     | 37 +++++++++++++++++++++++++++++++++++++
>  docs/schemas/domaincommon.rng | 24 ++++++++++++++++++++++++
>  2 files changed, 61 insertions(+)
> 
> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
> index e0b6ba7..db3c81c 100644
> --- a/docs/formatdomain.html.in
> +++ b/docs/formatdomain.html.in
> @@ -6227,6 +6227,43 @@ qemu-kvm -net nic,model=? /dev/null
>        being on a file system that lacks security labeling.
>      </p>
>  
> +    <h3><a name="keywrap" shape="rect" id="keywrap">Key Wrap</a></h3>

Is the shape attribute needed here? We don't use it for other 'a name's.

> +
> +       <p>The content of the optional <code>keywrap</code> element specifies
> +        whether the guest will be allowed to perform the S390 cryptographic key
> +        management operations. A clear key can be protected by encrypting it
> +        under a unique wrapping key that is generated for each guest VM running
> +        on the host. Two variations of wrapping keys are generated: one version
> +        for encrypting protected keys using the DEA/TDEA algorithm, and another
> +        version for keys encrypted using the AES algorithm. If a
> +        <code>keywrap</code> element is not included, the guest will be granted
> +        access to both AES and DEA/TDEA key wrapping by default.</p>
> +
> +        <pre xml:space="preserve">

Same question about this attribute.

> +<domain>
> +  ...
> +  <keywrap>
> +    <cipher name='aes' state='off'/>
> +  <keywrap/>

The / needs to be before the tag name.

> +  ...
> +</domain>
> +</pre>
> +    <p>At least one <code>cipher</code> element must be nested within the
> +    <code>keywrap</code> element.</p>
> +        <dl><dt><code>cipher</code></dt>
> +        <dd>The <code>name</code> attribute identifies the algorithm
> +        for encrypting a protected key. The values supported for this attribute
> +        are <code>aes</code> for encryption under the AES wrapping key, or
> +        <code>dea</code> for encryption under the DEA/TDEA wrapping key. The
> +        <code>state</code> attribute indicates whether the cryptographic key
> +        management operations should be turned on for the specified encryption
> +        algorithm. The value can be set to <code>on</code> or <code>off</code>.
> +        A default state of <code>on</code> will be assumed if a
> +        <code>cipher</code> element is not included for the AES or DEA/TDEA
> +        encryption algorithm.
> +        </dd></dl>
> +
> +    Note: DEA/TDEA is synonymous with DES/TDES.
>      <h2><a name="examples">Example configs</a></h2>
>  
>      <p>
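Review bot: The `Note: DEA/TDEA is synonymous with DES/TDES.` line at the end of the new section is bare text outside any element and sits directly before the `<h2>` for Example configs; wrap it in a `<p>` so it renders as a paragraph and keeps the HTML well-formed. The section also lacks the version marker formatdomain.html.in carries for every new element (`<span class="since">Since X.Y.Z</span>`, with the release filled in by the author), so readers cannot tell which libvirt version honours `keywrap`. Minor: the indentation of the `<p>`, `<pre>` and `<dl>` blocks is mixed (4, 7 and 8 spaces); align with the surrounding 4-space style.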
> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
> index c151e92..1e67776 100644
> --- a/docs/schemas/domaincommon.rng
> +++ b/docs/schemas/domaincommon.rng
> @@ -67,6 +67,9 @@
>          <optional>
>            <ref name='qemucmdline'/>
>          </optional>
> +        <optional>
> +          <ref name='keywrap'/>
> +        </optional>
>        </interleave>
>      </element>
>    </define>
> @@ -382,6 +385,27 @@
>      </element>
>    </define>
>  
> +  <define name="keywrap">
> +    <element name="keywrap">
> +      <oneOrMore>
> +        <element name="cipher">
> +          <attribute name="name">
> +            <choice>
> +              <value>aes</value>
> +              <value>dea</value>
> +            </choice>
> +          </attribute>
> +          <attribute name="state">


> +            <choice>
> +                <value>on</value>
> +                <value>off</value>
> +            </choice>

<ref name='virOnOff'/> can be used here.

> +          </attribute>
> +        </element>
> +      </oneOrMore>
> +    </element>
> +  </define>
> +
>    <!--
>        The Identifiers can be:
>        - an optional id attribute with a number on the domain element
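Review bot: The `<oneOrMore>` around `cipher` places no restriction on repeated `name` values, so `<cipher name='aes' state='on'/>` followed by `<cipher name='aes' state='off'/>` validates against this schema with no defined winner. RelaxNG cannot express that uniqueness, so the parser patch in this series should reject a duplicated cipher name with an explicit error, and the docs should state that each cipher may appear at most once. Also, the `<value>` lines under the `state` choice are indented two spaces deeper than the sibling `name` choice; align them with the existing style.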

ACK with the attributes removed. (and squashing it with the XML
parser/formatter)

Jan