[libvirt] [PATCH v2 1/4] libvirt: docs: XML to enable/disable protected key mgmt ops
Ján Tomko
jtomko at redhat.com
Fri May 15 15:59:29 UTC 2015
On Fri, May 15, 2015 at 04:43:27PM +0200, Michal Privoznik wrote:
> From: Tony Krowiak <akrowiak at linux.vnet.ibm.com>
>
> Two new domain configuration XML elements have been added to enable/disable
They haven't been added yet :)
This should be squashed in with the patch implementing XML parsing and
formatting of the attributes.
> the protected key management operations for a guest:
>
> <domain>
> ...
> <keywrap>
> <cipher name='aes|dea' state='on|off'/>
> </keywrap>
> ...
> </domain>
>
> Signed-off-by: Tony Krowiak <akrowiak at linux.vnet.ibm.com>
> Signed-off-by: Viktor Mihajlovski <mihajlov at de.ibm.com>
> Reviewed-by: Boris Fiuczynski <fiuczy at linux.vnet.ibm.com>
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
> docs/formatdomain.html.in | 37 +++++++++++++++++++++++++++++++++++++
> docs/schemas/domaincommon.rng | 24 ++++++++++++++++++++++++
> 2 files changed, 61 insertions(+)
>
> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
> index e0b6ba7..db3c81c 100644
> --- a/docs/formatdomain.html.in
> +++ b/docs/formatdomain.html.in
> @@ -6227,6 +6227,43 @@ qemu-kvm -net nic,model=? /dev/null
> being on a file system that lacks security labeling.
> </p>
>
> + <h3><a name="keywrap" shape="rect" id="keywrap">Key Wrap</a></h3>
Is the shape attribute needed here? We don't use it for other 'a name's.
> +
> + <p>The content of the optional <code>keywrap</code> element specifies
> + whether the guest will be allowed to perform the S390 cryptographic key
> + management operations. A clear key can be protected by encrypting it
> + under a unique wrapping key that is generated for each guest VM running
> + on the host. Two variations of wrapping keys are generated: one version
> + for encrypting protected keys using the DEA/TDEA algorithm, and another
> + version for keys encrypted using the AES algorithm. If a
> + <code>keywrap</code> element is not included, the guest will be granted
> + access to both AES and DEA/TDEA key wrapping by default.</p>
> +
> + <pre xml:space="preserve">
Same question about this attribute.
> +<domain>
> + ...
> + <keywrap>
> + <cipher name='aes' state='off'/>
> + <keywrap/>
The / needs to be before the tag name.
> + ...
> +</domain>
> +</pre>
> + <p>At least one <code>cipher</code> element must be nested within the
> + <code>keywrap</code> element.</p>
> + <dl><dt><code>cipher</code></dt>
> + <dd>The <code>name</code> attribute identifies the algorithm
> + for encrypting a protected key. The values supported for this attribute
> + are <code>aes</code> for encryption under the AES wrapping key, or
> + <code>dea</code> for encryption under the DEA/TDEA wrapping key. The
> + <code>state</code> attribute indicates whether the cryptographic key
> + management operations should be turned on for the specified encryption
> + algorithm. The value can be set to <code>on</code> or <code>off</code>.
> + A default state of <code>on</code> will be assumed if a
> + <code>cipher</code> element is not included for the AES or DEA/TDEA
> + encryption algorithm.
> + </dd></dl>
> +
> + Note: DEA/TDEA is synonymous with DES/TDES.
> <h2><a name="examples">Example configs</a></h2>
>
> <p>
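Review bot: the trailing "Note: DEA/TDEA is synonymous with DES/TDES." line is emitted as bare text between the `</dl>` and the `<h2>` Example configs heading, outside any `<p>`, unlike every other paragraph in this hunk; wrap it as `<p>Note: DEA/TDEA is synonymous with DES/TDES.</p>` and keep a blank line before the `<h2>`, as the context above the new `<h3>` does. The text also says at least one `cipher` element is required but does not say what happens when the same `name` appears twice with conflicting `state` values, which the `oneOrMore` in the schema hunk of this patch allows; state either that duplicates are rejected or which element takes precedence, matching whatever the parser does.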
> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
> index c151e92..1e67776 100644
> --- a/docs/schemas/domaincommon.rng
> +++ b/docs/schemas/domaincommon.rng
> @@ -67,6 +67,9 @@
> <optional>
> <ref name='qemucmdline'/>
> </optional>
> + <optional>
> + <ref name='keywrap'/>
> + </optional>
> </interleave>
> </element>
> </define>
> @@ -382,6 +385,27 @@
> </element>
> </define>
>
> + <define name="keywrap">
> + <element name="keywrap">
> + <oneOrMore>
> + <element name="cipher">
> + <attribute name="name">
> + <choice>
> + <value>aes</value>
> + <value>dea</value>
> + </choice>
> + </attribute>
> + <attribute name="state">
> + <choice>
> + <value>on</value>
> + <value>off</value>
> + </choice>
<ref name='virOnOff'/> can be used here
> + </attribute>
> + </element>
> + </oneOrMore>
> + </element>
> + </define>
> +
> <!--
> The Identifiers can be:
> - an optional id attribute with a number on the domain element
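Review bot: `<oneOrMore>` of `cipher` inside the `keywrap` define accepts two `cipher` elements with the same `name` (for example `aes` once with `state='on'` and once with `state='off'`), and RelaxNG cannot express the uniqueness of `name` here; the XML parser this is squashed with should reject duplicate names explicitly so that a conflicting configuration is not silently resolved by element order.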
ACK with the attributes removed. (and squashing it with the XML
parser/formatter)
Jan