[libvirt] [PATCH 3/3] storage: Allow inputvol to be encrypted

Michal Privoznik mprivozn at redhat.com
Tue Sep 11 11:16:16 UTC 2018


On 08/21/2018 06:23 PM, John Ferlan wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1613737
> 
> When processing the inputvol for encryption, we need to handle
> the case where the inputvol is encrypted. This then allows for
> the encrypted inputvol to be used either for an output encrypted
> volume or an output volume of some XML provided type.
> 
> Add tests to show the various conversion options when either input
> or output is encrypted. This includes when both are encrypted.
> 
> Signed-off-by: John Ferlan <jferlan at redhat.com>
> ---
>  src/storage/storage_util.c                    | 62 ++++++++++++++++---
>  src/storage/storage_util.h                    |  1 +
>  .../luks-convert-encrypt.argv                 | 11 ++++
>  .../luks-convert-encrypt2fileqcow2.argv       |  7 +++
>  .../luks-convert-encrypt2fileraw.argv         |  7 +++
>  tests/storagevolxml2argvtest.c                | 15 ++++-
>  tests/storagevolxml2xmlin/vol-encrypt1.xml    | 21 +++++++
>  tests/storagevolxml2xmlin/vol-encrypt2.xml    | 21 +++++++
>  8 files changed, 137 insertions(+), 8 deletions(-)
>  create mode 100644 tests/storagevolxml2argvdata/luks-convert-encrypt.argv
>  create mode 100644 tests/storagevolxml2argvdata/luks-convert-encrypt2fileqcow2.argv
>  create mode 100644 tests/storagevolxml2argvdata/luks-convert-encrypt2fileraw.argv
>  create mode 100644 tests/storagevolxml2xmlin/vol-encrypt1.xml
>  create mode 100644 tests/storagevolxml2xmlin/vol-encrypt2.xml
> 
> diff --git a/src/storage/storage_util.c b/src/storage/storage_util.c
> index cc49a5b9f7..3c1e875b27 100644
> --- a/src/storage/storage_util.c
> +++ b/src/storage/storage_util.c
> @@ -1084,6 +1084,7 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
>                                           unsigned int flags,
>                                           const char *create_tool,
>                                           const char *secretPath,
> +                                         const char *inputSecretPath,
>                                           virStorageVolEncryptConvertStep convertStep)
>  {
>      virCommandPtr cmd = NULL;
> @@ -1101,6 +1102,8 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
>          .secretAlias = NULL,
>      };
>      virStorageEncryptionPtr enc = vol->target.encryption;
> +    char *inputSecretAlias = NULL;
> +    virStorageEncryptionPtr inputenc = inputvol ? inputvol->target.encryption : NULL;
>      virStorageEncryptionInfoDefPtr encinfo = NULL;
>  
>      virCheckFlags(VIR_STORAGE_VOL_CREATE_PREALLOC_METADATA, NULL);
> @@ -1114,6 +1117,12 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
>          goto error;
>      }
>  
> +    if (inputenc && inputenc->format != VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) {
> +        virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> +                       _("encryption format of inputvol must be LUKS"));
> +        goto error;
> +    }
> +
>      if (virStorageBackendCreateQemuImgSetInfo(pool, vol, inputvol,
>                                                convertStep, &info) < 0)
>          goto error;
> @@ -1153,6 +1162,20 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
>          encinfo = &enc->encinfo;
>      }
>  
> +    if (inputenc && convertStep == VIR_STORAGE_VOL_ENCRYPT_CONVERT) {
> +        if (!inputSecretPath) {
> +            virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> +                           _("path to inputvol secret data file is required"));
> +            goto error;
> +        }
> +        if (virAsprintf(&inputSecretAlias, "%s_encrypt0",
> +                        inputvol->name) < 0)
> +            goto error;
> +        if (storageBackendCreateQemuImgSecretObject(cmd, inputSecretPath,
> +                                                    inputSecretAlias) < 0)
> +            goto error;
> +    }
> +
>      if (convertStep != VIR_STORAGE_VOL_ENCRYPT_CONVERT) {
>          if (storageBackendCreateQemuImgSetOptions(cmd, encinfo, info) < 0)
>              goto error;
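Review bot: The alias built at the `virAsprintf` call is `<inputvol->name>_encrypt0`; the hunk does not show how `info.secretAlias` for the output volume is formed (the initializer earlier only shows `.secretAlias = NULL`), but if it follows the same `"%s_encrypt0"` pattern on `vol->name`, an input volume that shares its name with the output volume — possible when the two live in different pools — would yield two `--object secret` entries with one id and the `key-secret=` references on the source and destination would no longer be distinguishable, which qemu-img would presumably reject. A distinct suffix for the input side, e.g. `virAsprintf(&inputSecretAlias, "%s_input_encrypt0", inputvol->name)`, removes the ambiguity. Separately, `inputSecretAlias` is heap-allocated here but the function's cleanup and error labels are outside this hunk; it needs a `VIR_FREE(inputSecretAlias)` on both the success and the `goto error` paths, which should be confirmed in the part of the patch not quoted here.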
> @@ -1163,19 +1186,32 @@ virStorageBackendCreateQemuImgCmdFromVol(virStoragePoolObjPtr pool,
>              virCommandAddArgFormat(cmd, "%lluK", info.size_arg);
>      } else {
>          /* source */
> -        virCommandAddArgFormat(cmd, "driver=%s,file.filename=%s",
> -                               info.inputType, info.inputPath);
> +        if (inputenc)
> +            virCommandAddArgFormat(cmd,
> +                                   "driver=luks,file.filename=%s,key-secret=%s",
> +                                   info.inputPath, inputSecretAlias);
> +        else
> +            virCommandAddArgFormat(cmd, "driver=%s,file.filename=%s",
> +                                   info.inputType, info.inputPath);
>  
>          /* dest */
> -        virCommandAddArgFormat(cmd, "driver=%s,file.filename=%s,key-secret=%s",
> -                               info.type, info.path, info.secretAlias);
> +        if (enc)
> +            virCommandAddArgFormat(cmd,
> +                                   "driver=%s,file.filename=%s,key-secret=%s",
> +                                   info.type, info.path, info.secretAlias);
> +        else
> +            virCommandAddArgFormat(cmd, "driver=%s,file.filename=%s",
> +                                   info.type, info.path);
> +

Same comment here as in previous patch.

Michal



