block/crypto.h

   1 /*
   2  * QEMU block full disk encryption
   3  *
   4  * Copyright (c) 2015-2017 Red Hat, Inc.
   5  *
   6  * This library is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU Lesser General Public
   8  * License as published by the Free Software Foundation; either
   9  * version 2.1 of the License, or (at your option) any later version.
  10  *
  11  * This library is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  * Lesser General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU Lesser General Public
  17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  18  *
  19  */
  20
  21 #ifndef BLOCK_CRYPTO_H
  22 #define BLOCK_CRYPTO_H
  23
  24 #define BLOCK_CRYPTO_OPT_DEF_KEY_SECRET(prefix, helpstr)                \
  25     {                                                                   \
  26         .name = prefix BLOCK_CRYPTO_OPT_QCOW_KEY_SECRET,                \
  27         .type = QEMU_OPT_STRING,                                        \
  28         .help = helpstr,                                                \
  29     }
  30
  31 #define BLOCK_CRYPTO_OPT_QCOW_KEY_SECRET "key-secret"
  32
  33 #define BLOCK_CRYPTO_OPT_DEF_QCOW_KEY_SECRET(prefix)                    \
  34     BLOCK_CRYPTO_OPT_DEF_KEY_SECRET(prefix,                             \
  35         "ID of the secret that provides the AES encryption key")
  36
  37 #define BLOCK_CRYPTO_OPT_LUKS_KEY_SECRET "key-secret"
  38 #define BLOCK_CRYPTO_OPT_LUKS_CIPHER_ALG "cipher-alg"
  39 #define BLOCK_CRYPTO_OPT_LUKS_CIPHER_MODE "cipher-mode"
  40 #define BLOCK_CRYPTO_OPT_LUKS_IVGEN_ALG "ivgen-alg"
  41 #define BLOCK_CRYPTO_OPT_LUKS_IVGEN_HASH_ALG "ivgen-hash-alg"
  42 #define BLOCK_CRYPTO_OPT_LUKS_HASH_ALG "hash-alg"
  43 #define BLOCK_CRYPTO_OPT_LUKS_ITER_TIME "iter-time"
  44 #define BLOCK_CRYPTO_OPT_LUKS_DETACHED_HEADER "detached-header"
  45 #define BLOCK_CRYPTO_OPT_LUKS_KEYSLOT "keyslot"
  46 #define BLOCK_CRYPTO_OPT_LUKS_STATE "state"
  47 #define BLOCK_CRYPTO_OPT_LUKS_OLD_SECRET "old-secret"
  48 #define BLOCK_CRYPTO_OPT_LUKS_NEW_SECRET "new-secret"
  49
  50
  51 #define BLOCK_CRYPTO_OPT_DEF_LUKS_KEY_SECRET(prefix)                    \
  52     BLOCK_CRYPTO_OPT_DEF_KEY_SECRET(prefix,                             \
  53         "ID of the secret that provides the keyslot passphrase")
  54
  55 #define BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_ALG(prefix)       \
  56     {                                                      \
  57         .name = prefix BLOCK_CRYPTO_OPT_LUKS_CIPHER_ALG,   \
  58         .type = QEMU_OPT_STRING,                           \
  59         .help = "Name of encryption cipher algorithm",     \
  60     }
  61
  62 #define BLOCK_CRYPTO_OPT_DEF_LUKS_CIPHER_MODE(prefix)      \
  63     {                                                      \
  64         .name = prefix BLOCK_CRYPTO_OPT_LUKS_CIPHER_MODE,  \
  65         .type = QEMU_OPT_STRING,                           \
  66         .help = "Name of encryption cipher mode",          \
  67     }
  68
  69 #define BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_ALG(prefix)     \
  70     {                                                   \
  71         .name = prefix BLOCK_CRYPTO_OPT_LUKS_IVGEN_ALG, \
  72         .type = QEMU_OPT_STRING,                        \
  73         .help = "Name of IV generator algorithm",       \
  74     }
  75
  76 #define BLOCK_CRYPTO_OPT_DEF_LUKS_IVGEN_HASH_ALG(prefix)        \
  77     {                                                           \
  78         .name = prefix BLOCK_CRYPTO_OPT_LUKS_IVGEN_HASH_ALG,    \
  79         .type = QEMU_OPT_STRING,                                \
  80         .help = "Name of IV generator hash algorithm",          \
  81     }
  82
  83 #define BLOCK_CRYPTO_OPT_DEF_LUKS_HASH_ALG(prefix)       \
  84     {                                                    \
  85         .name = prefix BLOCK_CRYPTO_OPT_LUKS_HASH_ALG,   \
  86         .type = QEMU_OPT_STRING,                         \
  87         .help = "Name of encryption hash algorithm",     \
  88     }
  89
  90 #define BLOCK_CRYPTO_OPT_DEF_LUKS_ITER_TIME(prefix)           \
  91     {                                                         \
  92         .name = prefix BLOCK_CRYPTO_OPT_LUKS_ITER_TIME,       \
  93         .type = QEMU_OPT_NUMBER,                              \
  94         .help = "Time to spend in PBKDF in milliseconds",     \
  95     }
  96
  97 #define BLOCK_CRYPTO_OPT_DEF_LUKS_STATE(prefix)                           \
  98     {                                                                     \
  99         .name = prefix BLOCK_CRYPTO_OPT_LUKS_STATE,                       \
 100         .type = QEMU_OPT_STRING,                                          \
 101         .help = "Select new state of affected keyslots (active/inactive)",\
 102     }
 103
 104 #define BLOCK_CRYPTO_OPT_DEF_LUKS_DETACHED_HEADER(prefix)     \
 105     {                                                         \
 106         .name = prefix BLOCK_CRYPTO_OPT_LUKS_DETACHED_HEADER, \
 107         .type = QEMU_OPT_BOOL,                                \
 108         .help = "Create a detached LUKS header",              \
 109     }
 110
 111 #define BLOCK_CRYPTO_OPT_DEF_LUKS_KEYSLOT(prefix)              \
 112     {                                                          \
 113         .name = prefix BLOCK_CRYPTO_OPT_LUKS_KEYSLOT,          \
 114         .type = QEMU_OPT_NUMBER,                               \
 115         .help = "Select a single keyslot to modify explicitly",\
 116     }
 117
 118 #define BLOCK_CRYPTO_OPT_DEF_LUKS_OLD_SECRET(prefix)            \
 119     {                                                           \
 120         .name = prefix BLOCK_CRYPTO_OPT_LUKS_OLD_SECRET,        \
 121         .type = QEMU_OPT_STRING,                                \
 122         .help = "Select all keyslots that match this password", \
 123     }
 124
 125 #define BLOCK_CRYPTO_OPT_DEF_LUKS_NEW_SECRET(prefix)            \
 126     {                                                           \
 127         .name = prefix BLOCK_CRYPTO_OPT_LUKS_NEW_SECRET,        \
 128         .type = QEMU_OPT_STRING,                                \
 129         .help = "New secret to set in the matching keyslots. "  \
 130                 "Empty string to erase",                        \
 131     }
 132
 133 QCryptoBlockCreateOptions *
 134 block_crypto_create_opts_init(QDict *opts, Error **errp);
 135
 136 QCryptoBlockAmendOptions *
 137 block_crypto_amend_opts_init(QDict *opts, Error **errp);
 138
 139 QCryptoBlockOpenOptions *
 140 block_crypto_open_opts_init(QDict *opts, Error **errp);
 141
 142 #endif /* BLOCK_CRYPTO_H */