| blob | 7a65e8e402a4e72ad1e6874f1e4b8d3ad0408b2e |
1 /*
2 * QEMU Crypto block device encryption
3 *
4 * Copyright (c) 2015-2016 Red Hat, Inc.
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 *
19 */
21 #ifndef QCRYPTO_BLOCK_H
22 #define QCRYPTO_BLOCK_H
29 /* See also QCryptoBlockFormat, QCryptoBlockCreateOptions
30 * and QCryptoBlockOpenOptions in qapi/crypto.json */
51 /**
52 * qcrypto_block_has_format:
53 * @format: the encryption format
54 * @buf: the data from head of the volume
55 * @len: the length of @buf in bytes
56 *
57 * Given @len bytes of data from the head of a storage volume
58 * in @buf, probe to determine if the volume has the encryption
59 * format specified in @format.
60 *
61 * Returns: true if the data in @buf matches @format
62 */
71 /**
72 * qcrypto_block_open:
73 * @options: the encryption options
74 * @optprefix: name prefix for options
75 * @readfunc: callback for reading data from the volume
76 * @opaque: data to pass to @readfunc
77 * @flags: bitmask of QCryptoBlockOpenFlags values
78 * @n_threads: allow concurrent I/O from up to @n_threads threads
79 * @errp: pointer to a NULL-initialized error object
80 *
81 * Create a new block encryption object for an existing
82 * storage volume encrypted with format identified by
83 * the parameters in @options.
84 *
85 * This will use @readfunc to initialize the encryption
86 * context based on the volume header(s), extracting the
87 * master key(s) as required.
88 *
89 * If @flags contains QCRYPTO_BLOCK_OPEN_NO_IO then
90 * the open process will be optimized to skip any parts
91 * that are only required to perform I/O. In particular
92 * this would usually avoid the need to decrypt any
93 * master keys. The only thing that can be done with
94 * the resulting QCryptoBlock object would be to query
95 * metadata such as the payload offset. There will be
96 * no cipher or ivgen objects available.
97 *
98 * If any part of initializing the encryption context
99 * fails an error will be returned. This could be due
100 * to the volume being in the wrong format, a cipher
101 * or IV generator algorithm that is not supported,
102 * or incorrect passphrases.
103 *
104 * Returns: a block encryption format, or NULL on error
105 */
108 QCryptoBlockReadFunc readfunc,
114 /**
115 * qcrypto_block_create:
116 * @options: the encryption options
117 * @optprefix: name prefix for options
118 * @initfunc: callback for initializing volume header
119 * @writefunc: callback for writing data to the volume header
120 * @opaque: data to pass to @initfunc and @writefunc
121 * @errp: pointer to a NULL-initialized error object
122 *
123 * Create a new block encryption object for initializing
124 * a storage volume to be encrypted with format identified
125 * by the parameters in @options.
126 *
127 * This method will allocate space for a new volume header
128 * using @initfunc and then write header data using @writefunc,
129 * generating new master keys, etc as required. Any existing
130 * data present on the volume will be irrevocably destroyed.
131 *
132 * If any part of initializing the encryption context
133 * fails an error will be returned. This could be due
134 * to the volume being in the wrong format, a cipher
135 * or IV generator algorithm that is not supported,
136 * or incorrect passphrases.
137 *
138 * Returns: a block encryption format, or NULL on error
139 */
142 QCryptoBlockInitFunc initfunc,
143 QCryptoBlockWriteFunc writefunc,
147 /**
148 * qcrypto_block_amend_options:
149 * @block: the block encryption object
150 *
151 * @readfunc: callback for reading data from the volume header
152 * @writefunc: callback for writing data to the volume header
153 * @opaque: data to pass to @readfunc and @writefunc
154 * @options: the new/amended encryption options
155 * @force: hint for the driver to allow unsafe operation
156 * @errp: error pointer
157 *
158 * Changes the crypto options of the encryption format
159 *
160 */
162 QCryptoBlockReadFunc readfunc,
163 QCryptoBlockWriteFunc writefunc,
170 /**
171 * qcrypto_block_calculate_payload_offset:
172 * @create_opts: the encryption options
173 * @optprefix: name prefix for options
174 * @len: output for number of header bytes before payload
175 * @errp: pointer to a NULL-initialized error object
176 *
177 * Calculate the number of header bytes before the payload in an encrypted
178 * storage volume. The header is an area before the payload that is reserved
179 * for encryption metadata.
180 *
181 * Returns: true on success, false on error
182 */
183 bool
190 /**
191 * qcrypto_block_get_info:
192 * @block: the block encryption object
193 * @errp: pointer to a NULL-initialized error object
194 *
195 * Get information about the configuration options for the
196 * block encryption object. This includes details such as
197 * the cipher algorithms, modes, and initialization vector
198 * generators.
199 *
200 * Returns: a block encryption info object, or NULL on error
201 */
205 /**
206 * @qcrypto_block_decrypt:
207 * @block: the block encryption object
208 * @offset: the position at which @iov was read
209 * @buf: the buffer to decrypt
210 * @len: the length of @buf in bytes
211 * @errp: pointer to a NULL-initialized error object
212 *
213 * Decrypt @len bytes of cipher text in @buf, writing
214 * plain text back into @buf. @len and @offset must be
215 * a multiple of the encryption format sector size.
216 *
217 * Returns 0 on success, -1 on failure
218 */
225 /**
226 * @qcrypto_block_encrypt:
227 * @block: the block encryption object
228 * @offset: the position at which @iov will be written
229 * @buf: the buffer to decrypt
230 * @len: the length of @buf in bytes
231 * @errp: pointer to a NULL-initialized error object
232 *
233 * Encrypt @len bytes of plain text in @buf, writing
234 * cipher text back into @buf. @len and @offset must be
235 * a multiple of the encryption format sector size.
236 *
237 * Returns 0 on success, -1 on failure
238 */
245 /**
246 * qcrypto_block_get_cipher:
247 * @block: the block encryption object
248 *
249 * Get the cipher to use for payload encryption
250 *
251 * Returns: the cipher object
252 */
255 /**
256 * qcrypto_block_get_ivgen:
257 * @block: the block encryption object
258 *
259 * Get the initialization vector generator to use for
260 * payload encryption
261 *
262 * Returns: the IV generator object
263 */
267 /**
268 * qcrypto_block_get_kdf_hash:
269 * @block: the block encryption object
270 *
271 * Get the hash algorithm used with the key derivation
272 * function
273 *
274 * Returns: the hash algorithm
275 */
278 /**
279 * qcrypto_block_get_payload_offset:
280 * @block: the block encryption object
281 *
282 * Get the offset to the payload indicated by the
283 * encryption header, in bytes.
284 *
285 * Returns: the payload offset in bytes
286 */
289 /**
290 * qcrypto_block_get_sector_size:
291 * @block: the block encryption object
292 *
293 * Get the size of sectors used for payload encryption. A new
294 * IV is used at the start of each sector. The encryption
295 * sector size is not required to match the sector size of the
296 * underlying storage. For example LUKS will always use a 512
297 * byte sector size, even if the volume is on a disk with 4k
298 * sectors.
299 *
300 * Returns: the sector in bytes
301 */
304 /**
305 * qcrypto_block_free:
306 * @block: the block encryption object
307 *
308 * Release all resources associated with the encryption
309 * object
310 */