10 # @QCryptoTLSCredsEndpoint:
12 # The type of network endpoint that will be using the credentials.
13 # Most types of credential require different setup / structures
14 # depending on whether they will be used in a server versus a client.
16 # @client: the network endpoint is acting as the client
18 # @server: the network endpoint is acting as the server
22 { 'enum': 'QCryptoTLSCredsEndpoint',
23 'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT',
24 'data': ['client', 'server']}
27 # @QCryptoSecretFormat:
29 # The data format that the secret is provided in
31 # @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences
34 # @base64: arbitrary base64 encoded binary data
38 { 'enum': 'QCryptoSecretFormat',
39 'prefix': 'QCRYPTO_SECRET_FORMAT',
40 'data': ['raw', 'base64']}
43 # @QCryptoHashAlgorithm:
45 # The supported algorithms for computing content digests
47 # @md5: MD5. Should not be used in any new code, legacy compat only
49 # @sha1: SHA-1. Should not be used in any new code, legacy compat only
51 # @sha224: SHA-224. (since 2.7)
53 # @sha256: SHA-256. Current recommended strong hash.
55 # @sha384: SHA-384. (since 2.7)
57 # @sha512: SHA-512. (since 2.7)
59 # @ripemd160: RIPEMD-160. (since 2.7)
63 { 'enum': 'QCryptoHashAlgorithm',
64 'prefix': 'QCRYPTO_HASH_ALG',
65 'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']}
68 # @QCryptoCipherAlgorithm:
70 # The supported algorithms for content encryption ciphers
72 # @aes-128: AES with 128 bit / 16 byte keys
74 # @aes-192: AES with 192 bit / 24 byte keys
76 # @aes-256: AES with 256 bit / 32 byte keys
78 # @des: DES with 56 bit / 8 byte keys. Do not use except in VNC.
81 # @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9)
83 # @cast5-128: Cast5 with 128 bit / 16 byte keys
85 # @serpent-128: Serpent with 128 bit / 16 byte keys
87 # @serpent-192: Serpent with 192 bit / 24 byte keys
89 # @serpent-256: Serpent with 256 bit / 32 byte keys
91 # @twofish-128: Twofish with 128 bit / 16 byte keys
93 # @twofish-192: Twofish with 192 bit / 24 byte keys
95 # @twofish-256: Twofish with 256 bit / 32 byte keys
99 { 'enum': 'QCryptoCipherAlgorithm',
100 'prefix': 'QCRYPTO_CIPHER_ALG',
101 'data': ['aes-128', 'aes-192', 'aes-256',
104 'serpent-128', 'serpent-192', 'serpent-256',
105 'twofish-128', 'twofish-192', 'twofish-256']}
108 # @QCryptoCipherMode:
110 # The supported modes for content encryption ciphers
112 # @ecb: Electronic Code Book
114 # @cbc: Cipher Block Chaining
116 # @xts: XEX with tweaked code book and ciphertext stealing
118 # @ctr: Counter (Since 2.8)
122 { 'enum': 'QCryptoCipherMode',
123 'prefix': 'QCRYPTO_CIPHER_MODE',
124 'data': ['ecb', 'cbc', 'xts', 'ctr']}
127 # @QCryptoIVGenAlgorithm:
129 # The supported algorithms for generating initialization vectors for
130 # full disk encryption. The 'plain' generator should not be used for
131 # disks with sector numbers larger than 2^32, except where
132 # compatibility with pre-existing Linux dm-crypt volumes is required.
134 # @plain: 64-bit sector number truncated to 32-bits
136 # @plain64: 64-bit sector number
138 # @essiv: 64-bit sector number encrypted with a hash of the encryption
143 { 'enum': 'QCryptoIVGenAlgorithm',
144 'prefix': 'QCRYPTO_IVGEN_ALG',
145 'data': ['plain', 'plain64', 'essiv']}
148 # @QCryptoBlockFormat:
150 # The supported full disk encryption formats
152 # @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only for
153 # liberating data from old images.
155 # @luks: LUKS encryption format. Recommended for new images
159 { 'enum': 'QCryptoBlockFormat',
160 # 'prefix': 'QCRYPTO_BLOCK_FORMAT',
161 'data': ['qcow', 'luks']}
164 # @QCryptoBlockOptionsBase:
166 # The common options that apply to all full disk encryption formats
168 # @format: the encryption format
172 { 'struct': 'QCryptoBlockOptionsBase',
173 'data': { 'format': 'QCryptoBlockFormat' }}
176 # @QCryptoBlockOptionsQCow:
178 # The options that apply to QCow/QCow2 AES-CBC encryption format
180 # @key-secret: the ID of a QCryptoSecret object providing the
181 # decryption key. Mandatory except when probing image for
186 { 'struct': 'QCryptoBlockOptionsQCow',
187 'data': { '*key-secret': 'str' }}
190 # @QCryptoBlockOptionsLUKS:
192 # The options that apply to LUKS encryption format
194 # @key-secret: the ID of a QCryptoSecret object providing the
195 # decryption key. Mandatory except when probing image for
200 { 'struct': 'QCryptoBlockOptionsLUKS',
201 'data': { '*key-secret': 'str' }}
204 # @QCryptoBlockCreateOptionsLUKS:
206 # The options that apply to LUKS encryption format initialization
208 # @cipher-alg: the cipher algorithm for data encryption Currently
209 # defaults to 'aes-256'.
211 # @cipher-mode: the cipher mode for data encryption Currently defaults
214 # @ivgen-alg: the initialization vector generator Currently defaults
217 # @ivgen-hash-alg: the initialization vector generator hash Currently
218 # defaults to 'sha256'
220 # @hash-alg: the master key hash algorithm Currently defaults to
223 # @iter-time: number of milliseconds to spend in PBKDF passphrase
224 # processing. Currently defaults to 2000. (since 2.8)
228 { 'struct': 'QCryptoBlockCreateOptionsLUKS',
229 'base': 'QCryptoBlockOptionsLUKS',
230 'data': { '*cipher-alg': 'QCryptoCipherAlgorithm',
231 '*cipher-mode': 'QCryptoCipherMode',
232 '*ivgen-alg': 'QCryptoIVGenAlgorithm',
233 '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
234 '*hash-alg': 'QCryptoHashAlgorithm',
235 '*iter-time': 'int'}}
238 # @QCryptoBlockOpenOptions:
240 # The options that are available for all encryption formats when
241 # opening an existing volume
245 { 'union': 'QCryptoBlockOpenOptions',
246 'base': 'QCryptoBlockOptionsBase',
247 'discriminator': 'format',
248 'data': { 'qcow': 'QCryptoBlockOptionsQCow',
249 'luks': 'QCryptoBlockOptionsLUKS' } }
252 # @QCryptoBlockCreateOptions:
254 # The options that are available for all encryption formats when
255 # initializing a new volume
259 { 'union': 'QCryptoBlockCreateOptions',
260 'base': 'QCryptoBlockOptionsBase',
261 'discriminator': 'format',
262 'data': { 'qcow': 'QCryptoBlockOptionsQCow',
263 'luks': 'QCryptoBlockCreateOptionsLUKS' } }
266 # @QCryptoBlockInfoBase:
268 # The common information that applies to all full disk encryption
271 # @format: the encryption format
275 { 'struct': 'QCryptoBlockInfoBase',
276 'data': { 'format': 'QCryptoBlockFormat' }}
279 # @QCryptoBlockInfoLUKSSlot:
281 # Information about the LUKS block encryption key slot options
283 # @active: whether the key slot is currently in use
285 # @key-offset: offset to the key material in bytes
287 # @iters: number of PBKDF2 iterations for key material
289 # @stripes: number of stripes for splitting key material
293 { 'struct': 'QCryptoBlockInfoLUKSSlot',
294 'data': {'active': 'bool',
297 'key-offset': 'int' } }
300 # @QCryptoBlockInfoLUKS:
302 # Information about the LUKS block encryption options
304 # @cipher-alg: the cipher algorithm for data encryption
306 # @cipher-mode: the cipher mode for data encryption
308 # @ivgen-alg: the initialization vector generator
310 # @ivgen-hash-alg: the initialization vector generator hash
312 # @hash-alg: the master key hash algorithm
314 # @payload-offset: offset to the payload data in bytes
316 # @master-key-iters: number of PBKDF2 iterations for key material
318 # @uuid: unique identifier for the volume
320 # @slots: information about each key slot
324 { 'struct': 'QCryptoBlockInfoLUKS',
325 'data': {'cipher-alg': 'QCryptoCipherAlgorithm',
326 'cipher-mode': 'QCryptoCipherMode',
327 'ivgen-alg': 'QCryptoIVGenAlgorithm',
328 '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
329 'hash-alg': 'QCryptoHashAlgorithm',
330 'payload-offset': 'int',
331 'master-key-iters': 'int',
333 'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }}
338 # Information about the block encryption options
342 { 'union': 'QCryptoBlockInfo',
343 'base': 'QCryptoBlockInfoBase',
344 'discriminator': 'format',
345 'data': { 'luks': 'QCryptoBlockInfoLUKS' } }
348 # @QCryptoBlockLUKSKeyslotState:
350 # Defines state of keyslots that are affected by the update
352 # @active: The slots contain the given password and marked as active
354 # @inactive: The slots are erased (contain garbage) and marked as
359 { 'enum': 'QCryptoBlockLUKSKeyslotState',
360 'data': [ 'active', 'inactive' ] }
363 # @QCryptoBlockAmendOptionsLUKS:
365 # This struct defines the update parameters that activate/de-activate
368 # @state: the desired state of the keyslots
370 # @new-secret: The ID of a QCryptoSecret object providing the password
371 # to be written into added active keyslots
373 # @old-secret: Optional (for deactivation only) If given will
374 # deactivate all keyslots that match password located in
375 # QCryptoSecret with this ID
377 # @iter-time: Optional (for activation only) Number of milliseconds to
378 # spend in PBKDF passphrase processing for the newly activated
379 # keyslot. Currently defaults to 2000.
381 # @keyslot: Optional. ID of the keyslot to activate/deactivate. For
382 # keyslot activation, keyslot should not be active already (this
383 # is unsafe to update an active keyslot), but possible if 'force'
384 # parameter is given. If keyslot is not given, first free keyslot
387 # For keyslot deactivation, this parameter specifies the exact
388 # keyslot to deactivate
390 # @secret: Optional. The ID of a QCryptoSecret object providing the
391 # password to use to retrieve current master key. Defaults to the
392 # same secret that was used to open the image
396 { 'struct': 'QCryptoBlockAmendOptionsLUKS',
397 'data': { 'state': 'QCryptoBlockLUKSKeyslotState',
398 '*new-secret': 'str',
399 '*old-secret': 'str',
405 # @QCryptoBlockAmendOptions:
407 # The options that are available for all encryption formats when
408 # amending encryption settings
412 { 'union': 'QCryptoBlockAmendOptions',
413 'base': 'QCryptoBlockOptionsBase',
414 'discriminator': 'format',
416 'luks': 'QCryptoBlockAmendOptionsLUKS' } }
419 # @SecretCommonProperties:
421 # Properties for objects of classes derived from secret-common.
423 # @loaded: if true, the secret is loaded immediately when applying
424 # this option and will probably fail when processing the next
425 # option. Don't use; only provided for compatibility.
428 # @format: the data format that the secret is provided in
431 # @keyid: the name of another secret that should be used to decrypt
432 # the provided data. If not present, the data is assumed to be
435 # @iv: the random initialization vector used for encryption of this
436 # particular secret. Should be a base64 encrypted string of the
437 # 16-byte IV. Mandatory if @keyid is given. Ignored if @keyid is
442 # @deprecated: Member @loaded is deprecated. Setting true doesn't
443 # make sense, and false is already the default.
447 { 'struct': 'SecretCommonProperties',
448 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
449 '*format': 'QCryptoSecretFormat',
456 # Properties for secret objects.
458 # Either @data or @file must be provided, but not both.
460 # @data: the associated with the secret from
462 # @file: the filename to load the data associated with the secret from
466 { 'struct': 'SecretProperties',
467 'base': 'SecretCommonProperties',
468 'data': { '*data': 'str',
472 # @SecretKeyringProperties:
474 # Properties for secret_keyring objects.
476 # @serial: serial number that identifies a key to get from the kernel
480 { 'struct': 'SecretKeyringProperties',
481 'base': 'SecretCommonProperties',
482 'data': { 'serial': 'int32' } }
485 # @TlsCredsProperties:
487 # Properties for objects of classes derived from tls-creds.
489 # @verify-peer: if true the peer credentials will be verified once the
490 # handshake is completed. This is a no-op for anonymous
491 # credentials. (default: true)
493 # @dir: the path of the directory that contains the credential files
495 # @endpoint: whether the QEMU network backend that uses the
496 # credentials will be acting as a client or as a server
499 # @priority: a gnutls priority string as described at
500 # https://gnutls.org/manual/html_node/Priority-Strings.html
504 { 'struct': 'TlsCredsProperties',
505 'data': { '*verify-peer': 'bool',
507 '*endpoint': 'QCryptoTLSCredsEndpoint',
508 '*priority': 'str' } }
511 # @TlsCredsAnonProperties:
513 # Properties for tls-creds-anon objects.
515 # @loaded: if true, the credentials are loaded immediately when
516 # applying this option and will ignore options that are processed
517 # later. Don't use; only provided for compatibility.
522 # @deprecated: Member @loaded is deprecated. Setting true doesn't
523 # make sense, and false is already the default.
527 { 'struct': 'TlsCredsAnonProperties',
528 'base': 'TlsCredsProperties',
529 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } }
532 # @TlsCredsPskProperties:
534 # Properties for tls-creds-psk objects.
536 # @loaded: if true, the credentials are loaded immediately when
537 # applying this option and will ignore options that are processed
538 # later. Don't use; only provided for compatibility.
541 # @username: the username which will be sent to the server. For
542 # clients only. If absent, "qemu" is sent and the property will
543 # read back as an empty string.
547 # @deprecated: Member @loaded is deprecated. Setting true doesn't
548 # make sense, and false is already the default.
552 { 'struct': 'TlsCredsPskProperties',
553 'base': 'TlsCredsProperties',
554 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
555 '*username': 'str' } }
558 # @TlsCredsX509Properties:
560 # Properties for tls-creds-x509 objects.
562 # @loaded: if true, the credentials are loaded immediately when
563 # applying this option and will ignore options that are processed
564 # later. Don't use; only provided for compatibility.
567 # @sanity-check: if true, perform some sanity checks before using the
568 # credentials (default: true)
570 # @passwordid: For the server-key.pem and client-key.pem files which
571 # contain sensitive private keys, it is possible to use an
572 # encrypted version by providing the @passwordid parameter. This
573 # provides the ID of a previously created secret object containing
574 # the password for decryption.
578 # @deprecated: Member @loaded is deprecated. Setting true doesn't
579 # make sense, and false is already the default.
583 { 'struct': 'TlsCredsX509Properties',
584 'base': 'TlsCredsProperties',
585 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
586 '*sanity-check': 'bool',
587 '*passwordid': 'str' } }
589 # @QCryptoAkCipherAlgorithm:
591 # The supported algorithms for asymmetric encryption ciphers
593 # @rsa: RSA algorithm
597 { 'enum': 'QCryptoAkCipherAlgorithm',
598 'prefix': 'QCRYPTO_AKCIPHER_ALG',
602 # @QCryptoAkCipherKeyType:
604 # The type of asymmetric keys.
608 { 'enum': 'QCryptoAkCipherKeyType',
609 'prefix': 'QCRYPTO_AKCIPHER_KEY_TYPE',
610 'data': ['public', 'private']}
613 # @QCryptoRSAPaddingAlgorithm:
615 # The padding algorithm for RSA.
617 # @raw: no padding used
623 { 'enum': 'QCryptoRSAPaddingAlgorithm',
624 'prefix': 'QCRYPTO_RSA_PADDING_ALG',
625 'data': ['raw', 'pkcs1']}
628 # @QCryptoAkCipherOptionsRSA:
630 # Specific parameters for RSA algorithm.
632 # @hash-alg: QCryptoHashAlgorithm
634 # @padding-alg: QCryptoRSAPaddingAlgorithm
638 { 'struct': 'QCryptoAkCipherOptionsRSA',
639 'data': { 'hash-alg':'QCryptoHashAlgorithm',
640 'padding-alg': 'QCryptoRSAPaddingAlgorithm'}}
643 # @QCryptoAkCipherOptions:
645 # The options that are available for all asymmetric key algorithms
646 # when creating a new QCryptoAkCipher.
650 { 'union': 'QCryptoAkCipherOptions',
651 'base': { 'alg': 'QCryptoAkCipherAlgorithm' },
652 'discriminator': 'alg',
653 'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }}