yong.hu...@smartx.com writes:

> From: Hyman Huang <yong.hu...@smartx.com>
>
> Even though a LUKS header might be created with cryptsetup,
> qemu-img should be enhanced to accommodate it as well.
>
> Add the 'detached-header' option to specify the creation of
> a detached LUKS header. This is how it is used:
> $ qemu-img create --object secret,id=sec0,data=abc123 -f luks
>> -o cipher-alg=aes-256,cipher-mode=xts -o key-secret=sec0
>> -o detached-header=true header.luks
>
> Using qemu-img or cryptsetup tools to query information of
> an LUKS header image as follows:
>
> Assume a detached LUKS header image has been created by:
> $ dd if=/dev/zero of=test-header.img bs=1M count=32
> $ dd if=/dev/zero of=test-payload.img bs=1M count=1000
> $ cryptsetup luksFormat --header test-header.img test-payload.img
>> --force-password --type luks1
>
> Header image information could be queried using cryptsetup:
> $ cryptsetup luksDump test-header.img
>
> or qemu-img:
> $ qemu-img info 'json:{"driver":"luks","file":{"filename":
>> "test-payload.img"},"header":{"filename":"test-header.img"}}'
>
> When using qemu-img, keep in mind that the entire disk
> information specified by the JSON-format string above must be
> supplied on the commandline; if not, an overlay check will reveal
> a problem with the LUKS volume check logic.
>
> Signed-off-by: Hyman Huang <yong.hu...@smartx.com>
[...] > diff --git a/qapi/crypto.json b/qapi/crypto.json > index fd3d46ebd1..62fd145223 100644 > --- a/qapi/crypto.json > +++ b/qapi/crypto.json > @@ -223,6 +223,8 @@ > # @iter-time: number of milliseconds to spend in PBKDF passphrase > # processing. Currently defaults to 2000. (since 2.8) > # > +# @detached-header: create a detached LUKS header. (since 9.0) > +# Behavior when @detached-header is present vs. behavior when it's absent? > # Since: 2.6 > ## > { 'struct': 'QCryptoBlockCreateOptionsLUKS', > @@ -232,7 +234,8 @@ > '*ivgen-alg': 'QCryptoIVGenAlgorithm', > '*ivgen-hash-alg': 'QCryptoHashAlgorithm', > '*hash-alg': 'QCryptoHashAlgorithm', > - '*iter-time': 'int'}} > + '*iter-time': 'int', > + '*detached-header': 'bool'}} > > ## > # @QCryptoBlockOpenOptions:
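Review bot: the added doc line "# @detached-header: create a detached LUKS header. (since 9.0)" in the first qapi/crypto.json hunk does not state the default or what happens when the member is false or absent, although the schema makes it optional ('*detached-header': 'bool'). The neighbouring @iter-time entry spells out its default ("Currently defaults to 2000"); please do the same here and word the description as a condition ("if true, ...; if false or absent, ..."). It would also help to say what the created image then contains, since a caller scripting volume creation has to rely on that.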
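Review bot: in the QCryptoBlockCreateOptionsLUKS hunk, '*detached-header': 'bool' only says that the header is to be created detached; nothing in the struct ties it to a payload, and the usage in the commit message (-o detached-header=true header.luks) passes no size. Please document in the struct comment how a size argument is treated when this is true and how the resulting header is later paired with its payload, given that the qemu-img info example in the commit message opens it through a separate "header" node.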