On Wed, 03/12 18:00, Markus Armbruster wrote:
> Opening an encrypted image takes an additional step: setting the key.
> Between open and the key set, the image must not be used.
>
> We have some protection against accidental use in place: you can't
> unpause a guest while we're missing keys. You can, however, hot-plug
> block devices lacking keys into a running guest just fine, or insert
> media lacking keys. In the latter case, notifying the guest of the
> insert is delayed until the key is set, which may suffice to protect
> at least some guests in common usage.
>
> This patch makes the protection apply in more cases, in a rather
> heavy-handed way: it doesn't let you open encrypted images unless
> we're in a paused state.
>
> It doesn't extend the protection to users other than the guest (block
> jobs?). Use of runstate_check() from block.c is disgusting. Best I
> can do right now.
>
> Signed-off-by: Markus Armbruster <arm...@redhat.com>
> ---
> block.c | 8 +++++++-
> stubs/Makefile.objs | 1 +
> stubs/runstate-check.c | 6 ++++++
> 3 files changed, 14 insertions(+), 1 deletion(-)
> create mode 100644 stubs/runstate-check.c
>
> diff --git a/block.c b/block.c
> index f1ef4b0..7604881 100644
> --- a/block.c
> +++ b/block.c
> @@ -1388,12 +1388,18 @@ done:
> ret = -EINVAL;
> goto close_and_fail;
> }
> - QDECREF(options);
>
> if (!bdrv_key_required(bs)) {
> bdrv_dev_change_media_cb(bs, true);
> + } else if (!runstate_check(RUN_STATE_PRELAUNCH)
> + && !runstate_check(RUN_STATE_PAUSED)) { /* HACK */
> + error_setg(errp,
> + "Guest must be stopped for opening of encrypted image");
Changing error message here breaks qemu-iotests 087.
Thanks,
Fam
> + ret = -EBUSY;
> + goto close_and_fail;
> }
>
> + QDECREF(options);
> *pbs = bs;
> return 0;
>
> diff --git a/stubs/Makefile.objs b/stubs/Makefile.objs
> index df3aa7a..09e7790 100644
> --- a/stubs/Makefile.objs
> +++ b/stubs/Makefile.objs
> @@ -19,6 +19,7 @@ stub-obj-y += mon-protocol-event.o
> stub-obj-y += mon-set-error.o
> stub-obj-y += pci-drive-hot-add.o
> stub-obj-y += reset.o
> +stub-obj-y += runstate-check.o
> stub-obj-y += set-fd-handler.o
> stub-obj-y += slirp.o
> stub-obj-y += sysbus.o
> diff --git a/stubs/runstate-check.c b/stubs/runstate-check.c
> new file mode 100644
> index 0000000..bd2e375
> --- /dev/null
> +++ b/stubs/runstate-check.c
> @@ -0,0 +1,6 @@
> +#include "sysemu/sysemu.h"
> +
> +bool runstate_check(RunState state)
> +{
> + return state == RUN_STATE_PRELAUNCH;
> +}
> --
> 1.8.1.4
>
>
