Kevin Wolf <kw...@redhat.com> writes:

> Am 05.02.2020 um 11:03 hat Markus Armbruster geschrieben:
>> Kevin Wolf <kw...@redhat.com> writes:
>>
>> > Am 05.02.2020 um 09:24 hat Markus Armbruster geschrieben:
>> >> Daniel, Kevin, any comments or objections to the QAPI schema design
>> >> sketch developed below?
>> >>
>> >> For your convenience, here's the result again:
>> >>
>> >>     { 'enum': 'LUKSKeyslotState',
>> >>       'data': [ 'active', 'inactive' ] }
>> >>     { 'struct': 'LUKSKeyslotActive',
>> >>       'data': { 'secret': 'str',
>> >>                 '*iter-time': 'int' } }
>> >>     { 'union': 'LUKSKeyslotAmend',
>> >>       'base': { '*keyslot': 'int',
>> >>                 'state': 'LUKSKeyslotState' },
>> >>       'discriminator': 'state',
>> >>       'data': { 'active': 'LUKSKeyslotActive' } }
>> >
>> > I think one of the requirements was that you can specify the keyslot not
>> > only by using its number, but also by specifying the old secret.
>>
>> Quoting myself:
>>
>>     When we don't specify the slot#, then "new state active" selects an
>>     inactive slot (chosen by the system), and "new state inactive" selects
>>     slots by secret (commonly just one slot).
>>
>> This takes care of selecting (active) slots by old secret with "new
>> state inactive".
>
> "new secret inactive" can't select a slot by secret because 'secret'
> doesn't even exist for inactive.
My mistake.  My text leading up to my schema has it, but the schema
itself doesn't.  Obvious fix:

As struct:

    { 'struct': 'LUKSKeyslotUpdate',
      'data': { 'active': 'bool',       # could do enum instead
                '*keyslot': 'int',
                '*secret': 'str',       # present if @active is true
                                        # or @keyslot is absent
                '*iter-time': 'int' } } # absent if @active is false

As union:

    { 'enum': 'LUKSKeyslotState',
      'data': [ 'active', 'inactive' ] }
    { 'struct': 'LUKSKeyslotActive',
      'data': { 'secret': 'str',
                '*iter-time': 'int' } }
    { 'struct': 'LUKSKeyslotInactive',
      'data': { '*secret': 'str' } }    # either @secret or @keyslot present
                                        # might want to name this @old-secret
    { 'union': 'LUKSKeyslotAmend',
      'base': { '*keyslot': 'int',
                'state': 'LUKSKeyslotState' },
      'discriminator': 'state',
      'data': { 'active': 'LUKSKeyslotActive',
                'inactive': 'LUKSKeyslotInactive' } }

The "deactivate secret" operation needs a bit of force to fit into the
amend interface's "describe desired state" mold: the desired state is
(state=inactive, secret=S).  In other words, the inactive slot keeps its
secret, you just can't use it for anything.

Sadly, even with a union, we now have optional members that aren't
really optional: "either @secret or @keyslot present".  To avoid that,
we'd have to come up with sane semantics for "neither" and "both".  Let
me try.

The basic idea is to have @keyslot and @secret each select a set of
slots, and take the intersection.

If @keyslot is
    present: { @keyslot }
    absent: all slots

If @secret is
    present: the set of slots holding @secret
    absent: all slots

Neither present: select all slots.

Both present: slot @keyslot if it holds @secret, else no slots

The ability to specify @keyslot and @secret might actually be
appreciated by some users.  Belt *and* suspenders.

Selecting no slots could be a no-op or an error.  As a user, I don't
care as long as I can tell what the command actually changed.

Selecting all slots is an error because deactivating the last slot is.
No different from selecting all slots with a particular secret when no
active slots with different secrets exist.

I'm not sure this is much of an improvement.

>> I intentionally did not provide for selecting (active) slots by old
>> secret with "new state active", because that's unsafe update in place.
>>
>> We want to update secrets, of course.  But the safe way to do that is to
>> put the new secret into a free slot, and if that succeeds, deactivate
>> the old secret.  If deactivation fails, you're left with both old and
>> new secret, which beats being left with no secret when update in place
>> fails.
>
> Right.  I wonder if qemu-img wants support for that specifically
> (possibly with allowing to enter the key interactively) rather than
> requiring the user to call qemu-img amend twice.

Human users may well appreciate such a "replace secret" operation.

As so often with high-level operations, the difficulty is its failure
modes:

* Activation fails: no change (old secret still active)

* Deactivate fails: both secrets are active

Humans should be able to deal with both failure modes, provided the
error reporting is sane.

If I'd have to program a machine, however, I'd rather use the primitive
operations, because each either succeeds completely or fails completely,
which means I don't have to figure out *how* something failed.

Note that such a high-level "replace secret" doesn't quite fit into the
amend interface's "describe desired state" mold: the old secret is not
part of the desired state.

>> > Trivial
>> > extension, you just get another optional field that can be specified
>> > instead of 'keyslot'.
>> >
>> > Resulting commands:
>> >
>> > Adding a key:
>> >     qemu-img amend -o
>> >       encrypt.keys.0.state=active,encrypt.keys.0.secret=sec0 test.qcow2
>>
>> This activates an inactive slot chosen by the system.
>>
>> You can activate a specific keyslot N by throwing in
>> encrypt.keys.0.keyslot=N.
>
> Yes.  The usual case is that you just want to add a new key somewhere.
Sure.

>> > Deleting a key:
>> >     qemu-img amend -o
>> >       encrypt.keys.0.state=inactive,encrypt.keys.0.keyslot=2 test.qcow2
>>
>> This deactivates keyslot#2.
>>
>> You can deactivate slots holding a specific secret S by replacing
>> encrypt.keys.0.keyslot=2 by encrypt.keys.0.secret=S.
>
> Not with your definition above, but with the appropriate changes, this
> makes sense.

Appropriately corrected, I hope.

>> > Previous version (if this series is applied unchanged):
>> >
>> > Adding a key:
>> >     qemu-img amend -o encrypt.keys.0.new-secret=sec0 test.qcow2
>> >
>> > Deleting a key:
>> >     qemu-img amend -o encrypt.keys.0.new-secret=,encrypt.keys.0.keyslot=2
>> >       test.qcow2
>> >
>> > Adding a key gets more complicated with your proposed interface because
>> > state must be set explicitly now whereas before it was derived
>> > automatically from the fact that if you give a key, only active makes
>> > sense.
>>
>> The explicitness could be viewed as an improvement :)
>
> Not really.  I mean, I really know to appreciate the advantages of
> -blockdev where needed, but usually I don't want to type all that stuff
> for the most common tasks.  qemu-img amend is similar.
>
> For deleting, I might actually agree that explicitness is an
> improvement, but for creating it's just unnecessary verbosity.
>
>> If you'd prefer implicit here: Max has patches for making union tags
>> optional with a default.  They'd let you default active to true.
>
> I guess this would improve the usability in this case.
>
> Kevin
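Added example, not part of the thread and not QEMU code: a small C model of the two things the mail above argues about, the slot-selection rule (intersection of @keyslot and @secret, "no slots" reported rather than silently ignored, "all slots" refused because it would deactivate the last active slot) and the two-step "replace secret" operation with its two failure modes. The LuksImage/KeySlot types, the ERR_* codes, the ReplaceResult enum and the fail_deactivate fault-injection flag are assumptions made for illustration; a real LUKS header holds PBKDF-wrapped key material, not the secret string.

```c
/*
 * Added model of the slot-selection and "replace secret" semantics
 * discussed above; not QEMU code.  LuksImage, KeySlot, the error codes
 * and the fault-injection flag are invented for illustration, and a real
 * LUKS header stores PBKDF-wrapped key material, not the secret itself.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NSLOTS 8                /* LUKS1 has 8 keyslots */
#define NO_KEYSLOT (-1)         /* "@keyslot absent" */
#define ERR_NONE_SELECTED (-1)  /* empty selection: nothing to change */
#define ERR_LAST_SLOT     (-2)  /* would deactivate every active slot */
#define ERR_IO            (-3)  /* injected header write failure */
#define ERR_SLOT_ACTIVE   (-4)  /* refuse update in place */

typedef struct {
    bool active;
    char secret[64];            /* an inactive slot keeps it but cannot use it */
} KeySlot;

typedef struct {
    KeySlot slots[NSLOTS];
    bool fail_deactivate;       /* fault injection for step 2 of replace */
} LuksImage;

/*
 * Intersection semantics from the mail: @keyslot absent -> all slots, else
 * { @keyslot }; @secret absent -> all slots, else the active slots holding
 * @secret.  Returns a bitmask of the selected slots, 0 when none match.
 */
uint32_t select_slots(const LuksImage *img, int keyslot, const char *secret)
{
    uint32_t mask = 0;
    for (int i = 0; i < NSLOTS; i++) {
        const KeySlot *s = &img->slots[i];
        bool by_slot = keyslot == NO_KEYSLOT || keyslot == i;
        bool by_secret = !secret || (s->active && !strcmp(s->secret, secret));
        if (by_slot && by_secret)
            mask |= 1u << i;
    }
    return mask;
}

/* state=active: fill @keyslot, or the first inactive slot when it is absent.
 * Returns the slot used, or a negative error. */
int activate(LuksImage *img, int keyslot, const char *secret)
{
    if (keyslot == NO_KEYSLOT) {
        for (int i = 0; i < NSLOTS && keyslot == NO_KEYSLOT; i++)
            if (!img->slots[i].active)
                keyslot = i;
        if (keyslot == NO_KEYSLOT)
            return ERR_NONE_SELECTED;   /* no free slot */
    } else if (keyslot < 0 || keyslot >= NSLOTS) {
        return ERR_NONE_SELECTED;
    } else if (img->slots[keyslot].active) {
        return ERR_SLOT_ACTIVE;
    }
    snprintf(img->slots[keyslot].secret, sizeof img->slots[keyslot].secret,
             "%s", secret);
    img->slots[keyslot].active = true;
    return keyslot;
}

/* state=inactive: deactivate every selected slot, but never the last one. */
int deactivate(LuksImage *img, int keyslot, const char *secret)
{
    uint32_t mask = select_slots(img, keyslot, secret);
    int remaining = 0;
    if (!mask)
        return ERR_NONE_SELECTED;
    for (int i = 0; i < NSLOTS; i++)
        remaining += img->slots[i].active && !(mask & (1u << i));
    if (!remaining)
        return ERR_LAST_SLOT;           /* "selecting all slots is an error" */
    if (img->fail_deactivate)
        return ERR_IO;
    for (int i = 0; i < NSLOTS; i++)
        if (mask & (1u << i))
            img->slots[i].active = false;
    return 0;
}

typedef enum { REPLACE_OK, REPLACE_NO_CHANGE, REPLACE_BOTH_ACTIVE } ReplaceResult;

/* The two primitives in the safe order; the result names the failure mode. */
ReplaceResult replace_secret(LuksImage *img, const char *old_secret,
                             const char *new_secret)
{
    if (!select_slots(img, NO_KEYSLOT, old_secret) ||
        activate(img, NO_KEYSLOT, new_secret) < 0)
        return REPLACE_NO_CHANGE;       /* step 1 failed: old secret still active */
    if (deactivate(img, NO_KEYSLOT, old_secret) < 0)
        return REPLACE_BOTH_ACTIVE;     /* step 2 failed: both secrets active */
    return REPLACE_OK;
}
```

deactivate() treats an empty selection as an error rather than a silent no-op, so a caller can always tell whether the command changed anything, which is the property asked for above; activate() never overwrites an active slot, so the only way to change a secret is the activate-then-deactivate sequence, and replace_secret() names which of the two steps failed instead of collapsing both into one error.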