On 09/28/2011 11:50 AM, Daniel P. Berrange wrote:
On Wed, Sep 28, 2011 at 11:48:19AM -0400, Stefan Berger wrote:
On 09/22/2011 02:37 AM, Michael S. Tsirkin wrote:
I'm guessing that if we find a correct ber structure in the file, this
most likely means the key is correct.
[I still would add at least a CRC32 (or maybe even a SHA1) for
detection of corruption of the ASN.1 encoded blob without having to
hunt the data through a ASN.1 decoder.]
If we now say that data should be encryptable even if QCoW2 wasn't
used, then is a command line option
-nvram id=<driveid>,key=<hex key>,...
something we should support to make the key applicable to the whole NVRAM?
Try to avoid requiring secret keys to be set on the command line...
At least allow setting them via a monitor command
Hm, this brings me back to the previous problem of the ordering of
things that ended up being problematic:
In the case of encrypted QCoW2 the monitor queries for the password when
the use types 'c' for continue. That happens *after* device's 'init'
function was called and also *after* their 'reset' handler was invoked,
so not being able to decrypt encrypted state blobs and not being able to
feed devices with their persistent state even until the 'reset' handler
was invoked. The password comes quite late.
The monitor reacts to key typing, which in turn is handled in the
main_loop() in vl.c.
So, the solution could be that each NVRAM client also registers its
reset handler (along with the DeviceState pointer). Each NVRAM client
would have to be written in such a way that it ignores previous failed
attempts to read its state due to the key coming so late and once the
NVRAM has the key it invokes the reset handlers again, which now trigger
the reading of the state in the NVRAM that now can be decrypted. Does
this sound 'sane' or more like a 'hack' ?
Stefan
Daniel
