qemu-block
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 02/13] qcrypto-luks: implement encryption key management

From: Kevin Wolf
Subject: Re: [PATCH 02/13] qcrypto-luks: implement encryption key management
Date: Thu, 30 Jan 2020 13:38:47 +0100
User-agent: Mutt/1.12.1 (2019-06-15) 
Am 28.01.2020 um 18:32 hat Daniel P. Berrangé geschrieben:
> On Tue, Jan 28, 2020 at 05:11:16PM +0000, Daniel P. Berrangé wrote:
> > On Tue, Jan 21, 2020 at 03:13:01PM +0200, Maxim Levitsky wrote:
> > > On Tue, 2020-01-21 at 08:54 +0100, Markus Armbruster wrote:
> > > 
> > > <trimmed>
> > > 
> > > > > +##
> > > > > +# @LUKSKeyslotUpdate:
> > > > > +#
> > > > > +# @keyslot:         If specified, will update only keyslot with this 
> > > > > index
> > > > > +#
> > > > > +# @old-secret:      If specified, will only update keyslots that
> > > > > +#                   can be opened with password which is contained in
> > > > > +#                   QCryptoSecret with @old-secret ID
> > > > > +#
> > > > > +#                   If neither @keyslot nor @old-secret is specified,
> > > > > +#                   first empty keyslot is selected for the update
> > > > > +#
> > > > > +# @new-secret:      The ID of a QCryptoSecret object providing a new 
> > > > > decryption
> > > > > +#                   key to place in all matching keyslots.
> > > > > +#                   null/empty string erases all matching keyslots
> > > > 
> > > > I hate making the empty string do something completely different than a
> > > > non-empty string.
> > > > 
> > > > What about making @new-secret optional, and have absent @new-secret
> > > > erase?
> > > 
> > > I don't remember already why I and Keven Wolf decided to do this this 
> > > way, but I think that you are right here.
> > > I don't mind personally to do this this way.
> > > empty string though is my addition, since its not possible to pass null 
> > > on command line.
> > 
> > IIUC this a result of using  "StrOrNull" for this one field...
> > 
> > 
> > > > > +# Since: 5.0
> > > > > +##
> > > > > +{ 'struct': 'LUKSKeyslotUpdate',
> > > > > +  'data': {
> > > > > +           '*keyslot': 'int',
> > > > > +           '*old-secret': 'str',
> > > > > +           'new-secret' : 'StrOrNull',
> > > > > +           '*iter-time' : 'int' } }
> > 
> > It looks wierd here to be special casing "new-secret" to "StrOrNull"
> > instead of just marking it as an optional string field
> > 
> >    "*new-secret": "str"
> > 
> > which would be possible to use from the command line, as you simply
> > omit the field.
> > 
> > I guess the main danger here is that we're using this as a trigger
> > to erase keyslots. So simply omitting "new-secret" can result
> > in damage to the volume by accident which is not an attractive
> > mode.

Right. It's been a while since I discussed this with Maxim, but I think
this was the motivation for me to suggest an explicit null value.

As long as we don't support passing null from the command line, I see
the problem with it, though. Empty string (which I think we didn't
discuss before) looks like a reasonable enough workaround to me, but if
you think this is too much magic, then maybe not.

> Thinking about this again, I really believe we ought to be moire
> explicit about disabling the keyslot by having the "active" field.
> eg
> 
> { 'struct': 'LUKSKeyslotUpdate',
>   'data': {
>           'active': 'bool',
>           '*keyslot': 'int',
>           '*old-secret': 'str',
>           '*new-secret' : 'str',
>           '*iter-time' : 'int' } }
> 
> "new-secret" is thus only needed when "active" == true.

Hm. At the very least, I would make 'active' optional and default to
true, so that for adding or updating you must only specify 'new-secret'
and for deleting only 'active'.

> This avoids the problem with being unable to specify a null for
> StrOrNull on the command line too.

If we ever get a way to pass null on the command line, how would we
think about a struct like this? Will it still feel right, or will it
feel like we feel about simple unions today (they exist, we would like
to get rid of them, but we can't because compatibility)?

Instead of keeping talking about potential future extensions, would it
make more sense to just extend the grammar of the keyval parser now so
that you can specify a type, including null?

We already wanted to use an alternate for keyslot (int) and old-secret
(str) initially, which makes it clear on the schema level that you can
only specify one of both. It would have worked fine for QMP, but not on
the command line because we can't tell integers from strings there. If
we can distinguish them as foo:int=2 and foo:str=2 then that wouldn't be
a problem any more either.

Kevin
reply via email to
[Prev in Thread] Current Thread [Next in Thread]