[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] blobstore disk format (was Re: Design of the blobstore)

From: Daniel P. Berrange
Subject: Re: [Qemu-devel] blobstore disk format (was Re: Design of the blobstore)
Date: Wed, 28 Sep 2011 16:50:31 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

On Wed, Sep 28, 2011 at 11:48:19AM -0400, Stefan Berger wrote:
> On 09/22/2011 02:37 AM, Michael S. Tsirkin wrote:
> >On Wed, Sep 21, 2011 at 09:44:37PM -0400, Stefan Berger wrote:
> >>On 09/19/2011 03:04 PM, Michael S. Tsirkin wrote:
> >>>On Mon, Sep 19, 2011 at 12:22:02PM -0400, Stefan Berger wrote:
> >>>>On 09/17/2011 03:28 PM, Michael S. Tsirkin wrote:
> >>>>>On Fri, Sep 16, 2011 at 12:46:40PM -0400, Stefan Berger wrote:
> >>>>The checksuming I think makes sense if encryption is being added so
> >>>>decryption and testing for proper key material remains an NVRAM
> >>>>operation rather than a device operation.
> >>>Not sure how this addresses the question of what to do
> >>>on checksum failure.
> >>>
> >>Checksum failure on an unencrypted blob would mean that the blob is
> >>corrupted. In case of encryption 'corrupted' would overlap with a
> >>'badly decrypted' blob. In either way the startup of the device
> >>cannot happen.
> >With corruption - why not? A specific block being corrupted does not mean all
> >data is lost.
> >
> Presumably if you feed bad data into a device it either has its own
> way of integrity checking the blob (we actually do this for the TPM)
> or it will blow up/show wrong behavior at some point - hopefully
> sooner rather than later. Though the detection of bad data *can* be
> an NVRAM operation rather than the operation of a device using the
> data stored in the NVRAM.
> >>We could refuse the NVRAM key suggesting that likely
> >>this is the wrong key for decryption but corruption is also
> >>possible.
> >I'm guessing that if we find a correct ber structure in the file, this
> >most likely means the key is correct.
> [I still would add at least a CRC32 (or maybe even a SHA1) for
> detection of corruption of the ASN.1 encoded blob without having to
> hunt the data through a ASN.1 decoder.]
> If we now say that data should be encryptable even if QCoW2 wasn't
> used, then is a command line option
> -nvram id=<driveid>,key=<hex key>,...
> something we should support to make the key applicable to the whole NVRAM?

Try to avoid requiring secret keys to be set on the command line...
At least allow setting them via a monitor command

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

reply via email to

[Prev in Thread] Current Thread [Next in Thread]