On 22.11.19 15:22, Maxim Levitsky wrote:
> Hi!
>
> This is the second version of the proposed QMP API for key management,
> after discussion with Kevin and Max.
>
> Will this work?
>
> Adding Peter Krempa to CC, to hear his opinion from the
> libvirt side.
>
> Best regards,
> Maxim Levitsky

Looks good to me overall.

I don’t think we need to overly push having the same interface for create
and amend, because I don’t see much to be gained from it.

[...]

> diff --git a/qapi/crypto.json b/qapi/crypto.json
> index b2a4cff683..019db682cd 100644
> --- a/qapi/crypto.json
> +++ b/qapi/crypto.json
> @@ -309,3 +309,56 @@
>    'base': 'QCryptoBlockInfoBase',
>    'discriminator': 'format',
>    'data': { 'luks': 'QCryptoBlockInfoLUKS' } }
> +
> +
> +##
> +# @LUKSKeyslotUpdate:
> +#
> +# @keyslot: If specified, will update only keyslot with this index
> +#
> +# @old-secret: If specified, will only update keyslots that
> +#              can be opened with password which is contained in
> +#              QCryptoSecret with @old-secret ID
> +#
> +# If neither @keyslot nor @old-secret is specified,
> +# first empty keyslot is selected for the update
> +#
> +# @new-secret: The ID of a QCryptoSecret object providing a new decryption
> +#              key to place in all matching keyslots. Empty string erases the
> +#              keyslot.

Hm...  Can’t we make this some string-or-null alternate type so that null
will erase the keyslot?  That would make more sense to me.

Max

> +# @iter-time: number of milliseconds to spend in
> +#             PBKDF passphrase processing
> +##
> +{ 'struct': 'LUKSKeyslotUpdate',
> +  'data': {
> +       '*keyslot': 'int',
> +       '*old-secret': 'str',
> +       'new-secret' : 'str',
> +       '*iter-time' : 'int' } }
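Review bot: the doc comment for @LUKSKeyslotUpdate leaves the error and edge cases of the selector unspecified, and that matters most for the erase path. It says what happens when neither @keyslot nor @old-secret is given (first empty keyslot), but not what happens when both are given (intersection, or an error?), nor what happens when @old-secret matches no keyslot or @keyslot names an already-empty one (silent no-op vs. error). Since "Empty string erases the keyslot" combined with @old-secret erases every keyslot the old passphrase opens, the comment should also state whether erasing the last remaining active keyslot is refused, because that would leave the volume permanently unopenable; the "Empty string" magic value itself is also easy to send by accident from a script with an unset variable, which is another argument for the explicit string-or-null alternate suggested above. Finally, @iter-time should document its default when omitted (e.g. "as chosen by the format's PBKDF benchmark") and that it only applies when @new-secret is non-empty, since there is nothing to derive for an erase. Suggested wording for the first point:

# If both @keyslot and @old-secret are specified, the keyslot
# with this index must also be openable with @old-secret,
# otherwise an error is returned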