From: Max Reitz <mreitz@redhat.com>
To: "Kevin Wolf" <kwolf@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>
Cc: qemu-block@nongnu.org, John Snow <jsnow@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
qemu-devel@nongnu.org, John Ferlan <jferlan@redhat.com>,
Maxim Levitsky <mlevitsk@redhat.com>
Subject: Re: API definition for LUKS key management
Date: Tue, 12 Nov 2019 11:47:00 +0100 [thread overview]
Message-ID: <1543a6e1-6cb9-b1ea-5f98-79308bf09c75@redhat.com> (raw)
In-Reply-To: <20191112091245.GB5364@linux.fritz.box>
[-- Attachment #1.1: Type: text/plain, Size: 4954 bytes --]
On 12.11.19 10:12, Kevin Wolf wrote:
> Am 11.11.2019 um 19:34 hat Daniel P. Berrangé geschrieben:
>> On Mon, Nov 11, 2019 at 05:58:20PM +0200, Maxim Levitsky wrote:
>>> One of the concerns that was raised during the review was that amend interface for luks that I propose is
>>> different from the amend inteface used currently for qcow2.
>>>
>>> qcow2 amend interface specifies all the format options, thus overwrites the existing options.
>>> Thus it seems natural to make the luks amend interface work the same way, that it receive an array
>>> of 8 slots, and for each slot specify if it is active, and if true what password to put in it.
>>> This does allow to add and erase the keyslots, but it doesn't allow:
>>>
>>> * add a password without knowing all other passwords that exist in existing keyslots
>>> this can be mitigated by specifying which keyslots to modify for example by omitting the
>>> keyslots that shouldn't be touched from the array (passing null placeholder instead)
>>> but then it already doesn't follow the 'specify all the options each time' principle.
>>
>> I think this is highly undesirable, as we must not assume that the
>> mgmt app has access to all the passwords currently set.
>
> And I think this shows the problem that we realy have with the crypto
> driver and amend: For every other driver, if you must, you can query the
> current settings and just write them back.
>
> The difference here is that crypto doesn't allow to directly query or
> specify the content of some options (the keyslots), but provides only a
> way to derives that content from a secret, and obviously there is no way
> back from the stored data to the secret (that's what it's for).
>
> I think we have two options here:
>
> 1. Add a special "don't touch this" value for keyslots. Normally, just
> leaving out the value would be suitable syntax for this. Here,
> however, we have a list of keyslots, so we can't leave anything out.
>
> We could use something like an alternate between str (new secret ID),
> null (erase keyslot) and empty dict (leave it alone) - the latter
> feels a bit hackish, but maybe it's not too bad.
I thought of something similar, but how would that look on the command line?
Though I suppose if the worst thing were how it looks on the command
line, we could introduce a new qemu-img subcommand that then internally
translates into the right amend syntax.
> If the list is
> shorter than 8 entries, the rest is assumed to mean "leave it alone",
> too.
>
> 2. Allow to query and set the raw key, which doesn't require a password
>
>> The two key use cases for having multiple key slots are
>>
>> - To enable a two-phase change of passwords to ensure new password
>> is safely written out before erasing the old password
>>
>> - To allow for multiple access passwords with different controls
>> or access to when each password is made available.
>>
>> eg each VM may have a separate "backup password" securely
>> stored off host that is only made available for use when
>> doing disaster recovery.
>>
>> the second use case is doomed if you need to always provide all
>> current passwords when changing any key slots.
>
> That providing all current passwords doesn't work is obvious.
>
>>> * erase all keyslots matching a password - this is really hard to do using this approach,
>>> unless we give user some kind of api to try each keyslot with given password,
>>> which is kind of ugly and might be racy as well.
>>
>>> So what do you think?
>>
>> The point of using "amend" is that we already have some of the boilerplate
>> supporting framework around that, so it saves effort for both QEMU and
>> our users. If the semantics of "amend" don't fit nicely though, then the
>> benefit of re-using "amend" is cancelled out and we should go back to
>> considering a separate "key-manage" command.
>
> This wouldn't solve the fundamental problem that the crypto block
> driver, as it currently is, isn't able to provide a blockdev-amend
> callback. It's worse for qcow2 because qcow2 already implements amend.
Hm, well, I would have assumed this is only bad on the premise that we
want to have amend be complete at some point. Do we?
While I do think it might be nice to be able to change e.g. cluster_size
especially for the upcoming subcluster extension (in addition to
enabling subclusters on an existing image), I seriously doubt anyone’s
going to implement it. (Maybe enabling subclusters, but not changing
cluster_size.)
> I think we need to find a solution for the amend API.
I do think it’s weird to look for non-amend solutions when it clearly
looks like an amend problem, but OTOH I don’t think it would be that bad
to disregard amend. (Provided there are good reasons for disregarding it.)
Max
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2019-11-12 10:49 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-11 15:58 API definition for LUKS key management Maxim Levitsky
2019-11-11 18:34 ` Daniel P. Berrangé
2019-11-12 9:12 ` Kevin Wolf
2019-11-12 10:47 ` Max Reitz [this message]
2019-11-12 11:02 ` Daniel P. Berrangé
2019-11-14 10:54 ` Maxim Levitsky
2019-11-14 10:58 ` Maxim Levitsky
2019-11-14 10:37 ` Maxim Levitsky
2019-11-12 10:02 ` Daniel P. Berrangé
2019-11-22 14:22 ` API definition for LUKS key management [V2] Maxim Levitsky
2019-11-25 18:45 ` Max Reitz
2019-11-26 9:28 ` Maxim Levitsky
2019-11-26 14:24 ` Kevin Wolf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1543a6e1-6cb9-b1ea-5f98-79308bf09c75@redhat.com \
--to=mreitz@redhat.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=jferlan@redhat.com \
--cc=jsnow@redhat.com \
--cc=kwolf@redhat.com \
--cc=mlevitsk@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).