Re: [PATCH 02/13] qcrypto-luks: implement encryption key management

[Markus Armbruster <armbru@redhat.com>]

Kevin Wolf <kwolf@redhat.com> writes:

> Am 05.02.2020 um 11:03 hat Markus Armbruster geschrieben:
>> Kevin Wolf <kwolf@redhat.com> writes:
>> 
>> > Am 05.02.2020 um 09:24 hat Markus Armbruster geschrieben:
>> >> Daniel, Kevin, any comments or objections to the QAPI schema design
>> >> sketch developed below?
>> >> 
>> >> For your convenience, here's the result again:
>> >> 
>> >>     { 'enum': 'LUKSKeyslotState',
>> >>       'data': [ 'active', 'inactive' ] }
>> >>     { 'struct': 'LUKSKeyslotActive',
>> >>       'data': { 'secret': 'str',
>> >>                 '*iter-time': 'int } }
>> >>     { 'union': 'LUKSKeyslotAmend',
>> >>       'base': { '*keyslot': 'int',
>> >>                 'state': 'LUKSKeyslotState' }
>> >>       'discriminator': 'state',
>> >>       'data': { 'active': 'LUKSKeyslotActive' } }
>> >
>> > I think one of the requirements was that you can specify the keyslot not
>> > only by using its number, but also by specifying the old secret.
>> 
>> Quoting myself:
>> 
>>   When we don't specify the slot#, then "new state active" selects an
>>   inactive slot (chosen by the system, and "new state inactive selects
>>   slots by secret (commonly just one slot).
>> 
>> This takes care of selecting (active) slots by old secret with "new
>> state inactive".
>
> "new secret inactive" can't select a slot by secret because 'secret'
> doesn't even exist for inactive.

My mistake.  My text leading up to my schema has it, but the schema
itself doesn't.  Obvious fix:

As struct:

    { 'struct': 'LUKSKeyslotUpdate',
      'data': { 'active': 'bool',       # could do enum instead
                '*keyslot': 'int',
                '*secret': 'str',       # present if @active is true
                                        #   or @keyslot is absent
                '*iter-time': 'int' } } # absent if @active is false

As union:

    { 'enum': 'LUKSKeyslotState',
      'data': [ 'active', 'inactive' ] }
    { 'struct': 'LUKSKeyslotActive',
      'data': { 'secret': 'str',
                '*iter-time': 'int } }
    { 'struct': 'LUKSKeyslotInactive',
      'data': { '*secret': 'str' } }    # either @secret or @keyslot present
                                        # might want to name this @old-secret
    { 'union': 'LUKSKeyslotAmend',
      'base': { '*keyslot': 'int',
                'state': 'LUKSKeyslotState' }
      'discriminator': 'state',
      'data': { 'active': 'LUKSKeyslotActive',
                'inactive': 'LUKSKeyslotInactive' } }

The "deactivate secret" operation needs a bit of force to fit into the
amend interface's "describe desired state" mold: the desired state is
(state=inactive, secret=S).  In other words, the inactive slot keeps its
secret, you just can't use it for anything.

Sadly, even with a union, we now have optional members that aren't
really optional: "either @secret or @keyslot present".  To avoid that,
we'd have to come up with sane semantics for "neither" and "both".  Let
me try.

The basic idea is to have @keyslot and @secret each select a set of
slots, and take the intersection.

If @keyslot is present: { @keyslot }
               absent: all slots
If @secret is present: the set of slots holding @secret
              absent: all slots

Neither present: select all slots.
Both present: slot @keyslot if it holds @secret, else no slots

The ability to specify @keyslot and @secret might actually be
appreciated by some users.  Belt *and* suspenders.

Selecting no slots could be a no-op or an error.  As a user, I don't
care as long as I can tell what the command actually changed.

Selecting all slots is an error because deactivating the last slot is.
No different from selecting all slots with a particular secret when no
active slots with different secrets exist.

I'm not sure this is much of an improvement.

>> I intentionally did not provide for selecting (active) slots by old
>> secret with "new state active", because that's unsafe update in place.
>> 
>> We want to update secrets, of course.  But the safe way to do that is to
>> put the new secret into a free slot, and if that succeeds, deactivate
>> the old secret.  If deactivation fails, you're left with both old and
>> new secret, which beats being left with no secret when update in place
>> fails.
>
> Right. I wonder if qemu-img wants support for that specifically
> (possibly with allowing to enter the key interactively) rather than
> requiring the user to call qemu-img amend twice.

Human users may well appreciate such a "replace secret" operation.  As
so often with high-level operations, the difficulty is its failure
modes:

* Activation fails: no change (old secret still active)

* Deactivate fails: both secrets are active

Humans should be able to deal with both failure modes, provided the
error reporting is sane.

If I'd have to program a machine, however, I'd rather use the primitive
operations, because each either succeeds completely or fails completely,
which means I don't have to figure out *how* something failed.

Note that such a high-level "replace secret" doesn't quite fit into the
amend interface's "describe desired state" mold: the old secret is not
part of the desired state.

>> >                                                                  Trivial
>> > extension, you just get another optional field that can be specified
>> > instead of 'keyslot'.
>> >
>> > Resulting commands:
>> >
>> >     Adding a key:
>> >     qemu-img amend -o encrypt.keys.0.state=active,encrypt.keys.0.secret=sec0 test.qcow2
>> 
>> This activates an inactive slot chosen by the sysem.
>> 
>> You can activate a specific keyslot N by throwing in
>> encrypt.keys.0.keyslot=N.
>
> Yes. The usual case is that you just want to add a new key somwhere.

Sure.

>> >     Deleting a key:
>> >     qemu-img amend -o encrypt.keys.0.state=inactive,encrypt.keys.0.keyslot=2 test.qcow2
>> 
>> This deactivates keyslot#2.
>> 
>> You can deactivate slots holding a specific secret S by replacing
>> encrypt.keys.0.keyslot=2 by encrypt.keys.0.secret=S.
>
> Not with your definition above, but with the appropriate changes, this
> makes sense.

Appropriately corrected, I hope.

>> > Previous version (if this series is applied unchanged):
>> >
>> >     Adding a key:
>> >     qemu-img amend -o encrypt.keys.0.new-secret=sec0 test.qcow2
>> >
>> >     Deleting a key:
>> >     qemu-img amend -o encrypt.keys.0.new-secret=,encrypt.keys.0.keyslot=2 test.qcow2
>> >
>> > Adding a key gets more complicated with your proposed interface because
>> > state must be set explicitly now whereas before it was derived
>> > automatically from the fact that if you give a key, only active makes
>> > sense.
>> 
>> The explicitness could be viewed as an improvement :)
>
> Not really. I mean, I really know to appreciate the advantages of
> -blockdev where needed, but usually I don't want to type all that stuff
> for the most common tasks. qemu-img amend is similar.
>
> For deleting, I might actually agree that explicitness is an
> improvement, but for creating it's just unnecessary verbosity.
>
>> If you'd prefer implicit here: Max has patches for making union tags
>> optional with a default.  They'd let you default active to true.
>
> I guess this would improve the usability in this case.
>
> Kevin