qemu

crypto.json (17269B)

---

 # -*- Mode: Python -*-
 # vim: filetype=python
 #
 
 ##
 # = Cryptography
 ##
 
 ##
 # @QCryptoTLSCredsEndpoint:
 #
 # The type of network endpoint that will be using the credentials.
 # Most types of credential require different setup / structures
 # depending on whether they will be used in a server versus a
 # client.
 #
 # @client: the network endpoint is acting as the client
 #
 # @server: the network endpoint is acting as the server
 #
 # Since: 2.5
 ##
 { 'enum': 'QCryptoTLSCredsEndpoint',
   'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT',
   'data': ['client', 'server']}
 
 ##
 # @QCryptoSecretFormat:
 #
 # The data format that the secret is provided in
 #
 # @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences can be used
 # @base64: arbitrary base64 encoded binary data
 #
 # Since: 2.6
 ##
 { 'enum': 'QCryptoSecretFormat',
   'prefix': 'QCRYPTO_SECRET_FORMAT',
   'data': ['raw', 'base64']}
 
 ##
 # @QCryptoHashAlgorithm:
 #
 # The supported algorithms for computing content digests
 #
 # @md5: MD5. Should not be used in any new code, legacy compat only
 # @sha1: SHA-1. Should not be used in any new code, legacy compat only
 # @sha224: SHA-224. (since 2.7)
 # @sha256: SHA-256. Current recommended strong hash.
 # @sha384: SHA-384. (since 2.7)
 # @sha512: SHA-512. (since 2.7)
 # @ripemd160: RIPEMD-160. (since 2.7)
 #
 # Since: 2.6
 ##
 { 'enum': 'QCryptoHashAlgorithm',
   'prefix': 'QCRYPTO_HASH_ALG',
   'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']}
 
 ##
 # @QCryptoCipherAlgorithm:
 #
 # The supported algorithms for content encryption ciphers
 #
 # @aes-128: AES with 128 bit / 16 byte keys
 # @aes-192: AES with 192 bit / 24 byte keys
 # @aes-256: AES with 256 bit / 32 byte keys
 # @des: DES with 56 bit / 8 byte keys. Do not use except in VNC. (since 6.1)
 # @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9)
 # @cast5-128: Cast5 with 128 bit / 16 byte keys
 # @serpent-128: Serpent with 128 bit / 16 byte keys
 # @serpent-192: Serpent with 192 bit / 24 byte keys
 # @serpent-256: Serpent with 256 bit / 32 byte keys
 # @twofish-128: Twofish with 128 bit / 16 byte keys
 # @twofish-192: Twofish with 192 bit / 24 byte keys
 # @twofish-256: Twofish with 256 bit / 32 byte keys
 #
 # Since: 2.6
 ##
 { 'enum': 'QCryptoCipherAlgorithm',
   'prefix': 'QCRYPTO_CIPHER_ALG',
   'data': ['aes-128', 'aes-192', 'aes-256',
            'des', '3des',
            'cast5-128',
            'serpent-128', 'serpent-192', 'serpent-256',
            'twofish-128', 'twofish-192', 'twofish-256']}
 
 ##
 # @QCryptoCipherMode:
 #
 # The supported modes for content encryption ciphers
 #
 # @ecb: Electronic Code Book
 # @cbc: Cipher Block Chaining
 # @xts: XEX with tweaked code book and ciphertext stealing
 # @ctr: Counter (Since 2.8)
 #
 # Since: 2.6
 ##
 { 'enum': 'QCryptoCipherMode',
   'prefix': 'QCRYPTO_CIPHER_MODE',
   'data': ['ecb', 'cbc', 'xts', 'ctr']}
 
 ##
 # @QCryptoIVGenAlgorithm:
 #
 # The supported algorithms for generating initialization
 # vectors for full disk encryption. The 'plain' generator
 # should not be used for disks with sector numbers larger
 # than 2^32, except where compatibility with pre-existing
 # Linux dm-crypt volumes is required.
 #
 # @plain: 64-bit sector number truncated to 32-bits
 # @plain64: 64-bit sector number
 # @essiv: 64-bit sector number encrypted with a hash of the encryption key
 #
 # Since: 2.6
 ##
 { 'enum': 'QCryptoIVGenAlgorithm',
   'prefix': 'QCRYPTO_IVGEN_ALG',
   'data': ['plain', 'plain64', 'essiv']}
 
 ##
 # @QCryptoBlockFormat:
 #
 # The supported full disk encryption formats
 #
 # @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only
 #        for liberating data from old images.
 # @luks: LUKS encryption format. Recommended for new images
 #
 # Since: 2.6
 ##
 { 'enum': 'QCryptoBlockFormat',
 #  'prefix': 'QCRYPTO_BLOCK_FORMAT',
   'data': ['qcow', 'luks']}
 
 ##
 # @QCryptoBlockOptionsBase:
 #
 # The common options that apply to all full disk
 # encryption formats
 #
 # @format: the encryption format
 #
 # Since: 2.6
 ##
 { 'struct': 'QCryptoBlockOptionsBase',
   'data': { 'format': 'QCryptoBlockFormat' }}
 
 ##
 # @QCryptoBlockOptionsQCow:
 #
 # The options that apply to QCow/QCow2 AES-CBC encryption format
 #
 # @key-secret: the ID of a QCryptoSecret object providing the
 #              decryption key. Mandatory except when probing image for
 #              metadata only.
 #
 # Since: 2.6
 ##
 { 'struct': 'QCryptoBlockOptionsQCow',
   'data': { '*key-secret': 'str' }}
 
 ##
 # @QCryptoBlockOptionsLUKS:
 #
 # The options that apply to LUKS encryption format
 #
 # @key-secret: the ID of a QCryptoSecret object providing the
 #              decryption key. Mandatory except when probing image for
 #              metadata only.
 #
 # Since: 2.6
 ##
 { 'struct': 'QCryptoBlockOptionsLUKS',
   'data': { '*key-secret': 'str' }}
 
 ##
 # @QCryptoBlockCreateOptionsLUKS:
 #
 # The options that apply to LUKS encryption format initialization
 #
 # @cipher-alg: the cipher algorithm for data encryption
 #              Currently defaults to 'aes-256'.
 # @cipher-mode: the cipher mode for data encryption
 #               Currently defaults to 'xts'
 # @ivgen-alg: the initialization vector generator
 #             Currently defaults to 'plain64'
 # @ivgen-hash-alg: the initialization vector generator hash
 #                  Currently defaults to 'sha256'
 # @hash-alg: the master key hash algorithm
 #            Currently defaults to 'sha256'
 # @iter-time: number of milliseconds to spend in
 #             PBKDF passphrase processing. Currently defaults
 #             to 2000. (since 2.8)
 #
 # Since: 2.6
 ##
 { 'struct': 'QCryptoBlockCreateOptionsLUKS',
   'base': 'QCryptoBlockOptionsLUKS',
   'data': { '*cipher-alg': 'QCryptoCipherAlgorithm',
             '*cipher-mode': 'QCryptoCipherMode',
             '*ivgen-alg': 'QCryptoIVGenAlgorithm',
             '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
             '*hash-alg': 'QCryptoHashAlgorithm',
             '*iter-time': 'int'}}
 
 ##
 # @QCryptoBlockOpenOptions:
 #
 # The options that are available for all encryption formats
 # when opening an existing volume
 #
 # Since: 2.6
 ##
 { 'union': 'QCryptoBlockOpenOptions',
   'base': 'QCryptoBlockOptionsBase',
   'discriminator': 'format',
   'data': { 'qcow': 'QCryptoBlockOptionsQCow',
             'luks': 'QCryptoBlockOptionsLUKS' } }
 
 ##
 # @QCryptoBlockCreateOptions:
 #
 # The options that are available for all encryption formats
 # when initializing a new volume
 #
 # Since: 2.6
 ##
 { 'union': 'QCryptoBlockCreateOptions',
   'base': 'QCryptoBlockOptionsBase',
   'discriminator': 'format',
   'data': { 'qcow': 'QCryptoBlockOptionsQCow',
             'luks': 'QCryptoBlockCreateOptionsLUKS' } }
 
 ##
 # @QCryptoBlockInfoBase:
 #
 # The common information that applies to all full disk
 # encryption formats
 #
 # @format: the encryption format
 #
 # Since: 2.7
 ##
 { 'struct': 'QCryptoBlockInfoBase',
   'data': { 'format': 'QCryptoBlockFormat' }}
 
 ##
 # @QCryptoBlockInfoLUKSSlot:
 #
 # Information about the LUKS block encryption key
 # slot options
 #
 # @active: whether the key slot is currently in use
 # @key-offset: offset to the key material in bytes
 # @iters: number of PBKDF2 iterations for key material
 # @stripes: number of stripes for splitting key material
 #
 # Since: 2.7
 ##
 { 'struct': 'QCryptoBlockInfoLUKSSlot',
   'data': {'active': 'bool',
            '*iters': 'int',
            '*stripes': 'int',
            'key-offset': 'int' } }
 
 ##
 # @QCryptoBlockInfoLUKS:
 #
 # Information about the LUKS block encryption options
 #
 # @cipher-alg: the cipher algorithm for data encryption
 # @cipher-mode: the cipher mode for data encryption
 # @ivgen-alg: the initialization vector generator
 # @ivgen-hash-alg: the initialization vector generator hash
 # @hash-alg: the master key hash algorithm
 # @payload-offset: offset to the payload data in bytes
 # @master-key-iters: number of PBKDF2 iterations for key material
 # @uuid: unique identifier for the volume
 # @slots: information about each key slot
 #
 # Since: 2.7
 ##
 { 'struct': 'QCryptoBlockInfoLUKS',
   'data': {'cipher-alg': 'QCryptoCipherAlgorithm',
            'cipher-mode': 'QCryptoCipherMode',
            'ivgen-alg': 'QCryptoIVGenAlgorithm',
            '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
            'hash-alg': 'QCryptoHashAlgorithm',
            'payload-offset': 'int',
            'master-key-iters': 'int',
            'uuid': 'str',
            'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }}
 
 ##
 # @QCryptoBlockInfo:
 #
 # Information about the block encryption options
 #
 # Since: 2.7
 ##
 { 'union': 'QCryptoBlockInfo',
   'base': 'QCryptoBlockInfoBase',
   'discriminator': 'format',
   'data': { 'luks': 'QCryptoBlockInfoLUKS' } }
 
 ##
 # @QCryptoBlockLUKSKeyslotState:
 #
 # Defines state of keyslots that are affected by the update
 #
 # @active: The slots contain the given password and marked as active
 # @inactive: The slots are erased (contain garbage) and marked as inactive
 #
 # Since: 5.1
 ##
 { 'enum': 'QCryptoBlockLUKSKeyslotState',
   'data': [ 'active', 'inactive' ] }
 
 ##
 # @QCryptoBlockAmendOptionsLUKS:
 #
 # This struct defines the update parameters that activate/de-activate set
 # of keyslots
 #
 # @state: the desired state of the keyslots
 #
 # @new-secret: The ID of a QCryptoSecret object providing the password to be
 #              written into added active keyslots
 #
 # @old-secret: Optional (for deactivation only)
 #              If given will deactivate all keyslots that
 #              match password located in QCryptoSecret with this ID
 #
 # @iter-time: Optional (for activation only)
 #             Number of milliseconds to spend in
 #             PBKDF passphrase processing for the newly activated keyslot.
 #             Currently defaults to 2000.
 #
 # @keyslot: Optional. ID of the keyslot to activate/deactivate.
 #           For keyslot activation, keyslot should not be active already
 #           (this is unsafe to update an active keyslot),
 #           but possible if 'force' parameter is given.
 #           If keyslot is not given, first free keyslot will be written.
 #
 #           For keyslot deactivation, this parameter specifies the exact
 #           keyslot to deactivate
 #
 # @secret: Optional. The ID of a QCryptoSecret object providing the
 #          password to use to retrieve current master key.
 #          Defaults to the same secret that was used to open the image
 #
 # Since: 5.1
 ##
 { 'struct': 'QCryptoBlockAmendOptionsLUKS',
   'data': { 'state': 'QCryptoBlockLUKSKeyslotState',
             '*new-secret': 'str',
             '*old-secret': 'str',
             '*keyslot': 'int',
             '*iter-time': 'int',
             '*secret': 'str' } }
 
 ##
 # @QCryptoBlockAmendOptions:
 #
 # The options that are available for all encryption formats
 # when amending encryption settings
 #
 # Since: 5.1
 ##
 { 'union': 'QCryptoBlockAmendOptions',
   'base': 'QCryptoBlockOptionsBase',
   'discriminator': 'format',
   'data': {
           'luks': 'QCryptoBlockAmendOptionsLUKS' } }
 
 ##
 # @SecretCommonProperties:
 #
 # Properties for objects of classes derived from secret-common.
 #
 # @loaded: if true, the secret is loaded immediately when applying this option
 #          and will probably fail when processing the next option. Don't use;
 #          only provided for compatibility. (default: false)
 #
 # @format: the data format that the secret is provided in (default: raw)
 #
 # @keyid: the name of another secret that should be used to decrypt the
 #         provided data. If not present, the data is assumed to be unencrypted.
 #
 # @iv: the random initialization vector used for encryption of this particular
 #      secret. Should be a base64 encrypted string of the 16-byte IV. Mandatory
 #      if @keyid is given. Ignored if @keyid is absent.
 #
 # Features:
 # @deprecated: Member @loaded is deprecated.  Setting true doesn't make sense,
 #              and false is already the default.
 #
 # Since: 2.6
 ##
 { 'struct': 'SecretCommonProperties',
   'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
             '*format': 'QCryptoSecretFormat',
             '*keyid': 'str',
             '*iv': 'str' } }
 
 ##
 # @SecretProperties:
 #
 # Properties for secret objects.
 #
 # Either @data or @file must be provided, but not both.
 #
 # @data: the associated with the secret from
 #
 # @file: the filename to load the data associated with the secret from
 #
 # Since: 2.6
 ##
 { 'struct': 'SecretProperties',
   'base': 'SecretCommonProperties',
   'data': { '*data': 'str',
             '*file': 'str' } }
 
 ##
 # @SecretKeyringProperties:
 #
 # Properties for secret_keyring objects.
 #
 # @serial: serial number that identifies a key to get from the kernel
 #
 # Since: 5.1
 ##
 { 'struct': 'SecretKeyringProperties',
   'base': 'SecretCommonProperties',
   'data': { 'serial': 'int32' } }
 
 ##
 # @TlsCredsProperties:
 #
 # Properties for objects of classes derived from tls-creds.
 #
 # @verify-peer: if true the peer credentials will be verified once the
 #               handshake is completed.  This is a no-op for anonymous
 #               credentials. (default: true)
 #
 # @dir: the path of the directory that contains the credential files
 #
 # @endpoint: whether the QEMU network backend that uses the credentials will be
 #            acting as a client or as a server (default: client)
 #
 # @priority: a gnutls priority string as described at
 #            https://gnutls.org/manual/html_node/Priority-Strings.html
 #
 # Since: 2.5
 ##
 { 'struct': 'TlsCredsProperties',
   'data': { '*verify-peer': 'bool',
             '*dir': 'str',
             '*endpoint': 'QCryptoTLSCredsEndpoint',
             '*priority': 'str' } }
 
 ##
 # @TlsCredsAnonProperties:
 #
 # Properties for tls-creds-anon objects.
 #
 # @loaded: if true, the credentials are loaded immediately when applying this
 #          option and will ignore options that are processed later. Don't use;
 #          only provided for compatibility. (default: false)
 #
 # Features:
 # @deprecated: Member @loaded is deprecated.  Setting true doesn't make sense,
 #              and false is already the default.
 #
 # Since: 2.5
 ##
 { 'struct': 'TlsCredsAnonProperties',
   'base': 'TlsCredsProperties',
   'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } }
 
 ##
 # @TlsCredsPskProperties:
 #
 # Properties for tls-creds-psk objects.
 #
 # @loaded: if true, the credentials are loaded immediately when applying this
 #          option and will ignore options that are processed later. Don't use;
 #          only provided for compatibility. (default: false)
 #
 # @username: the username which will be sent to the server.  For clients only.
 #            If absent, "qemu" is sent and the property will read back as an
 #            empty string.
 #
 # Features:
 # @deprecated: Member @loaded is deprecated.  Setting true doesn't make sense,
 #              and false is already the default.
 #
 # Since: 3.0
 ##
 { 'struct': 'TlsCredsPskProperties',
   'base': 'TlsCredsProperties',
   'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
             '*username': 'str' } }
 
 ##
 # @TlsCredsX509Properties:
 #
 # Properties for tls-creds-x509 objects.
 #
 # @loaded: if true, the credentials are loaded immediately when applying this
 #          option and will ignore options that are processed later. Don't use;
 #          only provided for compatibility. (default: false)
 #
 # @sanity-check: if true, perform some sanity checks before using the
 #                credentials (default: true)
 #
 # @passwordid: For the server-key.pem and client-key.pem files which contain
 #              sensitive private keys, it is possible to use an encrypted
 #              version by providing the @passwordid parameter.  This provides
 #              the ID of a previously created secret object containing the
 #              password for decryption.
 #
 # Features:
 # @deprecated: Member @loaded is deprecated.  Setting true doesn't make sense,
 #              and false is already the default.
 #
 # Since: 2.5
 ##
 { 'struct': 'TlsCredsX509Properties',
   'base': 'TlsCredsProperties',
   'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
             '*sanity-check': 'bool',
             '*passwordid': 'str' } }
 ##
 # @QCryptoAkCipherAlgorithm:
 #
 # The supported algorithms for asymmetric encryption ciphers
 #
 # @rsa: RSA algorithm
 #
 # Since: 7.1
 ##
 { 'enum': 'QCryptoAkCipherAlgorithm',
   'prefix': 'QCRYPTO_AKCIPHER_ALG',
   'data': ['rsa']}
 
 ##
 # @QCryptoAkCipherKeyType:
 #
 # The type of asymmetric keys.
 #
 # Since: 7.1
 ##
 { 'enum': 'QCryptoAkCipherKeyType',
   'prefix': 'QCRYPTO_AKCIPHER_KEY_TYPE',
   'data': ['public', 'private']}
 
 ##
 # @QCryptoRSAPaddingAlgorithm:
 #
 # The padding algorithm for RSA.
 #
 # @raw: no padding used
 # @pkcs1: pkcs1#v1.5
 #
 # Since: 7.1
 ##
 { 'enum': 'QCryptoRSAPaddingAlgorithm',
   'prefix': 'QCRYPTO_RSA_PADDING_ALG',
   'data': ['raw', 'pkcs1']}
 
 ##
 # @QCryptoAkCipherOptionsRSA:
 #
 # Specific parameters for RSA algorithm.
 #
 # @hash-alg: QCryptoHashAlgorithm
 # @padding-alg: QCryptoRSAPaddingAlgorithm
 #
 # Since: 7.1
 ##
 { 'struct': 'QCryptoAkCipherOptionsRSA',
   'data': { 'hash-alg':'QCryptoHashAlgorithm',
             'padding-alg': 'QCryptoRSAPaddingAlgorithm'}}
 
 ##
 # @QCryptoAkCipherOptions:
 #
 # The options that are available for all asymmetric key algorithms
 # when creating a new QCryptoAkCipher.
 #
 # Since: 7.1
 ##
 { 'union': 'QCryptoAkCipherOptions',
   'base': { 'alg': 'QCryptoAkCipherAlgorithm' },
   'discriminator': 'alg',
   'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }}