| blob | c9d967d782ef3436a35607762e2bd3f3670b38a9 |
1 # -*- Mode: Python -*-
2 # vim: filetype=python
3 #
5 ##
6 # = Cryptography
7 ##
9 ##
10 # @QCryptoTLSCredsEndpoint:
11 #
12 # The type of network endpoint that will be using the credentials.
13 # Most types of credential require different setup / structures
14 # depending on whether they will be used in a server versus a client.
15 #
16 # @client: the network endpoint is acting as the client
17 #
18 # @server: the network endpoint is acting as the server
19 #
20 # Since: 2.5
21 ##
22 { 'enum': 'QCryptoTLSCredsEndpoint',
23 'data': ['client', 'server']}
25 ##
26 # @QCryptoSecretFormat:
27 #
28 # The data format that the secret is provided in
29 #
30 # @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences
31 # can be used
32 #
33 # @base64: arbitrary base64 encoded binary data
34 #
35 # Since: 2.6
36 ##
37 { 'enum': 'QCryptoSecretFormat',
38 'data': ['raw', 'base64']}
40 ##
41 # @QCryptoHashAlgo:
42 #
43 # The supported algorithms for computing content digests
44 #
45 # @md5: MD5. Should not be used in any new code, legacy compat only
46 #
47 # @sha1: SHA-1. Should not be used in any new code, legacy compat only
48 #
49 # @sha224: SHA-224. (since 2.7)
50 #
51 # @sha256: SHA-256. Current recommended strong hash.
52 #
53 # @sha384: SHA-384. (since 2.7)
54 #
55 # @sha512: SHA-512. (since 2.7)
56 #
57 # @ripemd160: RIPEMD-160. (since 2.7)
58 # @sm3: SM3. (since 9.2.0)
59 #
60 # Since: 2.6
61 ##
62 { 'enum': 'QCryptoHashAlgo',
63 'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160', 'sm3']}
65 ##
66 # @QCryptoCipherAlgo:
67 #
68 # The supported algorithms for content encryption ciphers
69 #
70 # @aes-128: AES with 128 bit / 16 byte keys
71 #
72 # @aes-192: AES with 192 bit / 24 byte keys
73 #
74 # @aes-256: AES with 256 bit / 32 byte keys
75 #
76 # @des: DES with 56 bit / 8 byte keys. Do not use except in VNC.
77 # (since 6.1)
78 #
79 # @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9)
80 #
81 # @cast5-128: Cast5 with 128 bit / 16 byte keys
82 #
83 # @serpent-128: Serpent with 128 bit / 16 byte keys
84 #
85 # @serpent-192: Serpent with 192 bit / 24 byte keys
86 #
87 # @serpent-256: Serpent with 256 bit / 32 byte keys
88 #
89 # @twofish-128: Twofish with 128 bit / 16 byte keys
90 #
91 # @twofish-192: Twofish with 192 bit / 24 byte keys
92 #
93 # @twofish-256: Twofish with 256 bit / 32 byte keys
94 #
95 # @sm4: SM4 with 128 bit / 16 byte keys (since 9.0)
96 #
97 # Since: 2.6
98 ##
99 { 'enum': 'QCryptoCipherAlgo',
100 'data': ['aes-128', 'aes-192', 'aes-256',
101 'des', '3des',
102 'cast5-128',
103 'serpent-128', 'serpent-192', 'serpent-256',
104 'twofish-128', 'twofish-192', 'twofish-256',
105 'sm4']}
107 ##
108 # @QCryptoCipherMode:
109 #
110 # The supported modes for content encryption ciphers
111 #
112 # @ecb: Electronic Code Book
113 #
114 # @cbc: Cipher Block Chaining
115 #
116 # @xts: XEX with tweaked code book and ciphertext stealing
117 #
118 # @ctr: Counter (Since 2.8)
119 #
120 # Since: 2.6
121 ##
122 { 'enum': 'QCryptoCipherMode',
123 'data': ['ecb', 'cbc', 'xts', 'ctr']}
125 ##
126 # @QCryptoIVGenAlgo:
127 #
128 # The supported algorithms for generating initialization vectors for
129 # full disk encryption. The 'plain' generator should not be used for
130 # disks with sector numbers larger than 2^32, except where
131 # compatibility with pre-existing Linux dm-crypt volumes is required.
132 #
133 # @plain: 64-bit sector number truncated to 32-bits
134 #
135 # @plain64: 64-bit sector number
136 #
137 # @essiv: 64-bit sector number encrypted with a hash of the encryption
138 # key
139 #
140 # Since: 2.6
141 ##
142 { 'enum': 'QCryptoIVGenAlgo',
143 'data': ['plain', 'plain64', 'essiv']}
145 ##
146 # @QCryptoBlockFormat:
147 #
148 # The supported full disk encryption formats
149 #
150 # @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only for
151 # liberating data from old images.
152 #
153 # @luks: LUKS encryption format. Recommended for new images
154 #
155 # Since: 2.6
156 ##
157 { 'enum': 'QCryptoBlockFormat',
158 'data': ['qcow', 'luks']}
160 ##
161 # @QCryptoBlockOptionsBase:
162 #
163 # The common options that apply to all full disk encryption formats
164 #
165 # @format: the encryption format
166 #
167 # Since: 2.6
168 ##
169 { 'struct': 'QCryptoBlockOptionsBase',
170 'data': { 'format': 'QCryptoBlockFormat' }}
172 ##
173 # @QCryptoBlockOptionsQCow:
174 #
175 # The options that apply to QCow/QCow2 AES-CBC encryption format
176 #
177 # @key-secret: the ID of a QCryptoSecret object providing the
178 # decryption key. Mandatory except when probing image for
179 # metadata only.
180 #
181 # Since: 2.6
182 ##
183 { 'struct': 'QCryptoBlockOptionsQCow',
184 'data': { '*key-secret': 'str' }}
186 ##
187 # @QCryptoBlockOptionsLUKS:
188 #
189 # The options that apply to LUKS encryption format
190 #
191 # @key-secret: the ID of a QCryptoSecret object providing the
192 # decryption key. Mandatory except when probing image for
193 # metadata only.
194 #
195 # Since: 2.6
196 ##
197 { 'struct': 'QCryptoBlockOptionsLUKS',
198 'data': { '*key-secret': 'str' }}
200 ##
201 # @QCryptoBlockCreateOptionsLUKS:
202 #
203 # The options that apply to LUKS encryption format initialization
204 #
205 # @cipher-alg: the cipher algorithm for data encryption Currently
206 # defaults to 'aes-256'.
207 #
208 # @cipher-mode: the cipher mode for data encryption Currently defaults
209 # to 'xts'
210 #
211 # @ivgen-alg: the initialization vector generator Currently defaults
212 # to 'plain64'
213 #
214 # @ivgen-hash-alg: the initialization vector generator hash Currently
215 # defaults to 'sha256'
216 #
217 # @hash-alg: the master key hash algorithm Currently defaults to
218 # 'sha256'
219 #
220 # @iter-time: number of milliseconds to spend in PBKDF passphrase
221 # processing. Currently defaults to 2000. (since 2.8)
222 #
223 # Since: 2.6
224 ##
225 { 'struct': 'QCryptoBlockCreateOptionsLUKS',
226 'base': 'QCryptoBlockOptionsLUKS',
227 'data': { '*cipher-alg': 'QCryptoCipherAlgo',
228 '*cipher-mode': 'QCryptoCipherMode',
229 '*ivgen-alg': 'QCryptoIVGenAlgo',
230 '*ivgen-hash-alg': 'QCryptoHashAlgo',
231 '*hash-alg': 'QCryptoHashAlgo',
232 '*iter-time': 'int' }}
234 ##
235 # @QCryptoBlockOpenOptions:
236 #
237 # The options that are available for all encryption formats when
238 # opening an existing volume
239 #
240 # Since: 2.6
241 ##
242 { 'union': 'QCryptoBlockOpenOptions',
243 'base': 'QCryptoBlockOptionsBase',
244 'discriminator': 'format',
245 'data': { 'qcow': 'QCryptoBlockOptionsQCow',
246 'luks': 'QCryptoBlockOptionsLUKS' } }
248 ##
249 # @QCryptoBlockCreateOptions:
250 #
251 # The options that are available for all encryption formats when
252 # initializing a new volume
253 #
254 # Since: 2.6
255 ##
256 { 'union': 'QCryptoBlockCreateOptions',
257 'base': 'QCryptoBlockOptionsBase',
258 'discriminator': 'format',
259 'data': { 'qcow': 'QCryptoBlockOptionsQCow',
260 'luks': 'QCryptoBlockCreateOptionsLUKS' } }
262 ##
263 # @QCryptoBlockInfoBase:
264 #
265 # The common information that applies to all full disk encryption
266 # formats
267 #
268 # @format: the encryption format
269 #
270 # Since: 2.7
271 ##
272 { 'struct': 'QCryptoBlockInfoBase',
273 'data': { 'format': 'QCryptoBlockFormat' }}
275 ##
276 # @QCryptoBlockInfoLUKSSlot:
277 #
278 # Information about the LUKS block encryption key slot options
279 #
280 # @active: whether the key slot is currently in use
281 #
282 # @key-offset: offset to the key material in bytes
283 #
284 # @iters: number of PBKDF2 iterations for key material
285 #
286 # @stripes: number of stripes for splitting key material
287 #
288 # Since: 2.7
289 ##
290 { 'struct': 'QCryptoBlockInfoLUKSSlot',
291 'data': {'active': 'bool',
292 '*iters': 'int',
293 '*stripes': 'int',
294 'key-offset': 'int' } }
296 ##
297 # @QCryptoBlockInfoLUKS:
298 #
299 # Information about the LUKS block encryption options
300 #
301 # @cipher-alg: the cipher algorithm for data encryption
302 #
303 # @cipher-mode: the cipher mode for data encryption
304 #
305 # @ivgen-alg: the initialization vector generator
306 #
307 # @ivgen-hash-alg: the initialization vector generator hash
308 #
309 # @hash-alg: the master key hash algorithm
310 #
311 # @detached-header: whether the LUKS header is detached (Since 9.0)
312 #
313 # @payload-offset: offset to the payload data in bytes
314 #
315 # @master-key-iters: number of PBKDF2 iterations for key material
316 #
317 # @uuid: unique identifier for the volume
318 #
319 # @slots: information about each key slot
320 #
321 # Since: 2.7
322 ##
323 { 'struct': 'QCryptoBlockInfoLUKS',
324 'data': {'cipher-alg': 'QCryptoCipherAlgo',
325 'cipher-mode': 'QCryptoCipherMode',
326 'ivgen-alg': 'QCryptoIVGenAlgo',
327 '*ivgen-hash-alg': 'QCryptoHashAlgo',
328 'hash-alg': 'QCryptoHashAlgo',
329 'detached-header': 'bool',
330 'payload-offset': 'int',
331 'master-key-iters': 'int',
332 'uuid': 'str',
333 'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }}
335 ##
336 # @QCryptoBlockInfo:
337 #
338 # Information about the block encryption options
339 #
340 # Since: 2.7
341 ##
342 { 'union': 'QCryptoBlockInfo',
343 'base': 'QCryptoBlockInfoBase',
344 'discriminator': 'format',
345 'data': { 'luks': 'QCryptoBlockInfoLUKS' } }
347 ##
348 # @QCryptoBlockLUKSKeyslotState:
349 #
350 # Defines state of keyslots that are affected by the update
351 #
352 # @active: The slots contain the given password and marked as active
353 #
354 # @inactive: The slots are erased (contain garbage) and marked as
355 # inactive
356 #
357 # Since: 5.1
358 ##
359 { 'enum': 'QCryptoBlockLUKSKeyslotState',
360 'data': [ 'active', 'inactive' ] }
362 ##
363 # @QCryptoBlockAmendOptionsLUKS:
364 #
365 # This struct defines the update parameters that activate/de-activate
366 # set of keyslots
367 #
368 # @state: the desired state of the keyslots
369 #
370 # @new-secret: The ID of a QCryptoSecret object providing the password
371 # to be written into added active keyslots
372 #
373 # @old-secret: Optional (for deactivation only) If given will
374 # deactivate all keyslots that match password located in
375 # QCryptoSecret with this ID
376 #
377 # @iter-time: Optional (for activation only) Number of milliseconds to
378 # spend in PBKDF passphrase processing for the newly activated
379 # keyslot. Currently defaults to 2000.
380 #
381 # @keyslot: Optional. ID of the keyslot to activate/deactivate. For
382 # keyslot activation, keyslot should not be active already (this
383 # is unsafe to update an active keyslot), but possible if 'force'
384 # parameter is given. If keyslot is not given, first free keyslot
385 # will be written.
386 #
387 # For keyslot deactivation, this parameter specifies the exact
388 # keyslot to deactivate
389 #
390 # @secret: Optional. The ID of a QCryptoSecret object providing the
391 # password to use to retrieve current master key. Defaults to the
392 # same secret that was used to open the image
393 #
394 # Since: 5.1
395 ##
396 { 'struct': 'QCryptoBlockAmendOptionsLUKS',
397 'data': { 'state': 'QCryptoBlockLUKSKeyslotState',
398 '*new-secret': 'str',
399 '*old-secret': 'str',
400 '*keyslot': 'int',
401 '*iter-time': 'int',
402 '*secret': 'str' } }
404 ##
405 # @QCryptoBlockAmendOptions:
406 #
407 # The options that are available for all encryption formats when
408 # amending encryption settings
409 #
410 # Since: 5.1
411 ##
412 { 'union': 'QCryptoBlockAmendOptions',
413 'base': 'QCryptoBlockOptionsBase',
414 'discriminator': 'format',
415 'data': {
416 'luks': 'QCryptoBlockAmendOptionsLUKS' } }
418 ##
419 # @SecretCommonProperties:
420 #
421 # Properties for objects of classes derived from secret-common.
422 #
423 # @format: the data format that the secret is provided in
424 # (default: raw)
425 #
426 # @keyid: the name of another secret that should be used to decrypt
427 # the provided data. If not present, the data is assumed to be
428 # unencrypted.
429 #
430 # @iv: the random initialization vector used for encryption of this
431 # particular secret. Should be a base64 encrypted string of the
432 # 16-byte IV. Mandatory if @keyid is given. Ignored if @keyid is
433 # absent.
434 #
435 # Since: 2.6
436 ##
437 { 'struct': 'SecretCommonProperties',
438 'data': { '*format': 'QCryptoSecretFormat',
439 '*keyid': 'str',
440 '*iv': 'str' } }
442 ##
443 # @SecretProperties:
444 #
445 # Properties for secret objects.
446 #
447 # Either @data or @file must be provided, but not both.
448 #
449 # @data: the associated with the secret from
450 #
451 # @file: the filename to load the data associated with the secret from
452 #
453 # Since: 2.6
454 ##
455 { 'struct': 'SecretProperties',
456 'base': 'SecretCommonProperties',
457 'data': { '*data': 'str',
458 '*file': 'str' } }
460 ##
461 # @SecretKeyringProperties:
462 #
463 # Properties for secret_keyring objects.
464 #
465 # @serial: serial number that identifies a key to get from the kernel
466 #
467 # Since: 5.1
468 ##
469 { 'struct': 'SecretKeyringProperties',
470 'base': 'SecretCommonProperties',
471 'data': { 'serial': 'int32' },
472 'if': 'CONFIG_SECRET_KEYRING' }
474 ##
475 # @TlsCredsProperties:
476 #
477 # Properties for objects of classes derived from tls-creds.
478 #
479 # @verify-peer: if true the peer credentials will be verified once the
480 # handshake is completed. This is a no-op for anonymous
481 # credentials. (default: true)
482 #
483 # @dir: the path of the directory that contains the credential files
484 #
485 # @endpoint: whether the QEMU network backend that uses the
486 # credentials will be acting as a client or as a server
487 # (default: client)
488 #
489 # @priority: a gnutls priority string as described at
490 # https://gnutls.org/manual/html_node/Priority-Strings.html
491 #
492 # Since: 2.5
493 ##
494 { 'struct': 'TlsCredsProperties',
495 'data': { '*verify-peer': 'bool',
496 '*dir': 'str',
497 '*endpoint': 'QCryptoTLSCredsEndpoint',
498 '*priority': 'str' } }
500 ##
501 # @TlsCredsAnonProperties:
502 #
503 # Properties for tls-creds-anon objects.
504 #
505 # Since: 2.5
506 ##
507 { 'struct': 'TlsCredsAnonProperties',
508 'base': 'TlsCredsProperties',
509 'data': { } }
511 ##
512 # @TlsCredsPskProperties:
513 #
514 # Properties for tls-creds-psk objects.
515 #
516 # @username: the username which will be sent to the server. For
517 # clients only. If absent, "qemu" is sent and the property will
518 # read back as an empty string.
519 #
520 # Since: 3.0
521 ##
522 { 'struct': 'TlsCredsPskProperties',
523 'base': 'TlsCredsProperties',
524 'data': { '*username': 'str' } }
526 ##
527 # @TlsCredsX509Properties:
528 #
529 # Properties for tls-creds-x509 objects.
530 #
531 # @sanity-check: if true, perform some sanity checks before using the
532 # credentials (default: true)
533 #
534 # @passwordid: For the server-key.pem and client-key.pem files which
535 # contain sensitive private keys, it is possible to use an
536 # encrypted version by providing the @passwordid parameter. This
537 # provides the ID of a previously created secret object containing
538 # the password for decryption.
539 #
540 # Since: 2.5
541 ##
542 { 'struct': 'TlsCredsX509Properties',
543 'base': 'TlsCredsProperties',
544 'data': { '*sanity-check': 'bool',
545 '*passwordid': 'str' } }
546 ##
547 # @QCryptoAkCipherAlgo:
548 #
549 # The supported algorithms for asymmetric encryption ciphers
550 #
551 # @rsa: RSA algorithm
552 #
553 # Since: 7.1
554 ##
555 { 'enum': 'QCryptoAkCipherAlgo',
556 'data': ['rsa']}
558 ##
559 # @QCryptoAkCipherKeyType:
560 #
561 # The type of asymmetric keys.
562 #
563 # @public: public key
564 #
565 # @private: private key
566 #
567 # Since: 7.1
568 ##
569 { 'enum': 'QCryptoAkCipherKeyType',
570 'data': ['public', 'private']}
572 ##
573 # @QCryptoRSAPaddingAlgo:
574 #
575 # The padding algorithm for RSA.
576 #
577 # @raw: no padding used
578 #
579 # @pkcs1: pkcs1#v1.5
580 #
581 # Since: 7.1
582 ##
583 { 'enum': 'QCryptoRSAPaddingAlgo',
584 'data': ['raw', 'pkcs1']}
586 ##
587 # @QCryptoAkCipherOptionsRSA:
588 #
589 # Specific parameters for RSA algorithm.
590 #
591 # @hash-alg: QCryptoHashAlgo
592 #
593 # @padding-alg: QCryptoRSAPaddingAlgo
594 #
595 # Since: 7.1
596 ##
597 { 'struct': 'QCryptoAkCipherOptionsRSA',
598 'data': { 'hash-alg':'QCryptoHashAlgo',
599 'padding-alg': 'QCryptoRSAPaddingAlgo'}}
601 ##
602 # @QCryptoAkCipherOptions:
603 #
604 # The options that are available for all asymmetric key algorithms
605 # when creating a new QCryptoAkCipher.
606 #
607 # @alg: encryption cipher algorithm
608 #
609 # Since: 7.1
610 ##
611 { 'union': 'QCryptoAkCipherOptions',
612 'base': { 'alg': 'QCryptoAkCipherAlgo' },
613 'discriminator': 'alg',
614 'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }}