[mirror_qemu.git] / qapi / crypto.json

# -*- Mode: Python -*-
# vim: filetype=python
#

##
# = Cryptography
##

##
# @QCryptoTLSCredsEndpoint:
#
# The type of network endpoint that will be using the credentials.
# Most types of credential require different setup / structures
# depending on whether they will be used in a server versus a
# client.
#
# @client: the network endpoint is acting as the client
#
# @server: the network endpoint is acting as the server
#
# Since: 2.5
##
{ 'enum': 'QCryptoTLSCredsEndpoint',
  'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT',
  'data': ['client', 'server']}

##
# @QCryptoSecretFormat:
#
# The data format that the secret is provided in
#
# @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences can be used
# @base64: arbitrary base64 encoded binary data
#
# Since: 2.6
##
{ 'enum': 'QCryptoSecretFormat',
  'prefix': 'QCRYPTO_SECRET_FORMAT',
  'data': ['raw', 'base64']}

##
# @QCryptoHashAlgorithm:
#
# The supported algorithms for computing content digests
#
# @md5: MD5. Should not be used in any new code, legacy compat only
# @sha1: SHA-1. Should not be used in any new code, legacy compat only
# @sha224: SHA-224. (since 2.7)
# @sha256: SHA-256. Current recommended strong hash.
# @sha384: SHA-384. (since 2.7)
# @sha512: SHA-512. (since 2.7)
# @ripemd160: RIPEMD-160. (since 2.7)
#
# Since: 2.6
##
{ 'enum': 'QCryptoHashAlgorithm',
  'prefix': 'QCRYPTO_HASH_ALG',
  'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']}

##
# @QCryptoCipherAlgorithm:
#
# The supported algorithms for content encryption ciphers
#
# @aes-128: AES with 128 bit / 16 byte keys
# @aes-192: AES with 192 bit / 24 byte keys
# @aes-256: AES with 256 bit / 32 byte keys
# @des: DES with 56 bit / 8 byte keys. Do not use except in VNC. (since 6.1)
# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9)
# @cast5-128: Cast5 with 128 bit / 16 byte keys
# @serpent-128: Serpent with 128 bit / 16 byte keys
# @serpent-192: Serpent with 192 bit / 24 byte keys
# @serpent-256: Serpent with 256 bit / 32 byte keys
# @twofish-128: Twofish with 128 bit / 16 byte keys
# @twofish-192: Twofish with 192 bit / 24 byte keys
# @twofish-256: Twofish with 256 bit / 32 byte keys
#
# Since: 2.6
##
{ 'enum': 'QCryptoCipherAlgorithm',
  'prefix': 'QCRYPTO_CIPHER_ALG',
  'data': ['aes-128', 'aes-192', 'aes-256',
           'des', '3des',
           'cast5-128',
           'serpent-128', 'serpent-192', 'serpent-256',
           'twofish-128', 'twofish-192', 'twofish-256']}

##
# @QCryptoCipherMode:
#
# The supported modes for content encryption ciphers
#
# @ecb: Electronic Code Book
# @cbc: Cipher Block Chaining
# @xts: XEX with tweaked code book and ciphertext stealing
# @ctr: Counter (Since 2.8)
#
# Since: 2.6
##
{ 'enum': 'QCryptoCipherMode',
  'prefix': 'QCRYPTO_CIPHER_MODE',
  'data': ['ecb', 'cbc', 'xts', 'ctr']}

##
# @QCryptoIVGenAlgorithm:
#
# The supported algorithms for generating initialization
# vectors for full disk encryption. The 'plain' generator
# should not be used for disks with sector numbers larger
# than 2^32, except where compatibility with pre-existing
# Linux dm-crypt volumes is required.
#
# @plain: 64-bit sector number truncated to 32-bits
# @plain64: 64-bit sector number
# @essiv: 64-bit sector number encrypted with a hash of the encryption key
#
# Since: 2.6
##
{ 'enum': 'QCryptoIVGenAlgorithm',
  'prefix': 'QCRYPTO_IVGEN_ALG',
  'data': ['plain', 'plain64', 'essiv']}

##
# @QCryptoBlockFormat:
#
# The supported full disk encryption formats
#
# @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only
#        for liberating data from old images.
# @luks: LUKS encryption format. Recommended for new images
#
# Since: 2.6
##
{ 'enum': 'QCryptoBlockFormat',
#  'prefix': 'QCRYPTO_BLOCK_FORMAT',
  'data': ['qcow', 'luks']}

##
# @QCryptoBlockOptionsBase:
#
# The common options that apply to all full disk
# encryption formats
#
# @format: the encryption format
#
# Since: 2.6
##
{ 'struct': 'QCryptoBlockOptionsBase',
  'data': { 'format': 'QCryptoBlockFormat' }}

##
# @QCryptoBlockOptionsQCow:
#
# The options that apply to QCow/QCow2 AES-CBC encryption format
#
# @key-secret: the ID of a QCryptoSecret object providing the
#              decryption key. Mandatory except when probing image for
#              metadata only.
#
# Since: 2.6
##
{ 'struct': 'QCryptoBlockOptionsQCow',
  'data': { '*key-secret': 'str' }}

##
# @QCryptoBlockOptionsLUKS:
#
# The options that apply to LUKS encryption format
#
# @key-secret: the ID of a QCryptoSecret object providing the
#              decryption key. Mandatory except when probing image for
#              metadata only.
#
# Since: 2.6
##
{ 'struct': 'QCryptoBlockOptionsLUKS',
  'data': { '*key-secret': 'str' }}

##
# @QCryptoBlockCreateOptionsLUKS:
#
# The options that apply to LUKS encryption format initialization
#
# @cipher-alg: the cipher algorithm for data encryption
#              Currently defaults to 'aes-256'.
# @cipher-mode: the cipher mode for data encryption
#               Currently defaults to 'xts'
# @ivgen-alg: the initialization vector generator
#             Currently defaults to 'plain64'
# @ivgen-hash-alg: the initialization vector generator hash
#                  Currently defaults to 'sha256'
# @hash-alg: the master key hash algorithm
#            Currently defaults to 'sha256'
# @iter-time: number of milliseconds to spend in
#             PBKDF passphrase processing. Currently defaults
#             to 2000. (since 2.8)
#
# Since: 2.6
##
{ 'struct': 'QCryptoBlockCreateOptionsLUKS',
  'base': 'QCryptoBlockOptionsLUKS',
  'data': { '*cipher-alg': 'QCryptoCipherAlgorithm',
            '*cipher-mode': 'QCryptoCipherMode',
            '*ivgen-alg': 'QCryptoIVGenAlgorithm',
            '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
            '*hash-alg': 'QCryptoHashAlgorithm',
            '*iter-time': 'int'}}

##
# @QCryptoBlockOpenOptions:
#
# The options that are available for all encryption formats
# when opening an existing volume
#
# Since: 2.6
##
{ 'union': 'QCryptoBlockOpenOptions',
  'base': 'QCryptoBlockOptionsBase',
  'discriminator': 'format',
  'data': { 'qcow': 'QCryptoBlockOptionsQCow',
            'luks': 'QCryptoBlockOptionsLUKS' } }

##
# @QCryptoBlockCreateOptions:
#
# The options that are available for all encryption formats
# when initializing a new volume
#
# Since: 2.6
##
{ 'union': 'QCryptoBlockCreateOptions',
  'base': 'QCryptoBlockOptionsBase',
  'discriminator': 'format',
  'data': { 'qcow': 'QCryptoBlockOptionsQCow',
            'luks': 'QCryptoBlockCreateOptionsLUKS' } }

##
# @QCryptoBlockInfoBase:
#
# The common information that applies to all full disk
# encryption formats
#
# @format: the encryption format
#
# Since: 2.7
##
{ 'struct': 'QCryptoBlockInfoBase',
  'data': { 'format': 'QCryptoBlockFormat' }}

##
# @QCryptoBlockInfoLUKSSlot:
#
# Information about the LUKS block encryption key
# slot options
#
# @active: whether the key slot is currently in use
# @key-offset: offset to the key material in bytes
# @iters: number of PBKDF2 iterations for key material
# @stripes: number of stripes for splitting key material
#
# Since: 2.7
##
{ 'struct': 'QCryptoBlockInfoLUKSSlot',
  'data': {'active': 'bool',
           '*iters': 'int',
           '*stripes': 'int',
           'key-offset': 'int' } }

##
# @QCryptoBlockInfoLUKS:
#
# Information about the LUKS block encryption options
#
# @cipher-alg: the cipher algorithm for data encryption
# @cipher-mode: the cipher mode for data encryption
# @ivgen-alg: the initialization vector generator
# @ivgen-hash-alg: the initialization vector generator hash
# @hash-alg: the master key hash algorithm
# @payload-offset: offset to the payload data in bytes
# @master-key-iters: number of PBKDF2 iterations for key material
# @uuid: unique identifier for the volume
# @slots: information about each key slot
#
# Since: 2.7
##
{ 'struct': 'QCryptoBlockInfoLUKS',
  'data': {'cipher-alg': 'QCryptoCipherAlgorithm',
           'cipher-mode': 'QCryptoCipherMode',
           'ivgen-alg': 'QCryptoIVGenAlgorithm',
           '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
           'hash-alg': 'QCryptoHashAlgorithm',
           'payload-offset': 'int',
           'master-key-iters': 'int',
           'uuid': 'str',
           'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }}

##
# @QCryptoBlockInfo:
#
# Information about the block encryption options
#
# Since: 2.7
##
{ 'union': 'QCryptoBlockInfo',
  'base': 'QCryptoBlockInfoBase',
  'discriminator': 'format',
  'data': { 'luks': 'QCryptoBlockInfoLUKS' } }

##
# @QCryptoBlockLUKSKeyslotState:
#
# Defines state of keyslots that are affected by the update
#
# @active: The slots contain the given password and marked as active
# @inactive: The slots are erased (contain garbage) and marked as inactive
#
# Since: 5.1
##
{ 'enum': 'QCryptoBlockLUKSKeyslotState',
  'data': [ 'active', 'inactive' ] }

##
# @QCryptoBlockAmendOptionsLUKS:
#
# This struct defines the update parameters that activate/de-activate set
# of keyslots
#
# @state: the desired state of the keyslots
#
# @new-secret: The ID of a QCryptoSecret object providing the password to be
#              written into added active keyslots
#
# @old-secret: Optional (for deactivation only)
#              If given will deactivate all keyslots that
#              match password located in QCryptoSecret with this ID
#
# @iter-time: Optional (for activation only)
#             Number of milliseconds to spend in
#             PBKDF passphrase processing for the newly activated keyslot.
#             Currently defaults to 2000.
#
# @keyslot: Optional. ID of the keyslot to activate/deactivate.
#           For keyslot activation, keyslot should not be active already
#           (this is unsafe to update an active keyslot),
#           but possible if 'force' parameter is given.
#           If keyslot is not given, first free keyslot will be written.
#
#           For keyslot deactivation, this parameter specifies the exact
#           keyslot to deactivate
#
# @secret: Optional. The ID of a QCryptoSecret object providing the
#          password to use to retrieve current master key.
#          Defaults to the same secret that was used to open the image
#
# Since: 5.1
##
{ 'struct': 'QCryptoBlockAmendOptionsLUKS',
  'data': { 'state': 'QCryptoBlockLUKSKeyslotState',
            '*new-secret': 'str',
            '*old-secret': 'str',
            '*keyslot': 'int',
            '*iter-time': 'int',
            '*secret': 'str' } }

##
# @QCryptoBlockAmendOptions:
#
# The options that are available for all encryption formats
# when amending encryption settings
#
# Since: 5.1
##
{ 'union': 'QCryptoBlockAmendOptions',
  'base': 'QCryptoBlockOptionsBase',
  'discriminator': 'format',
  'data': {
          'luks': 'QCryptoBlockAmendOptionsLUKS' } }

##
# @SecretCommonProperties:
#
# Properties for objects of classes derived from secret-common.
#
# @loaded: if true, the secret is loaded immediately when applying this option
#          and will probably fail when processing the next option. Don't use;
#          only provided for compatibility. (default: false)
#
# @format: the data format that the secret is provided in (default: raw)
#
# @keyid: the name of another secret that should be used to decrypt the
#         provided data. If not present, the data is assumed to be unencrypted.
#
# @iv: the random initialization vector used for encryption of this particular
#      secret. Should be a base64 encrypted string of the 16-byte IV. Mandatory
#      if @keyid is given. Ignored if @keyid is absent.
#
# Features:
# @deprecated: Member @loaded is deprecated.  Setting true doesn't make sense,
#              and false is already the default.
#
# Since: 2.6
##
{ 'struct': 'SecretCommonProperties',
  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
            '*format': 'QCryptoSecretFormat',
            '*keyid': 'str',
            '*iv': 'str' } }

##
# @SecretProperties:
#
# Properties for secret objects.
#
# Either @data or @file must be provided, but not both.
#
# @data: the associated with the secret from
#
# @file: the filename to load the data associated with the secret from
#
# Since: 2.6
##
{ 'struct': 'SecretProperties',
  'base': 'SecretCommonProperties',
  'data': { '*data': 'str',
            '*file': 'str' } }

##
# @SecretKeyringProperties:
#
# Properties for secret_keyring objects.
#
# @serial: serial number that identifies a key to get from the kernel
#
# Since: 5.1
##
{ 'struct': 'SecretKeyringProperties',
  'base': 'SecretCommonProperties',
  'data': { 'serial': 'int32' } }

##
# @TlsCredsProperties:
#
# Properties for objects of classes derived from tls-creds.
#
# @verify-peer: if true the peer credentials will be verified once the
#               handshake is completed.  This is a no-op for anonymous
#               credentials. (default: true)
#
# @dir: the path of the directory that contains the credential files
#
# @endpoint: whether the QEMU network backend that uses the credentials will be
#            acting as a client or as a server (default: client)
#
# @priority: a gnutls priority string as described at
#            https://gnutls.org/manual/html_node/Priority-Strings.html
#
# Since: 2.5
##
{ 'struct': 'TlsCredsProperties',
  'data': { '*verify-peer': 'bool',
            '*dir': 'str',
            '*endpoint': 'QCryptoTLSCredsEndpoint',
            '*priority': 'str' } }

##
# @TlsCredsAnonProperties:
#
# Properties for tls-creds-anon objects.
#
# @loaded: if true, the credentials are loaded immediately when applying this
#          option and will ignore options that are processed later. Don't use;
#          only provided for compatibility. (default: false)
#
# Features:
# @deprecated: Member @loaded is deprecated.  Setting true doesn't make sense,
#              and false is already the default.
#
# Since: 2.5
##
{ 'struct': 'TlsCredsAnonProperties',
  'base': 'TlsCredsProperties',
  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } }

##
# @TlsCredsPskProperties:
#
# Properties for tls-creds-psk objects.
#
# @loaded: if true, the credentials are loaded immediately when applying this
#          option and will ignore options that are processed later. Don't use;
#          only provided for compatibility. (default: false)
#
# @username: the username which will be sent to the server.  For clients only.
#            If absent, "qemu" is sent and the property will read back as an
#            empty string.
#
# Features:
# @deprecated: Member @loaded is deprecated.  Setting true doesn't make sense,
#              and false is already the default.
#
# Since: 3.0
##
{ 'struct': 'TlsCredsPskProperties',
  'base': 'TlsCredsProperties',
  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
            '*username': 'str' } }

##
# @TlsCredsX509Properties:
#
# Properties for tls-creds-x509 objects.
#
# @loaded: if true, the credentials are loaded immediately when applying this
#          option and will ignore options that are processed later. Don't use;
#          only provided for compatibility. (default: false)
#
# @sanity-check: if true, perform some sanity checks before using the
#                credentials (default: true)
#
# @passwordid: For the server-key.pem and client-key.pem files which contain
#              sensitive private keys, it is possible to use an encrypted
#              version by providing the @passwordid parameter.  This provides
#              the ID of a previously created secret object containing the
#              password for decryption.
#
# Features:
# @deprecated: Member @loaded is deprecated.  Setting true doesn't make sense,
#              and false is already the default.
#
# Since: 2.5
##
{ 'struct': 'TlsCredsX509Properties',
  'base': 'TlsCredsProperties',
  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
            '*sanity-check': 'bool',
            '*passwordid': 'str' } }
##
# @QCryptoAkCipherAlgorithm:
#
# The supported algorithms for asymmetric encryption ciphers
#
# @rsa: RSA algorithm
#
# Since: 7.1
##
{ 'enum': 'QCryptoAkCipherAlgorithm',
  'prefix': 'QCRYPTO_AKCIPHER_ALG',
  'data': ['rsa']}

##
# @QCryptoAkCipherKeyType:
#
# The type of asymmetric keys.
#
# Since: 7.1
##
{ 'enum': 'QCryptoAkCipherKeyType',
  'prefix': 'QCRYPTO_AKCIPHER_KEY_TYPE',
  'data': ['public', 'private']}

##
# @QCryptoRSAPaddingAlgorithm:
#
# The padding algorithm for RSA.
#
# @raw: no padding used
# @pkcs1: pkcs1#v1.5
#
# Since: 7.1
##
{ 'enum': 'QCryptoRSAPaddingAlgorithm',
  'prefix': 'QCRYPTO_RSA_PADDING_ALG',
  'data': ['raw', 'pkcs1']}

##
# @QCryptoAkCipherOptionsRSA:
#
# Specific parameters for RSA algorithm.
#
# @hash-alg: QCryptoHashAlgorithm
# @padding-alg: QCryptoRSAPaddingAlgorithm
#
# Since: 7.1
##
{ 'struct': 'QCryptoAkCipherOptionsRSA',
  'data': { 'hash-alg':'QCryptoHashAlgorithm',
            'padding-alg': 'QCryptoRSAPaddingAlgorithm'}}

##
# @QCryptoAkCipherOptions:
#
# The options that are available for all asymmetric key algorithms
# when creating a new QCryptoAkCipher.
#
# Since: 7.1
##
{ 'union': 'QCryptoAkCipherOptions',
  'base': { 'alg': 'QCryptoAkCipherAlgorithm' },
  'discriminator': 'alg',
  'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }}
Commit	Line	Data
a090187d	1	# -- Mode: Python --
f7160f32	2	# vim: filetype=python
a090187d	3	#
d3a48372 MAL	4
d3a48372 MAL	5	##
f5cf31c5	6	# = Cryptography
d3a48372	7	##
a090187d DB	8
a090187d DB	9	##
c5927e7a	10	# @QCryptoTLSCredsEndpoint:
a090187d DB	11	#
	12	# The type of network endpoint that will be using the credentials.
	13	# Most types of credential require different setup / structures
	14	# depending on whether they will be used in a server versus a
	15	# client.
	16	#
	17	# @client: the network endpoint is acting as the client
	18	#
	19	# @server: the network endpoint is acting as the server
	20	#
	21	# Since: 2.5
	22	##
	23	{ 'enum': 'QCryptoTLSCredsEndpoint',
	24	'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT',
	25	'data': ['client', 'server']}
ac1d8878	26
ac1d8878	27	##
c5927e7a	28	# @QCryptoSecretFormat:
ac1d8878 DB	29	#
	30	# The data format that the secret is provided in
	31	#
	32	# @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences can be used
	33	# @base64: arbitrary base64 encoded binary data
4ae65a52	34	#
ac1d8878 DB	35	# Since: 2.6
	36	##
	37	{ 'enum': 'QCryptoSecretFormat',
	38	'prefix': 'QCRYPTO_SECRET_FORMAT',
	39	'data': ['raw', 'base64']}
d84b79d3	40
d84b79d3	41	##
c5927e7a	42	# @QCryptoHashAlgorithm:
d84b79d3 DB	43	#
	44	# The supported algorithms for computing content digests
	45	#
	46	# @md5: MD5. Should not be used in any new code, legacy compat only
	47	# @sha1: SHA-1. Should not be used in any new code, legacy compat only
9164b897	48	# @sha224: SHA-224. (since 2.7)
d84b79d3	49	# @sha256: SHA-256. Current recommended strong hash.
9164b897 DB	50	# @sha384: SHA-384. (since 2.7)
	51	# @sha512: SHA-512. (since 2.7)
	52	# @ripemd160: RIPEMD-160. (since 2.7)
4ae65a52	53	#
d84b79d3 DB	54	# Since: 2.6
	55	##
	56	{ 'enum': 'QCryptoHashAlgorithm',
	57	'prefix': 'QCRYPTO_HASH_ALG',
9164b897	58	'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']}
d8c02bcc	59
d8c02bcc	60	##
c5927e7a	61	# @QCryptoCipherAlgorithm:
d8c02bcc DB	62	#
	63	# The supported algorithms for content encryption ciphers
	64	#
	65	# @aes-128: AES with 128 bit / 16 byte keys
	66	# @aes-192: AES with 192 bit / 24 byte keys
	67	# @aes-256: AES with 256 bit / 32 byte keys
83bee4b5	68	# @des: DES with 56 bit / 8 byte keys. Do not use except in VNC. (since 6.1)
ffb7bf45	69	# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9)
084a85ee	70	# @cast5-128: Cast5 with 128 bit / 16 byte keys
94318522 DB	71	# @serpent-128: Serpent with 128 bit / 16 byte keys
	72	# @serpent-192: Serpent with 192 bit / 24 byte keys
	73	# @serpent-256: Serpent with 256 bit / 32 byte keys
50f6753e DB	74	# @twofish-128: Twofish with 128 bit / 16 byte keys
	75	# @twofish-192: Twofish with 192 bit / 24 byte keys
	76	# @twofish-256: Twofish with 256 bit / 32 byte keys
4ae65a52	77	#
d8c02bcc DB	78	# Since: 2.6
	79	##
	80	{ 'enum': 'QCryptoCipherAlgorithm',
	81	'prefix': 'QCRYPTO_CIPHER_ALG',
084a85ee	82	'data': ['aes-128', 'aes-192', 'aes-256',
83bee4b5	83	'des', '3des',
94318522	84	'cast5-128',
50f6753e DB	85	'serpent-128', 'serpent-192', 'serpent-256',
50f6753e DB	86	'twofish-128', 'twofish-192', 'twofish-256']}
d8c02bcc	87
d8c02bcc	88	##
c5927e7a	89	# @QCryptoCipherMode:
d8c02bcc DB	90	#
	91	# The supported modes for content encryption ciphers
	92	#
	93	# @ecb: Electronic Code Book
	94	# @cbc: Cipher Block Chaining
eaec903c	95	# @xts: XEX with tweaked code book and ciphertext stealing
3c28292f	96	# @ctr: Counter (Since 2.8)
4ae65a52	97	#
d8c02bcc DB	98	# Since: 2.6
	99	##
	100	{ 'enum': 'QCryptoCipherMode',
	101	'prefix': 'QCRYPTO_CIPHER_MODE',
3c28292f	102	'data': ['ecb', 'cbc', 'xts', 'ctr']}
cb730894	103
cb730894	104	##
c5927e7a	105	# @QCryptoIVGenAlgorithm:
cb730894 DB	106	#
	107	# The supported algorithms for generating initialization
	108	# vectors for full disk encryption. The 'plain' generator
	109	# should not be used for disks with sector numbers larger
	110	# than 2^32, except where compatibility with pre-existing
	111	# Linux dm-crypt volumes is required.
	112	#
	113	# @plain: 64-bit sector number truncated to 32-bits
	114	# @plain64: 64-bit sector number
	115	# @essiv: 64-bit sector number encrypted with a hash of the encryption key
4ae65a52	116	#
cb730894 DB	117	# Since: 2.6
	118	##
	119	{ 'enum': 'QCryptoIVGenAlgorithm',
	120	'prefix': 'QCRYPTO_IVGEN_ALG',
	121	'data': ['plain', 'plain64', 'essiv']}
7d969014 DB	122
7d969014 DB	123	##
c5927e7a	124	# @QCryptoBlockFormat:
7d969014 DB	125	#
	126	# The supported full disk encryption formats
	127	#
	128	# @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only
	129	# for liberating data from old images.
3e308f20	130	# @luks: LUKS encryption format. Recommended for new images
7d969014 DB	131	#
	132	# Since: 2.6
	133	##
	134	{ 'enum': 'QCryptoBlockFormat',
	135	# 'prefix': 'QCRYPTO_BLOCK_FORMAT',
3e308f20	136	'data': ['qcow', 'luks']}
7d969014 DB	137
7d969014 DB	138	##
c5927e7a	139	# @QCryptoBlockOptionsBase:
7d969014 DB	140	#
	141	# The common options that apply to all full disk
	142	# encryption formats
	143	#
	144	# @format: the encryption format
	145	#
	146	# Since: 2.6
	147	##
	148	{ 'struct': 'QCryptoBlockOptionsBase',
	149	'data': { 'format': 'QCryptoBlockFormat' }}
	150
	151	##
c5927e7a	152	# @QCryptoBlockOptionsQCow:
7d969014 DB	153	#
	154	# The options that apply to QCow/QCow2 AES-CBC encryption format
	155	#
1d8bda12	156	# @key-secret: the ID of a QCryptoSecret object providing the
7d969014 DB	157	# decryption key. Mandatory except when probing image for
	158	# metadata only.
	159	#
	160	# Since: 2.6
	161	##
	162	{ 'struct': 'QCryptoBlockOptionsQCow',
	163	'data': { '*key-secret': 'str' }}
	164
3e308f20	165	##
c5927e7a	166	# @QCryptoBlockOptionsLUKS:
3e308f20 DB	167	#
	168	# The options that apply to LUKS encryption format
	169	#
1d8bda12	170	# @key-secret: the ID of a QCryptoSecret object providing the
3e308f20 DB	171	# decryption key. Mandatory except when probing image for
3e308f20 DB	172	# metadata only.
4ae65a52	173	#
3e308f20 DB	174	# Since: 2.6
	175	##
	176	{ 'struct': 'QCryptoBlockOptionsLUKS',
	177	'data': { '*key-secret': 'str' }}
	178
3e308f20	179	##
c5927e7a	180	# @QCryptoBlockCreateOptionsLUKS:
3e308f20 DB	181	#
	182	# The options that apply to LUKS encryption format initialization
	183	#
1d8bda12	184	# @cipher-alg: the cipher algorithm for data encryption
a8b826d4	185	# Currently defaults to 'aes-256'.
1d8bda12	186	# @cipher-mode: the cipher mode for data encryption
a8b826d4	187	# Currently defaults to 'xts'
1d8bda12	188	# @ivgen-alg: the initialization vector generator
a8b826d4	189	# Currently defaults to 'plain64'
1d8bda12	190	# @ivgen-hash-alg: the initialization vector generator hash
3e308f20	191	# Currently defaults to 'sha256'
1d8bda12	192	# @hash-alg: the master key hash algorithm
3e308f20	193	# Currently defaults to 'sha256'
1d8bda12	194	# @iter-time: number of milliseconds to spend in
3bd18890	195	# PBKDF passphrase processing. Currently defaults
2ab66cd5	196	# to 2000. (since 2.8)
4ae65a52	197	#
3e308f20 DB	198	# Since: 2.6
	199	##
	200	{ 'struct': 'QCryptoBlockCreateOptionsLUKS',
	201	'base': 'QCryptoBlockOptionsLUKS',
	202	'data': { '*cipher-alg': 'QCryptoCipherAlgorithm',
	203	'*cipher-mode': 'QCryptoCipherMode',
	204	'*ivgen-alg': 'QCryptoIVGenAlgorithm',
	205	'*ivgen-hash-alg': 'QCryptoHashAlgorithm',
3bd18890 DB	206	'*hash-alg': 'QCryptoHashAlgorithm',
3bd18890 DB	207	'*iter-time': 'int'}}
3e308f20	208
7d969014	209	##
c5927e7a	210	# @QCryptoBlockOpenOptions:
7d969014 DB	211	#
	212	# The options that are available for all encryption formats
	213	# when opening an existing volume
	214	#
	215	# Since: 2.6
	216	##
	217	{ 'union': 'QCryptoBlockOpenOptions',
	218	'base': 'QCryptoBlockOptionsBase',
	219	'discriminator': 'format',
3e308f20 DB	220	'data': { 'qcow': 'QCryptoBlockOptionsQCow',
3e308f20 DB	221	'luks': 'QCryptoBlockOptionsLUKS' } }
7d969014	222
7d969014	223	##
c5927e7a	224	# @QCryptoBlockCreateOptions:
7d969014 DB	225	#
	226	# The options that are available for all encryption formats
	227	# when initializing a new volume
	228	#
	229	# Since: 2.6
	230	##
	231	{ 'union': 'QCryptoBlockCreateOptions',
	232	'base': 'QCryptoBlockOptionsBase',
	233	'discriminator': 'format',
3e308f20 DB	234	'data': { 'qcow': 'QCryptoBlockOptionsQCow',
3e308f20 DB	235	'luks': 'QCryptoBlockCreateOptionsLUKS' } }
40c85028	236
40c85028	237	##
c5927e7a	238	# @QCryptoBlockInfoBase:
40c85028 DB	239	#
	240	# The common information that applies to all full disk
	241	# encryption formats
	242	#
	243	# @format: the encryption format
	244	#
	245	# Since: 2.7
	246	##
	247	{ 'struct': 'QCryptoBlockInfoBase',
	248	'data': { 'format': 'QCryptoBlockFormat' }}
	249
40c85028	250	##
c5927e7a	251	# @QCryptoBlockInfoLUKSSlot:
40c85028 DB	252	#
	253	# Information about the LUKS block encryption key
	254	# slot options
	255	#
	256	# @active: whether the key slot is currently in use
	257	# @key-offset: offset to the key material in bytes
1d8bda12 MA	258	# @iters: number of PBKDF2 iterations for key material
1d8bda12 MA	259	# @stripes: number of stripes for splitting key material
40c85028 DB	260	#
	261	# Since: 2.7
	262	##
	263	{ 'struct': 'QCryptoBlockInfoLUKSSlot',
	264	'data': {'active': 'bool',
	265	'*iters': 'int',
	266	'*stripes': 'int',
	267	'key-offset': 'int' } }
	268
40c85028	269	##
c5927e7a	270	# @QCryptoBlockInfoLUKS:
40c85028 DB	271	#
	272	# Information about the LUKS block encryption options
	273	#
	274	# @cipher-alg: the cipher algorithm for data encryption
	275	# @cipher-mode: the cipher mode for data encryption
	276	# @ivgen-alg: the initialization vector generator
1d8bda12	277	# @ivgen-hash-alg: the initialization vector generator hash
40c85028 DB	278	# @hash-alg: the master key hash algorithm
	279	# @payload-offset: offset to the payload data in bytes
	280	# @master-key-iters: number of PBKDF2 iterations for key material
	281	# @uuid: unique identifier for the volume
	282	# @slots: information about each key slot
	283	#
	284	# Since: 2.7
	285	##
	286	{ 'struct': 'QCryptoBlockInfoLUKS',
	287	'data': {'cipher-alg': 'QCryptoCipherAlgorithm',
	288	'cipher-mode': 'QCryptoCipherMode',
	289	'ivgen-alg': 'QCryptoIVGenAlgorithm',
	290	'*ivgen-hash-alg': 'QCryptoHashAlgorithm',
	291	'hash-alg': 'QCryptoHashAlgorithm',
	292	'payload-offset': 'int',
	293	'master-key-iters': 'int',
	294	'uuid': 'str',
	295	'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }}
	296
40c85028	297	##
c5927e7a	298	# @QCryptoBlockInfo:
40c85028 DB	299	#
	300	# Information about the block encryption options
	301	#
	302	# Since: 2.7
	303	##
	304	{ 'union': 'QCryptoBlockInfo',
	305	'base': 'QCryptoBlockInfoBase',
	306	'discriminator': 'format',
29cd0403	307	'data': { 'luks': 'QCryptoBlockInfoLUKS' } }
43cbd06d	308
557d2bdc ML	309	##
	310	# @QCryptoBlockLUKSKeyslotState:
	311	#
	312	# Defines state of keyslots that are affected by the update
	313	#
c0ac533b AB	314	# @active: The slots contain the given password and marked as active
c0ac533b AB	315	# @inactive: The slots are erased (contain garbage) and marked as inactive
557d2bdc ML	316	#
	317	# Since: 5.1
	318	##
	319	{ 'enum': 'QCryptoBlockLUKSKeyslotState',
	320	'data': [ 'active', 'inactive' ] }
	321
557d2bdc ML	322	##
	323	# @QCryptoBlockAmendOptionsLUKS:
	324	#
	325	# This struct defines the update parameters that activate/de-activate set
	326	# of keyslots
	327	#
	328	# @state: the desired state of the keyslots
	329	#
c0ac533b AB	330	# @new-secret: The ID of a QCryptoSecret object providing the password to be
c0ac533b AB	331	# written into added active keyslots
557d2bdc	332	#
c0ac533b AB	333	# @old-secret: Optional (for deactivation only)
	334	# If given will deactivate all keyslots that
	335	# match password located in QCryptoSecret with this ID
557d2bdc	336	#
c0ac533b AB	337	# @iter-time: Optional (for activation only)
	338	# Number of milliseconds to spend in
	339	# PBKDF passphrase processing for the newly activated keyslot.
	340	# Currently defaults to 2000.
557d2bdc	341	#
c0ac533b AB	342	# @keyslot: Optional. ID of the keyslot to activate/deactivate.
	343	# For keyslot activation, keyslot should not be active already
	344	# (this is unsafe to update an active keyslot),
	345	# but possible if 'force' parameter is given.
	346	# If keyslot is not given, first free keyslot will be written.
557d2bdc	347	#
c0ac533b AB	348	# For keyslot deactivation, this parameter specifies the exact
c0ac533b AB	349	# keyslot to deactivate
557d2bdc	350	#
c0ac533b AB	351	# @secret: Optional. The ID of a QCryptoSecret object providing the
	352	# password to use to retrieve current master key.
	353	# Defaults to the same secret that was used to open the image
557d2bdc	354	#
433a4fdc	355	# Since: 5.1
557d2bdc ML	356	##
	357	{ 'struct': 'QCryptoBlockAmendOptionsLUKS',
	358	'data': { 'state': 'QCryptoBlockLUKSKeyslotState',
	359	'*new-secret': 'str',
	360	'*old-secret': 'str',
	361	'*keyslot': 'int',
	362	'*iter-time': 'int',
	363	'*secret': 'str' } }
43cbd06d ML	364
	365	##
	366	# @QCryptoBlockAmendOptions:
	367	#
	368	# The options that are available for all encryption formats
	369	# when amending encryption settings
	370	#
	371	# Since: 5.1
	372	##
	373	{ 'union': 'QCryptoBlockAmendOptions',
	374	'base': 'QCryptoBlockOptionsBase',
	375	'discriminator': 'format',
	376	'data': {
557d2bdc	377	'luks': 'QCryptoBlockAmendOptionsLUKS' } }
39c4c27d KW	378
	379	##
	380	# @SecretCommonProperties:
	381	#
	382	# Properties for objects of classes derived from secret-common.
	383	#
	384	# @loaded: if true, the secret is loaded immediately when applying this option
	385	# and will probably fail when processing the next option. Don't use;
	386	# only provided for compatibility. (default: false)
	387	#
	388	# @format: the data format that the secret is provided in (default: raw)
	389	#
	390	# @keyid: the name of another secret that should be used to decrypt the
	391	# provided data. If not present, the data is assumed to be unencrypted.
	392	#
	393	# @iv: the random initialization vector used for encryption of this particular
	394	# secret. Should be a base64 encrypted string of the 16-byte IV. Mandatory
	395	# if @keyid is given. Ignored if @keyid is absent.
	396	#
	397	# Features:
	398	# @deprecated: Member @loaded is deprecated. Setting true doesn't make sense,
	399	# and false is already the default.
	400	#
	401	# Since: 2.6
	402	##
	403	{ 'struct': 'SecretCommonProperties',
	404	'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
	405	'*format': 'QCryptoSecretFormat',
	406	'*keyid': 'str',
	407	'*iv': 'str' } }
	408
	409	##
	410	# @SecretProperties:
	411	#
	412	# Properties for secret objects.
	413	#
	414	# Either @data or @file must be provided, but not both.
	415	#
	416	# @data: the associated with the secret from
	417	#
	418	# @file: the filename to load the data associated with the secret from
	419	#
	420	# Since: 2.6
	421	##
	422	{ 'struct': 'SecretProperties',
	423	'base': 'SecretCommonProperties',
	424	'data': { '*data': 'str',
	425	'*file': 'str' } }
	426
	427	##
	428	# @SecretKeyringProperties:
	429	#
	430	# Properties for secret_keyring objects.
	431	#
	432	# @serial: serial number that identifies a key to get from the kernel
	433	#
	434	# Since: 5.1
	435	##
	436	{ 'struct': 'SecretKeyringProperties',
	437	'base': 'SecretCommonProperties',
	438	'data': { 'serial': 'int32' } }
d09e4937 KW	439
	440	##
	441	# @TlsCredsProperties:
	442	#
	443	# Properties for objects of classes derived from tls-creds.
	444	#
	445	# @verify-peer: if true the peer credentials will be verified once the
	446	# handshake is completed. This is a no-op for anonymous
	447	# credentials. (default: true)
	448	#
	449	# @dir: the path of the directory that contains the credential files
	450	#
	451	# @endpoint: whether the QEMU network backend that uses the credentials will be
	452	# acting as a client or as a server (default: client)
	453	#
	454	# @priority: a gnutls priority string as described at
	455	# https://gnutls.org/manual/html_node/Priority-Strings.html
	456	#
	457	# Since: 2.5
	458	##
	459	{ 'struct': 'TlsCredsProperties',
	460	'data': { '*verify-peer': 'bool',
	461	'*dir': 'str',
	462	'*endpoint': 'QCryptoTLSCredsEndpoint',
	463	'*priority': 'str' } }
	464
	465	##
	466	# @TlsCredsAnonProperties:
	467	#
	468	# Properties for tls-creds-anon objects.
	469	#
	470	# @loaded: if true, the credentials are loaded immediately when applying this
	471	# option and will ignore options that are processed later. Don't use;
	472	# only provided for compatibility. (default: false)
	473	#
	474	# Features:
	475	# @deprecated: Member @loaded is deprecated. Setting true doesn't make sense,
	476	# and false is already the default.
	477	#
	478	# Since: 2.5
	479	##
	480	{ 'struct': 'TlsCredsAnonProperties',
	481	'base': 'TlsCredsProperties',
	482	'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } }
	483
	484	##
	485	# @TlsCredsPskProperties:
	486	#
	487	# Properties for tls-creds-psk objects.
	488	#
	489	# @loaded: if true, the credentials are loaded immediately when applying this
	490	# option and will ignore options that are processed later. Don't use;
	491	# only provided for compatibility. (default: false)
	492	#
	493	# @username: the username which will be sent to the server. For clients only.
	494	# If absent, "qemu" is sent and the property will read back as an
	495	# empty string.
	496	#
	497	# Features:
	498	# @deprecated: Member @loaded is deprecated. Setting true doesn't make sense,
	499	# and false is already the default.
	500	#
	501	# Since: 3.0
	502	##
503	{ 'struct': 'TlsCredsPskProperties',
504	'base': 'TlsCredsProperties',
505	'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
506	'*username': 'str' } }
507
508	##
509	# @TlsCredsX509Properties:
510	#
511	# Properties for tls-creds-x509 objects.
512	#
513	# @loaded: if true, the credentials are loaded immediately when applying this
514	# option and will ignore options that are processed later. Don't use;
515	# only provided for compatibility. (default: false)
516	#
517	# @sanity-check: if true, perform some sanity checks before using the
518	# credentials (default: true)
519	#
520	# @passwordid: For the server-key.pem and client-key.pem files which contain
521	# sensitive private keys, it is possible to use an encrypted
522	# version by providing the @passwordid parameter. This provides
523	# the ID of a previously created secret object containing the
524	# password for decryption.
525	#
526	# Features:
527	# @deprecated: Member @loaded is deprecated. Setting true doesn't make sense,
528	# and false is already the default.
529	#
530	# Since: 2.5
531	##
532	{ 'struct': 'TlsCredsX509Properties',
533	'base': 'TlsCredsProperties',
534	'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
535	'*sanity-check': 'bool',
536	'*passwordid': 'str' } }
daa55f3e LH	537	##
	538	# @QCryptoAkCipherAlgorithm:
	539	#
	540	# The supported algorithms for asymmetric encryption ciphers
	541	#
	542	# @rsa: RSA algorithm
	543	#
	544	# Since: 7.1
	545	##
	546	{ 'enum': 'QCryptoAkCipherAlgorithm',
	547	'prefix': 'QCRYPTO_AKCIPHER_ALG',
	548	'data': ['rsa']}
	549
	550	##
	551	# @QCryptoAkCipherKeyType:
	552	#
	553	# The type of asymmetric keys.
	554	#
	555	# Since: 7.1
	556	##
	557	{ 'enum': 'QCryptoAkCipherKeyType',
	558	'prefix': 'QCRYPTO_AKCIPHER_KEY_TYPE',
	559	'data': ['public', 'private']}
	560
	561	##
	562	# @QCryptoRSAPaddingAlgorithm:
	563	#
	564	# The padding algorithm for RSA.
	565	#
	566	# @raw: no padding used
	567	# @pkcs1: pkcs1#v1.5
	568	#
	569	# Since: 7.1
	570	##
	571	{ 'enum': 'QCryptoRSAPaddingAlgorithm',
	572	'prefix': 'QCRYPTO_RSA_PADDING_ALG',
	573	'data': ['raw', 'pkcs1']}
	574
	575	##
	576	# @QCryptoAkCipherOptionsRSA:
	577	#
	578	# Specific parameters for RSA algorithm.
	579	#
	580	# @hash-alg: QCryptoHashAlgorithm
	581	# @padding-alg: QCryptoRSAPaddingAlgorithm
	582	#
	583	# Since: 7.1
	584	##
	585	{ 'struct': 'QCryptoAkCipherOptionsRSA',
	586	'data': { 'hash-alg':'QCryptoHashAlgorithm',
	587	'padding-alg': 'QCryptoRSAPaddingAlgorithm'}}
	588
	589	##
	590	# @QCryptoAkCipherOptions:
	591	#
	592	# The options that are available for all asymmetric key algorithms
	593	# when creating a new QCryptoAkCipher.
	594	#
	595	# Since: 7.1
	596	##
	597	{ 'union': 'QCryptoAkCipherOptions',
	598	'base': { 'alg': 'QCryptoAkCipherAlgorithm' },
	599	'discriminator': 'alg',
	600	'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }}