[mirror_qemu.git] / qapi / crypto.json

# -*- Mode: Python -*-
#

##
# = QAPI crypto definitions
##

##
# @QCryptoTLSCredsEndpoint:
#
# The type of network endpoint that will be using the credentials.
# Most types of credential require different setup / structures
# depending on whether they will be used in a server versus a
# client.
#
# @client: the network endpoint is acting as the client
#
# @server: the network endpoint is acting as the server
#
# Since: 2.5
##
{ 'enum': 'QCryptoTLSCredsEndpoint',
  'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT',
  'data': ['client', 'server']}


##
# @QCryptoSecretFormat:
#
# The data format that the secret is provided in
#
# @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences can be used
# @base64: arbitrary base64 encoded binary data
# Since: 2.6
##
{ 'enum': 'QCryptoSecretFormat',
  'prefix': 'QCRYPTO_SECRET_FORMAT',
  'data': ['raw', 'base64']}


##
# @QCryptoHashAlgorithm:
#
# The supported algorithms for computing content digests
#
# @md5: MD5. Should not be used in any new code, legacy compat only
# @sha1: SHA-1. Should not be used in any new code, legacy compat only
# @sha224: SHA-224. (since 2.7)
# @sha256: SHA-256. Current recommended strong hash.
# @sha384: SHA-384. (since 2.7)
# @sha512: SHA-512. (since 2.7)
# @ripemd160: RIPEMD-160. (since 2.7)
# Since: 2.6
##
{ 'enum': 'QCryptoHashAlgorithm',
  'prefix': 'QCRYPTO_HASH_ALG',
  'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']}


##
# @QCryptoCipherAlgorithm:
#
# The supported algorithms for content encryption ciphers
#
# @aes-128: AES with 128 bit / 16 byte keys
# @aes-192: AES with 192 bit / 24 byte keys
# @aes-256: AES with 256 bit / 32 byte keys
# @des-rfb: RFB specific variant of single DES. Do not use except in VNC.
# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9)
# @cast5-128: Cast5 with 128 bit / 16 byte keys
# @serpent-128: Serpent with 128 bit / 16 byte keys
# @serpent-192: Serpent with 192 bit / 24 byte keys
# @serpent-256: Serpent with 256 bit / 32 byte keys
# @twofish-128: Twofish with 128 bit / 16 byte keys
# @twofish-192: Twofish with 192 bit / 24 byte keys
# @twofish-256: Twofish with 256 bit / 32 byte keys
# Since: 2.6
##
{ 'enum': 'QCryptoCipherAlgorithm',
  'prefix': 'QCRYPTO_CIPHER_ALG',
  'data': ['aes-128', 'aes-192', 'aes-256',
           'des-rfb', '3des',
           'cast5-128',
           'serpent-128', 'serpent-192', 'serpent-256',
           'twofish-128', 'twofish-192', 'twofish-256']}


##
# @QCryptoCipherMode:
#
# The supported modes for content encryption ciphers
#
# @ecb: Electronic Code Book
# @cbc: Cipher Block Chaining
# @xts: XEX with tweaked code book and ciphertext stealing
# @ctr: Counter (Since 2.8)
# Since: 2.6
##
{ 'enum': 'QCryptoCipherMode',
  'prefix': 'QCRYPTO_CIPHER_MODE',
  'data': ['ecb', 'cbc', 'xts', 'ctr']}


##
# @QCryptoIVGenAlgorithm:
#
# The supported algorithms for generating initialization
# vectors for full disk encryption. The 'plain' generator
# should not be used for disks with sector numbers larger
# than 2^32, except where compatibility with pre-existing
# Linux dm-crypt volumes is required.
#
# @plain: 64-bit sector number truncated to 32-bits
# @plain64: 64-bit sector number
# @essiv: 64-bit sector number encrypted with a hash of the encryption key
# Since: 2.6
##
{ 'enum': 'QCryptoIVGenAlgorithm',
  'prefix': 'QCRYPTO_IVGEN_ALG',
  'data': ['plain', 'plain64', 'essiv']}

##
# @QCryptoBlockFormat:
#
# The supported full disk encryption formats
#
# @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only
#        for liberating data from old images.
# @luks: LUKS encryption format. Recommended for new images
#
# Since: 2.6
##
{ 'enum': 'QCryptoBlockFormat',
#  'prefix': 'QCRYPTO_BLOCK_FORMAT',
  'data': ['qcow', 'luks']}

##
# @QCryptoBlockOptionsBase:
#
# The common options that apply to all full disk
# encryption formats
#
# @format: the encryption format
#
# Since: 2.6
##
{ 'struct': 'QCryptoBlockOptionsBase',
  'data': { 'format': 'QCryptoBlockFormat' }}

##
# @QCryptoBlockOptionsQCow:
#
# The options that apply to QCow/QCow2 AES-CBC encryption format
#
# @key-secret: the ID of a QCryptoSecret object providing the
#              decryption key. Mandatory except when probing image for
#              metadata only.
#
# Since: 2.6
##
{ 'struct': 'QCryptoBlockOptionsQCow',
  'data': { '*key-secret': 'str' }}

##
# @QCryptoBlockOptionsLUKS:
#
# The options that apply to LUKS encryption format
#
# @key-secret: the ID of a QCryptoSecret object providing the
#              decryption key. Mandatory except when probing image for
#              metadata only.
# Since: 2.6
##
{ 'struct': 'QCryptoBlockOptionsLUKS',
  'data': { '*key-secret': 'str' }}


##
# @QCryptoBlockCreateOptionsLUKS:
#
# The options that apply to LUKS encryption format initialization
#
# @cipher-alg: the cipher algorithm for data encryption
#              Currently defaults to 'aes'.
# @cipher-mode: the cipher mode for data encryption
#               Currently defaults to 'cbc'
# @ivgen-alg: the initialization vector generator
#             Currently defaults to 'essiv'
# @ivgen-hash-alg: the initialization vector generator hash
#                  Currently defaults to 'sha256'
# @hash-alg: the master key hash algorithm
#            Currently defaults to 'sha256'
# @iter-time: number of milliseconds to spend in
#             PBKDF passphrase processing. Currently defaults
#             to 2000. (since 2.8)
# Since: 2.6
##
{ 'struct': 'QCryptoBlockCreateOptionsLUKS',
  'base': 'QCryptoBlockOptionsLUKS',
  'data': { '*cipher-alg': 'QCryptoCipherAlgorithm',
            '*cipher-mode': 'QCryptoCipherMode',
            '*ivgen-alg': 'QCryptoIVGenAlgorithm',
            '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
            '*hash-alg': 'QCryptoHashAlgorithm',
            '*iter-time': 'int'}}


##
# @QCryptoBlockOpenOptions:
#
# The options that are available for all encryption formats
# when opening an existing volume
#
# Since: 2.6
##
{ 'union': 'QCryptoBlockOpenOptions',
  'base': 'QCryptoBlockOptionsBase',
  'discriminator': 'format',
  'data': { 'qcow': 'QCryptoBlockOptionsQCow',
            'luks': 'QCryptoBlockOptionsLUKS' } }


##
# @QCryptoBlockCreateOptions:
#
# The options that are available for all encryption formats
# when initializing a new volume
#
# Since: 2.6
##
{ 'union': 'QCryptoBlockCreateOptions',
  'base': 'QCryptoBlockOptionsBase',
  'discriminator': 'format',
  'data': { 'qcow': 'QCryptoBlockOptionsQCow',
            'luks': 'QCryptoBlockCreateOptionsLUKS' } }


##
# @QCryptoBlockInfoBase:
#
# The common information that applies to all full disk
# encryption formats
#
# @format: the encryption format
#
# Since: 2.7
##
{ 'struct': 'QCryptoBlockInfoBase',
  'data': { 'format': 'QCryptoBlockFormat' }}


##
# @QCryptoBlockInfoLUKSSlot:
#
# Information about the LUKS block encryption key
# slot options
#
# @active: whether the key slot is currently in use
# @key-offset: offset to the key material in bytes
# @iters: number of PBKDF2 iterations for key material
# @stripes: number of stripes for splitting key material
#
# Since: 2.7
##
{ 'struct': 'QCryptoBlockInfoLUKSSlot',
  'data': {'active': 'bool',
           '*iters': 'int',
           '*stripes': 'int',
           'key-offset': 'int' } }


##
# @QCryptoBlockInfoLUKS:
#
# Information about the LUKS block encryption options
#
# @cipher-alg: the cipher algorithm for data encryption
# @cipher-mode: the cipher mode for data encryption
# @ivgen-alg: the initialization vector generator
# @ivgen-hash-alg: the initialization vector generator hash
# @hash-alg: the master key hash algorithm
# @payload-offset: offset to the payload data in bytes
# @master-key-iters: number of PBKDF2 iterations for key material
# @uuid: unique identifier for the volume
# @slots: information about each key slot
#
# Since: 2.7
##
{ 'struct': 'QCryptoBlockInfoLUKS',
  'data': {'cipher-alg': 'QCryptoCipherAlgorithm',
           'cipher-mode': 'QCryptoCipherMode',
           'ivgen-alg': 'QCryptoIVGenAlgorithm',
           '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
           'hash-alg': 'QCryptoHashAlgorithm',
           'payload-offset': 'int',
           'master-key-iters': 'int',
           'uuid': 'str',
           'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }}

##
# @QCryptoBlockInfoQCow:
#
# Information about the QCow block encryption options
#
# Since: 2.7
##
{ 'struct': 'QCryptoBlockInfoQCow',
  'data': { }}


##
# @QCryptoBlockInfo:
#
# Information about the block encryption options
#
# Since: 2.7
##
{ 'union': 'QCryptoBlockInfo',
  'base': 'QCryptoBlockInfoBase',
  'discriminator': 'format',
  'data': { 'qcow': 'QCryptoBlockInfoQCow',
            'luks': 'QCryptoBlockInfoLUKS' } }
Commit	Line	Data
a090187d DB	1	# -- Mode: Python --
a090187d DB	2	#
d3a48372 MAL	3
	4	##
	5	# = QAPI crypto definitions
	6	##
a090187d DB	7
a090187d DB	8	##
c5927e7a	9	# @QCryptoTLSCredsEndpoint:
a090187d DB	10	#
	11	# The type of network endpoint that will be using the credentials.
	12	# Most types of credential require different setup / structures
	13	# depending on whether they will be used in a server versus a
	14	# client.
	15	#
	16	# @client: the network endpoint is acting as the client
	17	#
	18	# @server: the network endpoint is acting as the server
	19	#
	20	# Since: 2.5
	21	##
	22	{ 'enum': 'QCryptoTLSCredsEndpoint',
	23	'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT',
	24	'data': ['client', 'server']}
ac1d8878 DB	25
	26
	27	##
c5927e7a	28	# @QCryptoSecretFormat:
ac1d8878 DB	29	#
	30	# The data format that the secret is provided in
	31	#
	32	# @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences can be used
	33	# @base64: arbitrary base64 encoded binary data
	34	# Since: 2.6
	35	##
	36	{ 'enum': 'QCryptoSecretFormat',
	37	'prefix': 'QCRYPTO_SECRET_FORMAT',
	38	'data': ['raw', 'base64']}
d84b79d3 DB	39
	40
	41	##
c5927e7a	42	# @QCryptoHashAlgorithm:
d84b79d3 DB	43	#
	44	# The supported algorithms for computing content digests
	45	#
	46	# @md5: MD5. Should not be used in any new code, legacy compat only
	47	# @sha1: SHA-1. Should not be used in any new code, legacy compat only
9164b897	48	# @sha224: SHA-224. (since 2.7)
d84b79d3	49	# @sha256: SHA-256. Current recommended strong hash.
9164b897 DB	50	# @sha384: SHA-384. (since 2.7)
	51	# @sha512: SHA-512. (since 2.7)
	52	# @ripemd160: RIPEMD-160. (since 2.7)
d84b79d3 DB	53	# Since: 2.6
	54	##
	55	{ 'enum': 'QCryptoHashAlgorithm',
	56	'prefix': 'QCRYPTO_HASH_ALG',
9164b897	57	'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']}
d8c02bcc DB	58
	59
	60	##
c5927e7a	61	# @QCryptoCipherAlgorithm:
d8c02bcc DB	62	#
	63	# The supported algorithms for content encryption ciphers
	64	#
	65	# @aes-128: AES with 128 bit / 16 byte keys
	66	# @aes-192: AES with 192 bit / 24 byte keys
	67	# @aes-256: AES with 256 bit / 32 byte keys
	68	# @des-rfb: RFB specific variant of single DES. Do not use except in VNC.
ffb7bf45	69	# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9)
084a85ee	70	# @cast5-128: Cast5 with 128 bit / 16 byte keys
94318522 DB	71	# @serpent-128: Serpent with 128 bit / 16 byte keys
	72	# @serpent-192: Serpent with 192 bit / 24 byte keys
	73	# @serpent-256: Serpent with 256 bit / 32 byte keys
50f6753e DB	74	# @twofish-128: Twofish with 128 bit / 16 byte keys
	75	# @twofish-192: Twofish with 192 bit / 24 byte keys
	76	# @twofish-256: Twofish with 256 bit / 32 byte keys
d8c02bcc DB	77	# Since: 2.6
	78	##
	79	{ 'enum': 'QCryptoCipherAlgorithm',
	80	'prefix': 'QCRYPTO_CIPHER_ALG',
084a85ee	81	'data': ['aes-128', 'aes-192', 'aes-256',
ffb7bf45	82	'des-rfb', '3des',
94318522	83	'cast5-128',
50f6753e DB	84	'serpent-128', 'serpent-192', 'serpent-256',
50f6753e DB	85	'twofish-128', 'twofish-192', 'twofish-256']}
d8c02bcc DB	86
	87
	88	##
c5927e7a	89	# @QCryptoCipherMode:
d8c02bcc DB	90	#
	91	# The supported modes for content encryption ciphers
	92	#
	93	# @ecb: Electronic Code Book
	94	# @cbc: Cipher Block Chaining
eaec903c	95	# @xts: XEX with tweaked code book and ciphertext stealing
3c28292f	96	# @ctr: Counter (Since 2.8)
d8c02bcc DB	97	# Since: 2.6
	98	##
	99	{ 'enum': 'QCryptoCipherMode',
	100	'prefix': 'QCRYPTO_CIPHER_MODE',
3c28292f	101	'data': ['ecb', 'cbc', 'xts', 'ctr']}
cb730894 DB	102
	103
	104	##
c5927e7a	105	# @QCryptoIVGenAlgorithm:
cb730894 DB	106	#
	107	# The supported algorithms for generating initialization
	108	# vectors for full disk encryption. The 'plain' generator
	109	# should not be used for disks with sector numbers larger
	110	# than 2^32, except where compatibility with pre-existing
	111	# Linux dm-crypt volumes is required.
	112	#
	113	# @plain: 64-bit sector number truncated to 32-bits
	114	# @plain64: 64-bit sector number
	115	# @essiv: 64-bit sector number encrypted with a hash of the encryption key
	116	# Since: 2.6
	117	##
	118	{ 'enum': 'QCryptoIVGenAlgorithm',
	119	'prefix': 'QCRYPTO_IVGEN_ALG',
	120	'data': ['plain', 'plain64', 'essiv']}
7d969014 DB	121
7d969014 DB	122	##
c5927e7a	123	# @QCryptoBlockFormat:
7d969014 DB	124	#
	125	# The supported full disk encryption formats
	126	#
	127	# @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only
	128	# for liberating data from old images.
3e308f20	129	# @luks: LUKS encryption format. Recommended for new images
7d969014 DB	130	#
	131	# Since: 2.6
	132	##
	133	{ 'enum': 'QCryptoBlockFormat',
	134	# 'prefix': 'QCRYPTO_BLOCK_FORMAT',
3e308f20	135	'data': ['qcow', 'luks']}
7d969014 DB	136
7d969014 DB	137	##
c5927e7a	138	# @QCryptoBlockOptionsBase:
7d969014 DB	139	#
	140	# The common options that apply to all full disk
	141	# encryption formats
	142	#
	143	# @format: the encryption format
	144	#
	145	# Since: 2.6
	146	##
	147	{ 'struct': 'QCryptoBlockOptionsBase',
	148	'data': { 'format': 'QCryptoBlockFormat' }}
	149
	150	##
c5927e7a	151	# @QCryptoBlockOptionsQCow:
7d969014 DB	152	#
	153	# The options that apply to QCow/QCow2 AES-CBC encryption format
	154	#
1d8bda12	155	# @key-secret: the ID of a QCryptoSecret object providing the
7d969014 DB	156	# decryption key. Mandatory except when probing image for
	157	# metadata only.
	158	#
	159	# Since: 2.6
	160	##
	161	{ 'struct': 'QCryptoBlockOptionsQCow',
	162	'data': { '*key-secret': 'str' }}
	163
3e308f20	164	##
c5927e7a	165	# @QCryptoBlockOptionsLUKS:
3e308f20 DB	166	#
	167	# The options that apply to LUKS encryption format
	168	#
1d8bda12	169	# @key-secret: the ID of a QCryptoSecret object providing the
3e308f20 DB	170	# decryption key. Mandatory except when probing image for
	171	# metadata only.
	172	# Since: 2.6
	173	##
	174	{ 'struct': 'QCryptoBlockOptionsLUKS',
	175	'data': { '*key-secret': 'str' }}
	176
	177
	178	##
c5927e7a	179	# @QCryptoBlockCreateOptionsLUKS:
3e308f20 DB	180	#
	181	# The options that apply to LUKS encryption format initialization
	182	#
1d8bda12	183	# @cipher-alg: the cipher algorithm for data encryption
3e308f20	184	# Currently defaults to 'aes'.
1d8bda12	185	# @cipher-mode: the cipher mode for data encryption
3e308f20	186	# Currently defaults to 'cbc'
1d8bda12	187	# @ivgen-alg: the initialization vector generator
3e308f20	188	# Currently defaults to 'essiv'
1d8bda12	189	# @ivgen-hash-alg: the initialization vector generator hash
3e308f20	190	# Currently defaults to 'sha256'
1d8bda12	191	# @hash-alg: the master key hash algorithm
3e308f20	192	# Currently defaults to 'sha256'
1d8bda12	193	# @iter-time: number of milliseconds to spend in
3bd18890	194	# PBKDF passphrase processing. Currently defaults
2ab66cd5	195	# to 2000. (since 2.8)
3e308f20 DB	196	# Since: 2.6
	197	##
	198	{ 'struct': 'QCryptoBlockCreateOptionsLUKS',
	199	'base': 'QCryptoBlockOptionsLUKS',
	200	'data': { '*cipher-alg': 'QCryptoCipherAlgorithm',
	201	'*cipher-mode': 'QCryptoCipherMode',
	202	'*ivgen-alg': 'QCryptoIVGenAlgorithm',
	203	'*ivgen-hash-alg': 'QCryptoHashAlgorithm',
3bd18890 DB	204	'*hash-alg': 'QCryptoHashAlgorithm',
3bd18890 DB	205	'*iter-time': 'int'}}
3e308f20 DB	206
3e308f20 DB	207
7d969014	208	##
c5927e7a	209	# @QCryptoBlockOpenOptions:
7d969014 DB	210	#
	211	# The options that are available for all encryption formats
	212	# when opening an existing volume
	213	#
	214	# Since: 2.6
	215	##
	216	{ 'union': 'QCryptoBlockOpenOptions',
	217	'base': 'QCryptoBlockOptionsBase',
	218	'discriminator': 'format',
3e308f20 DB	219	'data': { 'qcow': 'QCryptoBlockOptionsQCow',
3e308f20 DB	220	'luks': 'QCryptoBlockOptionsLUKS' } }
7d969014 DB	221
	222
	223	##
c5927e7a	224	# @QCryptoBlockCreateOptions:
7d969014 DB	225	#
	226	# The options that are available for all encryption formats
	227	# when initializing a new volume
	228	#
	229	# Since: 2.6
	230	##
	231	{ 'union': 'QCryptoBlockCreateOptions',
	232	'base': 'QCryptoBlockOptionsBase',
	233	'discriminator': 'format',
3e308f20 DB	234	'data': { 'qcow': 'QCryptoBlockOptionsQCow',
3e308f20 DB	235	'luks': 'QCryptoBlockCreateOptionsLUKS' } }
40c85028 DB	236
	237
	238	##
c5927e7a	239	# @QCryptoBlockInfoBase:
40c85028 DB	240	#
	241	# The common information that applies to all full disk
	242	# encryption formats
	243	#
	244	# @format: the encryption format
	245	#
	246	# Since: 2.7
	247	##
	248	{ 'struct': 'QCryptoBlockInfoBase',
	249	'data': { 'format': 'QCryptoBlockFormat' }}
	250
	251
	252	##
c5927e7a	253	# @QCryptoBlockInfoLUKSSlot:
40c85028 DB	254	#
	255	# Information about the LUKS block encryption key
	256	# slot options
	257	#
	258	# @active: whether the key slot is currently in use
	259	# @key-offset: offset to the key material in bytes
1d8bda12 MA	260	# @iters: number of PBKDF2 iterations for key material
1d8bda12 MA	261	# @stripes: number of stripes for splitting key material
40c85028 DB	262	#
	263	# Since: 2.7
	264	##
	265	{ 'struct': 'QCryptoBlockInfoLUKSSlot',
	266	'data': {'active': 'bool',
	267	'*iters': 'int',
	268	'*stripes': 'int',
	269	'key-offset': 'int' } }
	270
	271
	272	##
c5927e7a	273	# @QCryptoBlockInfoLUKS:
40c85028 DB	274	#
	275	# Information about the LUKS block encryption options
	276	#
	277	# @cipher-alg: the cipher algorithm for data encryption
	278	# @cipher-mode: the cipher mode for data encryption
	279	# @ivgen-alg: the initialization vector generator
1d8bda12	280	# @ivgen-hash-alg: the initialization vector generator hash
40c85028 DB	281	# @hash-alg: the master key hash algorithm
	282	# @payload-offset: offset to the payload data in bytes
	283	# @master-key-iters: number of PBKDF2 iterations for key material
	284	# @uuid: unique identifier for the volume
	285	# @slots: information about each key slot
	286	#
	287	# Since: 2.7
	288	##
	289	{ 'struct': 'QCryptoBlockInfoLUKS',
	290	'data': {'cipher-alg': 'QCryptoCipherAlgorithm',
	291	'cipher-mode': 'QCryptoCipherMode',
	292	'ivgen-alg': 'QCryptoIVGenAlgorithm',
	293	'*ivgen-hash-alg': 'QCryptoHashAlgorithm',
	294	'hash-alg': 'QCryptoHashAlgorithm',
	295	'payload-offset': 'int',
	296	'master-key-iters': 'int',
	297	'uuid': 'str',
	298	'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }}
	299
	300	##
c5927e7a	301	# @QCryptoBlockInfoQCow:
40c85028 DB	302	#
	303	# Information about the QCow block encryption options
	304	#
	305	# Since: 2.7
	306	##
	307	{ 'struct': 'QCryptoBlockInfoQCow',
	308	'data': { }}
	309
	310
	311	##
c5927e7a	312	# @QCryptoBlockInfo:
40c85028 DB	313	#
	314	# Information about the block encryption options
	315	#
	316	# Since: 2.7
	317	##
	318	{ 'union': 'QCryptoBlockInfo',
	319	'base': 'QCryptoBlockInfoBase',
	320	'discriminator': 'format',
	321	'data': { 'qcow': 'QCryptoBlockInfoQCow',
	322	'luks': 'QCryptoBlockInfoLUKS' } }