[mirror_qemu.git] / qapi / crypto.json

# -*- Mode: Python -*-
# vim: filetype=python
#

##
# = Cryptography
##

##
# @QCryptoTLSCredsEndpoint:
#
# The type of network endpoint that will be using the credentials.
# Most types of credential require different setup / structures
# depending on whether they will be used in a server versus a client.
#
# @client: the network endpoint is acting as the client
#
# @server: the network endpoint is acting as the server
#
# Since: 2.5
##
{ 'enum': 'QCryptoTLSCredsEndpoint',
  'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT',
  'data': ['client', 'server']}

##
# @QCryptoSecretFormat:
#
# The data format that the secret is provided in
#
# @raw: raw bytes.  When encoded in JSON only valid UTF-8 sequences
#     can be used
#
# @base64: arbitrary base64 encoded binary data
#
# Since: 2.6
##
{ 'enum': 'QCryptoSecretFormat',
  'prefix': 'QCRYPTO_SECRET_FORMAT',
  'data': ['raw', 'base64']}

##
# @QCryptoHashAlgorithm:
#
# The supported algorithms for computing content digests
#
# @md5: MD5. Should not be used in any new code, legacy compat only
#
# @sha1: SHA-1. Should not be used in any new code, legacy compat only
#
# @sha224: SHA-224. (since 2.7)
#
# @sha256: SHA-256. Current recommended strong hash.
#
# @sha384: SHA-384. (since 2.7)
#
# @sha512: SHA-512. (since 2.7)
#
# @ripemd160: RIPEMD-160. (since 2.7)
#
# Since: 2.6
##
{ 'enum': 'QCryptoHashAlgorithm',
  'prefix': 'QCRYPTO_HASH_ALG',
  'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']}

##
# @QCryptoCipherAlgorithm:
#
# The supported algorithms for content encryption ciphers
#
# @aes-128: AES with 128 bit / 16 byte keys
#
# @aes-192: AES with 192 bit / 24 byte keys
#
# @aes-256: AES with 256 bit / 32 byte keys
#
# @des: DES with 56 bit / 8 byte keys.  Do not use except in VNC.
#     (since 6.1)
#
# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9)
#
# @cast5-128: Cast5 with 128 bit / 16 byte keys
#
# @serpent-128: Serpent with 128 bit / 16 byte keys
#
# @serpent-192: Serpent with 192 bit / 24 byte keys
#
# @serpent-256: Serpent with 256 bit / 32 byte keys
#
# @twofish-128: Twofish with 128 bit / 16 byte keys
#
# @twofish-192: Twofish with 192 bit / 24 byte keys
#
# @twofish-256: Twofish with 256 bit / 32 byte keys
#
# Since: 2.6
##
{ 'enum': 'QCryptoCipherAlgorithm',
  'prefix': 'QCRYPTO_CIPHER_ALG',
  'data': ['aes-128', 'aes-192', 'aes-256',
           'des', '3des',
           'cast5-128',
           'serpent-128', 'serpent-192', 'serpent-256',
           'twofish-128', 'twofish-192', 'twofish-256']}

##
# @QCryptoCipherMode:
#
# The supported modes for content encryption ciphers
#
# @ecb: Electronic Code Book
#
# @cbc: Cipher Block Chaining
#
# @xts: XEX with tweaked code book and ciphertext stealing
#
# @ctr: Counter (Since 2.8)
#
# Since: 2.6
##
{ 'enum': 'QCryptoCipherMode',
  'prefix': 'QCRYPTO_CIPHER_MODE',
  'data': ['ecb', 'cbc', 'xts', 'ctr']}

##
# @QCryptoIVGenAlgorithm:
#
# The supported algorithms for generating initialization vectors for
# full disk encryption.  The 'plain' generator should not be used for
# disks with sector numbers larger than 2^32, except where
# compatibility with pre-existing Linux dm-crypt volumes is required.
#
# @plain: 64-bit sector number truncated to 32-bits
#
# @plain64: 64-bit sector number
#
# @essiv: 64-bit sector number encrypted with a hash of the encryption
#     key
#
# Since: 2.6
##
{ 'enum': 'QCryptoIVGenAlgorithm',
  'prefix': 'QCRYPTO_IVGEN_ALG',
  'data': ['plain', 'plain64', 'essiv']}

##
# @QCryptoBlockFormat:
#
# The supported full disk encryption formats
#
# @qcow: QCow/QCow2 built-in AES-CBC encryption.  Use only for
#     liberating data from old images.
#
# @luks: LUKS encryption format.  Recommended for new images
#
# Since: 2.6
##
{ 'enum': 'QCryptoBlockFormat',
#  'prefix': 'QCRYPTO_BLOCK_FORMAT',
  'data': ['qcow', 'luks']}

##
# @QCryptoBlockOptionsBase:
#
# The common options that apply to all full disk encryption formats
#
# @format: the encryption format
#
# Since: 2.6
##
{ 'struct': 'QCryptoBlockOptionsBase',
  'data': { 'format': 'QCryptoBlockFormat' }}

##
# @QCryptoBlockOptionsQCow:
#
# The options that apply to QCow/QCow2 AES-CBC encryption format
#
# @key-secret: the ID of a QCryptoSecret object providing the
#     decryption key.  Mandatory except when probing image for
#     metadata only.
#
# Since: 2.6
##
{ 'struct': 'QCryptoBlockOptionsQCow',
  'data': { '*key-secret': 'str' }}

##
# @QCryptoBlockOptionsLUKS:
#
# The options that apply to LUKS encryption format
#
# @key-secret: the ID of a QCryptoSecret object providing the
#     decryption key.  Mandatory except when probing image for
#     metadata only.
#
# Since: 2.6
##
{ 'struct': 'QCryptoBlockOptionsLUKS',
  'data': { '*key-secret': 'str' }}

##
# @QCryptoBlockCreateOptionsLUKS:
#
# The options that apply to LUKS encryption format initialization
#
# @cipher-alg: the cipher algorithm for data encryption Currently
#     defaults to 'aes-256'.
#
# @cipher-mode: the cipher mode for data encryption Currently defaults
#     to 'xts'
#
# @ivgen-alg: the initialization vector generator Currently defaults
#     to 'plain64'
#
# @ivgen-hash-alg: the initialization vector generator hash Currently
#     defaults to 'sha256'
#
# @hash-alg: the master key hash algorithm Currently defaults to
#     'sha256'
#
# @iter-time: number of milliseconds to spend in PBKDF passphrase
#     processing.  Currently defaults to 2000. (since 2.8)
#
# Since: 2.6
##
{ 'struct': 'QCryptoBlockCreateOptionsLUKS',
  'base': 'QCryptoBlockOptionsLUKS',
  'data': { '*cipher-alg': 'QCryptoCipherAlgorithm',
            '*cipher-mode': 'QCryptoCipherMode',
            '*ivgen-alg': 'QCryptoIVGenAlgorithm',
            '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
            '*hash-alg': 'QCryptoHashAlgorithm',
            '*iter-time': 'int'}}

##
# @QCryptoBlockOpenOptions:
#
# The options that are available for all encryption formats when
# opening an existing volume
#
# Since: 2.6
##
{ 'union': 'QCryptoBlockOpenOptions',
  'base': 'QCryptoBlockOptionsBase',
  'discriminator': 'format',
  'data': { 'qcow': 'QCryptoBlockOptionsQCow',
            'luks': 'QCryptoBlockOptionsLUKS' } }

##
# @QCryptoBlockCreateOptions:
#
# The options that are available for all encryption formats when
# initializing a new volume
#
# Since: 2.6
##
{ 'union': 'QCryptoBlockCreateOptions',
  'base': 'QCryptoBlockOptionsBase',
  'discriminator': 'format',
  'data': { 'qcow': 'QCryptoBlockOptionsQCow',
            'luks': 'QCryptoBlockCreateOptionsLUKS' } }

##
# @QCryptoBlockInfoBase:
#
# The common information that applies to all full disk encryption
# formats
#
# @format: the encryption format
#
# Since: 2.7
##
{ 'struct': 'QCryptoBlockInfoBase',
  'data': { 'format': 'QCryptoBlockFormat' }}

##
# @QCryptoBlockInfoLUKSSlot:
#
# Information about the LUKS block encryption key slot options
#
# @active: whether the key slot is currently in use
#
# @key-offset: offset to the key material in bytes
#
# @iters: number of PBKDF2 iterations for key material
#
# @stripes: number of stripes for splitting key material
#
# Since: 2.7
##
{ 'struct': 'QCryptoBlockInfoLUKSSlot',
  'data': {'active': 'bool',
           '*iters': 'int',
           '*stripes': 'int',
           'key-offset': 'int' } }

##
# @QCryptoBlockInfoLUKS:
#
# Information about the LUKS block encryption options
#
# @cipher-alg: the cipher algorithm for data encryption
#
# @cipher-mode: the cipher mode for data encryption
#
# @ivgen-alg: the initialization vector generator
#
# @ivgen-hash-alg: the initialization vector generator hash
#
# @hash-alg: the master key hash algorithm
#
# @payload-offset: offset to the payload data in bytes
#
# @master-key-iters: number of PBKDF2 iterations for key material
#
# @uuid: unique identifier for the volume
#
# @slots: information about each key slot
#
# Since: 2.7
##
{ 'struct': 'QCryptoBlockInfoLUKS',
  'data': {'cipher-alg': 'QCryptoCipherAlgorithm',
           'cipher-mode': 'QCryptoCipherMode',
           'ivgen-alg': 'QCryptoIVGenAlgorithm',
           '*ivgen-hash-alg': 'QCryptoHashAlgorithm',
           'hash-alg': 'QCryptoHashAlgorithm',
           'payload-offset': 'int',
           'master-key-iters': 'int',
           'uuid': 'str',
           'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }}

##
# @QCryptoBlockInfo:
#
# Information about the block encryption options
#
# Since: 2.7
##
{ 'union': 'QCryptoBlockInfo',
  'base': 'QCryptoBlockInfoBase',
  'discriminator': 'format',
  'data': { 'luks': 'QCryptoBlockInfoLUKS' } }

##
# @QCryptoBlockLUKSKeyslotState:
#
# Defines state of keyslots that are affected by the update
#
# @active: The slots contain the given password and marked as active
#
# @inactive: The slots are erased (contain garbage) and marked as
#     inactive
#
# Since: 5.1
##
{ 'enum': 'QCryptoBlockLUKSKeyslotState',
  'data': [ 'active', 'inactive' ] }

##
# @QCryptoBlockAmendOptionsLUKS:
#
# This struct defines the update parameters that activate/de-activate
# set of keyslots
#
# @state: the desired state of the keyslots
#
# @new-secret: The ID of a QCryptoSecret object providing the password
#     to be written into added active keyslots
#
# @old-secret: Optional (for deactivation only) If given will
#     deactivate all keyslots that match password located in
#     QCryptoSecret with this ID
#
# @iter-time: Optional (for activation only) Number of milliseconds to
#     spend in PBKDF passphrase processing for the newly activated
#     keyslot.  Currently defaults to 2000.
#
# @keyslot: Optional.  ID of the keyslot to activate/deactivate.  For
#     keyslot activation, keyslot should not be active already (this
#     is unsafe to update an active keyslot), but possible if 'force'
#     parameter is given.  If keyslot is not given, first free keyslot
#     will be written.
#
#     For keyslot deactivation, this parameter specifies the exact
#     keyslot to deactivate
#
# @secret: Optional.  The ID of a QCryptoSecret object providing the
#     password to use to retrieve current master key.  Defaults to the
#     same secret that was used to open the image
#
# Since: 5.1
##
{ 'struct': 'QCryptoBlockAmendOptionsLUKS',
  'data': { 'state': 'QCryptoBlockLUKSKeyslotState',
            '*new-secret': 'str',
            '*old-secret': 'str',
            '*keyslot': 'int',
            '*iter-time': 'int',
            '*secret': 'str' } }

##
# @QCryptoBlockAmendOptions:
#
# The options that are available for all encryption formats when
# amending encryption settings
#
# Since: 5.1
##
{ 'union': 'QCryptoBlockAmendOptions',
  'base': 'QCryptoBlockOptionsBase',
  'discriminator': 'format',
  'data': {
          'luks': 'QCryptoBlockAmendOptionsLUKS' } }

##
# @SecretCommonProperties:
#
# Properties for objects of classes derived from secret-common.
#
# @loaded: if true, the secret is loaded immediately when applying
#     this option and will probably fail when processing the next
#     option.  Don't use; only provided for compatibility.
#     (default: false)
#
# @format: the data format that the secret is provided in
#     (default: raw)
#
# @keyid: the name of another secret that should be used to decrypt
#     the provided data.  If not present, the data is assumed to be
#     unencrypted.
#
# @iv: the random initialization vector used for encryption of this
#     particular secret.  Should be a base64 encrypted string of the
#     16-byte IV. Mandatory if @keyid is given.  Ignored if @keyid is
#     absent.
#
# Features:
#
# @deprecated: Member @loaded is deprecated.  Setting true doesn't
#     make sense, and false is already the default.
#
# Since: 2.6
##
{ 'struct': 'SecretCommonProperties',
  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
            '*format': 'QCryptoSecretFormat',
            '*keyid': 'str',
            '*iv': 'str' } }

##
# @SecretProperties:
#
# Properties for secret objects.
#
# Either @data or @file must be provided, but not both.
#
# @data: the associated with the secret from
#
# @file: the filename to load the data associated with the secret from
#
# Since: 2.6
##
{ 'struct': 'SecretProperties',
  'base': 'SecretCommonProperties',
  'data': { '*data': 'str',
            '*file': 'str' } }

##
# @SecretKeyringProperties:
#
# Properties for secret_keyring objects.
#
# @serial: serial number that identifies a key to get from the kernel
#
# Since: 5.1
##
{ 'struct': 'SecretKeyringProperties',
  'base': 'SecretCommonProperties',
  'data': { 'serial': 'int32' } }

##
# @TlsCredsProperties:
#
# Properties for objects of classes derived from tls-creds.
#
# @verify-peer: if true the peer credentials will be verified once the
#     handshake is completed.  This is a no-op for anonymous
#     credentials.  (default: true)
#
# @dir: the path of the directory that contains the credential files
#
# @endpoint: whether the QEMU network backend that uses the
#     credentials will be acting as a client or as a server
#     (default: client)
#
# @priority: a gnutls priority string as described at
#     https://gnutls.org/manual/html_node/Priority-Strings.html
#
# Since: 2.5
##
{ 'struct': 'TlsCredsProperties',
  'data': { '*verify-peer': 'bool',
            '*dir': 'str',
            '*endpoint': 'QCryptoTLSCredsEndpoint',
            '*priority': 'str' } }

##
# @TlsCredsAnonProperties:
#
# Properties for tls-creds-anon objects.
#
# @loaded: if true, the credentials are loaded immediately when
#     applying this option and will ignore options that are processed
#     later.  Don't use; only provided for compatibility.
#     (default: false)
#
# Features:
#
# @deprecated: Member @loaded is deprecated.  Setting true doesn't
#     make sense, and false is already the default.
#
# Since: 2.5
##
{ 'struct': 'TlsCredsAnonProperties',
  'base': 'TlsCredsProperties',
  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } }

##
# @TlsCredsPskProperties:
#
# Properties for tls-creds-psk objects.
#
# @loaded: if true, the credentials are loaded immediately when
#     applying this option and will ignore options that are processed
#     later.  Don't use; only provided for compatibility.
#     (default: false)
#
# @username: the username which will be sent to the server.  For
#     clients only.  If absent, "qemu" is sent and the property will
#     read back as an empty string.
#
# Features:
#
# @deprecated: Member @loaded is deprecated.  Setting true doesn't
#     make sense, and false is already the default.
#
# Since: 3.0
##
{ 'struct': 'TlsCredsPskProperties',
  'base': 'TlsCredsProperties',
  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
            '*username': 'str' } }

##
# @TlsCredsX509Properties:
#
# Properties for tls-creds-x509 objects.
#
# @loaded: if true, the credentials are loaded immediately when
#     applying this option and will ignore options that are processed
#     later.  Don't use; only provided for compatibility.
#     (default: false)
#
# @sanity-check: if true, perform some sanity checks before using the
#     credentials (default: true)
#
# @passwordid: For the server-key.pem and client-key.pem files which
#     contain sensitive private keys, it is possible to use an
#     encrypted version by providing the @passwordid parameter.  This
#     provides the ID of a previously created secret object containing
#     the password for decryption.
#
# Features:
#
# @deprecated: Member @loaded is deprecated.  Setting true doesn't
#     make sense, and false is already the default.
#
# Since: 2.5
##
{ 'struct': 'TlsCredsX509Properties',
  'base': 'TlsCredsProperties',
  'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
            '*sanity-check': 'bool',
            '*passwordid': 'str' } }
##
# @QCryptoAkCipherAlgorithm:
#
# The supported algorithms for asymmetric encryption ciphers
#
# @rsa: RSA algorithm
#
# Since: 7.1
##
{ 'enum': 'QCryptoAkCipherAlgorithm',
  'prefix': 'QCRYPTO_AKCIPHER_ALG',
  'data': ['rsa']}

##
# @QCryptoAkCipherKeyType:
#
# The type of asymmetric keys.
#
# Since: 7.1
##
{ 'enum': 'QCryptoAkCipherKeyType',
  'prefix': 'QCRYPTO_AKCIPHER_KEY_TYPE',
  'data': ['public', 'private']}

##
# @QCryptoRSAPaddingAlgorithm:
#
# The padding algorithm for RSA.
#
# @raw: no padding used
#
# @pkcs1: pkcs1#v1.5
#
# Since: 7.1
##
{ 'enum': 'QCryptoRSAPaddingAlgorithm',
  'prefix': 'QCRYPTO_RSA_PADDING_ALG',
  'data': ['raw', 'pkcs1']}

##
# @QCryptoAkCipherOptionsRSA:
#
# Specific parameters for RSA algorithm.
#
# @hash-alg: QCryptoHashAlgorithm
#
# @padding-alg: QCryptoRSAPaddingAlgorithm
#
# Since: 7.1
##
{ 'struct': 'QCryptoAkCipherOptionsRSA',
  'data': { 'hash-alg':'QCryptoHashAlgorithm',
            'padding-alg': 'QCryptoRSAPaddingAlgorithm'}}

##
# @QCryptoAkCipherOptions:
#
# The options that are available for all asymmetric key algorithms
# when creating a new QCryptoAkCipher.
#
# Since: 7.1
##
{ 'union': 'QCryptoAkCipherOptions',
  'base': { 'alg': 'QCryptoAkCipherAlgorithm' },
  'discriminator': 'alg',
  'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }}
Commit	Line	Data
a090187d	1	# -- Mode: Python --
f7160f32	2	# vim: filetype=python
a090187d	3	#
d3a48372 MAL	4
d3a48372 MAL	5	##
f5cf31c5	6	# = Cryptography
d3a48372	7	##
a090187d DB	8
a090187d DB	9	##
c5927e7a	10	# @QCryptoTLSCredsEndpoint:
a090187d DB	11	#
	12	# The type of network endpoint that will be using the credentials.
	13	# Most types of credential require different setup / structures
a937b6aa	14	# depending on whether they will be used in a server versus a client.
a090187d DB	15	#
	16	# @client: the network endpoint is acting as the client
	17	#
	18	# @server: the network endpoint is acting as the server
	19	#
	20	# Since: 2.5
	21	##
	22	{ 'enum': 'QCryptoTLSCredsEndpoint',
	23	'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT',
	24	'data': ['client', 'server']}
ac1d8878	25
ac1d8878	26	##
c5927e7a	27	# @QCryptoSecretFormat:
ac1d8878 DB	28	#
	29	# The data format that the secret is provided in
	30	#
a937b6aa MA	31	# @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences
	32	# can be used
	33	#
ac1d8878	34	# @base64: arbitrary base64 encoded binary data
4ae65a52	35	#
ac1d8878 DB	36	# Since: 2.6
	37	##
	38	{ 'enum': 'QCryptoSecretFormat',
	39	'prefix': 'QCRYPTO_SECRET_FORMAT',
	40	'data': ['raw', 'base64']}
d84b79d3	41
d84b79d3	42	##
c5927e7a	43	# @QCryptoHashAlgorithm:
d84b79d3 DB	44	#
	45	# The supported algorithms for computing content digests
	46	#
	47	# @md5: MD5. Should not be used in any new code, legacy compat only
a937b6aa	48	#
d84b79d3	49	# @sha1: SHA-1. Should not be used in any new code, legacy compat only
a937b6aa	50	#
9164b897	51	# @sha224: SHA-224. (since 2.7)
a937b6aa	52	#
d84b79d3	53	# @sha256: SHA-256. Current recommended strong hash.
a937b6aa	54	#
9164b897	55	# @sha384: SHA-384. (since 2.7)
a937b6aa	56	#
9164b897	57	# @sha512: SHA-512. (since 2.7)
a937b6aa	58	#
9164b897	59	# @ripemd160: RIPEMD-160. (since 2.7)
4ae65a52	60	#
d84b79d3 DB	61	# Since: 2.6
	62	##
	63	{ 'enum': 'QCryptoHashAlgorithm',
	64	'prefix': 'QCRYPTO_HASH_ALG',
9164b897	65	'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']}
d8c02bcc	66
d8c02bcc	67	##
c5927e7a	68	# @QCryptoCipherAlgorithm:
d8c02bcc DB	69	#
	70	# The supported algorithms for content encryption ciphers
	71	#
	72	# @aes-128: AES with 128 bit / 16 byte keys
a937b6aa	73	#
d8c02bcc	74	# @aes-192: AES with 192 bit / 24 byte keys
a937b6aa	75	#
d8c02bcc	76	# @aes-256: AES with 256 bit / 32 byte keys
a937b6aa MA	77	#
	78	# @des: DES with 56 bit / 8 byte keys. Do not use except in VNC.
	79	# (since 6.1)
	80	#
ffb7bf45	81	# @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9)
a937b6aa	82	#
084a85ee	83	# @cast5-128: Cast5 with 128 bit / 16 byte keys
a937b6aa	84	#
94318522	85	# @serpent-128: Serpent with 128 bit / 16 byte keys
a937b6aa	86	#
94318522	87	# @serpent-192: Serpent with 192 bit / 24 byte keys
a937b6aa	88	#
94318522	89	# @serpent-256: Serpent with 256 bit / 32 byte keys
a937b6aa	90	#
50f6753e	91	# @twofish-128: Twofish with 128 bit / 16 byte keys
a937b6aa	92	#
50f6753e	93	# @twofish-192: Twofish with 192 bit / 24 byte keys
a937b6aa	94	#
50f6753e	95	# @twofish-256: Twofish with 256 bit / 32 byte keys
4ae65a52	96	#
d8c02bcc DB	97	# Since: 2.6
	98	##
	99	{ 'enum': 'QCryptoCipherAlgorithm',
	100	'prefix': 'QCRYPTO_CIPHER_ALG',
084a85ee	101	'data': ['aes-128', 'aes-192', 'aes-256',
83bee4b5	102	'des', '3des',
94318522	103	'cast5-128',
50f6753e DB	104	'serpent-128', 'serpent-192', 'serpent-256',
50f6753e DB	105	'twofish-128', 'twofish-192', 'twofish-256']}
d8c02bcc	106
d8c02bcc	107	##
c5927e7a	108	# @QCryptoCipherMode:
d8c02bcc DB	109	#
	110	# The supported modes for content encryption ciphers
	111	#
	112	# @ecb: Electronic Code Book
a937b6aa	113	#
d8c02bcc	114	# @cbc: Cipher Block Chaining
a937b6aa	115	#
eaec903c	116	# @xts: XEX with tweaked code book and ciphertext stealing
a937b6aa	117	#
3c28292f	118	# @ctr: Counter (Since 2.8)
4ae65a52	119	#
d8c02bcc DB	120	# Since: 2.6
	121	##
	122	{ 'enum': 'QCryptoCipherMode',
	123	'prefix': 'QCRYPTO_CIPHER_MODE',
3c28292f	124	'data': ['ecb', 'cbc', 'xts', 'ctr']}
cb730894	125
cb730894	126	##
c5927e7a	127	# @QCryptoIVGenAlgorithm:
cb730894	128	#
a937b6aa MA	129	# The supported algorithms for generating initialization vectors for
	130	# full disk encryption. The 'plain' generator should not be used for
	131	# disks with sector numbers larger than 2^32, except where
	132	# compatibility with pre-existing Linux dm-crypt volumes is required.
cb730894 DB	133	#
cb730894 DB	134	# @plain: 64-bit sector number truncated to 32-bits
a937b6aa	135	#
cb730894	136	# @plain64: 64-bit sector number
a937b6aa MA	137	#
	138	# @essiv: 64-bit sector number encrypted with a hash of the encryption
	139	# key
4ae65a52	140	#
cb730894 DB	141	# Since: 2.6
	142	##
	143	{ 'enum': 'QCryptoIVGenAlgorithm',
	144	'prefix': 'QCRYPTO_IVGEN_ALG',
	145	'data': ['plain', 'plain64', 'essiv']}
7d969014 DB	146
7d969014 DB	147	##
c5927e7a	148	# @QCryptoBlockFormat:
7d969014 DB	149	#
	150	# The supported full disk encryption formats
	151	#
a937b6aa MA	152	# @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only for
	153	# liberating data from old images.
	154	#
	155	# @luks: LUKS encryption format. Recommended for new images
7d969014 DB	156	#
	157	# Since: 2.6
	158	##
	159	{ 'enum': 'QCryptoBlockFormat',
	160	# 'prefix': 'QCRYPTO_BLOCK_FORMAT',
3e308f20	161	'data': ['qcow', 'luks']}
7d969014 DB	162
7d969014 DB	163	##
c5927e7a	164	# @QCryptoBlockOptionsBase:
7d969014	165	#
a937b6aa	166	# The common options that apply to all full disk encryption formats
7d969014 DB	167	#
	168	# @format: the encryption format
	169	#
	170	# Since: 2.6
	171	##
	172	{ 'struct': 'QCryptoBlockOptionsBase',
	173	'data': { 'format': 'QCryptoBlockFormat' }}
	174
	175	##
c5927e7a	176	# @QCryptoBlockOptionsQCow:
7d969014 DB	177	#
	178	# The options that apply to QCow/QCow2 AES-CBC encryption format
	179	#
1d8bda12	180	# @key-secret: the ID of a QCryptoSecret object providing the
a937b6aa MA	181	# decryption key. Mandatory except when probing image for
a937b6aa MA	182	# metadata only.
7d969014 DB	183	#
	184	# Since: 2.6
	185	##
	186	{ 'struct': 'QCryptoBlockOptionsQCow',
	187	'data': { '*key-secret': 'str' }}
	188
3e308f20	189	##
c5927e7a	190	# @QCryptoBlockOptionsLUKS:
3e308f20 DB	191	#
	192	# The options that apply to LUKS encryption format
	193	#
1d8bda12	194	# @key-secret: the ID of a QCryptoSecret object providing the
a937b6aa MA	195	# decryption key. Mandatory except when probing image for
a937b6aa MA	196	# metadata only.
4ae65a52	197	#
3e308f20 DB	198	# Since: 2.6
	199	##
	200	{ 'struct': 'QCryptoBlockOptionsLUKS',
	201	'data': { '*key-secret': 'str' }}
	202
3e308f20	203	##
c5927e7a	204	# @QCryptoBlockCreateOptionsLUKS:
3e308f20 DB	205	#
	206	# The options that apply to LUKS encryption format initialization
	207	#
a937b6aa MA	208	# @cipher-alg: the cipher algorithm for data encryption Currently
	209	# defaults to 'aes-256'.
	210	#
	211	# @cipher-mode: the cipher mode for data encryption Currently defaults
	212	# to 'xts'
	213	#
	214	# @ivgen-alg: the initialization vector generator Currently defaults
	215	# to 'plain64'
	216	#
	217	# @ivgen-hash-alg: the initialization vector generator hash Currently
	218	# defaults to 'sha256'
	219	#
	220	# @hash-alg: the master key hash algorithm Currently defaults to
	221	# 'sha256'
	222	#
	223	# @iter-time: number of milliseconds to spend in PBKDF passphrase
	224	# processing. Currently defaults to 2000. (since 2.8)
4ae65a52	225	#
3e308f20 DB	226	# Since: 2.6
	227	##
	228	{ 'struct': 'QCryptoBlockCreateOptionsLUKS',
	229	'base': 'QCryptoBlockOptionsLUKS',
	230	'data': { '*cipher-alg': 'QCryptoCipherAlgorithm',
	231	'*cipher-mode': 'QCryptoCipherMode',
	232	'*ivgen-alg': 'QCryptoIVGenAlgorithm',
	233	'*ivgen-hash-alg': 'QCryptoHashAlgorithm',
3bd18890 DB	234	'*hash-alg': 'QCryptoHashAlgorithm',
3bd18890 DB	235	'*iter-time': 'int'}}
3e308f20	236
7d969014	237	##
c5927e7a	238	# @QCryptoBlockOpenOptions:
7d969014	239	#
a937b6aa MA	240	# The options that are available for all encryption formats when
a937b6aa MA	241	# opening an existing volume
7d969014 DB	242	#
	243	# Since: 2.6
	244	##
	245	{ 'union': 'QCryptoBlockOpenOptions',
	246	'base': 'QCryptoBlockOptionsBase',
	247	'discriminator': 'format',
3e308f20 DB	248	'data': { 'qcow': 'QCryptoBlockOptionsQCow',
3e308f20 DB	249	'luks': 'QCryptoBlockOptionsLUKS' } }
7d969014	250
7d969014	251	##
c5927e7a	252	# @QCryptoBlockCreateOptions:
7d969014	253	#
a937b6aa MA	254	# The options that are available for all encryption formats when
a937b6aa MA	255	# initializing a new volume
7d969014 DB	256	#
	257	# Since: 2.6
	258	##
	259	{ 'union': 'QCryptoBlockCreateOptions',
	260	'base': 'QCryptoBlockOptionsBase',
	261	'discriminator': 'format',
3e308f20 DB	262	'data': { 'qcow': 'QCryptoBlockOptionsQCow',
3e308f20 DB	263	'luks': 'QCryptoBlockCreateOptionsLUKS' } }
40c85028	264
40c85028	265	##
c5927e7a	266	# @QCryptoBlockInfoBase:
40c85028	267	#
a937b6aa MA	268	# The common information that applies to all full disk encryption
a937b6aa MA	269	# formats
40c85028 DB	270	#
	271	# @format: the encryption format
	272	#
	273	# Since: 2.7
	274	##
	275	{ 'struct': 'QCryptoBlockInfoBase',
	276	'data': { 'format': 'QCryptoBlockFormat' }}
	277
40c85028	278	##
c5927e7a	279	# @QCryptoBlockInfoLUKSSlot:
40c85028	280	#
a937b6aa	281	# Information about the LUKS block encryption key slot options
40c85028 DB	282	#
40c85028 DB	283	# @active: whether the key slot is currently in use
a937b6aa	284	#
40c85028	285	# @key-offset: offset to the key material in bytes
a937b6aa	286	#
1d8bda12	287	# @iters: number of PBKDF2 iterations for key material
a937b6aa	288	#
1d8bda12	289	# @stripes: number of stripes for splitting key material
40c85028 DB	290	#
	291	# Since: 2.7
	292	##
	293	{ 'struct': 'QCryptoBlockInfoLUKSSlot',
	294	'data': {'active': 'bool',
	295	'*iters': 'int',
	296	'*stripes': 'int',
	297	'key-offset': 'int' } }
	298
40c85028	299	##
c5927e7a	300	# @QCryptoBlockInfoLUKS:
40c85028 DB	301	#
	302	# Information about the LUKS block encryption options
	303	#
	304	# @cipher-alg: the cipher algorithm for data encryption
a937b6aa	305	#
40c85028	306	# @cipher-mode: the cipher mode for data encryption
a937b6aa	307	#
40c85028	308	# @ivgen-alg: the initialization vector generator
a937b6aa	309	#
1d8bda12	310	# @ivgen-hash-alg: the initialization vector generator hash
a937b6aa	311	#
40c85028	312	# @hash-alg: the master key hash algorithm
a937b6aa	313	#
40c85028	314	# @payload-offset: offset to the payload data in bytes
a937b6aa	315	#
40c85028	316	# @master-key-iters: number of PBKDF2 iterations for key material
a937b6aa	317	#
40c85028	318	# @uuid: unique identifier for the volume
a937b6aa	319	#
40c85028 DB	320	# @slots: information about each key slot
	321	#
	322	# Since: 2.7
	323	##
	324	{ 'struct': 'QCryptoBlockInfoLUKS',
	325	'data': {'cipher-alg': 'QCryptoCipherAlgorithm',
	326	'cipher-mode': 'QCryptoCipherMode',
	327	'ivgen-alg': 'QCryptoIVGenAlgorithm',
	328	'*ivgen-hash-alg': 'QCryptoHashAlgorithm',
	329	'hash-alg': 'QCryptoHashAlgorithm',
	330	'payload-offset': 'int',
	331	'master-key-iters': 'int',
	332	'uuid': 'str',
	333	'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }}
	334
40c85028	335	##
c5927e7a	336	# @QCryptoBlockInfo:
40c85028 DB	337	#
	338	# Information about the block encryption options
	339	#
	340	# Since: 2.7
	341	##
	342	{ 'union': 'QCryptoBlockInfo',
	343	'base': 'QCryptoBlockInfoBase',
	344	'discriminator': 'format',
29cd0403	345	'data': { 'luks': 'QCryptoBlockInfoLUKS' } }
43cbd06d	346
557d2bdc ML	347	##
	348	# @QCryptoBlockLUKSKeyslotState:
	349	#
	350	# Defines state of keyslots that are affected by the update
	351	#
c0ac533b	352	# @active: The slots contain the given password and marked as active
a937b6aa MA	353	#
	354	# @inactive: The slots are erased (contain garbage) and marked as
	355	# inactive
557d2bdc ML	356	#
	357	# Since: 5.1
	358	##
	359	{ 'enum': 'QCryptoBlockLUKSKeyslotState',
	360	'data': [ 'active', 'inactive' ] }
	361
557d2bdc ML	362	##
	363	# @QCryptoBlockAmendOptionsLUKS:
	364	#
a937b6aa MA	365	# This struct defines the update parameters that activate/de-activate
a937b6aa MA	366	# set of keyslots
557d2bdc ML	367	#
	368	# @state: the desired state of the keyslots
	369	#
a937b6aa MA	370	# @new-secret: The ID of a QCryptoSecret object providing the password
a937b6aa MA	371	# to be written into added active keyslots
557d2bdc	372	#
a937b6aa MA	373	# @old-secret: Optional (for deactivation only) If given will
	374	# deactivate all keyslots that match password located in
	375	# QCryptoSecret with this ID
557d2bdc	376	#
a937b6aa MA	377	# @iter-time: Optional (for activation only) Number of milliseconds to
	378	# spend in PBKDF passphrase processing for the newly activated
	379	# keyslot. Currently defaults to 2000.
557d2bdc	380	#
a937b6aa MA	381	# @keyslot: Optional. ID of the keyslot to activate/deactivate. For
	382	# keyslot activation, keyslot should not be active already (this
	383	# is unsafe to update an active keyslot), but possible if 'force'
	384	# parameter is given. If keyslot is not given, first free keyslot
	385	# will be written.
557d2bdc	386	#
a937b6aa MA	387	# For keyslot deactivation, this parameter specifies the exact
a937b6aa MA	388	# keyslot to deactivate
557d2bdc	389	#
a937b6aa MA	390	# @secret: Optional. The ID of a QCryptoSecret object providing the
	391	# password to use to retrieve current master key. Defaults to the
	392	# same secret that was used to open the image
557d2bdc	393	#
433a4fdc	394	# Since: 5.1
557d2bdc ML	395	##
	396	{ 'struct': 'QCryptoBlockAmendOptionsLUKS',
	397	'data': { 'state': 'QCryptoBlockLUKSKeyslotState',
	398	'*new-secret': 'str',
	399	'*old-secret': 'str',
	400	'*keyslot': 'int',
	401	'*iter-time': 'int',
	402	'*secret': 'str' } }
43cbd06d ML	403
	404	##
	405	# @QCryptoBlockAmendOptions:
	406	#
a937b6aa MA	407	# The options that are available for all encryption formats when
a937b6aa MA	408	# amending encryption settings
43cbd06d ML	409	#
	410	# Since: 5.1
	411	##
	412	{ 'union': 'QCryptoBlockAmendOptions',
	413	'base': 'QCryptoBlockOptionsBase',
	414	'discriminator': 'format',
	415	'data': {
557d2bdc	416	'luks': 'QCryptoBlockAmendOptionsLUKS' } }
39c4c27d KW	417
	418	##
	419	# @SecretCommonProperties:
	420	#
	421	# Properties for objects of classes derived from secret-common.
	422	#
a937b6aa MA	423	# @loaded: if true, the secret is loaded immediately when applying
	424	# this option and will probably fail when processing the next
	425	# option. Don't use; only provided for compatibility.
	426	# (default: false)
39c4c27d	427	#
a937b6aa MA	428	# @format: the data format that the secret is provided in
a937b6aa MA	429	# (default: raw)
39c4c27d	430	#
a937b6aa MA	431	# @keyid: the name of another secret that should be used to decrypt
	432	# the provided data. If not present, the data is assumed to be
	433	# unencrypted.
39c4c27d	434	#
a937b6aa MA	435	# @iv: the random initialization vector used for encryption of this
	436	# particular secret. Should be a base64 encrypted string of the
	437	# 16-byte IV. Mandatory if @keyid is given. Ignored if @keyid is
	438	# absent.
39c4c27d KW	439	#
39c4c27d KW	440	# Features:
a937b6aa MA	441	#
	442	# @deprecated: Member @loaded is deprecated. Setting true doesn't
	443	# make sense, and false is already the default.
39c4c27d KW	444	#
	445	# Since: 2.6
	446	##
	447	{ 'struct': 'SecretCommonProperties',
	448	'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
	449	'*format': 'QCryptoSecretFormat',
	450	'*keyid': 'str',
	451	'*iv': 'str' } }
	452
	453	##
	454	# @SecretProperties:
	455	#
	456	# Properties for secret objects.
	457	#
	458	# Either @data or @file must be provided, but not both.
	459	#
	460	# @data: the associated with the secret from
	461	#
	462	# @file: the filename to load the data associated with the secret from
	463	#
	464	# Since: 2.6
	465	##
	466	{ 'struct': 'SecretProperties',
	467	'base': 'SecretCommonProperties',
	468	'data': { '*data': 'str',
	469	'*file': 'str' } }
	470
	471	##
	472	# @SecretKeyringProperties:
	473	#
	474	# Properties for secret_keyring objects.
	475	#
	476	# @serial: serial number that identifies a key to get from the kernel
	477	#
	478	# Since: 5.1
	479	##
	480	{ 'struct': 'SecretKeyringProperties',
	481	'base': 'SecretCommonProperties',
	482	'data': { 'serial': 'int32' } }
d09e4937 KW	483
	484	##
	485	# @TlsCredsProperties:
	486	#
	487	# Properties for objects of classes derived from tls-creds.
	488	#
	489	# @verify-peer: if true the peer credentials will be verified once the
a937b6aa MA	490	# handshake is completed. This is a no-op for anonymous
a937b6aa MA	491	# credentials. (default: true)
d09e4937 KW	492	#
	493	# @dir: the path of the directory that contains the credential files
	494	#
a937b6aa MA	495	# @endpoint: whether the QEMU network backend that uses the
	496	# credentials will be acting as a client or as a server
	497	# (default: client)
d09e4937 KW	498	#
d09e4937 KW	499	# @priority: a gnutls priority string as described at
a937b6aa	500	# https://gnutls.org/manual/html_node/Priority-Strings.html
d09e4937 KW	501	#
	502	# Since: 2.5
	503	##
	504	{ 'struct': 'TlsCredsProperties',
	505	'data': { '*verify-peer': 'bool',
	506	'*dir': 'str',
	507	'*endpoint': 'QCryptoTLSCredsEndpoint',
	508	'*priority': 'str' } }
	509
	510	##
	511	# @TlsCredsAnonProperties:
	512	#
	513	# Properties for tls-creds-anon objects.
	514	#
a937b6aa MA	515	# @loaded: if true, the credentials are loaded immediately when
	516	# applying this option and will ignore options that are processed
	517	# later. Don't use; only provided for compatibility.
	518	# (default: false)
d09e4937 KW	519	#
d09e4937 KW	520	# Features:
a937b6aa MA	521	#
	522	# @deprecated: Member @loaded is deprecated. Setting true doesn't
	523	# make sense, and false is already the default.
d09e4937 KW	524	#
	525	# Since: 2.5
	526	##
	527	{ 'struct': 'TlsCredsAnonProperties',
	528	'base': 'TlsCredsProperties',
	529	'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } }
	530
	531	##
	532	# @TlsCredsPskProperties:
	533	#
	534	# Properties for tls-creds-psk objects.
	535	#
a937b6aa MA	536	# @loaded: if true, the credentials are loaded immediately when
	537	# applying this option and will ignore options that are processed
	538	# later. Don't use; only provided for compatibility.
	539	# (default: false)
d09e4937	540	#
a937b6aa MA	541	# @username: the username which will be sent to the server. For
	542	# clients only. If absent, "qemu" is sent and the property will
	543	# read back as an empty string.
d09e4937 KW	544	#
d09e4937 KW	545	# Features:
a937b6aa MA	546	#
	547	# @deprecated: Member @loaded is deprecated. Setting true doesn't
	548	# make sense, and false is already the default.
d09e4937 KW	549	#
	550	# Since: 3.0
	551	##
	552	{ 'struct': 'TlsCredsPskProperties',
	553	'base': 'TlsCredsProperties',
	554	'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
	555	'*username': 'str' } }
	556
	557	##
	558	# @TlsCredsX509Properties:
	559	#
	560	# Properties for tls-creds-x509 objects.
	561	#
a937b6aa MA	562	# @loaded: if true, the credentials are loaded immediately when
	563	# applying this option and will ignore options that are processed
	564	# later. Don't use; only provided for compatibility.
	565	# (default: false)
d09e4937 KW	566	#
d09e4937 KW	567	# @sanity-check: if true, perform some sanity checks before using the
a937b6aa	568	# credentials (default: true)
d09e4937	569	#
a937b6aa MA	570	# @passwordid: For the server-key.pem and client-key.pem files which
	571	# contain sensitive private keys, it is possible to use an
	572	# encrypted version by providing the @passwordid parameter. This
	573	# provides the ID of a previously created secret object containing
	574	# the password for decryption.
d09e4937 KW	575	#
d09e4937 KW	576	# Features:
a937b6aa MA	577	#
	578	# @deprecated: Member @loaded is deprecated. Setting true doesn't
	579	# make sense, and false is already the default.
d09e4937 KW	580	#
	581	# Since: 2.5
	582	##
	583	{ 'struct': 'TlsCredsX509Properties',
	584	'base': 'TlsCredsProperties',
	585	'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] },
	586	'*sanity-check': 'bool',
	587	'*passwordid': 'str' } }
daa55f3e LH	588	##
	589	# @QCryptoAkCipherAlgorithm:
	590	#
	591	# The supported algorithms for asymmetric encryption ciphers
	592	#
	593	# @rsa: RSA algorithm
	594	#
	595	# Since: 7.1
	596	##
	597	{ 'enum': 'QCryptoAkCipherAlgorithm',
	598	'prefix': 'QCRYPTO_AKCIPHER_ALG',
	599	'data': ['rsa']}
	600
	601	##
	602	# @QCryptoAkCipherKeyType:
	603	#
	604	# The type of asymmetric keys.
	605	#
	606	# Since: 7.1
	607	##
	608	{ 'enum': 'QCryptoAkCipherKeyType',
	609	'prefix': 'QCRYPTO_AKCIPHER_KEY_TYPE',
	610	'data': ['public', 'private']}
	611
	612	##
	613	# @QCryptoRSAPaddingAlgorithm:
	614	#
	615	# The padding algorithm for RSA.
	616	#
	617	# @raw: no padding used
a937b6aa	618	#
daa55f3e LH	619	# @pkcs1: pkcs1#v1.5
	620	#
	621	# Since: 7.1
	622	##
	623	{ 'enum': 'QCryptoRSAPaddingAlgorithm',
	624	'prefix': 'QCRYPTO_RSA_PADDING_ALG',
	625	'data': ['raw', 'pkcs1']}
	626
	627	##
	628	# @QCryptoAkCipherOptionsRSA:
	629	#
	630	# Specific parameters for RSA algorithm.
	631	#
	632	# @hash-alg: QCryptoHashAlgorithm
a937b6aa	633	#
daa55f3e LH	634	# @padding-alg: QCryptoRSAPaddingAlgorithm
	635	#
	636	# Since: 7.1
	637	##
	638	{ 'struct': 'QCryptoAkCipherOptionsRSA',
	639	'data': { 'hash-alg':'QCryptoHashAlgorithm',
	640	'padding-alg': 'QCryptoRSAPaddingAlgorithm'}}
	641
	642	##
	643	# @QCryptoAkCipherOptions:
	644	#
	645	# The options that are available for all asymmetric key algorithms
	646	# when creating a new QCryptoAkCipher.
	647	#
	648	# Since: 7.1
	649	##
	650	{ 'union': 'QCryptoAkCipherOptions',
	651	'base': { 'alg': 'QCryptoAkCipherAlgorithm' },
	652	'discriminator': 'alg',
	653	'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }}