qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] blobstore disk format (was Re: Design of the blobstore)

From: Stefan Berger
Subject: Re: [Qemu-devel] blobstore disk format (was Re: Design of the blobstore)
Date: Wed, 28 Sep 2011 11:48:19 -0400
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110621 Fedora/3.1.11-1.fc14 Lightning/1.0b3pre Thunderbird/3.1.11 
On 09/22/2011 02:37 AM, Michael S. Tsirkin wrote:

On Wed, Sep 21, 2011 at 09:44:37PM -0400, Stefan Berger wrote:

On 09/19/2011 03:04 PM, Michael S. Tsirkin wrote:

On Mon, Sep 19, 2011 at 12:22:02PM -0400, Stefan Berger wrote:

On 09/17/2011 03:28 PM, Michael S. Tsirkin wrote:

On Fri, Sep 16, 2011 at 12:46:40PM -0400, Stefan Berger wrote:

The checksuming I think makes sense if encryption is being added so
decryption and testing for proper key material remains an NVRAM
operation rather than a device operation.

Not sure how this addresses the question of what to do
on checksum failure.


Checksum failure on an unencrypted blob would mean that the blob is
corrupted. In case of encryption 'corrupted' would overlap with a
'badly decrypted' blob. In either way the startup of the device
cannot happen.

With corruption - why not? A specific block being corrupted does not mean all
data is lost.
Presumably if you feed bad data into a device it either has its own way of integrity checking the blob (we actually do this for the TPM) or it will blow up/show wrong behavior at some point - hopefully sooner rather than later. Though the detection of bad data *can* be an NVRAM operation rather than the operation of a device using the data stored in the NVRAM. 
We could refuse the NVRAM key suggesting that likely
this is the wrong key for decryption but corruption is also
possible.

I'm guessing that if we find a correct ber structure in the file, this
most likely means the key is correct.
[I still would add at least a CRC32 (or maybe even a SHA1) for detection of corruption of the ASN.1 encoded blob without having to hunt the data through a ASN.1 decoder.]
If we now say that data should be encryptable even if QCoW2 wasn't used, then is a command line option 

-nvram id=<driveid>,key=<hex key>,...

something we should support to make the key applicable to the whole NVRAM?

     Stefan
reply via email to
[Prev in Thread] Current Thread [Next in Thread]