Re: [Qemu-devel] blobstore disk format (was Re: Design of the blobstore)

[Stefan Berger]

On 09/28/2011 11:50 AM, Daniel P. Berrange wrote:
> On Wed, Sep 28, 2011 at 11:48:19AM -0400, Stefan Berger wrote:
> > On 09/22/2011 02:37 AM, Michael S. Tsirkin wrote:
> > > I'm guessing that if we find a correct ber structure in the file, this
> > > most likely means the key is correct.
> > [I still would add at least a CRC32 (or maybe even a SHA1) for
> > detection of corruption of the ASN.1 encoded blob without having to
> > hunt the data through a ASN.1 decoder.]
> >
> > If we now say that data should be encryptable even if QCoW2 wasn't
> > used, then is a command line option
> >
> > -nvram id=<driveid>,key=<hex key>,...
> >
> > something we should support to make the key applicable to the whole NVRAM?
> Try to avoid requiring secret keys to be set on the command line...
> At least allow setting them via a monitor command
Hm, this brings me back to the previous problem of the ordering of 
things that ended up being problematic:

In the case of encrypted QCoW2 the monitor queries for the password when 
the use types 'c' for continue. That happens *after* device's 'init' 
function was called and also *after* their 'reset' handler was invoked, 
so not being able to decrypt encrypted state blobs and not being able to 
feed devices with their persistent state even until the 'reset' handler 
was invoked. The password comes quite late.

The monitor reacts to key typing, which in turn is handled in the 
main_loop() in vl.c.

So, the solution could be that each NVRAM client also registers its 
reset handler (along with the DeviceState pointer). Each NVRAM client 
would have to be written in such a way that it ignores previous failed 
attempts to read its state due to the key coming so late and once the 
NVRAM has the key it invokes the reset handlers again, which now trigger 
the reading of the state in the NVRAM that now can be decrypted.  Does 
this sound 'sane' or more like a 'hack' ?

   Stefan

> Daniel