| # -*- Mode: Python -*- |
| # vim: filetype=python |
| # |
| |
| ## |
| # = Cryptography |
| ## |
| |
| ## |
| # @QCryptoTLSCredsEndpoint: |
| # |
| # The type of network endpoint that will be using the credentials. |
| # Most types of credential require different setup / structures |
| # depending on whether they will be used in a server versus a |
| # client. |
| # |
| # @client: the network endpoint is acting as the client |
| # |
| # @server: the network endpoint is acting as the server |
| # |
| # Since: 2.5 |
| ## |
| { 'enum': 'QCryptoTLSCredsEndpoint', |
| 'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT', |
| 'data': ['client', 'server']} |
| |
| |
| ## |
| # @QCryptoSecretFormat: |
| # |
| # The data format that the secret is provided in |
| # |
| # @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences can be used |
| # @base64: arbitrary base64 encoded binary data |
| # Since: 2.6 |
| ## |
| { 'enum': 'QCryptoSecretFormat', |
| 'prefix': 'QCRYPTO_SECRET_FORMAT', |
| 'data': ['raw', 'base64']} |
| |
| |
| ## |
| # @QCryptoHashAlgorithm: |
| # |
| # The supported algorithms for computing content digests |
| # |
| # @md5: MD5. Should not be used in any new code, legacy compat only |
| # @sha1: SHA-1. Should not be used in any new code, legacy compat only |
| # @sha224: SHA-224. (since 2.7) |
| # @sha256: SHA-256. Current recommended strong hash. |
| # @sha384: SHA-384. (since 2.7) |
| # @sha512: SHA-512. (since 2.7) |
| # @ripemd160: RIPEMD-160. (since 2.7) |
| # Since: 2.6 |
| ## |
| { 'enum': 'QCryptoHashAlgorithm', |
| 'prefix': 'QCRYPTO_HASH_ALG', |
| 'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']} |
| |
| |
| ## |
| # @QCryptoCipherAlgorithm: |
| # |
| # The supported algorithms for content encryption ciphers |
| # |
| # @aes-128: AES with 128 bit / 16 byte keys |
| # @aes-192: AES with 192 bit / 24 byte keys |
| # @aes-256: AES with 256 bit / 32 byte keys |
| # @des-rfb: RFB specific variant of single DES. Do not use except in VNC. |
| # @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9) |
| # @cast5-128: Cast5 with 128 bit / 16 byte keys |
| # @serpent-128: Serpent with 128 bit / 16 byte keys |
| # @serpent-192: Serpent with 192 bit / 24 byte keys |
| # @serpent-256: Serpent with 256 bit / 32 byte keys |
| # @twofish-128: Twofish with 128 bit / 16 byte keys |
| # @twofish-192: Twofish with 192 bit / 24 byte keys |
| # @twofish-256: Twofish with 256 bit / 32 byte keys |
| # Since: 2.6 |
| ## |
| { 'enum': 'QCryptoCipherAlgorithm', |
| 'prefix': 'QCRYPTO_CIPHER_ALG', |
| 'data': ['aes-128', 'aes-192', 'aes-256', |
| 'des-rfb', '3des', |
| 'cast5-128', |
| 'serpent-128', 'serpent-192', 'serpent-256', |
| 'twofish-128', 'twofish-192', 'twofish-256']} |
| |
| |
| ## |
| # @QCryptoCipherMode: |
| # |
| # The supported modes for content encryption ciphers |
| # |
| # @ecb: Electronic Code Book |
| # @cbc: Cipher Block Chaining |
| # @xts: XEX with tweaked code book and ciphertext stealing |
| # @ctr: Counter (Since 2.8) |
| # Since: 2.6 |
| ## |
| { 'enum': 'QCryptoCipherMode', |
| 'prefix': 'QCRYPTO_CIPHER_MODE', |
| 'data': ['ecb', 'cbc', 'xts', 'ctr']} |
| |
| |
| ## |
| # @QCryptoIVGenAlgorithm: |
| # |
| # The supported algorithms for generating initialization |
| # vectors for full disk encryption. The 'plain' generator |
| # should not be used for disks with sector numbers larger |
| # than 2^32, except where compatibility with pre-existing |
| # Linux dm-crypt volumes is required. |
| # |
| # @plain: 64-bit sector number truncated to 32-bits |
| # @plain64: 64-bit sector number |
| # @essiv: 64-bit sector number encrypted with a hash of the encryption key |
| # Since: 2.6 |
| ## |
| { 'enum': 'QCryptoIVGenAlgorithm', |
| 'prefix': 'QCRYPTO_IVGEN_ALG', |
| 'data': ['plain', 'plain64', 'essiv']} |
| |
| ## |
| # @QCryptoBlockFormat: |
| # |
| # The supported full disk encryption formats |
| # |
| # @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only |
| # for liberating data from old images. |
| # @luks: LUKS encryption format. Recommended for new images |
| # |
| # Since: 2.6 |
| ## |
| { 'enum': 'QCryptoBlockFormat', |
| # 'prefix': 'QCRYPTO_BLOCK_FORMAT', |
| 'data': ['qcow', 'luks']} |
| |
| ## |
| # @QCryptoBlockOptionsBase: |
| # |
| # The common options that apply to all full disk |
| # encryption formats |
| # |
| # @format: the encryption format |
| # |
| # Since: 2.6 |
| ## |
| { 'struct': 'QCryptoBlockOptionsBase', |
| 'data': { 'format': 'QCryptoBlockFormat' }} |
| |
| ## |
| # @QCryptoBlockOptionsQCow: |
| # |
| # The options that apply to QCow/QCow2 AES-CBC encryption format |
| # |
| # @key-secret: the ID of a QCryptoSecret object providing the |
| # decryption key. Mandatory except when probing image for |
| # metadata only. |
| # |
| # Since: 2.6 |
| ## |
| { 'struct': 'QCryptoBlockOptionsQCow', |
| 'data': { '*key-secret': 'str' }} |
| |
| ## |
| # @QCryptoBlockOptionsLUKS: |
| # |
| # The options that apply to LUKS encryption format |
| # |
| # @key-secret: the ID of a QCryptoSecret object providing the |
| # decryption key. Mandatory except when probing image for |
| # metadata only. |
| # Since: 2.6 |
| ## |
| { 'struct': 'QCryptoBlockOptionsLUKS', |
| 'data': { '*key-secret': 'str' }} |
| |
| |
| ## |
| # @QCryptoBlockCreateOptionsLUKS: |
| # |
| # The options that apply to LUKS encryption format initialization |
| # |
| # @cipher-alg: the cipher algorithm for data encryption |
| # Currently defaults to 'aes-256'. |
| # @cipher-mode: the cipher mode for data encryption |
| # Currently defaults to 'xts' |
| # @ivgen-alg: the initialization vector generator |
| # Currently defaults to 'plain64' |
| # @ivgen-hash-alg: the initialization vector generator hash |
| # Currently defaults to 'sha256' |
| # @hash-alg: the master key hash algorithm |
| # Currently defaults to 'sha256' |
| # @iter-time: number of milliseconds to spend in |
| # PBKDF passphrase processing. Currently defaults |
| # to 2000. (since 2.8) |
| # Since: 2.6 |
| ## |
| { 'struct': 'QCryptoBlockCreateOptionsLUKS', |
| 'base': 'QCryptoBlockOptionsLUKS', |
| 'data': { '*cipher-alg': 'QCryptoCipherAlgorithm', |
| '*cipher-mode': 'QCryptoCipherMode', |
| '*ivgen-alg': 'QCryptoIVGenAlgorithm', |
| '*ivgen-hash-alg': 'QCryptoHashAlgorithm', |
| '*hash-alg': 'QCryptoHashAlgorithm', |
| '*iter-time': 'int'}} |
| |
| |
| ## |
| # @QCryptoBlockOpenOptions: |
| # |
| # The options that are available for all encryption formats |
| # when opening an existing volume |
| # |
| # Since: 2.6 |
| ## |
| { 'union': 'QCryptoBlockOpenOptions', |
| 'base': 'QCryptoBlockOptionsBase', |
| 'discriminator': 'format', |
| 'data': { 'qcow': 'QCryptoBlockOptionsQCow', |
| 'luks': 'QCryptoBlockOptionsLUKS' } } |
| |
| |
| ## |
| # @QCryptoBlockCreateOptions: |
| # |
| # The options that are available for all encryption formats |
| # when initializing a new volume |
| # |
| # Since: 2.6 |
| ## |
| { 'union': 'QCryptoBlockCreateOptions', |
| 'base': 'QCryptoBlockOptionsBase', |
| 'discriminator': 'format', |
| 'data': { 'qcow': 'QCryptoBlockOptionsQCow', |
| 'luks': 'QCryptoBlockCreateOptionsLUKS' } } |
| |
| |
| ## |
| # @QCryptoBlockInfoBase: |
| # |
| # The common information that applies to all full disk |
| # encryption formats |
| # |
| # @format: the encryption format |
| # |
| # Since: 2.7 |
| ## |
| { 'struct': 'QCryptoBlockInfoBase', |
| 'data': { 'format': 'QCryptoBlockFormat' }} |
| |
| |
| ## |
| # @QCryptoBlockInfoLUKSSlot: |
| # |
| # Information about the LUKS block encryption key |
| # slot options |
| # |
| # @active: whether the key slot is currently in use |
| # @key-offset: offset to the key material in bytes |
| # @iters: number of PBKDF2 iterations for key material |
| # @stripes: number of stripes for splitting key material |
| # |
| # Since: 2.7 |
| ## |
| { 'struct': 'QCryptoBlockInfoLUKSSlot', |
| 'data': {'active': 'bool', |
| '*iters': 'int', |
| '*stripes': 'int', |
| 'key-offset': 'int' } } |
| |
| |
| ## |
| # @QCryptoBlockInfoLUKS: |
| # |
| # Information about the LUKS block encryption options |
| # |
| # @cipher-alg: the cipher algorithm for data encryption |
| # @cipher-mode: the cipher mode for data encryption |
| # @ivgen-alg: the initialization vector generator |
| # @ivgen-hash-alg: the initialization vector generator hash |
| # @hash-alg: the master key hash algorithm |
| # @payload-offset: offset to the payload data in bytes |
| # @master-key-iters: number of PBKDF2 iterations for key material |
| # @uuid: unique identifier for the volume |
| # @slots: information about each key slot |
| # |
| # Since: 2.7 |
| ## |
| { 'struct': 'QCryptoBlockInfoLUKS', |
| 'data': {'cipher-alg': 'QCryptoCipherAlgorithm', |
| 'cipher-mode': 'QCryptoCipherMode', |
| 'ivgen-alg': 'QCryptoIVGenAlgorithm', |
| '*ivgen-hash-alg': 'QCryptoHashAlgorithm', |
| 'hash-alg': 'QCryptoHashAlgorithm', |
| 'payload-offset': 'int', |
| 'master-key-iters': 'int', |
| 'uuid': 'str', |
| 'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }} |
| |
| ## |
| # @QCryptoBlockInfo: |
| # |
| # Information about the block encryption options |
| # |
| # Since: 2.7 |
| ## |
| { 'union': 'QCryptoBlockInfo', |
| 'base': 'QCryptoBlockInfoBase', |
| 'discriminator': 'format', |
| 'data': { 'luks': 'QCryptoBlockInfoLUKS' } } |
| |
| ## |
| # @QCryptoBlockLUKSKeyslotState: |
| # |
| # Defines state of keyslots that are affected by the update |
| # |
| # @active: The slots contain the given password and marked as active |
| # @inactive: The slots are erased (contain garbage) and marked as inactive |
| # |
| # Since: 5.1 |
| ## |
| { 'enum': 'QCryptoBlockLUKSKeyslotState', |
| 'data': [ 'active', 'inactive' ] } |
| |
| |
| ## |
| # @QCryptoBlockAmendOptionsLUKS: |
| # |
| # This struct defines the update parameters that activate/de-activate set |
| # of keyslots |
| # |
| # @state: the desired state of the keyslots |
| # |
| # @new-secret: The ID of a QCryptoSecret object providing the password to be |
| # written into added active keyslots |
| # |
| # @old-secret: Optional (for deactivation only) |
| # If given will deactivate all keyslots that |
| # match password located in QCryptoSecret with this ID |
| # |
| # @iter-time: Optional (for activation only) |
| # Number of milliseconds to spend in |
| # PBKDF passphrase processing for the newly activated keyslot. |
| # Currently defaults to 2000. |
| # |
| # @keyslot: Optional. ID of the keyslot to activate/deactivate. |
| # For keyslot activation, keyslot should not be active already |
| # (this is unsafe to update an active keyslot), |
| # but possible if 'force' parameter is given. |
| # If keyslot is not given, first free keyslot will be written. |
| # |
| # For keyslot deactivation, this parameter specifies the exact |
| # keyslot to deactivate |
| # |
| # @secret: Optional. The ID of a QCryptoSecret object providing the |
| # password to use to retrieve current master key. |
| # Defaults to the same secret that was used to open the image |
| # |
| # |
| # Since 5.1 |
| ## |
| { 'struct': 'QCryptoBlockAmendOptionsLUKS', |
| 'data': { 'state': 'QCryptoBlockLUKSKeyslotState', |
| '*new-secret': 'str', |
| '*old-secret': 'str', |
| '*keyslot': 'int', |
| '*iter-time': 'int', |
| '*secret': 'str' } } |
| |
| ## |
| # @QCryptoBlockAmendOptions: |
| # |
| # The options that are available for all encryption formats |
| # when amending encryption settings |
| # |
| # Since: 5.1 |
| ## |
| { 'union': 'QCryptoBlockAmendOptions', |
| 'base': 'QCryptoBlockOptionsBase', |
| 'discriminator': 'format', |
| 'data': { |
| 'luks': 'QCryptoBlockAmendOptionsLUKS' } } |
| |
| ## |
| # @SecretCommonProperties: |
| # |
| # Properties for objects of classes derived from secret-common. |
| # |
| # @loaded: if true, the secret is loaded immediately when applying this option |
| # and will probably fail when processing the next option. Don't use; |
| # only provided for compatibility. (default: false) |
| # |
| # @format: the data format that the secret is provided in (default: raw) |
| # |
| # @keyid: the name of another secret that should be used to decrypt the |
| # provided data. If not present, the data is assumed to be unencrypted. |
| # |
| # @iv: the random initialization vector used for encryption of this particular |
| # secret. Should be a base64 encrypted string of the 16-byte IV. Mandatory |
| # if @keyid is given. Ignored if @keyid is absent. |
| # |
| # Features: |
| # @deprecated: Member @loaded is deprecated. Setting true doesn't make sense, |
| # and false is already the default. |
| # |
| # Since: 2.6 |
| ## |
| { 'struct': 'SecretCommonProperties', |
| 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, |
| '*format': 'QCryptoSecretFormat', |
| '*keyid': 'str', |
| '*iv': 'str' } } |
| |
| ## |
| # @SecretProperties: |
| # |
| # Properties for secret objects. |
| # |
| # Either @data or @file must be provided, but not both. |
| # |
| # @data: the associated with the secret from |
| # |
| # @file: the filename to load the data associated with the secret from |
| # |
| # Since: 2.6 |
| ## |
| { 'struct': 'SecretProperties', |
| 'base': 'SecretCommonProperties', |
| 'data': { '*data': 'str', |
| '*file': 'str' } } |
| |
| ## |
| # @SecretKeyringProperties: |
| # |
| # Properties for secret_keyring objects. |
| # |
| # @serial: serial number that identifies a key to get from the kernel |
| # |
| # Since: 5.1 |
| ## |
| { 'struct': 'SecretKeyringProperties', |
| 'base': 'SecretCommonProperties', |
| 'data': { 'serial': 'int32' } } |
| |
| ## |
| # @TlsCredsProperties: |
| # |
| # Properties for objects of classes derived from tls-creds. |
| # |
| # @verify-peer: if true the peer credentials will be verified once the |
| # handshake is completed. This is a no-op for anonymous |
| # credentials. (default: true) |
| # |
| # @dir: the path of the directory that contains the credential files |
| # |
| # @endpoint: whether the QEMU network backend that uses the credentials will be |
| # acting as a client or as a server (default: client) |
| # |
| # @priority: a gnutls priority string as described at |
| # https://gnutls.org/manual/html_node/Priority-Strings.html |
| # |
| # Since: 2.5 |
| ## |
| { 'struct': 'TlsCredsProperties', |
| 'data': { '*verify-peer': 'bool', |
| '*dir': 'str', |
| '*endpoint': 'QCryptoTLSCredsEndpoint', |
| '*priority': 'str' } } |
| |
| ## |
| # @TlsCredsAnonProperties: |
| # |
| # Properties for tls-creds-anon objects. |
| # |
| # @loaded: if true, the credentials are loaded immediately when applying this |
| # option and will ignore options that are processed later. Don't use; |
| # only provided for compatibility. (default: false) |
| # |
| # Features: |
| # @deprecated: Member @loaded is deprecated. Setting true doesn't make sense, |
| # and false is already the default. |
| # |
| # Since: 2.5 |
| ## |
| { 'struct': 'TlsCredsAnonProperties', |
| 'base': 'TlsCredsProperties', |
| 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } } |
| |
| ## |
| # @TlsCredsPskProperties: |
| # |
| # Properties for tls-creds-psk objects. |
| # |
| # @loaded: if true, the credentials are loaded immediately when applying this |
| # option and will ignore options that are processed later. Don't use; |
| # only provided for compatibility. (default: false) |
| # |
| # @username: the username which will be sent to the server. For clients only. |
| # If absent, "qemu" is sent and the property will read back as an |
| # empty string. |
| # |
| # Features: |
| # @deprecated: Member @loaded is deprecated. Setting true doesn't make sense, |
| # and false is already the default. |
| # |
| # Since: 3.0 |
| ## |
| { 'struct': 'TlsCredsPskProperties', |
| 'base': 'TlsCredsProperties', |
| 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, |
| '*username': 'str' } } |
| |
| ## |
| # @TlsCredsX509Properties: |
| # |
| # Properties for tls-creds-x509 objects. |
| # |
| # @loaded: if true, the credentials are loaded immediately when applying this |
| # option and will ignore options that are processed later. Don't use; |
| # only provided for compatibility. (default: false) |
| # |
| # @sanity-check: if true, perform some sanity checks before using the |
| # credentials (default: true) |
| # |
| # @passwordid: For the server-key.pem and client-key.pem files which contain |
| # sensitive private keys, it is possible to use an encrypted |
| # version by providing the @passwordid parameter. This provides |
| # the ID of a previously created secret object containing the |
| # password for decryption. |
| # |
| # Features: |
| # @deprecated: Member @loaded is deprecated. Setting true doesn't make sense, |
| # and false is already the default. |
| # |
| # Since: 2.5 |
| ## |
| { 'struct': 'TlsCredsX509Properties', |
| 'base': 'TlsCredsProperties', |
| 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, |
| '*sanity-check': 'bool', |
| '*passwordid': 'str' } } |