| # -*- Mode: Python -*- |
| # vim: filetype=python |
| # |
| |
| ## |
| # = Cryptography |
| ## |
| |
| ## |
| # @QCryptoTLSCredsEndpoint: |
| # |
| # The type of network endpoint that will be using the credentials. |
| # Most types of credential require different setup / structures |
| # depending on whether they will be used in a server versus a client. |
| # |
| # @client: the network endpoint is acting as the client |
| # |
| # @server: the network endpoint is acting as the server |
| # |
| # Since: 2.5 |
| ## |
| { 'enum': 'QCryptoTLSCredsEndpoint', |
| 'data': ['client', 'server']} |
| |
| ## |
| # @QCryptoSecretFormat: |
| # |
| # The data format that the secret is provided in |
| # |
| # @raw: raw bytes. When encoded in JSON only valid UTF-8 sequences |
| # can be used |
| # |
| # @base64: arbitrary base64 encoded binary data |
| # |
| # Since: 2.6 |
| ## |
| { 'enum': 'QCryptoSecretFormat', |
| 'data': ['raw', 'base64']} |
| |
| ## |
| # @QCryptoHashAlgo: |
| # |
| # The supported algorithms for computing content digests |
| # |
| # @md5: MD5. Should not be used in any new code, legacy compat only |
| # |
| # @sha1: SHA-1. Should not be used in any new code, legacy compat only |
| # |
| # @sha224: SHA-224. (since 2.7) |
| # |
| # @sha256: SHA-256. Current recommended strong hash. |
| # |
| # @sha384: SHA-384. (since 2.7) |
| # |
| # @sha512: SHA-512. (since 2.7) |
| # |
| # @ripemd160: RIPEMD-160. (since 2.7) |
| # |
| # Since: 2.6 |
| ## |
| { 'enum': 'QCryptoHashAlgo', |
| 'data': ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'ripemd160']} |
| |
| ## |
| # @QCryptoCipherAlgorithm: |
| # |
| # The supported algorithms for content encryption ciphers |
| # |
| # @aes-128: AES with 128 bit / 16 byte keys |
| # |
| # @aes-192: AES with 192 bit / 24 byte keys |
| # |
| # @aes-256: AES with 256 bit / 32 byte keys |
| # |
| # @des: DES with 56 bit / 8 byte keys. Do not use except in VNC. |
| # (since 6.1) |
| # |
| # @3des: 3DES(EDE) with 192 bit / 24 byte keys (since 2.9) |
| # |
| # @cast5-128: Cast5 with 128 bit / 16 byte keys |
| # |
| # @serpent-128: Serpent with 128 bit / 16 byte keys |
| # |
| # @serpent-192: Serpent with 192 bit / 24 byte keys |
| # |
| # @serpent-256: Serpent with 256 bit / 32 byte keys |
| # |
| # @twofish-128: Twofish with 128 bit / 16 byte keys |
| # |
| # @twofish-192: Twofish with 192 bit / 24 byte keys |
| # |
| # @twofish-256: Twofish with 256 bit / 32 byte keys |
| # |
| # @sm4: SM4 with 128 bit / 16 byte keys (since 9.0) |
| # |
| # Since: 2.6 |
| ## |
| { 'enum': 'QCryptoCipherAlgorithm', |
| 'prefix': 'QCRYPTO_CIPHER_ALG', |
| 'data': ['aes-128', 'aes-192', 'aes-256', |
| 'des', '3des', |
| 'cast5-128', |
| 'serpent-128', 'serpent-192', 'serpent-256', |
| 'twofish-128', 'twofish-192', 'twofish-256', |
| 'sm4']} |
| |
| ## |
| # @QCryptoCipherMode: |
| # |
| # The supported modes for content encryption ciphers |
| # |
| # @ecb: Electronic Code Book |
| # |
| # @cbc: Cipher Block Chaining |
| # |
| # @xts: XEX with tweaked code book and ciphertext stealing |
| # |
| # @ctr: Counter (Since 2.8) |
| # |
| # Since: 2.6 |
| ## |
| { 'enum': 'QCryptoCipherMode', |
| 'data': ['ecb', 'cbc', 'xts', 'ctr']} |
| |
| ## |
| # @QCryptoIVGenAlgorithm: |
| # |
| # The supported algorithms for generating initialization vectors for |
| # full disk encryption. The 'plain' generator should not be used for |
| # disks with sector numbers larger than 2^32, except where |
| # compatibility with pre-existing Linux dm-crypt volumes is required. |
| # |
| # @plain: 64-bit sector number truncated to 32-bits |
| # |
| # @plain64: 64-bit sector number |
| # |
| # @essiv: 64-bit sector number encrypted with a hash of the encryption |
| # key |
| # |
| # Since: 2.6 |
| ## |
| { 'enum': 'QCryptoIVGenAlgorithm', |
| 'prefix': 'QCRYPTO_IVGEN_ALG', |
| 'data': ['plain', 'plain64', 'essiv']} |
| |
| ## |
| # @QCryptoBlockFormat: |
| # |
| # The supported full disk encryption formats |
| # |
| # @qcow: QCow/QCow2 built-in AES-CBC encryption. Use only for |
| # liberating data from old images. |
| # |
| # @luks: LUKS encryption format. Recommended for new images |
| # |
| # Since: 2.6 |
| ## |
| { 'enum': 'QCryptoBlockFormat', |
| 'data': ['qcow', 'luks']} |
| |
| ## |
| # @QCryptoBlockOptionsBase: |
| # |
| # The common options that apply to all full disk encryption formats |
| # |
| # @format: the encryption format |
| # |
| # Since: 2.6 |
| ## |
| { 'struct': 'QCryptoBlockOptionsBase', |
| 'data': { 'format': 'QCryptoBlockFormat' }} |
| |
| ## |
| # @QCryptoBlockOptionsQCow: |
| # |
| # The options that apply to QCow/QCow2 AES-CBC encryption format |
| # |
| # @key-secret: the ID of a QCryptoSecret object providing the |
| # decryption key. Mandatory except when probing image for |
| # metadata only. |
| # |
| # Since: 2.6 |
| ## |
| { 'struct': 'QCryptoBlockOptionsQCow', |
| 'data': { '*key-secret': 'str' }} |
| |
| ## |
| # @QCryptoBlockOptionsLUKS: |
| # |
| # The options that apply to LUKS encryption format |
| # |
| # @key-secret: the ID of a QCryptoSecret object providing the |
| # decryption key. Mandatory except when probing image for |
| # metadata only. |
| # |
| # Since: 2.6 |
| ## |
| { 'struct': 'QCryptoBlockOptionsLUKS', |
| 'data': { '*key-secret': 'str' }} |
| |
| ## |
| # @QCryptoBlockCreateOptionsLUKS: |
| # |
| # The options that apply to LUKS encryption format initialization |
| # |
| # @cipher-alg: the cipher algorithm for data encryption Currently |
| # defaults to 'aes-256'. |
| # |
| # @cipher-mode: the cipher mode for data encryption Currently defaults |
| # to 'xts' |
| # |
| # @ivgen-alg: the initialization vector generator Currently defaults |
| # to 'plain64' |
| # |
| # @ivgen-hash-alg: the initialization vector generator hash Currently |
| # defaults to 'sha256' |
| # |
| # @hash-alg: the master key hash algorithm Currently defaults to |
| # 'sha256' |
| # |
| # @iter-time: number of milliseconds to spend in PBKDF passphrase |
| # processing. Currently defaults to 2000. (since 2.8) |
| # |
| # Since: 2.6 |
| ## |
| { 'struct': 'QCryptoBlockCreateOptionsLUKS', |
| 'base': 'QCryptoBlockOptionsLUKS', |
| 'data': { '*cipher-alg': 'QCryptoCipherAlgorithm', |
| '*cipher-mode': 'QCryptoCipherMode', |
| '*ivgen-alg': 'QCryptoIVGenAlgorithm', |
| '*ivgen-hash-alg': 'QCryptoHashAlgo', |
| '*hash-alg': 'QCryptoHashAlgo', |
| '*iter-time': 'int' }} |
| |
| ## |
| # @QCryptoBlockOpenOptions: |
| # |
| # The options that are available for all encryption formats when |
| # opening an existing volume |
| # |
| # Since: 2.6 |
| ## |
| { 'union': 'QCryptoBlockOpenOptions', |
| 'base': 'QCryptoBlockOptionsBase', |
| 'discriminator': 'format', |
| 'data': { 'qcow': 'QCryptoBlockOptionsQCow', |
| 'luks': 'QCryptoBlockOptionsLUKS' } } |
| |
| ## |
| # @QCryptoBlockCreateOptions: |
| # |
| # The options that are available for all encryption formats when |
| # initializing a new volume |
| # |
| # Since: 2.6 |
| ## |
| { 'union': 'QCryptoBlockCreateOptions', |
| 'base': 'QCryptoBlockOptionsBase', |
| 'discriminator': 'format', |
| 'data': { 'qcow': 'QCryptoBlockOptionsQCow', |
| 'luks': 'QCryptoBlockCreateOptionsLUKS' } } |
| |
| ## |
| # @QCryptoBlockInfoBase: |
| # |
| # The common information that applies to all full disk encryption |
| # formats |
| # |
| # @format: the encryption format |
| # |
| # Since: 2.7 |
| ## |
| { 'struct': 'QCryptoBlockInfoBase', |
| 'data': { 'format': 'QCryptoBlockFormat' }} |
| |
| ## |
| # @QCryptoBlockInfoLUKSSlot: |
| # |
| # Information about the LUKS block encryption key slot options |
| # |
| # @active: whether the key slot is currently in use |
| # |
| # @key-offset: offset to the key material in bytes |
| # |
| # @iters: number of PBKDF2 iterations for key material |
| # |
| # @stripes: number of stripes for splitting key material |
| # |
| # Since: 2.7 |
| ## |
| { 'struct': 'QCryptoBlockInfoLUKSSlot', |
| 'data': {'active': 'bool', |
| '*iters': 'int', |
| '*stripes': 'int', |
| 'key-offset': 'int' } } |
| |
| ## |
| # @QCryptoBlockInfoLUKS: |
| # |
| # Information about the LUKS block encryption options |
| # |
| # @cipher-alg: the cipher algorithm for data encryption |
| # |
| # @cipher-mode: the cipher mode for data encryption |
| # |
| # @ivgen-alg: the initialization vector generator |
| # |
| # @ivgen-hash-alg: the initialization vector generator hash |
| # |
| # @hash-alg: the master key hash algorithm |
| # |
| # @detached-header: whether the LUKS header is detached (Since 9.0) |
| # |
| # @payload-offset: offset to the payload data in bytes |
| # |
| # @master-key-iters: number of PBKDF2 iterations for key material |
| # |
| # @uuid: unique identifier for the volume |
| # |
| # @slots: information about each key slot |
| # |
| # Since: 2.7 |
| ## |
| { 'struct': 'QCryptoBlockInfoLUKS', |
| 'data': {'cipher-alg': 'QCryptoCipherAlgorithm', |
| 'cipher-mode': 'QCryptoCipherMode', |
| 'ivgen-alg': 'QCryptoIVGenAlgorithm', |
| '*ivgen-hash-alg': 'QCryptoHashAlgo', |
| 'hash-alg': 'QCryptoHashAlgo', |
| 'detached-header': 'bool', |
| 'payload-offset': 'int', |
| 'master-key-iters': 'int', |
| 'uuid': 'str', |
| 'slots': [ 'QCryptoBlockInfoLUKSSlot' ] }} |
| |
| ## |
| # @QCryptoBlockInfo: |
| # |
| # Information about the block encryption options |
| # |
| # Since: 2.7 |
| ## |
| { 'union': 'QCryptoBlockInfo', |
| 'base': 'QCryptoBlockInfoBase', |
| 'discriminator': 'format', |
| 'data': { 'luks': 'QCryptoBlockInfoLUKS' } } |
| |
| ## |
| # @QCryptoBlockLUKSKeyslotState: |
| # |
| # Defines state of keyslots that are affected by the update |
| # |
| # @active: The slots contain the given password and marked as active |
| # |
| # @inactive: The slots are erased (contain garbage) and marked as |
| # inactive |
| # |
| # Since: 5.1 |
| ## |
| { 'enum': 'QCryptoBlockLUKSKeyslotState', |
| 'data': [ 'active', 'inactive' ] } |
| |
| ## |
| # @QCryptoBlockAmendOptionsLUKS: |
| # |
| # This struct defines the update parameters that activate/de-activate |
| # set of keyslots |
| # |
| # @state: the desired state of the keyslots |
| # |
| # @new-secret: The ID of a QCryptoSecret object providing the password |
| # to be written into added active keyslots |
| # |
| # @old-secret: Optional (for deactivation only) If given will |
| # deactivate all keyslots that match password located in |
| # QCryptoSecret with this ID |
| # |
| # @iter-time: Optional (for activation only) Number of milliseconds to |
| # spend in PBKDF passphrase processing for the newly activated |
| # keyslot. Currently defaults to 2000. |
| # |
| # @keyslot: Optional. ID of the keyslot to activate/deactivate. For |
| # keyslot activation, keyslot should not be active already (this |
| # is unsafe to update an active keyslot), but possible if 'force' |
| # parameter is given. If keyslot is not given, first free keyslot |
| # will be written. |
| # |
| # For keyslot deactivation, this parameter specifies the exact |
| # keyslot to deactivate |
| # |
| # @secret: Optional. The ID of a QCryptoSecret object providing the |
| # password to use to retrieve current master key. Defaults to the |
| # same secret that was used to open the image |
| # |
| # Since: 5.1 |
| ## |
| { 'struct': 'QCryptoBlockAmendOptionsLUKS', |
| 'data': { 'state': 'QCryptoBlockLUKSKeyslotState', |
| '*new-secret': 'str', |
| '*old-secret': 'str', |
| '*keyslot': 'int', |
| '*iter-time': 'int', |
| '*secret': 'str' } } |
| |
| ## |
| # @QCryptoBlockAmendOptions: |
| # |
| # The options that are available for all encryption formats when |
| # amending encryption settings |
| # |
| # Since: 5.1 |
| ## |
| { 'union': 'QCryptoBlockAmendOptions', |
| 'base': 'QCryptoBlockOptionsBase', |
| 'discriminator': 'format', |
| 'data': { |
| 'luks': 'QCryptoBlockAmendOptionsLUKS' } } |
| |
| ## |
| # @SecretCommonProperties: |
| # |
| # Properties for objects of classes derived from secret-common. |
| # |
| # @loaded: if true, the secret is loaded immediately when applying |
| # this option and will probably fail when processing the next |
| # option. Don't use; only provided for compatibility. |
| # (default: false) |
| # |
| # @format: the data format that the secret is provided in |
| # (default: raw) |
| # |
| # @keyid: the name of another secret that should be used to decrypt |
| # the provided data. If not present, the data is assumed to be |
| # unencrypted. |
| # |
| # @iv: the random initialization vector used for encryption of this |
| # particular secret. Should be a base64 encrypted string of the |
| # 16-byte IV. Mandatory if @keyid is given. Ignored if @keyid is |
| # absent. |
| # |
| # Features: |
| # |
| # @deprecated: Member @loaded is deprecated. Setting true doesn't |
| # make sense, and false is already the default. |
| # |
| # Since: 2.6 |
| ## |
| { 'struct': 'SecretCommonProperties', |
| 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, |
| '*format': 'QCryptoSecretFormat', |
| '*keyid': 'str', |
| '*iv': 'str' } } |
| |
| ## |
| # @SecretProperties: |
| # |
| # Properties for secret objects. |
| # |
| # Either @data or @file must be provided, but not both. |
| # |
| # @data: the associated with the secret from |
| # |
| # @file: the filename to load the data associated with the secret from |
| # |
| # Since: 2.6 |
| ## |
| { 'struct': 'SecretProperties', |
| 'base': 'SecretCommonProperties', |
| 'data': { '*data': 'str', |
| '*file': 'str' } } |
| |
| ## |
| # @SecretKeyringProperties: |
| # |
| # Properties for secret_keyring objects. |
| # |
| # @serial: serial number that identifies a key to get from the kernel |
| # |
| # Since: 5.1 |
| ## |
| { 'struct': 'SecretKeyringProperties', |
| 'base': 'SecretCommonProperties', |
| 'data': { 'serial': 'int32' }, |
| 'if': 'CONFIG_SECRET_KEYRING' } |
| |
| ## |
| # @TlsCredsProperties: |
| # |
| # Properties for objects of classes derived from tls-creds. |
| # |
| # @verify-peer: if true the peer credentials will be verified once the |
| # handshake is completed. This is a no-op for anonymous |
| # credentials. (default: true) |
| # |
| # @dir: the path of the directory that contains the credential files |
| # |
| # @endpoint: whether the QEMU network backend that uses the |
| # credentials will be acting as a client or as a server |
| # (default: client) |
| # |
| # @priority: a gnutls priority string as described at |
| # https://gnutls.org/manual/html_node/Priority-Strings.html |
| # |
| # Since: 2.5 |
| ## |
| { 'struct': 'TlsCredsProperties', |
| 'data': { '*verify-peer': 'bool', |
| '*dir': 'str', |
| '*endpoint': 'QCryptoTLSCredsEndpoint', |
| '*priority': 'str' } } |
| |
| ## |
| # @TlsCredsAnonProperties: |
| # |
| # Properties for tls-creds-anon objects. |
| # |
| # @loaded: if true, the credentials are loaded immediately when |
| # applying this option and will ignore options that are processed |
| # later. Don't use; only provided for compatibility. |
| # (default: false) |
| # |
| # Features: |
| # |
| # @deprecated: Member @loaded is deprecated. Setting true doesn't |
| # make sense, and false is already the default. |
| # |
| # Since: 2.5 |
| ## |
| { 'struct': 'TlsCredsAnonProperties', |
| 'base': 'TlsCredsProperties', |
| 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } } |
| |
| ## |
| # @TlsCredsPskProperties: |
| # |
| # Properties for tls-creds-psk objects. |
| # |
| # @loaded: if true, the credentials are loaded immediately when |
| # applying this option and will ignore options that are processed |
| # later. Don't use; only provided for compatibility. |
| # (default: false) |
| # |
| # @username: the username which will be sent to the server. For |
| # clients only. If absent, "qemu" is sent and the property will |
| # read back as an empty string. |
| # |
| # Features: |
| # |
| # @deprecated: Member @loaded is deprecated. Setting true doesn't |
| # make sense, and false is already the default. |
| # |
| # Since: 3.0 |
| ## |
| { 'struct': 'TlsCredsPskProperties', |
| 'base': 'TlsCredsProperties', |
| 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, |
| '*username': 'str' } } |
| |
| ## |
| # @TlsCredsX509Properties: |
| # |
| # Properties for tls-creds-x509 objects. |
| # |
| # @loaded: if true, the credentials are loaded immediately when |
| # applying this option and will ignore options that are processed |
| # later. Don't use; only provided for compatibility. |
| # (default: false) |
| # |
| # @sanity-check: if true, perform some sanity checks before using the |
| # credentials (default: true) |
| # |
| # @passwordid: For the server-key.pem and client-key.pem files which |
| # contain sensitive private keys, it is possible to use an |
| # encrypted version by providing the @passwordid parameter. This |
| # provides the ID of a previously created secret object containing |
| # the password for decryption. |
| # |
| # Features: |
| # |
| # @deprecated: Member @loaded is deprecated. Setting true doesn't |
| # make sense, and false is already the default. |
| # |
| # Since: 2.5 |
| ## |
| { 'struct': 'TlsCredsX509Properties', |
| 'base': 'TlsCredsProperties', |
| 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, |
| '*sanity-check': 'bool', |
| '*passwordid': 'str' } } |
| ## |
| # @QCryptoAkCipherAlgorithm: |
| # |
| # The supported algorithms for asymmetric encryption ciphers |
| # |
| # @rsa: RSA algorithm |
| # |
| # Since: 7.1 |
| ## |
| { 'enum': 'QCryptoAkCipherAlgorithm', |
| 'prefix': 'QCRYPTO_AKCIPHER_ALG', |
| 'data': ['rsa']} |
| |
| ## |
| # @QCryptoAkCipherKeyType: |
| # |
| # The type of asymmetric keys. |
| # |
| # Since: 7.1 |
| ## |
| { 'enum': 'QCryptoAkCipherKeyType', |
| 'data': ['public', 'private']} |
| |
| ## |
| # @QCryptoRSAPaddingAlgorithm: |
| # |
| # The padding algorithm for RSA. |
| # |
| # @raw: no padding used |
| # |
| # @pkcs1: pkcs1#v1.5 |
| # |
| # Since: 7.1 |
| ## |
| { 'enum': 'QCryptoRSAPaddingAlgorithm', |
| 'prefix': 'QCRYPTO_RSA_PADDING_ALG', |
| 'data': ['raw', 'pkcs1']} |
| |
| ## |
| # @QCryptoAkCipherOptionsRSA: |
| # |
| # Specific parameters for RSA algorithm. |
| # |
| # @hash-alg: QCryptoHashAlgo |
| # |
| # @padding-alg: QCryptoRSAPaddingAlgorithm |
| # |
| # Since: 7.1 |
| ## |
| { 'struct': 'QCryptoAkCipherOptionsRSA', |
| 'data': { 'hash-alg':'QCryptoHashAlgo', |
| 'padding-alg': 'QCryptoRSAPaddingAlgorithm'}} |
| |
| ## |
| # @QCryptoAkCipherOptions: |
| # |
| # The options that are available for all asymmetric key algorithms |
| # when creating a new QCryptoAkCipher. |
| # |
| # @alg: encryption cipher algorithm |
| # |
| # Since: 7.1 |
| ## |
| { 'union': 'QCryptoAkCipherOptions', |
| 'base': { 'alg': 'QCryptoAkCipherAlgorithm' }, |
| 'discriminator': 'alg', |
| 'data': { 'rsa': 'QCryptoAkCipherOptionsRSA' }} |