From b3b0863f3274d3de217d006cf03a442a63606271 Mon Sep 17 00:00:00 2001
Message-Id: <b3b0863f3274d3de217d006cf03a442a63606271@dist-git>
From: John Ferlan <jferlan@redhat.com>
Date: Mon, 25 Jul 2016 12:43:04 -0400
Subject: [PATCH] qemu: Disallow usage of luks encryption if aes secret not
 possible

https://bugzilla.redhat.com/show_bug.cgi?id=1301021

Resolves a CI test integration failure with a RHEL6/Centos6 environment.

In order to use a LUKS encrypted device, the design decision was to
generate an encrypted secret based on the master key. However, commit
id 'da86c6c' missed checking for that specifically.

When qemuDomainSecretSetup was implemented, a design decision was made
to "fall back" to a plain text secret setup if the specific cipher was
not available (e.g. virCryptoHaveCipher(VIR_CRYPTO_CIPHER_AES256CBC))
as well as the QEMU_CAPS_OBJECT_SECRET. For the luks encryption setup
there is no fall back to the plaintext secret, thus if that gets set
up by qemuDomainSecretSetup, then we need to fail.

Also, while the qemuxml2argvtest has set the QEMU_CAPS_OBJECT_SECRET
bit, it didn't take into account the second requirement that the
ability to generate the encrypted secret is possible. So modify the
test to not attempt to run the luks-disk if we know we don't have
the encryption algorithm.

(cherry picked from commit a53349e6c6d3ff051e48b40c94a672168bbc3aac)
Signed-off-by: John Ferlan <jferlan@redhat.com>
---
 src/qemu/qemu_domain.c   | 7 +++++++
 tests/qemuxml2argvtest.c | 4 ++++
 2 files changed, 11 insertions(+)

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 26d0d12..158f3ef 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1042,6 +1042,13 @@ qemuDomainSecretDiskPrepare(virConnectPtr conn,
                                   true) < 0)
             goto error;
 
+        if (secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_PLAIN) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                           _("luks encryption requires encrypted secrets "
+                             "to be supported"));
+            goto error;
+        }
+
         diskPriv->encinfo = secinfo;
     }
 
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index eddacf8..f49f9b9 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -1379,7 +1379,11 @@ mymain(void)
 
     DO_TEST("encrypted-disk", NONE);
     DO_TEST("encrypted-disk-usage", NONE);
+# ifdef HAVE_GNUTLS_CIPHER_ENCRYPT
     DO_TEST("luks-disks", QEMU_CAPS_OBJECT_SECRET);
+# else
+    DO_TEST_FAILURE("luks-disks", QEMU_CAPS_OBJECT_SECRET);
+# endif
 
     DO_TEST("memtune", NONE);
     DO_TEST("memtune-unlimited", NONE);
-- 
2.9.2