diff --git a/SOURCES/libvirt-qemu-Add-support-for-using-AES-secret-for-SCSI-hotplug.patch b/SOURCES/libvirt-qemu-Add-support-for-using-AES-secret-for-SCSI-hotplug.patch
new file mode 100644
index 0000000..b657770
--- /dev/null
+++ b/SOURCES/libvirt-qemu-Add-support-for-using-AES-secret-for-SCSI-hotplug.patch
@@ -0,0 +1,168 @@
+From d003f242c8dd06903146604442e633fc286f88ba Mon Sep 17 00:00:00 2001
+Message-Id: <d003f242c8dd06903146604442e633fc286f88ba@dist-git>
+From: Gema Gomez <gema.gomez-solano@linaro.org>
+Date: Wed, 21 Dec 2016 15:55:41 -0500
+Subject: [PATCH] qemu: Add support for using AES secret for SCSI hotplug
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1406442
+
+Support for virtio disks was added in commit id 'fceeeda', but not for
+SCSI drives. Add the secret for the server when hotplugging a SCSI drive.
+No need to make any adjustments for unplug since that's handled during
+the qemuDomainDetachDiskDevice call to qemuDomainRemoveDiskDevice in
+the qemuDomainDetachDeviceDiskLive switch.
+
+Added a test to/for the command line processing to show the command line
+options when adding a SCSI drive for the guest.
+
+(cherry picked from commit 0701abcb3ba78ba27cf1f47e01b3d9607ad37b72)
+
+Resolved conflict since upstream commit id '97ca6eed9a' is not present
+(just remove the drivealias changes)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1411398
+
+Signed-off-by: John Ferlan <jferlan@redhat.com>
+---
+ src/qemu/qemu_hotplug.c | 21 +++++++++++++++++++++
+ ...emuxml2argv-disk-drive-network-rbd-auth-AES.args | 14 ++++++++++++--
+ ...qemuxml2argv-disk-drive-network-rbd-auth-AES.xml | 13 +++++++++++++
+ tests/qemuxml2argvtest.c | 2 +-
+ 4 files changed, 47 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
+index 58d25ca0e..967c7c0b7 100644
+--- a/src/qemu/qemu_hotplug.c
++++ b/src/qemu/qemu_hotplug.c
+@@ -594,12 +594,15 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn,
+ char *devstr = NULL;
+ bool driveAdded = false;
+ bool encobjAdded = false;
++ bool secobjAdded = false;
+ int ret = -1;
+ int rv;
+ virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
+ virJSONValuePtr encobjProps = NULL;
++ virJSONValuePtr secobjProps = NULL;
+ qemuDomainDiskPrivatePtr diskPriv;
+ qemuDomainSecretInfoPtr encinfo;
++ qemuDomainSecretInfoPtr secinfo;
+
+ if (qemuDomainPrepareDisk(driver, vm, disk, NULL, false) < 0)
+ goto cleanup;
+@@ -631,6 +634,12 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn,
+ goto error;
+
+ diskPriv = QEMU_DOMAIN_DISK_PRIVATE(disk);
++ secinfo = diskPriv->secinfo;
++ if (secinfo && secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) {
++ if (qemuBuildSecretInfoProps(secinfo, &secobjProps) < 0)
++ goto error;
++ }
++
+ encinfo = diskPriv->encinfo;
+ if (encinfo && qemuBuildSecretInfoProps(encinfo, &encobjProps) < 0)
+ goto error;
+@@ -646,6 +655,15 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn,
+
+ qemuDomainObjEnterMonitor(driver, vm);
+
++ if (secobjProps) {
++ rv = qemuMonitorAddObject(priv->mon, "secret", secinfo->s.aes.alias,
++ secobjProps);
++ secobjProps = NULL; /* qemuMonitorAddObject consumes */
++ if (rv < 0)
++ goto exit_monitor;
++ secobjAdded = true;
++ }
++
+ if (encobjProps) {
+ rv = qemuMonitorAddObject(priv->mon, "secret", encinfo->s.aes.alias,
+ encobjProps);
+@@ -671,6 +689,7 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn,
+ ret = 0;
+
+ cleanup:
++ virJSONValueFree(secobjProps);
+ virJSONValueFree(encobjProps);
+ qemuDomainSecretDiskDestroy(disk);
+ VIR_FREE(devstr);
+@@ -684,6 +703,8 @@ qemuDomainAttachSCSIDisk(virConnectPtr conn,
+ VIR_WARN("qemuMonitorAddDevice failed on %s (%s)", drivestr, devstr);
+
+ orig_err = virSaveLastError();
++ if (secobjAdded)
++ ignore_value(qemuMonitorDelObject(priv->mon, secinfo->s.aes.alias));
+ if (encobjAdded)
+ ignore_value(qemuMonitorDelObject(priv->mon, encinfo->s.aes.alias));
+ if (orig_err) {
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args
+index dd66388f8..57b3d88a7 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.args
+@@ -18,6 +18,7 @@ file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
+ -monitor unix:/tmp/lib/domain--1-QEMUGuest1/monitor.sock,server,nowait \
+ -no-acpi \
+ -boot c \
++-device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x3 \
+ -usb \
+ -drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-ide0-0-0 \
+ -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \
+@@ -28,5 +29,14 @@ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+ mon_host=mon1.example.org\:6321\;mon2.example.org\:6322\;mon3.example.org\:6322,\
+ file.password-secret=virtio-disk0-secret0,format=raw,if=none,\
+ id=drive-virtio-disk0' \
+--device virtio-blk-pci,bus=pci.0,addr=0x3,drive=drive-virtio-disk0,\
+-id=virtio-disk0
++-device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
++id=virtio-disk0 \
++-object secret,id=scsi0-0-0-0-secret0,\
++data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
++keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
++-drive 'file=rbd:pool/image:id=myname:auth_supported=cephx\;none:\
++mon_host=mon1.example.org\:6321\;mon2.example.org\:6322\;mon3.example.org\:\
++6322,file.password-secret=scsi0-0-0-0-secret0,format=raw,if=none,\
++id=drive-scsi0-0-0-0,cache=none' \
++-device scsi-disk,bus=scsi0.0,channel=0,scsi-id=0,lun=0,\
++drive=drive-scsi0-0-0-0,id=scsi0-0-0-0
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml
+index ac2e94209..885fb1127 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml
++++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-rbd-auth-AES.xml
+@@ -32,7 +32,20 @@
+ </source>
+ <target dev='vda' bus='virtio'/>
+ </disk>
++ <disk type='network' device='disk'>
++ <driver name='qemu' type='raw' cache='none'/>
++ <auth username='myname'>
++ <secret type='ceph' usage='mycluster_myname'/>
++ </auth>
++ <source protocol='rbd' name='pool/image'>
++ <host name='mon1.example.org' port='6321'/>
++ <host name='mon2.example.org' port='6322'/>
++ <host name='mon3.example.org' port='6322'/>
++ </source>
++ <target bus='scsi' dev='sda'/>
++ </disk>
+ <controller type='usb' index='0'/>
++ <controller type='scsi' index='0' model='virtio-scsi'/>
+ <controller type='ide' index='0'/>
+ <controller type='pci' index='0' model='pci-root'/>
+ <input type='mouse' bus='ps2'/>
+diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
+index f48632b70..dc5580e02 100644
+--- a/tests/qemuxml2argvtest.c
++++ b/tests/qemuxml2argvtest.c
+@@ -827,7 +827,7 @@ mymain(void)
+ DO_TEST("disk-drive-network-rbd-auth", NONE);
+ # ifdef HAVE_GNUTLS_CIPHER_ENCRYPT
+ DO_TEST("disk-drive-network-rbd-auth-AES",
+- QEMU_CAPS_OBJECT_SECRET);
++ QEMU_CAPS_OBJECT_SECRET, QEMU_CAPS_VIRTIO_SCSI);
+ # endif
+ DO_TEST("disk-drive-network-rbd-ipv6", NONE);
+ DO_TEST_FAILURE("disk-drive-network-rbd-no-colon", NONE);
+--
+2.11.1
+
diff --git a/SOURCES/libvirt-qemu-Don-t-assume-secret-provided-for-LUKS-encryption.patch b/SOURCES/libvirt-qemu-Don-t-assume-secret-provided-for-LUKS-encryption.patch
new file mode 100644
index 0000000..3c5466c
--- /dev/null
+++ b/SOURCES/libvirt-qemu-Don-t-assume-secret-provided-for-LUKS-encryption.patch
@@ -0,0 +1,114 @@
+From 84664353b00622571f099cf3306b317b7a67072f Mon Sep 17 00:00:00 2001
+Message-Id: <84664353b00622571f099cf3306b317b7a67072f@dist-git>
+From: John Ferlan <jferlan@redhat.com>
+Date: Tue, 3 Jan 2017 13:31:55 -0500
+Subject: [PATCH] qemu: Don't assume secret provided for LUKS encryption
+
+7.4: https://bugzilla.redhat.com/show_bug.cgi?id=1405269
+
+If a secret was not provided for what was determined to be a LUKS
+encrypted disk (during virStorageFileGetMetadata processing when
+called from qemuDomainDetermineDiskChain as a result of hotplug
+attach qemuDomainAttachDeviceDiskLive), then do not attempt to
+look it up (avoiding a libvirtd crash) and do not alter the format
+to "luks" when adding the disk; otherwise, the device_add would
+fail with a message such as:
+
+ "unable to execute QEMU command 'device_add': Property 'scsi-hd.drive'
+ can't find value 'drive-scsi0-0-0-0'"
+
+because of assumptions that when the format=luks that libvirt would have
+provided the secret to decrypt the volume.
+
+Access to unlock the volume will thus be left to the application.
+
+(cherry picked from commit 7f7d99048350935a394d07b98a13d7da9c4b0502)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1411394
+
+Signed-off-by: John Ferlan <jferlan@redhat.com>
+---
+ src/qemu/qemu_command.c | 3 +--
+ src/qemu/qemu_domain.c | 15 +++++++++++++--
+ src/qemu/qemu_domain.h | 3 +++
+ src/qemu/qemu_hotplug.c | 3 +--
+ 4 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index ade9e2524..bd01a0f76 100644
+--- a/src/qemu/qemu_command.c
++++ b/src/qemu/qemu_command.c
+@@ -1312,8 +1312,7 @@ qemuBuildDriveSourceStr(virDomainDiskDefPtr disk,
+ if (disk->src->format > 0 &&
+ disk->src->type != VIR_STORAGE_TYPE_DIR) {
+ const char *qemuformat = virStorageFileFormatTypeToString(disk->src->format);
+- if (disk->src->encryption &&
+- disk->src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS)
++ if (qemuDomainDiskHasEncryptionSecret(disk->src))
+ qemuformat = "luks";
+ virBufferAsprintf(buf, "format=%s,", qemuformat);
+ }
+diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
+index 3d2650fd5..b91db229f 100644
+--- a/src/qemu/qemu_domain.c
++++ b/src/qemu/qemu_domain.c
+@@ -1037,6 +1037,18 @@ qemuDomainSecretDiskCapable(virStorageSourcePtr src)
+ }
+
+
++bool
++qemuDomainDiskHasEncryptionSecret(virStorageSourcePtr src)
++{
++ if (!virStorageSourceIsEmpty(src) && src->encryption &&
++ src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS &&
++ src->encryption->nsecrets > 0)
++ return true;
++
++ return false;
++}
++
++
+ /* qemuDomainSecretDiskPrepare:
+ * @conn: Pointer to connection
+ * @priv: pointer to domain private object
+@@ -1075,8 +1087,7 @@ qemuDomainSecretDiskPrepare(virConnectPtr conn,
+ diskPriv->secinfo = secinfo;
+ }
+
+- if (!virStorageSourceIsEmpty(src) && src->encryption &&
+- src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) {
++ if (qemuDomainDiskHasEncryptionSecret(src)) {
+
+ if (VIR_ALLOC(secinfo) < 0)
+ return -1;
+diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
+index 66ffe5817..e6eda2388 100644
+--- a/src/qemu/qemu_domain.h
++++ b/src/qemu/qemu_domain.h
+@@ -698,6 +698,9 @@ void qemuDomainSecretDiskDestroy(virDomainDiskDefPtr disk)
+ bool qemuDomainSecretDiskCapable(virStorageSourcePtr src)
+ ATTRIBUTE_NONNULL(1);
+
++bool qemuDomainDiskHasEncryptionSecret(virStorageSourcePtr src)
++ ATTRIBUTE_NONNULL(1);
++
+ int qemuDomainSecretDiskPrepare(virConnectPtr conn,
+ qemuDomainObjPrivatePtr priv,
+ virDomainDiskDefPtr disk)
+diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
+index 967c7c0b7..b7302a5f9 100644
+--- a/src/qemu/qemu_hotplug.c
++++ b/src/qemu/qemu_hotplug.c
+@@ -3148,8 +3148,7 @@ qemuDomainRemoveDiskDevice(virQEMUDriverPtr driver,
+ /* Similarly, if this is possible a device using LUKS encryption, we
+ * can remove the luks object password too
+ */
+- if (!virStorageSourceIsEmpty(disk->src) && disk->src->encryption &&
+- disk->src->encryption->format == VIR_STORAGE_ENCRYPTION_FORMAT_LUKS) {
++ if (qemuDomainDiskHasEncryptionSecret(disk->src)) {
+
+ if (!(encAlias =
+ qemuDomainGetSecretAESAlias(disk->info.alias, true))) {
+--
+2.11.1
+
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index 6eb0a69..c707107 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -217,7 +217,7 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 2.0.0
-Release: 10%{?dist}.4%{?extra_release}
+Release: 10%{?dist}.5%{?extra_release}
License: LGPLv2+
Group: Development/Libraries
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -506,6 +506,8 @@ Patch274: libvirt-qemuDomainAttachNetDevice-Enable-multiqueue-for-vhost-user.pat
Patch275: libvirt-qemuDomainAttachNetDevice-pass-mq-and-vectors-for-vhost-user-with-multiqueue.patch
Patch276: libvirt-qemuDomainAttachNetDevice-Avoid-originalError-leak.patch
Patch277: libvirt-qemu-snapshot-Resume-VM-after-live-snapshot.patch
+Patch278: libvirt-qemu-Add-support-for-using-AES-secret-for-SCSI-hotplug.patch
+Patch279: libvirt-qemu-Don-t-assume-secret-provided-for-LUKS-encryption.patch
Requires: libvirt-daemon = %{version}-%{release}
@@ -2148,6 +2150,10 @@ exit 0
%changelog
+* Fri Feb 10 2017 Jiri Denemark <jdenemar@redhat.com> - 2.0.0-10.el7_3.5
+- qemu: Add support for using AES secret for SCSI hotplug (rhbz#1411398)
+- qemu: Don't assume secret provided for LUKS encryption (rhbz#1411394)
+
* Thu Jan 5 2017 Jiri Denemark <jdenemar@redhat.com> - 2.0.0-10.el7_3.4
- qemuDomainAttachNetDevice: Avoid @originalError leak (rhbz#1404186)
- qemu: snapshot: Resume VM after live snapshot (rhbz#1406765)