From dbc094900f3de46bb9ef9250ae314c2b52e79297 Mon Sep 17 00:00:00 2001

Message-Id: <dbc094900f3de46bb9ef9250ae314c2b52e79297@dist-git>

From: John Ferlan <jferlan@redhat.com>

Date: Mon, 25 Jul 2016 12:43:05 -0400

Subject: [PATCH] storage: Add extra failure condition for luks volume creation

https://bugzilla.redhat.com/show_bug.cgi?id=1301021

Commit id '5e46d7d6' did not take into account that usage of a luks

volume will require usage of the master key encrypted passphrase for

a QEMU environment.  So rather than allow creation of something that

won't be usable, just fail the creation.

(cherry picked from commit 30d27f24d8ab262ad93b663002a0e1d5edf95fa0)

Signed-off-by: John Ferlan <jferlan@redhat.com>

---

 src/storage/storage_backend.c | 7 +++++++

 1 file changed, 7 insertions(+)

diff --git a/src/storage/storage_backend.c b/src/storage/storage_backend.c

index d0eaaf9..8faafa4 100644

--- a/src/storage/storage_backend.c

+++ b/src/storage/storage_backend.c

@@ -56,6 +56,7 @@

 #include "internal.h"

 #include "secret_conf.h"

 #include "secret_util.h"

+#include "vircrypto.h"

 #include "viruuid.h"

 #include "virstoragefile.h"

 #include "storage_backend.h"

@@ -1065,6 +1066,12 @@ virStorageBackendCreateQemuImgCheckEncryption(int format,

                            _("no secret provided for luks encryption"));

             return -1;

         }

+        if (!virCryptoHaveCipher(VIR_CRYPTO_CIPHER_AES256CBC)) {

+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",

+                           _("luks encryption usage requires encrypted "

+                             "secret generation to be supported"));

+            return -1;

+        }

     } else {

         virReportError(VIR_ERR_CONFIG_UNSUPPORTED,

                        _("volume encryption unsupported with format %s"), type);

-- 

2.9.2