Add encryption support to RBD bdev.

Signed-off-by: Gil Bregman <gbregman@il.ibm.com>

Author: gbregman

module/bdev/rbd/bdev_rbd.c

@@ -47,6 +47,9 @@ struct bdev_rbd {
 	char *user_id;
 	char *pool_name;
 	char *namespace_name;
+	uint32_t encryption_entries_count;
+	uint32_t *encryption_format;
+	char **passphrase;
 	char **config;
 
 	rados_t cluster;
@@ -231,6 +234,8 @@ bdev_rbd_free(struct bdev_rbd *rbd)
 	free(rbd->user_id);
 	free(rbd->pool_name);
 	free(rbd->namespace_name);
+	free(rbd->encryption_format);
+	bdev_rbd_free_passphrase(rbd->passphrase);
 	bdev_rbd_free_config(rbd->config);
 
 	if (rbd->cluster_name) {
@@ -290,6 +295,19 @@ bdev_rbd_dup_config(const char *const *config)
 	return copy;
 }
 
+void
+bdev_rbd_free_passphrase(char **passphrase)
+{
+	char **entry;
+
+	if (passphrase) {
+		for (entry = passphrase; *entry; entry++) {
+			free(*entry);
+		}
+		free(passphrase);
+	}
+}
+
 static int
 bdev_rados_cluster_init(const char *user_id, const char *const *config,
 			rados_t *cluster)
@@ -461,6 +479,61 @@ bdev_rbd_get_pool_ctx(rados_t *cluster_p, const char *name, const char *namespac
 	return -1;
 }
 
+static void
+bdev_rbd_free_encryption_specs(rbd_encryption_spec_t *specs, uint32_t count)
+{
+	uint32_t i;
+
+	if (!specs)
+		return;
+
+	for (i = 0; i < count; i++) {
+		if (specs[i].format == RBD_ENCRYPTION_FORMAT_LUKS1) {
+			free((void *)(((rbd_encryption_luks1_format_options_t *)specs[i].opts)->passphrase));
+		}
+		else if (specs[i].format == RBD_ENCRYPTION_FORMAT_LUKS2) {
+			free((void *)(((rbd_encryption_luks2_format_options_t *)specs[i].opts)->passphrase));
+		}
+		else if (specs[i].format == RBD_ENCRYPTION_FORMAT_LUKS) {
+			free((void *)(((rbd_encryption_luks_format_options_t *)specs[i].opts)->passphrase));
+		}
+		free(specs[i].opts);
+	}
+	free(specs);
+}
+
+static int
+bdev_rbd_set_passphrase(char **out, size_t *phrasesize, const char *phrase)
+{
+	*out = strdup(phrase);
+	if (!*out) {
+		SPDK_ERRLOG("Cannot allocate memory for encryption pass phrase\n");
+		return -1;
+	}
+	*phrasesize = strlen(phrase);
+	return 0;
+}
+
+#define SET_ENC_ENTRY(_specs, _rbd, _index, _fstring, _fmt, _upfmt)                                                    \
+if ((_rbd)->encryption_format[_index] == RBD_ENCRYPTION_FORMAT_##_upfmt ) {                                            \
+	rbd_encryption_##_fmt##_format_options_t *opts;                                                                \
+	strcat(_fstring, #_upfmt " ");                                                                                 \
+	opts = calloc(1, sizeof(*opts));                                                                               \
+	if (!opts) {                                                                                                   \
+		SPDK_ERRLOG("Cannot allocate memory for encryption format options\n");                                 \
+		bdev_rbd_free_encryption_specs(_specs, (_rbd)->encryption_entries_count);                              \
+		return NULL;                                                                                           \
+	}                                                                                                              \
+	if (bdev_rbd_set_passphrase((char **)&opts->passphrase, &opts->passphrase_size, (_rbd->passphrase[_index]))) { \
+		free((char *)opts->passphrase);                                                                        \
+		free(opts);                                                                                            \
+		bdev_rbd_free_encryption_specs(_specs, (_rbd)->encryption_entries_count);                              \
+		return NULL;                                                                                           \
+	}                                                                                                              \
+	_specs[_index].opts = (rbd_encryption_options_t)opts;                                                          \
+	_specs[_index].opts_size = sizeof(*opts);                                                                      \
+}
+
 static void *
 bdev_rbd_init_context(void *arg)
 {
@@ -498,9 +571,52 @@ bdev_rbd_init_context(void *arg)
 	}
 	if (rc < 0) {
 		SPDK_ERRLOG("Failed to open specified rbd device\n");
+		rbd->image = NULL;
 		return NULL;
 	}
 
+	if (rbd->encryption_entries_count > 0) {
+		uint32_t i;
+		rbd_encryption_spec_t *specs;
+		char *formats_string;
+
+		formats_string = calloc(rbd->encryption_entries_count, strlen("LUKSx") + 1);
+		if (!formats_string) {
+			SPDK_ERRLOG("Cannot allocate memory for encryption formats string\n");
+			return NULL;
+		}
+		specs = calloc(rbd->encryption_entries_count, sizeof(*specs));
+		if (!specs) {
+			SPDK_ERRLOG("Cannot allocate memory for encryption specs\n");
+			free(formats_string);
+			return NULL;
+		}
+		for (i = 0; i < rbd->encryption_entries_count; i++) {
+			specs[i].format = rbd->encryption_format[i];
+			SET_ENC_ENTRY(specs, rbd, i, formats_string, luks1, LUKS1)
+			SET_ENC_ENTRY(specs, rbd, i, formats_string, luks2, LUKS2)
+			SET_ENC_ENTRY(specs, rbd, i, formats_string, luks, LUKS)
+			if (!specs[i].opts) {
+				SPDK_ERRLOG("Invalid encryption format %d\n", rbd->encryption_format[i]);
+				bdev_rbd_free_encryption_specs(specs, rbd->encryption_entries_count);
+				free(formats_string);
+				return NULL;
+			}
+		}
+
+		SPDK_DEBUGLOG(bdev_rbd, "Will use encryption load for image %s/%s, using encryption format(s) %s\n",
+				rbd->pool_name, rbd->rbd_name, formats_string);
+		rc = rbd_encryption_load2(rbd->image, specs, rbd->encryption_entries_count);
+		bdev_rbd_free_encryption_specs(specs, rbd->encryption_entries_count);
+		if (rc != 0) {
+			SPDK_ERRLOG("Error %d trying to encryption load image %s/%s using format(s) %s\n", rc,
+					rbd->pool_name, rbd->rbd_name, formats_string);
+			free(formats_string);
+			return NULL;
+		}
+		free(formats_string);
+	}
+
 	rc = rbd_update_watch(rbd->image, &rbd->rbd_watch_handle, rbd_update_callback, (void *)rbd);
 	if (rc < 0) {
 		SPDK_ERRLOG("Failed to set up watch %d\n", rc);
@@ -1061,6 +1177,27 @@ bdev_rbd_write_config_json(struct spdk_bdev *bdev, struct spdk_json_write_ctx *w
 		spdk_json_write_named_string(w, "user_id", rbd->user_id);
 	}
 
+	if (rbd->encryption_format && rbd->encryption_entries_count > 0) {
+		uint32_t i;
+
+		spdk_json_write_named_object_begin(w, "encryption_format");
+		for (i = 0; i < rbd->encryption_entries_count; i++) {
+			spdk_json_write_uint32(w, rbd->encryption_format[i]);
+		}
+		spdk_json_write_object_end(w);
+	}
+
+	if (rbd->passphrase && rbd->encryption_entries_count > 0) {
+		uint32_t i;
+
+		spdk_json_write_named_object_begin(w, "passphrase");
+		for (i = 0; i < rbd->encryption_entries_count; i++) {
+			/* souldn't write the real pass phrase, it's a security breach */
+			spdk_json_write_string(w, "*");
+		}
+		spdk_json_write_object_end(w);
+	}
+
 	if (rbd->config) {
 		char **entry = rbd->config;
 
@@ -1499,10 +1636,14 @@ bdev_rbd_create(struct spdk_bdev **bdev, const char *name, const char *user_id,
 		uint32_t block_size,
 		const char *cluster_name,
 		const struct spdk_uuid *uuid,
-		bool read_only)
+		bool read_only,
+		uint32_t encryption_entries_count,
+		const uint32_t *encryption_format,
+		const char **passphrase)
 {
 	struct bdev_rbd *rbd;
 	int ret;
+	uint32_t i;
 
 	if ((pool_name == NULL) || (rbd_name == NULL) || (block_size == 0)) {
 		return -EINVAL;
@@ -1549,6 +1690,28 @@ bdev_rbd_create(struct spdk_bdev **bdev, const char *name, const char *user_id,
 		}
 	}
 
+	rbd->encryption_entries_count = encryption_entries_count;
+	if (encryption_entries_count > 0) {
+		rbd->encryption_format = calloc(encryption_entries_count, sizeof(uint32_t));
+		if (!rbd->encryption_format) {
+			bdev_rbd_free(rbd);
+			return -ENOMEM;
+		}
+		rbd->passphrase = calloc(encryption_entries_count + 1, sizeof(char *));
+		if (!rbd->passphrase) {
+			bdev_rbd_free(rbd);
+			return -ENOMEM;
+		}
+		for (i = 0; i < encryption_entries_count; i++) {
+			rbd->encryption_format[i] = encryption_format[i];
+			rbd->passphrase[i] = strdup(passphrase[i]);
+			if (!rbd->passphrase[i]) {
+				bdev_rbd_free(rbd);
+				return -ENOMEM;
+			}
+		}
+	}
+
 	if (config && !(rbd->config = bdev_rbd_dup_config(config))) {
 		bdev_rbd_free(rbd);
 		return -ENOMEM;

module/bdev/rbd/bdev_rbd.h

@@ -23,15 +23,17 @@ struct cluster_register_info {
 void dump_cluster_nonce(struct spdk_json_write_ctx *w, const char *name);
 void bdev_rbd_free_config(char **config);
 char **bdev_rbd_dup_config(const char *const *config);
+void bdev_rbd_free_passphrase(char **passphrase);
 
 typedef void (*spdk_delete_rbd_complete)(void *cb_arg, int bdeverrno);
 
 int bdev_rbd_create(struct spdk_bdev **bdev, const char *name, const char *user_id,
-		    const char *pool_name,
-			const char *namespace_name,
+		    const char *pool_name, const char *namespace_name,
 		    const char *const *config,
 		    const char *rbd_name, uint32_t block_size, const char *cluster_name,
-		    const struct spdk_uuid *uuid, bool read_only);
+		    const struct spdk_uuid *uuid, bool read_only,
+		    uint32_t encryption_entries_count,
+		    const uint32_t *encryption_format, const char **passphrase);
 /**
  * Delete rbd bdev.
  *

module/bdev/rbd/bdev_rbd_rpc.c

@@ -20,6 +20,9 @@ struct rpc_create_rbd {
 	char *cluster_name;
 	struct spdk_uuid uuid;
 	bool read_only;
+	uint32_t encryption_entries_count;
+	uint32_t *encryption_format;
+	char **passphrase;
 };
 
 static void
@@ -32,6 +35,8 @@ free_rpc_create_rbd(struct rpc_create_rbd *req)
 	free(req->rbd_name);
 	bdev_rbd_free_config(req->config);
 	free(req->cluster_name);
+	free(req->encryption_format);
+	bdev_rbd_free_passphrase(req->passphrase);
 }
 
 static int
@@ -76,6 +81,42 @@ bdev_rbd_decode_config(const struct spdk_json_val *values, void *out)
 	return 0;
 }
 
+static int
+bdev_rbd_decode_passphrase(const struct spdk_json_val *values, void *out)
+{
+	char ***phrases = out;
+	size_t out_size;
+
+	*phrases = calloc(values->len + 1, sizeof(**phrases));
+	if (!*phrases) {
+		return -1;
+	}
+	if (spdk_json_decode_array(values, spdk_json_decode_string, *phrases, values->len, &out_size, sizeof(char *)) != 0) {
+		free(*phrases);
+		*phrases = NULL;
+		return -1;
+	}
+	return 0;
+}
+
+static int
+bdev_rbd_decode_encryption_format(const struct spdk_json_val *values, void *out)
+{
+	uint32_t **formats = out;
+	size_t out_size;
+
+	*formats = calloc(values->len + 1, sizeof(**formats));
+	if (!*formats) {
+		return -1;
+	}
+	if (spdk_json_decode_array(values, spdk_json_decode_uint32, *formats, values->len, &out_size, sizeof(uint32_t)) != 0) {
+		free(*formats);
+		*formats = NULL;
+		return -1;
+	}
+	return 0;
+}
+
 static const struct spdk_json_object_decoder rpc_create_rbd_decoders[] = {
 	{"name", offsetof(struct rpc_create_rbd, name), spdk_json_decode_string, true},
 	{"user_id", offsetof(struct rpc_create_rbd, user_id), spdk_json_decode_string, true},
@@ -86,7 +127,9 @@ static const struct spdk_json_object_decoder rpc_create_rbd_decoders[] = {
 	{"config", offsetof(struct rpc_create_rbd, config), bdev_rbd_decode_config, true},
 	{"cluster_name", offsetof(struct rpc_create_rbd, cluster_name), spdk_json_decode_string, true},
 	{"uuid", offsetof(struct rpc_create_rbd, uuid), spdk_json_decode_uuid, true},
-	{"read_only", offsetof(struct rpc_create_rbd, read_only), spdk_json_decode_bool, true}
+	{"read_only", offsetof(struct rpc_create_rbd, read_only), spdk_json_decode_bool, true},
+	{"encryption_format", offsetof(struct rpc_create_rbd, encryption_format), bdev_rbd_decode_encryption_format, true},
+	{"passphrase", offsetof(struct rpc_create_rbd, passphrase), bdev_rbd_decode_passphrase, true}
 };
 
 static void
@@ -107,11 +150,16 @@ rpc_bdev_rbd_create(struct spdk_jsonrpc_request *request,
 		goto cleanup;
 	}
 
-	rc = bdev_rbd_create(&bdev, req.name, req.user_id, req.pool_name,
-		 		 req.namespace_name,
+	req.encryption_entries_count = 0;
+	while (req.passphrase[req.encryption_entries_count]) {
+		req.encryption_entries_count++;
+	}
+	rc = bdev_rbd_create(&bdev, req.name, req.user_id, req.pool_name, req.namespace_name,
 			     (const char *const *)req.config,
 			     req.rbd_name,
-			     req.block_size, req.cluster_name, &req.uuid, req.read_only);
+			     req.block_size, req.cluster_name, &req.uuid, req.read_only,
+			     req.encryption_entries_count, req.encryption_format,
+			     (const char **)req.passphrase);
 	if (rc) {
 		spdk_jsonrpc_send_error_response(request, rc, spdk_strerror(-rc));
 		goto cleanup;

python/spdk/cli/bdev.py

@@ -870,7 +870,9 @@ def bdev_rbd_create(args):
                                             cluster_name=args.cluster_name,
                                             namespace_name=args.namespace_name,
                                             uuid=args.uuid,
-                                            read_only=args.read_only))
+                                            read_only=args.read_only,
+                                            encryption_format=args.encryption_format,
+                                            passphrase=args.passphrase))
 
     p = subparsers.add_parser('bdev_rbd_create', help='Add a bdev with ceph rbd backend')
     p.add_argument('-b', '--name', help="Name of the bdev")
@@ -884,6 +886,8 @@ def bdev_rbd_create(args):
     p.add_argument('-c', '--cluster-name', help="cluster name to identify the Rados cluster")
     p.add_argument('-u', '--uuid', help="UUID of the bdev")
     p.add_argument("-r", "--readonly", dest='read_only', action='store_true', help='Set this bdev as read-only')
+    p.add_argument('-e', '--encryption-format', nargs='+', help="Encryption format(s) of the bdev")
+    p.add_argument('-p', '--passphrase', nargs='+', help="Pass phrase(s) for encrypted bdevs")
     p.set_defaults(func=bdev_rbd_create)
 
     def bdev_rbd_delete(args):

python/spdk/rpc/bdev.py

@@ -1093,7 +1093,7 @@ def bdev_rbd_get_clusters_info(client, name=None):
 
 @deprecated_method
 def bdev_rbd_create(client, pool_name, rbd_name, block_size, name=None, user_id=None, config=None, cluster_name=None,
-                    namespace_name=None, uuid=None, read_only=None):
+                    namespace_name=None, uuid=None, read_only=None, encryption_format=None, passphrase=None):
     """Create a Ceph RBD block device.
     Args:
         pool_name: Ceph RBD pool name
@@ -1106,6 +1106,8 @@ def bdev_rbd_create(client, pool_name, rbd_name, block_size, name=None, user_id=
         namespace_name: RBD namespace name (optional)
         uuid: UUID of block device (optional)
         read_only: set block device to read-only (optional)
+        encryption_format: encryption format to use (optional)
+        passphrase: pass phrase to use (optional)
     Returns:
         Name of created block device.
     """
@@ -1129,6 +1131,10 @@ def bdev_rbd_create(client, pool_name, rbd_name, block_size, name=None, user_id=
         params['uuid'] = uuid
     if read_only is not None:
         params['read_only'] = read_only
+    if encryption_format is not None:
+        params['encryption_format'] = encryption_format
+    if passphrase is not None:
+        params['passphrase'] = passphrase
     return client.call('bdev_rbd_create', params)