summaryrefslogtreecommitdiffstats
path: root/qapi
Commit message (Collapse)AuthorAgeFilesLines
* qapi: Don't pass NULL to printf in string input visitorEric Blake2016-04-291-1/+1
| | | | | | | | | | | Make sure the error message for visit_type_uint64() gracefully handles a NULL 'name' when called from the top level or a list context, as not all the world behaves like glibc in allowing NULL through a printf-family %s. Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1461879932-9020-21-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* block: add generic full disk encryption driverDaniel P. Berrange2016-03-301-2/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a block driver that is capable of supporting any full disk encryption format. This utilizes the previously added block encryption code, and at this time supports the LUKS format. The driver code is capable of supporting any format supported by the QCryptoBlock module, so it registers one block driver for each format. This patch only registers the "luks" driver since the "qcow" driver is there only for back-compatibility with existing qcow built-in encryption. New LUKS compatible volumes can be formatted using qemu-img with defaults for all settings. $ qemu-img create --object secret,data=123456,id=sec0 \ -f luks -o key-secret=sec0 demo.luks 10G Alternatively the cryptographic settings can be explicitly set $ qemu-img create --object secret,data=123456,id=sec0 \ -f luks -o key-secret=sec0,cipher-alg=aes-256,\ cipher-mode=cbc,ivgen-alg=plain64,hash-alg=sha256 \ demo.luks 10G And query its size $ qemu-img info demo.img image: demo.img file format: luks virtual size: 10G (10737418240 bytes) disk size: 132K encrypted: yes Note that it was not necessary to provide the password when querying info for the volume. The password is only required when performing I/O on the volume All volumes created by this new 'luks' driver should be capable of being opened by the kernel dm-crypt driver. The only algorithms listed in the LUKS spec that are not currently supported by this impl are sha512 and ripemd160 hashes and cast6 cipher. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> [ kwolf - Added #include to resolve conflict with da34e65c ] Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* block: Remove cache.writeback from blockdev-addKevin Wolf2016-03-301-3/+1Star
| | | | | | | | The WCE bit is a frontend property and should not be part of the backend configuration. This is especially important because the same BDS can be used by different users with different WCE requirements. Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* util: move declarations out of qemu-common.hVeronia Bahaa2016-03-221-1/+1
| | | | | | | | | | Move declarations out of qemu-common.h for functions declared in utils/ files: e.g. include/qemu/path.h for utils/path.c. Move inline functions out of qemu-common.h and into new files (e.g. include/qemu/bcd.h) Signed-off-by: Veronia Bahaa <veroniabahaa@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* include/qemu/osdep.h: Don't include qapi/error.hMarkus Armbruster2016-03-226-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 57cb38b included qapi/error.h into qemu/osdep.h to get the Error typedef. Since then, we've moved to include qemu/osdep.h everywhere. Its file comment explains: "To avoid getting into possible circular include dependencies, this file should not include any other QEMU headers, with the exceptions of config-host.h, compiler.h, os-posix.h and os-win32.h, all of which are doing a similar job to this file and are under similar constraints." qapi/error.h doesn't do a similar job, and it doesn't adhere to similar constraints: it includes qapi-types.h. That's in excess of 100KiB of crap most .c files don't actually need. Add the typedef to qemu/typedefs.h, and include that instead of qapi/error.h. Include qapi/error.h in .c files that need it and don't get it now. Include qapi-types.h in qom/object.h for uint16List. Update scripts/clean-includes accordingly. Update it further to match reality: replace config.h by config-target.h, add sysemu/os-posix.h, sysemu/os-win32.h. Update the list of includes in the qemu/osdep.h comment quoted above similarly. This reduces the number of objects depending on qapi/error.h from "all of them" to less than a third. Unfortunately, the number depending on qapi-types.h shrinks only a little. More work is needed for that one. Signed-off-by: Markus Armbruster <armbru@redhat.com> [Fix compilation without the spice devel packages. - Paolo] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2016-03-18' into ↵Peter Maydell2016-03-182-64/+46Star
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | staging QAPI patches for 2016-03-18 # gpg: Signature made Fri 18 Mar 2016 09:54:57 GMT using RSA key ID EB918653 # gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" # gpg: aka "Markus Armbruster <armbru@pond.sub.org>" * remotes/armbru/tags/pull-qapi-2016-03-18: qapi: Use anonymous bases in QMP flat unions qapi: Allow anonymous base for flat union qapi: Make BlockdevOptions doc example closer to reality qapi: Don't special-case simple union wrappers qapi: Drop unused c_null() qapi: Inline gen_visit_members() into lone caller qapi-commands: Inline single-use helpers of gen_marshal() qapi-commands: Utilize implicit struct visits qapi-event: Utilize implicit struct visits qapi-event: Drop qmp_output_get_qobject() null check qapi: Emit implicit structs in generated C qapi: Adjust names of implicit types qapi: Make c_type() more OO-like qapi: Fix command with named empty argument type qapi: Assert in places where variants are not handled Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
| * qapi: Use anonymous bases in QMP flat unionsEric Blake2016-03-182-64/+46Star
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Now that the generator supports it, we might as well use an anonymous base rather than breaking out a single-use Base structure, for all three of our current QMP flat unions. Oddly enough, this change does not affect the resulting introspection output (because we already inline the members of a base type into an object, and had no independent use of the base type reachable from a command). The case_whitelist now has to list the name of an implicit type; which is not too bad (consider it a feature if it makes it harder for developers to make the whitelist grow :) Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1458254921-17042-16-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* | crypto: implement the LUKS block encryption formatDaniel P. Berrange2016-03-171-3/+46
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Provide a block encryption implementation that follows the LUKS/dm-crypt specification. This supports all combinations of hash, cipher algorithm, cipher mode and iv generator that are implemented by the current crypto layer. There is support for opening existing volumes formatted by dm-crypt, and for formatting new volumes. In the latter case it will only use key slot 0. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* | crypto: add block encryption frameworkDaniel P. Berrange2016-03-171-0/+68
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a generic framework for supporting different block encryption formats. Upon instantiating a QCryptoBlock object, it will read the encryption header and extract the encryption keys. It is then possible to call methods to encrypt/decrypt data buffers. There is also a mode whereby it will create/initialize a new encryption header on a previously unformatted volume. The initial framework comes with support for the legacy QCow AES based encryption. This enables code in the QCow driver to be consolidated later. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* | crypto: wire up XTS mode for cipher APIsDaniel P. Berrange2016-03-171-1/+2
| | | | | | | | | | | | | | | | | | | | | | Introduce 'XTS' as a permitted mode for the cipher APIs. With XTS the key provided must be twice the size of the key normally required for any given algorithm. This is because the key will be split into two pieces for use in XTS mode. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* | crypto: add support for the twofish cipher algorithmDaniel P. Berrange2016-03-171-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | New cipher algorithms 'twofish-128', 'twofish-192' and 'twofish-256' are defined for the Twofish algorithm. The gcrypt backend does not support 'twofish-192'. The nettle and gcrypt cipher backends are updated to support the new cipher and a test vector added to the cipher test suite. The new algorithm is enabled in the LUKS block encryption driver. Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* | crypto: add support for the serpent cipher algorithmDaniel P. Berrange2016-03-171-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | New cipher algorithms 'serpent-128', 'serpent-192' and 'serpent-256' are defined for the Serpent algorithm. The nettle and gcrypt cipher backends are updated to support the new cipher and a test vector added to the cipher test suite. The new algorithm is enabled in the LUKS block encryption driver. Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* | crypto: add support for the cast5-128 cipher algorithmDaniel P. Berrange2016-03-171-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A new cipher algorithm 'cast-5-128' is defined for the Cast-5 algorithm with 128 bit key size. Smaller key sizes are supported by Cast-5, but nothing in QEMU should use them, so only 128 bit keys are permitted. The nettle and gcrypt cipher backends are updated to support the new cipher and a test vector added to the cipher test suite. The new algorithm is enabled in the LUKS block encryption driver. Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* | crypto: add support for generating initialization vectorsDaniel P. Berrange2016-03-171-0/+19
|/ | | | | | | | | | | | | | There are a number of different algorithms that can be used to generate initialization vectors for disk encryption. This introduces a simple internal QCryptoBlockIV object to provide a consistent internal API to the different algorithms. The initially implemented algorithms are 'plain', 'plain64' and 'essiv', each matching the same named algorithm provided by the Linux kernel dm-crypt driver. Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* qmp event: Refactor QUORUM_REPORT_BADChanglong Xie2016-03-142-1/+19
| | | | | | | | | | | | Introduce QuorumOpType, and make QUORUM_REPORT_BAD compatible with it. Cc: Dr. David Alan Gilbert <dgilbert@redhat.com> Cc: Wen Congyang <wency@cn.fujitsu.com> Signed-off-by: Wen Congyang <wency@cn.fujitsu.com> Signed-off-by: Changlong Xie <xiecl.fnst@cn.fujitsu.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into stagingPeter Maydell2016-02-251-0/+16
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Asynchronous dump-guest-memory from Peter * improved logging with -D -daemonize from Dimitris * more address_space_* optimization from Gonglei * TCG xsave/xrstor thinko fix * chardev bugfix and documentation patch # gpg: Signature made Thu 25 Feb 2016 15:12:27 GMT using RSA key ID 78C7AE83 # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" * remotes/bonzini/tags/for-upstream: target-i386: fix confusion in xcr0 bit position vs. mask chardev: Properly initialize ChardevCommon components memory: Remove unreachable return statement memory: optimize qemu_get_ram_ptr and qemu_ram_ptr_length exec: store RAMBlock pointer into memory region log: Redirect stderr to logfile if deamonized dump-guest-memory: add qmp event DUMP_COMPLETED Dump: add hmp command "info dump" Dump: add qmp command "query-dump" DumpState: adding total_size and written_size fields dump-guest-memory: add "detach" support dump-guest-memory: disable dump when in INMIGRATE state dump-guest-memory: introduce dump_process() helper function. dump-guest-memory: add dump_in_progress() helper function dump-guest-memory: using static DumpState, add DumpStatus dump-guest-memory: add "detach" flag for QMP/HMP interfaces. dump-guest-memory: cleanup: removing dump_{error|cleanup}(). scripts/kvm/kvm_stat: Fix missing right parantheses and ".format(...)" qemu-options.hx: Improve documentation of chardev multiplexing mode Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
| * dump-guest-memory: add qmp event DUMP_COMPLETEDPeter Xu2016-02-221-0/+16
| | | | | | | | | | | | | | | | | | | | One new QMP event DUMP_COMPLETED is added. When a dump finishes, one DUMP_COMPLETED event will occur to notify the user. Signed-off-by: Peter Xu <peterx@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Message-Id: <1455772616-8668-12-git-send-email-peterx@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* | qapi: Correct the name of the iops_rd parameterAlberto Garcia2016-02-221-1/+1
| | | | | | | | | | Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* | qapi: Add burst length fields to BlockDeviceInfoAlberto Garcia2016-02-221-6/+33
| | | | | | | | | | | | | | | | | | This patch adds the new bps_*_max_length and iops_*_max_length parameters to the BlockDeviceInfo struct. Signed-off-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* | qapi: Add burst length parameters to block_set_io_throttleAlberto Garcia2016-02-221-6/+45
| | | | | | | | | | | | | | | | This patch adds the new bps_*_max_length and iops_*_max_length parameters to the block_set_io_throttle command. Signed-off-by: Alberto Garcia <berto@igalia.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* | qapi: Change visit_start_implicit_struct to visit_start_alternateEric Blake2016-02-193-45/+32Star
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After recent changes, the only remaining use of visit_start_implicit_struct() is for allocating the space needed when visiting an alternate. Since the term 'implicit struct' is hard to explain, rename the function to its current usage. While at it, we can merge the functionality of visit_get_next_type() into the same function, making it more like visit_start_struct(). Generated code is now slightly smaller: | { | Error *err = NULL; | |- visit_start_implicit_struct(v, (void**) obj, sizeof(BlockdevRef), &err); |+ visit_start_alternate(v, name, (GenericAlternate **)obj, sizeof(**obj), |+ true, &err); | if (err) { | goto out; | } |- visit_get_next_type(v, name, &(*obj)->type, true, &err); |- if (err) { |- goto out_obj; |- } | switch ((*obj)->type) { | case QTYPE_QDICT: | visit_start_struct(v, name, NULL, 0, &err); ... | } |-out_obj: |- visit_end_implicit_struct(v); |+ visit_end_alternate(v); | out: | error_propagate(errp, err); | } Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1455778109-6278-16-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* | qapi: Don't box branches of flat unionsEric Blake2016-02-192-34/+0Star
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There's no reason to do two malloc's for a flat union; let's just inline the branch struct directly into the C union branch of the flat union. Surprisingly, fewer clients were actually using explicit references to the branch types in comparison to the number of flat unions thus modified. This lets us reduce the hack in qapi-types:gen_variants() added in the previous patch; we no longer need to distinguish between alternates and flat unions. The change to unboxed structs means that u.data (added in commit cee2dedb) is now coincident with random fields of each branch of the flat union, whereas beforehand it was only coincident with pointers (since all branches of a flat union have to be objects). Note that this was already the case for simple unions - but there we got lucky. Remember, visit_start_union() blindly returns true for all visitors except for the dealloc visitor, where it returns the value !!obj->u.data, and that this result then controls whether to proceed with the visit to the variant. Pre-patch, this meant that flat unions were testing whether the boxed pointer was still NULL, and thereby skipping visit_end_implicit_struct() and avoiding a NULL dereference if the pointer had not been allocated. The same was true for simple unions where the current branch had pointer type, except there we bypassed visit_type_FOO(). But for simple unions where the current branch had scalar type, the contents of that scalar meant that the decision to call visit_type_FOO() was data-dependent - the reason we got lucky there is that visit_type_FOO() for all scalar types in the dealloc visitor is a no-op (only the pointer variants had anything to free), so it did not matter whether the dealloc visit was skipped. But with this patch, we would risk leaking memory if we could skip a call to visit_type_FOO_fields() based solely on a data-dependent decision. But notice: in the dealloc visitor, visit_type_FOO() already handles a NULL obj - it was only the visit_type_implicit_FOO() that was failing to check for NULL. And now that we have refactored things to have the branch be part of the parent struct, we no longer have a separate pointer that can be NULL in the first place. So we can just delete the call to visit_start_union() altogether, and blindly visit the branch type; there is no change in behavior except to the dealloc visitor, where we now unconditionally visit the branch, but where that visit is now always safe (for a flat union, we can no longer dereference NULL, and for a simple union, visit_type_FOO() was already safely handling NULL on pointer types). Unfortunately, simple unions are not as easy to switch to unboxed layout; because we are special-casing the hidden implicit type with a single 'data' member, we really DO need to keep calling another layer of visit_start_struct(), with a second malloc; although there are some cleanups planned for simple unions in later patches. visit_start_union() and gen_visit_implicit_struct() are now unused. Drop them. Note that after this patch, the only remaining use of visit_start_implicit_struct() is for alternate types; the next patch will do further cleanup based on that fact. Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1455778109-6278-14-git-send-email-eblake@redhat.com> [Dead code deletion squashed in, commit message updated accordingly] Signed-off-by: Markus Armbruster <armbru@redhat.com>
* | qapi: Adjust layout of FooList typesEric Blake2016-02-197-11/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | By sticking the next pointer first, we don't need a union with 64-bit padding for smaller types. On 32-bit platforms, this can reduce the size of uint8List from 16 bytes (or 12, depending on whether 64-bit ints can tolerate 4-byte alignment) down to 8. It has no effect on 64-bit platforms (where alignment still dictates a 16-byte struct); but fewer anonymous unions is still a win in my book. It requires visit_next_list() to gain a size parameter, to know what size element to allocate; comparable to the size parameter of visit_start_struct(). I debated about going one step further, to allow for fewer casts, by doing: typedef GenericList GenericList; struct GenericList { GenericList *next; }; struct FooList { GenericList base; Foo *value; }; so that you convert to 'GenericList *' by '&foolist->base', and back by 'container_of(generic, GenericList, base)' (as opposed to the existing '(GenericList *)foolist' and '(FooList *)generic'). But doing that would require hoisting the declaration of GenericList prior to inclusion of qapi-types.h, rather than its current spot in visitor.h; it also makes iteration a bit more verbose through 'foolist->base.next' instead of 'foolist->next'. Note that for lists of objects, the 'value' payload is still hidden behind a boxed pointer. Someday, it would be nice to do: struct FooList { FooList *next; Foo value; }; for one less level of malloc for each list element. This patch is a step in that direction (now that 'next' is no longer at a fixed non-zero offset within the struct, we can store more than just a pointer's-worth of data as the value payload), but the actual conversion would be a task for another series, as it will touch a lot of code. Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1455778109-6278-10-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* | qapi: Simplify excess input reporting in input visitorsEric Blake2016-02-192-18/+8Star
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When reporting that an unvisited member remains at the end of an input visit for a struct, we were using g_hash_table_find() coupled with a callback function that always returns true, to locate an arbitrary member of the hash table. But if all we need is an arbitrary entry, we can get that from a single-use iterator, without needing a tautological callback function. Technically, our cast of &(GQueue *) to (void **) is not strict C (while void * must be able to hold all other pointers, nothing says a void ** has to be the same width or representation as a GQueue **). The kosher way to write it would be the verbose: void *tmp; GQueue *any; if (g_hash_table_iter_next(&iter, NULL, &tmp)) { any = tmp; But our code base (not to mention glib itself) already has other cases of assuming that ALL pointers have the same width and representation, where a compiler would have to go out of its way to mis-compile our borderline behavior. Suggested-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <1455778109-6278-2-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* nbd: enable use of TLS with nbd-server-start commandDaniel P. Berrange2016-02-161-1/+3
| | | | | | | | | | | | | This modifies the nbd-server-start QMP command so that it is possible to request use of TLS. This is done by adding a new optional parameter "tls-creds" which provides the ID of a previously created QCryptoTLSCreds object instance. TLS is only supported when using an IPv4/IPv6 socket listener. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-Id: <1455129674-17255-17-git-send-email-berrange@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
* qmp: Don't abuse stack to track qmp-output rootEric Blake2016-02-081-63/+26Star
| | | | | | | | | | | | | | | | | | | | | | | | | | | The previous commit documented an inconsistency in how we are using the stack of qmp-output-visitor. Normally, pushing a single top-level object puts the object on the stack twice: once as the root, and once as the current container being appended to; but popping that struct only pops once. However, qmp_ouput_add() was trying to either set up the added object as the new root (works if you parse two top-level scalars in a row: the second replaces the first as the root) or as a member of the current container (works as long as you have an open container on the stack; but if you have popped the first top-level container, it then resolves to the root and still tries to add into that existing container). Fix the stupidity by not tracking two separate things in the stack. Drop the now-useless qmp_output_first() and qmp_output_last() while at it. Saved for a later patch: we still are rather sloppy in that qmp_output_get_object() can be called in the middle of a parse, rather than requiring that a visit is complete. Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1454075341-13658-26-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* qmp: Fix reference-counting of qnull on empty output visitEric Blake2016-02-081-7/+34
| | | | | | | | | | | | | | | | | | | | | | | | | Commit 6c2f9a15 ensured that we would not return NULL when the caller used an output visitor but had nothing to visit. But in doing so, it added a FIXME about a reference count leak that could abort qemu in the (unlikely) case of SIZE_MAX such visits (more plausible on 32-bit). (Although that commit suggested we might fix it in time for 2.5, we ran out of time; fortunately, it is unlikely enough to bite that it was not worth worrying about during the 2.5 release.) This fixes things by documenting the internal contracts, and explaining why the internal function can return NULL and only the public facing interface needs to worry about qnull(), thus avoiding over-referencing the qnull_ global object. It does not, however, fix the stupidity of the stack mixing up two separate pieces of information; add a FIXME to explain that issue, which will be fixed shortly in a future patch. Signed-off-by: Eric Blake <eblake@redhat.com> Cc: qemu-stable@nongnu.org Message-Id: <1454075341-13658-25-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* qapi: Drop unused error argument for list and implicit structEric Blake2016-02-087-34/+25Star
| | | | | | | | | | | | | | | | | No backend was setting an error when ending the visit of a list or implicit struct, or when moving to the next list node. Make the callers a bit easier to follow by making this a part of the contract, and removing the errp argument - callers can then unconditionally end an object as part of cleanup without having to think about whether a second error is dominated by a first, because there is no second error. A later patch will then tackle the larger task of splitting visit_end_struct(), which can indeed set an error. Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1454075341-13658-24-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* qapi: Tighten qmp_input_end_list()Eric Blake2016-02-081-1/+1
| | | | | | | | | | | | | | | The only way that qmp_input_pop() will set errp is if a dictionary was the most recent thing pushed. Since we don't have any push(struct)/pop(list) or push(list)/pop(struct) mismatches (such a mismatch is a programming bug), we therefore cannot set errp inside qmp_input_end_list(). Make this obvious by using &error_abort. A later patch will then remove the errp parameter of qmp_input_pop(), but that will first require the larger task of splitting visit_end_struct(). Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1454075341-13658-23-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* qapi: Drop unused 'kind' for struct/enum visitEric Blake2016-02-085-17/+11Star
| | | | | | | | | | | | | | | | | visit_start_struct() and visit_type_enum() had a 'kind' argument that was usually set to either the stringized version of the corresponding qapi type name, or to NULL (although some clients didn't even get that right). But nothing ever used the argument. It's even hard to argue that it would be useful in a debugger, as a stack backtrace also tells which type is being visited. Therefore, drop the 'kind' argument as dead. Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <1454075341-13658-22-git-send-email-eblake@redhat.com> [Harmless rebase mistake cleaned up] Signed-off-by: Markus Armbruster <armbru@redhat.com>
* qapi: Swap 'name' in visit_* callbacks to match public APIEric Blake2016-02-087-75/+74Star
| | | | | | | | | | | | | | | | | | | As explained in the previous patches, matching argument order of 'name, &value' to JSON's "name":value makes sense. However, while the last two patches were easy with Coccinelle, I ended up doing this one all by hand. Now all the visitor callbacks match the main interface. The compiler is able to enforce that all clients match the changed interface in visitor-impl.h, even where two pointers are being swapped, because only one of the two pointers is const (if that were not the case, then C's looseness on treating 'char *' like 'void *' would have made review a bit harder). Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <1454075341-13658-21-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* qapi: Swap visit_* arguments for consistent 'name' placementEric Blake2016-02-081-24/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | JSON uses "name":value, but many of our visitor interfaces were called with visit_type_FOO(v, &value, name, errp). This can be a bit confusing to have to mentally swap the parameter order to match JSON order. It's particularly bad for visit_start_struct(), where the 'name' parameter is smack in the middle of the otherwise-related group of 'obj, kind, size' parameters! It's time to do a global swap of the parameter ordering, so that the 'name' parameter is always immediately after the Visitor argument. Additional reason in favor of the swap: the existing include/qjson.h prefers listing 'name' first in json_prop_*(), and I have plans to unify that file with the qapi visitors; listing 'name' first in qapi will minimize churn to the (admittedly few) qjson.h clients. Later patches will then fix docs, object.h, visitor-impl.h, and those clients to match. Done by first patching scripts/qapi*.py by hand to make generated files do what I want, then by running the following Coccinelle script to affect the rest of the code base: $ spatch --sp-file script `git grep -l '\bvisit_' -- '**/*.[ch]'` I then had to apply some touchups (Coccinelle insisted on TAB indentation in visitor.h, and botched the signature of visit_type_enum() by rewriting 'const char *const strings[]' to the syntactically invalid 'const char*const[] strings'). The movement of parameters is sufficient to provoke compiler errors if any callers were missed. // Part 1: Swap declaration order @@ type TV, TErr, TObj, T1, T2; identifier OBJ, ARG1, ARG2; @@ void visit_start_struct -(TV v, TObj OBJ, T1 ARG1, const char *name, T2 ARG2, TErr errp) +(TV v, const char *name, TObj OBJ, T1 ARG1, T2 ARG2, TErr errp) { ... } @@ type bool, TV, T1; identifier ARG1; @@ bool visit_optional -(TV v, T1 ARG1, const char *name) +(TV v, const char *name, T1 ARG1) { ... } @@ type TV, TErr, TObj, T1; identifier OBJ, ARG1; @@ void visit_get_next_type -(TV v, TObj OBJ, T1 ARG1, const char *name, TErr errp) +(TV v, const char *name, TObj OBJ, T1 ARG1, TErr errp) { ... } @@ type TV, TErr, TObj, T1, T2; identifier OBJ, ARG1, ARG2; @@ void visit_type_enum -(TV v, TObj OBJ, T1 ARG1, T2 ARG2, const char *name, TErr errp) +(TV v, const char *name, TObj OBJ, T1 ARG1, T2 ARG2, TErr errp) { ... } @@ type TV, TErr, TObj; identifier OBJ; identifier VISIT_TYPE =~ "^visit_type_"; @@ void VISIT_TYPE -(TV v, TObj OBJ, const char *name, TErr errp) +(TV v, const char *name, TObj OBJ, TErr errp) { ... } // Part 2: swap caller order @@ expression V, NAME, OBJ, ARG1, ARG2, ERR; identifier VISIT_TYPE =~ "^visit_type_"; @@ ( -visit_start_struct(V, OBJ, ARG1, NAME, ARG2, ERR) +visit_start_struct(V, NAME, OBJ, ARG1, ARG2, ERR) | -visit_optional(V, ARG1, NAME) +visit_optional(V, NAME, ARG1) | -visit_get_next_type(V, OBJ, ARG1, NAME, ERR) +visit_get_next_type(V, NAME, OBJ, ARG1, ERR) | -visit_type_enum(V, OBJ, ARG1, ARG2, NAME, ERR) +visit_type_enum(V, NAME, OBJ, ARG1, ARG2, ERR) | -VISIT_TYPE(V, OBJ, NAME, ERR) +VISIT_TYPE(V, NAME, OBJ, ERR) ) Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <1454075341-13658-19-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* qapi: Consolidate visitor small integer callbacksEric Blake2016-02-081-94/+54Star
| | | | | | | | | | | | | | | | | | | | Commit 4e27e819 introduced optional visitor callbacks for all sorts of int types, but no visitor has supplied any of the callbacks for sizes less than 64 bits. In other words, the generic implementation based on using type_[u]int64() followed by bounds-checking works just fine. In the interest of simplicity, it's easier to make the visitor callback interface not have to worry about the other sizes. Adding some helper functions minimizes the boilerplate required to correct FIXMEs added earlier with regards to questionable reuse of errp, particularly now that we can guarantee from a single file audit that value is unchanged if an error is set. Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <1454075341-13658-16-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* qapi: Make all visitors supply uint64 callbacksEric Blake2016-02-086-25/+67
| | | | | | | | | | | | | | | | | | | | | | | | | Our qapi visitor contract supports multiple integer visitors, but left the type_uint64 visitor as optional (falling back on type_int64); which in turn can lead to awkward behavior with numbers larger than INT64_MAX (the user has to be aware of twos complement, and deal with negatives). This patch does not address the disparity in handling large values as negatives. It merely moves the fallback from uint64 to int64 from the visitor core to the visitors, where the issue can actually be fixed, by implementing the missing type_uint64() callbacks on top of the respective type_int64() callbacks, and with a FIXME comment explaining why that's wrong. With that done, we now have a type_uint64() callback in every driver, so we can make it mandatory from the core. And although the type_int64() callback can cover the entire valid range of type_uint{8,16,32} on valid user input, using type_uint64() to avoid mixed signedness makes more sense. Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1454075341-13658-15-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* qapi: Prefer type_int64 over type_int in visitorsEric Blake2016-02-087-31/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | The qapi builtin type 'int' is basically shorthand for the type 'int64'. In fact, since no visitor was providing the optional type_int64() callback, visit_type_int64() was just always falling back to type_int(), cementing the equivalence between the types. However, some visitors are providing a type_uint64() callback. For purposes of code consistency, it is nicer if all visitors use the paired type_int64/type_uint64 names rather than the mismatched type_int/type_uint64. So this patch just renames the signed int callbacks in place, dropping the type_int() callback as redundant, and a later patch will focus on the unsigned int callbacks. Add some FIXMEs to questionable reuse of errp in code touched by the rename, while at it (the reuse works as long as the callbacks don't modify value when setting an error, but it's not a good example to set) - a later patch will then fix those. No change in functionality here, although further cleanups are in the pipeline. Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1454075341-13658-14-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* qapi-visit: Kill unused visit_end_union()Eric Blake2016-02-081-7/+1Star
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The generated code can call visit_end_union() without having called visit_start_union(). Example: if (!*obj) { goto out_obj; } visit_type_CpuInfoBase_fields(v, (CpuInfoBase **)obj, &err); if (err) { goto out_obj; // if we go from here... } if (!visit_start_union(v, !!(*obj)->u.data, &err) || err) { goto out_obj; } switch ((*obj)->arch) { [...] } out_obj: // ... then *obj is true, and ... error_propagate(errp, err); err = NULL; if (*obj) { // we end up here visit_end_union(v, !!(*obj)->u.data, &err); } error_propagate(errp, err); Harmless only because no visitor implements end_union(). Clean it up anyway, by deleting the function as useless. Messed up since we have visit_end_union (commit cee2ded). Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <1453902888-20457-3-git-send-email-armbru@redhat.com> [expand scope of patch to delete rather than repair] Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1454075341-13658-13-git-send-email-eblake@redhat.com>
* qapi: Dealloc visitor does not need a type_size()Eric Blake2016-02-081-6/+0Star
| | | | | | | | | | | | | The intent of having the visitor type_size() callback differ from type_uint64() is to allow special handling for sizes; the visitor core gracefully falls back to type_uint64() if there is no need for the distinction. Since the dealloc visitor does nothing for any of the int visits, drop the pointless size handler. Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1454075341-13658-5-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* qapi: Drop dead dealloc visitor variableEric Blake2016-02-081-1/+0Star
| | | | | | | | | | Commit 0b9d8542 added StackEntry.is_list_head, but forgot to delete the now-unused QapiDeallocVisitor.is_list_head. Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <1454075341-13658-4-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* qapi: Avoid use of misnamed DO_UPCAST()Eric Blake2016-02-083-28/+44
| | | | | | | | | | | | | | | | | | | | The macro DO_UPCAST() is incorrectly named: it converts from a parent class to a derived class (which is a downcast). Better, and more consistent with some of the other qapi visitors, is to use the container_of() macro through a to_FOO() helper. Names like 'to_ov()' may be a bit short, but for a static helper it doesn't hurt too much, and matches existing practice in files like qmp-input-visitor.c. Our current definition of container_of() is weaker than DO_UPCAST(), in that it does not require the derived class to have Visitor as its first member, but this does not hurt our usage patterns in qapi visitors. Signed-off-by: Eric Blake <eblake@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <1454075341-13658-3-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
* qapi: Clean up includesPeter Maydell2016-02-0411-4/+11
| | | | | | | | | | | Clean up includes so that osdep.h is included first and headers which it implies are not included manually. This commit was created with scripts/clean-includes. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Eric Blake <eblake@redhat.com> Message-id: 1454089805-5470-8-git-send-email-peter.maydell@linaro.org
* qemu-img: Make MapEntry a QAPI structFam Zheng2016-02-021-0/+27
| | | | | | | | | | | | | The "flags" bit mask is expanded to two booleans, "data" and "zero"; "bs" is replaced with "filename" string. Refactor the merge conditions in img_map() into entry_mergeable(). Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Fam Zheng <famz@redhat.com> Message-id: 1453780743-16806-16-git-send-email-famz@redhat.com Signed-off-by: Max Reitz <mreitz@redhat.com>
* block/qapi: Emit tray_open only if there is a trayMax Reitz2016-02-021-2/+2
| | | | | | | Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Message-id: 1454096953-31773-5-git-send-email-mreitz@redhat.com
* blockdev: Fix 'change' for slot devicesMax Reitz2016-02-021-2/+1Star
| | | | | | | | | | | | | | | | | | | 'change' and related operations did not work when used on guest devices featuring removable media but no actual tray, because blk_dev_is_tray_open() always returned false for them and the blockdev-{insert,remove}-medium commands required it to return true. Fix this by making blockdev-{insert,remove}-medium work on tray-less devices. Also, blockdev-{open,close}-tray are now explicitly no-ops when invoked on such devices, and blk_dev_change_media_cb() is instead called by blockdev-{insert,remove}-medium (for tray-less devices only). Reported-by: Peter Maydell <peter.maydell@linaro.org> Cc: qemu-stable <qemu-stable@nongnu.org> Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Message-id: 1454096953-31773-3-git-send-email-mreitz@redhat.com Reviewed-by: Eric Blake <eblake@redhat.com>
* fdc: add drive type qapi enumJohn Snow2016-01-251-0/+16
| | | | | | | | | Change the floppy drive type to a QAPI enum type, to allow us to specify the floppy drive type from the CLI in a forthcoming patch. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: John Snow <jsnow@redhat.com> Message-id: 1453495865-9649-4-git-send-email-jsnow@redhat.com
* Migration: Emit event at start of passDr. David Alan Gilbert2016-01-131-0/+13
| | | | | | | | | | | | | Emit an event each time we sync the dirty bitmap on the source; this helps libvirt use postcopy by giving it a kick when it might be a good idea to start the postcopy. Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Amit Shah <amit.shah@redhat.com> Message-Id: <1450266458-3178-5-git-send-email-dgilbert@redhat.com> Signed-off-by: Amit Shah <amit.shah@redhat.com>
* qmp: Add blockdev-mirror commandFam Zheng2016-01-071-0/+48
| | | | | | | | | | | | | | | | This will start a mirror job from a named device to another named device, its relation with drive-mirror is similar with blockdev-backup to drive-backup. In blockdev-mirror, the target node should be prepared by blockdev-add, which will be responsible for assigning a name to the new node, so we don't have 'node-name' parameter. Signed-off-by: Fam Zheng <famz@redhat.com> Acked-by: Markus Armbruster <armbru@redhat.com> Message-id: 1450932306-13717-5-git-send-email-famz@redhat.com Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Max Reitz <mreitz@redhat.com>
* crypto: move QCryptoCipherAlgorithm/Mode enum definitions into QAPIDaniel P. Berrange2015-12-231-0/+30
| | | | | | | | | | The QCryptoCipherAlgorithm and QCryptoCipherMode enums are defined in the crypto/cipher.h header. In the future some QAPI types will want to reference the hash enums, so move the enum definition into QAPI too. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* crypto: move QCryptoHashAlgorithm enum definition into QAPIDaniel P. Berrange2015-12-231-0/+15
| | | | | | | | | The QCryptoHashAlgorithm enum is defined in the crypto/hash.h header. In the future some QAPI types will want to reference the hash enums, so move the enum definition into QAPI too. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* crypto: add QCryptoSecret object class for password/key handlingDaniel P. Berrange2015-12-181-0/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Introduce a new QCryptoSecret object class which will be used for providing passwords and keys to other objects which need sensitive credentials. The new object can provide secret values directly as properties, or indirectly via a file. The latter includes support for file descriptor passing syntax on UNIX platforms. Ordinarily passing secret values directly as properties is insecure, since they are visible in process listings, or in log files showing the CLI args / QMP commands. It is possible to use AES-256-CBC to encrypt the secret values though, in which case all that is visible is the ciphertext. For ad hoc developer testing though, it is fine to provide the secrets directly without encryption so this is not explicitly forbidden. The anticipated scenario is that libvirtd will create a random master key per QEMU instance (eg /var/run/libvirt/qemu/$VMNAME.key) and will use that key to encrypt all passwords it provides to QEMU via '-object secret,....'. This avoids the need for libvirt (or other mgmt apps) to worry about file descriptor passing. It also makes life easier for people who are scripting the management of QEMU, for whom FD passing is significantly more complex. Providing data inline (insecure, only for ad hoc dev testing) $QEMU -object secret,id=sec0,data=letmein Providing data indirectly in raw format printf "letmein" > mypasswd.txt $QEMU -object secret,id=sec0,file=mypasswd.txt Providing data indirectly in base64 format $QEMU -object secret,id=sec0,file=mykey.b64,format=base64 Providing data with encryption $QEMU -object secret,id=master0,file=mykey.b64,format=base64 \ -object secret,id=sec0,data=[base64 ciphertext],\ keyid=master0,iv=[base64 IV],format=base64 Note that 'format' here refers to the format of the ciphertext data. The decrypted data must always be in raw byte format. More examples are shown in the updated docs. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
* kvm: add support for -machine kernel_irqchip=splitMatt Gingell2015-12-171-0/+16
| | | | | | | | | | This patch adds the initial plumbing for split IRQ chip mode via KVM_CAP_SPLIT_IRQCHIP. In addition to option processing, a number of kvm_*_in_kernel macros are defined to help clarify which component is where. Signed-off-by: Matt Gingell <gingell@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>