* [pbs-devel] [PATCH proxmox-backup(-qemu) 0/3] switch to fingerprint for tracking key
@ 2020-11-24 13:05 Fabian Grünbichler
From: Fabian Grünbichler @ 2020-11-24 13:05 UTC (permalink / raw)
To: pbs-devel
one patch in proxmox-backup to make the inner bytes accessible from
other crates, after that has been applied + bumped the other two can be
used to switch over proxmox-backup-qemu to using the fingerprint()
method. forwards migration works without invalidating the bitmap,
backwards migration will invalidate the bitmap but otherwise work.
^ permalink raw reply [flat|nested] 8+ messages in thread* [pbs-devel] [PATCH proxmox-backup-qemu 1/2] encryption key tracking: use fingerprint 2020-11-24 13:05 [pbs-devel] [PATCH proxmox-backup(-qemu) 0/3] switch to fingerprint for tracking key Fabian Grünbichler @ 2020-11-24 13:05 ` Fabian Grünbichler 2020-11-24 15:36 ` Dietmar Maurer 2020-11-25 7:28 ` [pbs-devel] applied: " Dietmar Maurer 2020-11-24 13:05 ` [pbs-devel] [PATCH proxmox-backup] fingerprint: add bytes() accessor Fabian Grünbichler 2020-11-24 13:05 ` [pbs-devel] [PATCH proxmox-backup-qemu 2/2] fingerprint: rename variables Fabian Grünbichler 2 siblings, 2 replies; 8+ messages in thread From: Fabian Grünbichler @ 2020-11-24 13:05 UTC (permalink / raw) To: pbs-devel but accept old variant as well for now, to not invalidate bitmaps for freshly migrated VMs. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> --- Notes: needs proxmox-backup with Fingerprint::bytes() src/commands.rs | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/commands.rs b/src/commands.rs index 7a24b7c..dcee5a1 100644 --- a/src/commands.rs +++ b/src/commands.rs @@ -108,6 +108,8 @@ fn archive_name(device_name: &str) -> String { const CRYPT_CONFIG_HASH_INPUT:&[u8] = b"this is just a static string to protect against key changes"; /// Create an identifying digest for the crypt config +/// legacy version for VMs freshly migrated from old version +/// TODO: remove in PVE 7.0 pub(crate) fn crypt_config_digest( config: Arc<CryptConfig>, ) -> [u8;32] { @@ -152,7 +154,8 @@ pub(crate) fn check_last_encryption_key( let digest_guard = PREVIOUS_CRYPT_CONFIG_DIGEST.lock().unwrap(); match (*digest_guard, config) { (Some(last_digest), Some(current_config)) => { - crypt_config_digest(current_config) == last_digest + current_config.fingerprint().bytes() == &last_digest + || crypt_config_digest(current_config) == last_digest }, (None, None) => true, _ => false, 
@@ -440,7 +443,13 @@ pub(crate) async fn finish_backup( { let crypt_config_digest = match crypt_config { - Some(current_config) => Some(crypt_config_digest(current_config)), + Some(current_config) => { + let fp = current_config + .fingerprint() + .bytes() + .to_owned(); + Some(fp) + }, None => None, }; -- 2.20.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
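Review bot: the two `///` lines added above crypt_config_digest run straight on from the existing summary line, so rustdoc joins all three into one paragraph ("Create an identifying digest for the crypt config legacy version for ..."). Put an empty `///` line after the summary so the legacy remark and the TODO render as their own paragraph.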
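Review bot: in check_last_encryption_key the added `|| crypt_config_digest(current_config) == last_digest` branch carries no comment marking it as the legacy path; the only hint that it is temporary is the `TODO: remove in PVE 7.0` on the function definition further up the file. A one-line comment at the comparison that points to that TODO would make it obvious that both lines have to go together, and that until then a stored value matching either derivation is treated as "same key" for bitmap reuse.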
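Review bot: in finish_backup the binding is still named `crypt_config_digest` although it now holds a fingerprint, and `.to_owned()` on the `&[u8; 32]` returned by bytes() is only a copy of a Copy type. `Some(*current_config.fingerprint().bytes())`, or a `crypt_config.map(...)` over the same expression, says this without the intermediate `fp` binding. The name is corrected in 2/2, the five-line copy is not.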
* Re: [pbs-devel] [PATCH proxmox-backup-qemu 1/2] encryption key tracking: use fingerprint 2020-11-24 13:05 ` [pbs-devel] [PATCH proxmox-backup-qemu 1/2] encryption key tracking: use fingerprint Fabian Grünbichler @ 2020-11-24 15:36 ` Dietmar Maurer 2020-11-24 15:44 ` Fabian Grünbichler 2020-11-25 7:28 ` [pbs-devel] applied: " Dietmar Maurer 1 sibling, 1 reply; 8+ messages in thread From: Dietmar Maurer @ 2020-11-24 15:36 UTC (permalink / raw) To: Proxmox Backup Server development discussion, Fabian Grünbichler Does this improve something? I can't see the purpose of this change. > @@ -152,7 +154,8 @@ pub(crate) fn check_last_encryption_key( > let digest_guard = PREVIOUS_CRYPT_CONFIG_DIGEST.lock().unwrap(); > match (*digest_guard, config) { > (Some(last_digest), Some(current_config)) => { > - crypt_config_digest(current_config) == last_digest > + current_config.fingerprint().bytes() == &last_digest > + || crypt_config_digest(current_config) == last_digest > }, > (None, None) => true, > _ => false, > @@ -440,7 +443,13 @@ pub(crate) async fn finish_backup( > > { > let crypt_config_digest = match crypt_config { > - Some(current_config) => Some(crypt_config_digest(current_config)), > + Some(current_config) => { > + let fp = current_config > + .fingerprint() > + .bytes() > + .to_owned(); > + Some(fp) > + }, > None => None, > }; > ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [pbs-devel] [PATCH proxmox-backup-qemu 1/2] encryption key tracking: use fingerprint 2020-11-24 15:36 ` Dietmar Maurer @ 2020-11-24 15:44 ` Fabian Grünbichler 0 siblings, 0 replies; 8+ messages in thread From: Fabian Grünbichler @ 2020-11-24 15:44 UTC (permalink / raw) To: Dietmar Maurer, Proxmox Backup Server development discussion On November 24, 2020 4:36 pm, Dietmar Maurer wrote: > Does this improve something? I can't see the purpose of this change. it allows us to display this remembered fingerprint (e.g., in the 'invalidating bitmap' message or via the WIP 'query-proxmox-support'). (also, I'd rather harmonize this now while PVE->PBS is still in beta, and not afterwards) >> @@ -152,7 +154,8 @@ pub(crate) fn check_last_encryption_key( >> let digest_guard = PREVIOUS_CRYPT_CONFIG_DIGEST.lock().unwrap(); >> match (*digest_guard, config) { >> (Some(last_digest), Some(current_config)) => { >> - crypt_config_digest(current_config) == last_digest >> + current_config.fingerprint().bytes() == &last_digest >> + || crypt_config_digest(current_config) == last_digest >> }, >> (None, None) => true, >> _ => false, >> @@ -440,7 +443,13 @@ pub(crate) async fn finish_backup( >> >> { >> let crypt_config_digest = match crypt_config { >> - Some(current_config) => Some(crypt_config_digest(current_config)), >> + Some(current_config) => { >> + let fp = current_config >> + .fingerprint() >> + .bytes() >> + .to_owned(); >> + Some(fp) >> + }, >> None => None, >> }; >> > ^ permalink raw reply [flat|nested] 8+ messages in thread
* [pbs-devel] applied: [PATCH proxmox-backup-qemu 1/2] encryption key tracking: use fingerprint 2020-11-24 13:05 ` [pbs-devel] [PATCH proxmox-backup-qemu 1/2] encryption key tracking: use fingerprint Fabian Grünbichler 2020-11-24 15:36 ` Dietmar Maurer @ 2020-11-25 7:28 ` Dietmar Maurer 1 sibling, 0 replies; 8+ messages in thread From: Dietmar Maurer @ 2020-11-25 7:28 UTC (permalink / raw) To: Proxmox Backup Server development discussion, Fabian Grünbichler applied both patches. > On 11/24/2020 2:05 PM Fabian Grünbichler <f.gruenbichler@proxmox.com> wrote: > > > but accept old variant as well for now, to not invalidate bitmaps for > freshly migrated VMs. > > Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> > --- > > Notes: > needs proxmox-backup with Fingerprint::bytes() > > src/commands.rs | 13 +++++++++++-- > 1 file changed, 11 insertions(+), 2 deletions(-) > > diff --git a/src/commands.rs b/src/commands.rs > index 7a24b7c..dcee5a1 100644 > --- a/src/commands.rs > +++ b/src/commands.rs > @@ -108,6 +108,8 @@ fn archive_name(device_name: &str) -> String { > const CRYPT_CONFIG_HASH_INPUT:&[u8] = b"this is just a static string to protect against key changes"; > > /// Create an identifying digest for the crypt config > +/// legacy version for VMs freshly migrated from old version > +/// TODO: remove in PVE 7.0 > pub(crate) fn crypt_config_digest( > config: Arc<CryptConfig>, > ) -> [u8;32] { > @@ -152,7 +154,8 @@ pub(crate) fn check_last_encryption_key( > let digest_guard = PREVIOUS_CRYPT_CONFIG_DIGEST.lock().unwrap(); > match (*digest_guard, config) { > (Some(last_digest), Some(current_config)) => { > - crypt_config_digest(current_config) == last_digest > + current_config.fingerprint().bytes() == &last_digest > + || crypt_config_digest(current_config) == last_digest > }, > (None, None) => true, > _ => false, 
> @@ -440,7 +443,13 @@ pub(crate) async fn finish_backup( > > { > let crypt_config_digest = match crypt_config { > - Some(current_config) => Some(crypt_config_digest(current_config)), > + Some(current_config) => { > + let fp = current_config > + .fingerprint() > + .bytes() > + .to_owned(); > + Some(fp) > + }, > None => None, > }; > > -- > 2.20.1 > > > > _______________________________________________ > pbs-devel mailing list > pbs-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel ^ permalink raw reply [flat|nested] 8+ messages in thread
* [pbs-devel] [PATCH proxmox-backup] fingerprint: add bytes() accessor 2020-11-24 13:05 [pbs-devel] [PATCH proxmox-backup(-qemu) 0/3] switch to fingerprint for tracking key Fabian Grünbichler 2020-11-24 13:05 ` [pbs-devel] [PATCH proxmox-backup-qemu 1/2] encryption key tracking: use fingerprint Fabian Grünbichler @ 2020-11-24 13:05 ` Fabian Grünbichler 2020-11-25 7:27 ` [pbs-devel] applied: " Dietmar Maurer 2020-11-24 13:05 ` [pbs-devel] [PATCH proxmox-backup-qemu 2/2] fingerprint: rename variables Fabian Grünbichler 2 siblings, 1 reply; 8+ messages in thread From: Fabian Grünbichler @ 2020-11-24 13:05 UTC (permalink / raw) To: pbs-devel needed for libproxmox-backup-qemu0 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> --- src/backup/crypt_config.rs | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/backup/crypt_config.rs b/src/backup/crypt_config.rs index 7d27706a..67482a75 100644 --- a/src/backup/crypt_config.rs +++ b/src/backup/crypt_config.rs @@ -47,6 +47,12 @@ pub struct Fingerprint { bytes: [u8; 32], } +impl Fingerprint { + pub fn bytes(&self) -> &[u8; 32] { + &self.bytes + } +} + /// Display as short key ID impl Display for Fingerprint { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { -- 2.20.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
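Review bot: `pub fn bytes(&self) -> &[u8; 32]` in the new `impl Fingerprint` block is a public accessor with no doc comment, while the Display impl directly below it has one ("Display as short key ID"). Add a `///` line stating that this returns the raw 32-byte fingerprint and that other crates compare and persist it (the commit message names libproxmox-backup-qemu0 as the consumer), so a later change to how the bytes are derived is recognisable as a compatibility break for stored state.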
* [pbs-devel] applied: [PATCH proxmox-backup] fingerprint: add bytes() accessor 2020-11-24 13:05 ` [pbs-devel] [PATCH proxmox-backup] fingerprint: add bytes() accessor Fabian Grünbichler @ 2020-11-25 7:27 ` Dietmar Maurer 0 siblings, 0 replies; 8+ messages in thread From: Dietmar Maurer @ 2020-11-25 7:27 UTC (permalink / raw) To: Proxmox Backup Server development discussion, Fabian Grünbichler applied > On 11/24/2020 2:05 PM Fabian Grünbichler <f.gruenbichler@proxmox.com> wrote: > > > needed for libproxmox-backup-qemu0 > > Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> > --- > src/backup/crypt_config.rs | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/src/backup/crypt_config.rs b/src/backup/crypt_config.rs > index 7d27706a..67482a75 100644 > --- a/src/backup/crypt_config.rs > +++ b/src/backup/crypt_config.rs > @@ -47,6 +47,12 @@ pub struct Fingerprint { > bytes: [u8; 32], > } > > +impl Fingerprint { > + pub fn bytes(&self) -> &[u8; 32] { > + &self.bytes > + } > +} > + > /// Display as short key ID > impl Display for Fingerprint { > fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { > -- > 2.20.1 > > > > _______________________________________________ > pbs-devel mailing list > pbs-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel ^ permalink raw reply [flat|nested] 8+ messages in thread
* [pbs-devel] [PATCH proxmox-backup-qemu 2/2] fingerprint: rename variables 2020-11-24 13:05 [pbs-devel] [PATCH proxmox-backup(-qemu) 0/3] switch to fingerprint for tracking key Fabian Grünbichler 2020-11-24 13:05 ` [pbs-devel] [PATCH proxmox-backup-qemu 1/2] encryption key tracking: use fingerprint Fabian Grünbichler 2020-11-24 13:05 ` [pbs-devel] [PATCH proxmox-backup] fingerprint: add bytes() accessor Fabian Grünbichler @ 2020-11-24 13:05 ` Fabian Grünbichler 2 siblings, 0 replies; 8+ messages in thread From: Fabian Grünbichler @ 2020-11-24 13:05 UTC (permalink / raw) To: pbs-devel Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> --- src/commands.rs | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/src/commands.rs b/src/commands.rs index dcee5a1..cd81dae 100644 --- a/src/commands.rs +++ b/src/commands.rs @@ -23,7 +23,7 @@ lazy_static!{ Mutex::new(HashMap::new()) }; - static ref PREVIOUS_CRYPT_CONFIG_DIGEST: Mutex<Option<[u8;32]>> = { + static ref PREVIOUS_KEY_FINGERPRINT: Mutex<Option<[u8;32]>> = { Mutex::new(None) }; } 
@@ -40,16 +40,16 @@ pub struct ImageUploadInfo { pub(crate) fn serialize_state() -> Vec<u8> { let prev_csums = &*PREVIOUS_CSUMS.lock().unwrap(); - let prev_crypt_digest = &*PREVIOUS_CRYPT_CONFIG_DIGEST.lock().unwrap(); - bincode::serialize(&(prev_csums, prev_crypt_digest)).unwrap() + let prev_key_fingerprint = &*PREVIOUS_KEY_FINGERPRINT.lock().unwrap(); + bincode::serialize(&(prev_csums, prev_key_fingerprint)).unwrap() } pub(crate) fn deserialize_state(data: &[u8]) -> Result<(), Error> { - let (prev_csums, prev_crypt_digest) = bincode::deserialize(data)?; + let (prev_csums, prev_key_fingerprint) = bincode::deserialize(data)?; let mut prev_csums_guard = PREVIOUS_CSUMS.lock().unwrap(); - let mut prev_crypt_digest_guard = PREVIOUS_CRYPT_CONFIG_DIGEST.lock().unwrap(); + let mut prev_key_fingerprint_guard = PREVIOUS_KEY_FINGERPRINT.lock().unwrap(); *prev_csums_guard = prev_csums; - *prev_crypt_digest_guard = prev_crypt_digest; + *prev_key_fingerprint_guard = prev_key_fingerprint; Ok(()) } @@ -151,11 +151,11 @@ pub(crate) fn check_last_encryption_mode( pub(crate) fn check_last_encryption_key( config: Option<Arc<CryptConfig>>, ) -> bool { - let digest_guard = PREVIOUS_CRYPT_CONFIG_DIGEST.lock().unwrap(); - match (*digest_guard, config) { - (Some(last_digest), Some(current_config)) => { - current_config.fingerprint().bytes() == &last_digest - || crypt_config_digest(current_config) == last_digest + let fingerprint_guard = PREVIOUS_KEY_FINGERPRINT.lock().unwrap(); + match (*fingerprint_guard, config) { + (Some(last_fingerprint), Some(current_config)) => { + current_config.fingerprint().bytes() == &last_fingerprint + || crypt_config_digest(current_config) == last_fingerprint }, (None, None) => true, _ => false, @@ -442,7 +442,7 @@ pub(crate) async fn finish_backup( }; { - let crypt_config_digest = match crypt_config { + let key_fingerprint = match crypt_config { Some(current_config) => { let fp = current_config .fingerprint() 
@@ -453,8 +453,8 @@ pub(crate) async fn finish_backup( None => None, }; - let mut crypt_config_digest_guard = PREVIOUS_CRYPT_CONFIG_DIGEST.lock().unwrap(); - *crypt_config_digest_guard = crypt_config_digest; + let mut key_fingerprint_guard = PREVIOUS_KEY_FINGERPRINT.lock().unwrap(); + *key_fingerprint_guard = key_fingerprint; } client -- 2.20.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
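Review bot: the commit has no body, and for the serialize_state/deserialize_state hunk that leaves out the one thing a reader needs confirmed: that only local names change and the bincode tuple is still `(prev_csums, Option<[u8;32]>)`, so state serialized before this patch still deserializes after it. One sentence saying "no change to the serialized state" in the commit message would cover it.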
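Review bot: after the rename in check_last_encryption_key, `crypt_config_digest(current_config) == last_fingerprint` compares a legacy digest against a value called a fingerprint, which hides that PREVIOUS_KEY_FINGERPRINT can still hold an old-style digest loaded through deserialize_state. A comment on the static, or next to this comparison, saying the slot may contain either form until the legacy path is removed would keep the new name from misleading.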