diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index e0b6ba704ff71b1be3a87d3dbe7b03967d6654e2..eb3aacd4365d7e804d7656bd030f0926c7781bcc 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6227,6 +6227,45 @@ qemu-kvm -net nic,model=? /dev/null being on a file system that lacks security labeling.
+The content of the optional keywrap
element specifies
+ whether the guest will be allowed to perform the S390 cryptographic key
+ management operations. A clear key can be protected by encrypting it
+ under a unique wrapping key that is generated for each guest VM running
+ on the host. Two variations of wrapping keys are generated: one version
+ for encrypting protected keys using the DEA/TDEA algorithm, and another
+ version for keys encrypted using the AES algorithm. If a
+ keywrap
element is not included, the guest will be granted
+ access to both AES and DEA/TDEA key wrapping by default.
+<domain> + ... + <keywrap> + <cipher name='aes' state='off'/> + </keywrap> + ... +</domain> ++
+ At least one cipher
element must be nested within the
+ keywrap
element.
+
cipher
name
attribute identifies the algorithm
+ for encrypting a protected key. The values supported for this attribute
+ are aes
for encryption under the AES wrapping key, or
+ dea
for encryption under the DEA/TDEA wrapping key. The
+ state
attribute indicates whether the cryptographic key
+ management operations should be turned on for the specified encryption
+ algorithm. The value can be set to on
or off
.
+ Note: DEA/TDEA is synonymous with DES/TDES.
+
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index c151e92974d298b93d9f4a2c3cab77ffb48bc4c5..64a094b5ad1c49258a21b21b7a0af739ee1dd7fc 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -67,6 +67,9 @@