Index: /trunk/src/VBox/Main/include/ConsoleImpl.h
===================================================================
--- /trunk/src/VBox/Main/include/ConsoleImpl.h	(revision 51924)
+++ /trunk/src/VBox/Main/include/ConsoleImpl.h	(revision 51925)
@@ -844,4 +844,5 @@
     HRESULT i_consoleParseDiskEncryption(const char *psz, const char **ppszEnd);
     HRESULT i_configureEncryptionForDisk(const char *pszUuid);
+    HRESULT i_clearDiskEncryptionKeysOnAllAttachments(void);
     int i_consoleParseKeyValue(const char *psz, const char **ppszEnd,
                                char **ppszKey, char **ppszVal);
Index: /trunk/src/VBox/Main/src-client/ConsoleImpl.cpp
===================================================================
--- /trunk/src/VBox/Main/src-client/ConsoleImpl.cpp	(revision 51924)
+++ /trunk/src/VBox/Main/src-client/ConsoleImpl.cpp	(revision 51925)
@@ -4380,4 +4380,88 @@
 
 /**
+ * Removes the key interfaces from all disk attachments, useful when
+ * changing the key store or dropping it.
+ */
+HRESULT Console::i_clearDiskEncryptionKeysOnAllAttachments(void)
+{
+    HRESULT hrc = S_OK;
+    SafeIfaceArray<IMediumAttachment> sfaAttachments;
+
+    AutoCaller autoCaller(this);
+    AssertComRCReturnRC(autoCaller.rc());
+
+    /* Get the VM - must be done before the read-locking. */
+    SafeVMPtr ptrVM(this);
+    if (!ptrVM.isOk())
+        return ptrVM.rc();
+
+    AutoReadLock alock(this COMMA_LOCKVAL_SRC_POS);
+
+    hrc = mMachine->COMGETTER(MediumAttachments)(ComSafeArrayAsOutParam(sfaAttachments));
+    AssertComRCReturnRC(hrc);
+
+    /* Find the correct attachment. */
+    for (unsigned i = 0; i < sfaAttachments.size(); i++)
+    {
+        const ComPtr<IMediumAttachment> &pAtt = sfaAttachments[i];
+
+        /*
+         * Query storage controller, port and device
+         * to identify the correct driver.
+         */
+        ComPtr<IStorageController> pStorageCtrl;
+        Bstr storageCtrlName;
+        LONG lPort, lDev;
+        ULONG ulStorageCtrlInst;
+
+        hrc = pAtt->COMGETTER(Controller)(storageCtrlName.asOutParam());
+        AssertComRC(hrc);
+
+        hrc = pAtt->COMGETTER(Port)(&lPort);
+        AssertComRC(hrc);
+
+        hrc = pAtt->COMGETTER(Device)(&lDev);
+        AssertComRC(hrc);
+
+        hrc = mMachine->GetStorageControllerByName(storageCtrlName.raw(), pStorageCtrl.asOutParam());
+        AssertComRC(hrc);
+
+        hrc = pStorageCtrl->COMGETTER(Instance)(&ulStorageCtrlInst);
+        AssertComRC(hrc);
+
+        StorageControllerType_T enmCtrlType;
+        hrc = pStorageCtrl->COMGETTER(ControllerType)(&enmCtrlType);
+        AssertComRC(hrc);
+        const char *pcszDevice = i_convertControllerTypeToDev(enmCtrlType);
+
+        StorageBus_T enmBus;
+        hrc = pStorageCtrl->COMGETTER(Bus)(&enmBus);
+        AssertComRC(hrc);
+
+        unsigned uLUN;
+        hrc = Console::i_convertBusPortDeviceToLun(enmBus, lPort, lDev, uLUN);
+        AssertComRC(hrc);
+
+        PPDMIBASE pIBase = NULL;
+        PPDMIMEDIA pIMedium = NULL;
+        int rc = PDMR3QueryDriverOnLun(ptrVM.rawUVM(), pcszDevice, ulStorageCtrlInst, uLUN, "VD", &pIBase);
+        if (RT_SUCCESS(rc))
+        {
+            if (pIBase)
+            {
+                pIMedium = (PPDMIMEDIA)pIBase->pfnQueryInterface(pIBase, PDMIMEDIA_IID);
+                if (pIMedium)
+                {
+                    rc = pIMedium->pfnSetSecKeyIf(pIMedium, NULL);
+                    Assert(RT_SUCCESS(rc) || rc == VERR_NOT_SUPPORTED);
+                }
+            }
+        }
+    }
+
+    return hrc;
+}
+
+/**
  * Configures the encryption support for the disk identified by the gien UUID with
  * the given key.
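Review bot: In the attachment loop of i_clearDiskEncryptionKeysOnAllAttachments every getter result is only passed to AssertComRC, which does not leave the function, so after a failed call the code still dereferences pStorageCtrl and uses lPort, lDev and uLUN, which may be unset. The result of pfnSetSecKeyIf(pIMedium, NULL) is likewise only asserted, and the returned hrc is simply that of the last getter on the last attachment, so a caller cannot tell whether a driver kept its key interface. I would skip an attachment as soon as one query fails, keep visiting the remaining ones, and return the first failure, as sketched below. The comment "Find the correct attachment." also looks copied from the single-disk function, since this loop handles all attachments.

```cpp
    HRESULT hrcRet = S_OK; /* first failure seen; the loop still visits every attachment */
    /* … unchanged: AutoCaller, SafeVMPtr, read lock, MediumAttachments query … */
    for (unsigned i = 0; i < sfaAttachments.size(); i++)
    {
        /* … unchanged: pAtt and the existing local declarations … */
        StorageControllerType_T enmCtrlType;
        StorageBus_T enmBus;
        unsigned uLUN;

        hrc = pAtt->COMGETTER(Controller)(storageCtrlName.asOutParam());
        if (SUCCEEDED(hrc))
            hrc = pAtt->COMGETTER(Port)(&lPort);
        if (SUCCEEDED(hrc))
            hrc = pAtt->COMGETTER(Device)(&lDev);
        if (SUCCEEDED(hrc))
            hrc = mMachine->GetStorageControllerByName(storageCtrlName.raw(), pStorageCtrl.asOutParam());
        if (SUCCEEDED(hrc))
            hrc = pStorageCtrl->COMGETTER(Instance)(&ulStorageCtrlInst);
        if (SUCCEEDED(hrc))
            hrc = pStorageCtrl->COMGETTER(ControllerType)(&enmCtrlType);
        if (SUCCEEDED(hrc))
            hrc = pStorageCtrl->COMGETTER(Bus)(&enmBus);
        if (SUCCEEDED(hrc))
            hrc = Console::i_convertBusPortDeviceToLun(enmBus, lPort, lDev, uLUN);
        if (FAILED(hrc))
        {
            if (SUCCEEDED(hrcRet))
                hrcRet = hrc;
            continue; /* pStorageCtrl, lPort, lDev or uLUN are not valid here */
        }
        const char *pcszDevice = i_convertControllerTypeToDev(enmCtrlType);

        /* … unchanged: PDMR3QueryDriverOnLun and the interface queries … */
                    rc = pIMedium->pfnSetSecKeyIf(pIMedium, NULL);
                    if (RT_FAILURE(rc) && rc != VERR_NOT_SUPPORTED && SUCCEEDED(hrcRet))
                        hrcRet = E_FAIL;
        /* … unchanged: closing braces of the nested ifs … */
    }

    return hrcRet;
```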
@@ -4484,12 +4568,14 @@
                     if (!pIMedium)
                         return setError(E_FAIL, tr("could not query medium interface of controller"));
+                    else
+                    {
+                        rc = pIMedium->pfnSetSecKeyIf(pIMedium, mpIfSecKey);
+                        if (RT_FAILURE(rc))
+                            return setError(E_FAIL, tr("Failed to set the encryption key (%Rrc)"), rc);
+                    }
                 }
                 else
                     return setError(E_FAIL, tr("could not query base interface of controller"));
             }
-
-            rc = pIMedium->pfnSetSecKeyIf(pIMedium, mpIfSecKey);
-            if (RT_FAILURE(rc))
-                return setError(E_FAIL, tr("Failed to set the encryption key (%Rrc)"), rc);
         }
     }
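Review bot: The `else` added after `return setError(E_FAIL, tr("could not query medium interface of controller"));` is redundant, because the `!pIMedium` branch already returns; the pfnSetSecKeyIf call can follow that early return directly and sit one nesting level shallower. A short comment such as `/* pIMedium is only valid inside this branch. */` would record why the call was moved in from the end of the loop body. The enclosing function starts and ends outside this hunk.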
@@ -5965,4 +6051,16 @@
     if (RT_FAILURE(vrc))
         hrc = setError(VBOX_E_VM_ERROR, tr("Could not suspend the machine execution (%Rrc)"), vrc);
+    else
+    {
+        /* Unconfigure disk encryption from all attachments. */
+        i_clearDiskEncryptionKeysOnAllAttachments();
+
+        /* Clear any keys we have stored. */
+        for (SecretKeyMap::iterator it = m_mapSecretKeys.begin();
+            it != m_mapSecretKeys.end();
+            it++)
+            delete it->second;
+        m_mapSecretKeys.clear();
+    }
 
     LogFlowThisFunc(("hrc=%Rhrc\n", hrc));
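Review bot: The HRESULT of `i_clearDiskEncryptionKeysOnAllAttachments()` is discarded in the new `else` branch, so the entries of m_mapSecretKeys are deleted even when detaching the key interface from some attachment failed. At minimum the failure should be recorded, e.g. `HRESULT hrc2 = i_clearDiskEncryptionKeysOnAllAttachments(); if (FAILED(hrc2)) LogRel(("Clearing disk encryption key interfaces failed: %Rhrc\n", hrc2));`. `delete it->second` is the only cleanup of the key objects visible here, so it is worth confirming that the destructor of the stored key type wipes the key material before freeing it; that type is not shown in this diff. Whether m_mapSecretKeys is modified under the appropriate lock cannot be judged from the hunk, as the enclosing function starts and ends outside it.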
