From: Michal Privoznik
To: devel@lists.libvirt.org
Subject: [PATCH 3/4] virsecretobj: Encrypt/decrypt secrets using TPM
Date: Tue, 13 Feb 2024 17:16:07 +0100
Message-ID: <0d2ae03a75d98a3784ca2152ac6806bbba5481ff.1707840643.git.mprivozn@redhat.com>

If a user requests their virSecret value to be encrypted using the host's TPM, we can now honour such a request as we have all the APIs ready. The value is still stored in a file (obj->base64File) but because it was encrypted by TPM it's not readable (even though it's still base64 encoded).

And since we can detect usability of the host's TPM, let's do that when a virSecret is defined and TPM is requested. This avoids unpleasant surprises later on.

Resolves: https://issues.redhat.com/browse/RHEL-7125
Signed-off-by: Michal Privoznik
--- src/conf/virsecretobj.c | 32 +++++++++++++++++++++++++++++--- src/secret/secret_driver.c | 7 +++++++ 2 files changed, 36 insertions(+), 3 deletions(-) diff --git a/src/conf/virsecretobj.c b/src/conf/virsecretobj.c index 455798d414..b77d69649c 100644
--- a/src/conf/virsecretobj.c +++ b/src/conf/virsecretobj.c @@ -24,12 +24,13 @@ #include =20 #include "datatypes.h" -#include "virsecretobj.h" #include "viralloc.h" #include "virerror.h" #include "virfile.h" #include "virhash.h" #include "virlog.h" +#include "virsecret.h" +#include "virsecretobj.h" #include "virstring.h" =20 #define VIR_FROM_THIS VIR_FROM_SECRET @@ -689,7 +690,19 @@ virSecretObjSaveData(virSecretObj *obj) if (!obj->value) return 0; =20 - base64 =3D g_base64_encode(obj->value, obj->value_size); + if (obj->def->tpm =3D=3D VIR_TRISTATE_BOOL_YES) { + char uuidStr[VIR_UUID_STRING_BUFLEN] =3D { 0 }; + + virUUIDFormat(obj->def->uuid, uuidStr); + + if (virSecretTPMEncrypt(uuidStr, + obj->value, obj->value_size, + &base64) < 0) { + return -1; + } + } else { + base64 =3D g_base64_encode(obj->value, obj->value_size); + } =20 if (virFileRewriteStr(obj->base64File, S_IRUSR | S_IWUSR, base64) < 0) return -1; @@ -847,7 +860,20 @@ virSecretLoadValue(virSecretObj *obj) =20 VIR_FORCE_CLOSE(fd); =20 - obj->value =3D g_base64_decode(contents, &obj->value_size); + if (obj->def->tpm =3D=3D VIR_TRISTATE_BOOL_YES) { + char uuidStr[VIR_UUID_STRING_BUFLEN] =3D { 0 }; + + virUUIDFormat(obj->def->uuid, uuidStr); + + if (virSecretTPMDecrypt(uuidStr, + contents, + &obj->value, + &obj->value_size) < 0) { + goto cleanup; + } + } else { + obj->value =3D g_base64_decode(contents, &obj->value_size); + } =20 ret =3D 0; =20 diff --git a/src/secret/secret_driver.c b/src/secret/secret_driver.c index c7bd65b4e9..116d645243 100644 --- a/src/secret/secret_driver.c +++ b/src/secret/secret_driver.c 
@@ -234,6 +234,13 @@ secretDefineXML(virConnectPtr conn, if (virSecretDefineXMLEnsureACL(conn, def) < 0) goto cleanup; =20 + if (def->tpm =3D=3D VIR_TRISTATE_BOOL_YES && + virSecretTPMAvailable() !=3D 1) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("TPM is unavailable or unusable on this host")); + goto cleanup; + } + if (!(obj =3D virSecretObjListAdd(driver->secrets, &def, driver->configDir, &backup))) goto cleanup; --=20 2.43.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org
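Review bot: In virSecretObjSaveData(), the TPM branch stores the result of virSecretTPMEncrypt() in the variable named base64 and passes it to virFileRewriteStr(), so the code depends on that function returning a NUL-terminated, base64-encoded string, and nothing at the call site says so. A short comment on the branch stating what the output is (and what uuidStr is used for) would make the contract visible, and the variable could be renamed now that it no longer always holds a plain base64 encoding of the value. The uuidStr formatting block is repeated verbatim in virSecretLoadValue(); a small helper would keep the save and load paths in step.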
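Review bot: In virSecretLoadValue(), the choice between virSecretTPMDecrypt() and g_base64_decode() is made only from obj->def->tpm, while the contents of the value file carry no marker of which form was written. If a definition can be replaced with a different tpm setting while a value file already exists (the &backup argument to virSecretObjListAdd() in secretDefineXML() suggests redefinition is possible), the stored data is parsed in the wrong format: plain base64 is handed to the TPM and fails, or TPM output, which the commit message says is still base64, is decoded and returned as the secret value. Consider refusing a change of tpm on redefinition, re-saving the value when the setting changes, or tagging the file contents so the loader can verify the format.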
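Review bot: In secretDefineXML(), the test virSecretTPMAvailable() != 1 treats every return value other than 1 the same way. If the function can return a negative value after reporting its own error, the virReportError() call here replaces that more specific message with the generic "TPM is unavailable or unusable on this host". Suggest reporting VIR_ERR_CONFIG_UNSUPPORTED only for a return of 0 and going straight to cleanup on a negative return. The check also runs only at definition time; a secret with tpm enabled that is read back from disk reaches virSecretTPMDecrypt() in virSecretLoadValue() without it, so that path needs an equally clear error.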