From: Roman Bogorodskiy
To: libvir-list@redhat.com
Cc: Fabian Freyer, Roman Bogorodskiy
Subject: [PATCH v2 4/4] bhyve: add VNC password support
Date: Tue, 22 Sep 2020 16:28:51 +0400
Message-Id: <20200922122851.70947-5-bogorodskiy@gmail.com>
In-Reply-To: <20200922122851.70947-1-bogorodskiy@gmail.com>
References: <20200922122851.70947-1-bogorodskiy@gmail.com>

From: Fabian Freyer

Support setting a password for the VNC framebuffer using the passwd
attribute on the element, if the driver has the BHYVE_CAP_VNC_PASSWORD
capability.

Note that virsh domxml-from-native does not output the password in the
generated XML, as VIR_DOMAIN_DEF_FORMAT_SECURE is not set when
formatting the domain definition.

Signed-off-by: Fabian Freyer
Signed-off-by: Roman Bogorodskiy Reviewed-by: Daniel P. Berrang=C3=A9 --- NEWS.rst | 7 +++ src/bhyve/bhyve_command.c | 33 +++++++++----- src/bhyve/bhyve_parse_command.c | 5 +++ .../bhyveargv2xml-vnc-password.args | 10 +++++ .../bhyveargv2xml-vnc-password.xml | 22 ++++++++++ tests/bhyveargv2xmltest.c | 3 +- .../bhyvexml2argv-vnc-password-comma.xml | 26 +++++++++++ .../bhyvexml2argv-vnc-password.args | 12 +++++ .../bhyvexml2argv-vnc-password.ldargs | 1 + .../bhyvexml2argv-vnc-password.xml | 26 +++++++++++ tests/bhyvexml2argvtest.c | 8 +++- .../bhyvexml2xmlout-vnc-password.xml | 44 +++++++++++++++++++ tests/bhyvexml2xmltest.c | 1 + 13 files changed, 185 insertions(+), 13 deletions(-) create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comm= a.xml create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldar= gs create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.= xml diff --git a/NEWS.rst b/NEWS.rst index bb48f5bd43..c949cb941b 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -25,6 +25,13 @@ v6.8.0 (unreleased) Libvirt can now set the framebuffer's "w" and "h" parameters using the ``resolution`` element. =20 + * bhyve: Support VNC password authentication + + Libvirt can now probe whether the bhyve binary supports + VNC password authentication. In case it does, a VNC password + can now be passed using the ``passwd`` attribute on + the ```` element. + * **Improvements** =20 * qemu: Allow migration over UNIX sockets diff --git a/src/bhyve/bhyve_command.c b/src/bhyve/bhyve_command.c index 176a339d5a..1b48438168 100644 --- a/src/bhyve/bhyve_command.c +++ b/src/bhyve/bhyve_command.c 
@@ -424,17 +424,6 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def, return -1; } =20 - if (graphics->data.vnc.auth.passwd) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("vnc password auth not supported")); - return -1; - } else { - /* Bhyve doesn't support VNC Auth yet, so print a warning abo= ut - * unauthenticated VNC sessions */ - VIR_WARN("%s", _("Security warning: currently VNC auth is not" - " supported.")); - } - if (glisten->address) { escapeAddr =3D strchr(glisten->address, ':') !=3D NULL; if (escapeAddr) @@ -468,6 +457,28 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def, return -1; } =20 + if (graphics->data.vnc.auth.passwd) { + if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("VNC Passwort authentication not supported " + "by bhyve")); + return -1; + } + + if (strchr(graphics->data.vnc.auth.passwd, ',')) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("Password may not contain ',' character")); + return -1; + } + + virBufferAsprintf(&opt, ",password=3D%s", graphics->data.vnc.auth.= passwd); + } else { + if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD)) + VIR_WARN("%s", _("Security warning: VNC auth is not supported.= ")); + else + VIR_WARN("%s", _("Security warning: VNC is used without authen= tication.")); + } + if (video->res) virBufferAsprintf(&opt, ",w=3D%d,h=3D%d", video->res->x, video->re= s->y); =20 diff --git a/src/bhyve/bhyve_parse_command.c b/src/bhyve/bhyve_parse_comman= d.c index c6abdfacf3..05cb8eb7d6 100644 --- a/src/bhyve/bhyve_parse_command.c +++ b/src/bhyve/bhyve_parse_command.c @@ -641,6 +641,11 @@ bhyveParsePCIFbuf(virDomainDefPtr def, if (virStrToLong_uip(param, NULL, 10, &video->res->y)) goto error; } + + if (STRPREFIX(param, "password=3D")) { + param +=3D strlen("password=3D"); + graphics->data.vnc.auth.passwd =3D g_strdup(param); + } } =20 cleanup: 
diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args b/test= s/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args new file mode 100644 index 0000000000..c16e970795 --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args @@ -0,0 +1,10 @@ +/usr/sbin/bhyve \ +-c 1 \ +-m 214 \ +-u \ +-H \ +-P \ +-s 0:0,hostbridge \ +-l bootrom,/path/to/test.fd \ +-s 4:0,fbuf,tcp=3D127.0.0.1:5904,password=3Ds3cr3t \ +-s 1,lpc bhyve diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml b/tests= /bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml new file mode 100644 index 0000000000..456a1ee9e3 --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml @@ -0,0 +1,22 @@ + + bhyve + c7a5fdbd-edaf-9455-926a-d65c16db1809 + 219136 + 219136 + 1 + + hvm + + + destroy + destroy + destroy + + + + + + + diff --git a/tests/bhyveargv2xmltest.c b/tests/bhyveargv2xmltest.c index 4bf39d50dc..2c1ffc75f3 100644 --- a/tests/bhyveargv2xmltest.c +++ b/tests/bhyveargv2xmltest.c @@ -76,7 +76,7 @@ testCompareXMLToArgvFiles(const char *xmlfile, return -1; } =20 - if (vmdef && !(actualxml =3D virDomainDefFormat(vmdef, driver.xmlopt, = 0))) + if (vmdef && !(actualxml =3D virDomainDefFormat(vmdef, driver.xmlopt, = VIR_DOMAIN_DEF_FORMAT_SECURE))) return -1; =20 if (vmdef && virTestCompareToFile(actualxml, xmlfile) < 0) @@ -187,6 +187,7 @@ mymain(void) DO_TEST("vnc-vga-off"); DO_TEST("vnc-vga-io"); DO_TEST("vnc-resolution"); + DO_TEST("vnc-password"); =20 virObjectUnref(driver.caps); virObjectUnref(driver.xmlopt); diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml b= /tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml new file mode 100644 index 0000000000..76dd36f72a --- /dev/null +++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml @@ -0,0 +1,26 @@ + + bhyve + df3be7e7-a104-11e3-aeb0-50e5492bd3dc + 219136 + 1 + + hvm + /path/to/test.fd + + + + + + +
+ + + + +
+ + + + + + diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args b/test= s/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args new file mode 100644 index 0000000000..b3b1c244be --- /dev/null +++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args @@ -0,0 +1,12 @@ +/usr/sbin/bhyve \ +-c 1 \ +-m 214 \ +-u \ +-H \ +-P \ +-s 0:0,hostbridge \ +-l bootrom,/path/to/test.fd \ +-s 1:0,lpc \ +-s 2:0,ahci,hd:/tmp/freebsd.img \ +-s 3:0,virtio-net,faketapdev,mac=3D52:54:00:00:00:00 \ +-s 4:0,fbuf,tcp=3D127.0.0.1:5904,password=3Ds3cr3t bhyve diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs b/te= sts/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs new file mode 100644 index 0000000000..421376db9e --- /dev/null +++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs @@ -0,0 +1 @@ +dummy diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml b/tests= /bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml new file mode 100644 index 0000000000..97925a74fc --- /dev/null +++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml @@ -0,0 +1,26 @@ + + bhyve + df3be7e7-a104-11e3-aeb0-50e5492bd3dc + 219136 + 1 + + hvm + /path/to/test.fd + + + + + + +
+ + + + +
+ + + + + + diff --git a/tests/bhyvexml2argvtest.c b/tests/bhyvexml2argvtest.c index d4c4275702..def2acc15c 100644 --- a/tests/bhyvexml2argvtest.c +++ b/tests/bhyvexml2argvtest.c @@ -166,7 +166,8 @@ mymain(void) driver.bhyvecaps =3D BHYVE_CAP_RTC_UTC | BHYVE_CAP_AHCI32SLOT | \ BHYVE_CAP_NET_E1000 | BHYVE_CAP_LPC_BOOTROM | \ BHYVE_CAP_FBUF | BHYVE_CAP_XHCI | \ - BHYVE_CAP_CPUTOPOLOGY | BHYVE_CAP_SOUND_HDA; + BHYVE_CAP_CPUTOPOLOGY | BHYVE_CAP_SOUND_HDA | \ + BHYVE_CAP_VNC_PASSWORD; =20 DO_TEST("base"); DO_TEST("wired"); @@ -198,6 +199,8 @@ mymain(void) DO_TEST("vnc-vgaconf-io"); DO_TEST("vnc-autoport"); DO_TEST("vnc-resolution"); + DO_TEST("vnc-password"); + DO_TEST_FAILURE("vnc-password-comma"); DO_TEST("cputopology"); DO_TEST_FAILURE("cputopology-nvcpu-mismatch"); DO_TEST("commandline"); @@ -250,6 +253,9 @@ mymain(void) driver.bhyvecaps &=3D ~BHYVE_CAP_SOUND_HDA; DO_TEST_FAILURE("sound"); =20 + driver.bhyvecaps &=3D ~BHYVE_CAP_VNC_PASSWORD; + DO_TEST_FAILURE("vnc-password"); + virObjectUnref(driver.caps); virObjectUnref(driver.xmlopt); virPortAllocatorRangeFree(driver.remotePorts); diff --git a/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml b/t= ests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml new file mode 100644 index 0000000000..6786e10ab9 --- /dev/null +++ b/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml @@ -0,0 +1,44 @@ + + bhyve + df3be7e7-a104-11e3-aeb0-50e5492bd3dc + 219136 + 219136 + 1 + + hvm + /path/to/test.fd + + + + destroy + restart + destroy + + + + + +
+ + + +
+ + +
+ + + + + +
+ + + + +
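
Review bot: The NEWS.rst entry does not mention the restriction that the src/bhyve/bhyve_command.c hunk enforces: a password containing ',' is rejected with VIR_ERR_CONFIG_UNSUPPORTED. Users will otherwise only discover this when the domain fails to start, so a short sentence about the comma restriction belongs next to the description of the ``passwd`` attribute.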
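
Review bot: In the second bhyveBuildGraphicsArgStr() hunk of src/bhyve/bhyve_command.c, the password is appended to the fbuf option string with virBufferAsprintf(&opt, ",password=%s", ...), so it ends up in bhyve's argument vector, as the new .args test file shows ("-s 4:0,fbuf,tcp=127.0.0.1:5904,password=s3cr3t"). Process arguments are typically readable by other local users through process listings, so the secret that is kept out of non-SECURE XML output is still exposed on the host. If bhyve offers no other way to pass it, please say so in a comment here and in the documentation so administrators know the limitation. Separately, the error string in the same hunk reads "VNC Passwort authentication not supported by bhyve"; "Passwort" should be "Password".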
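
Review bot: In the bhyveParsePCIFbuf() hunk of src/bhyve/bhyve_parse_command.c, the assignment graphics->data.vnc.auth.passwd = g_strdup(param) does not free a previous value. If the fbuf argument carries more than one "password=" parameter and this block runs once per parameter, the earlier copy is leaked. Freeing the old pointer before the assignment would avoid that; rejecting a duplicate parameter would also work. The block also accepts "password=" with nothing after it and stores an empty string; it is worth deciding whether that should be treated as an error rather than as an empty password.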
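
Review bot: In the testCompareXMLToArgvFiles() hunk of tests/bhyveargv2xmltest.c, the flags argument to virDomainDefFormat() changes from 0 to VIR_DOMAIN_DEF_FORMAT_SECURE for every argv2xml test, not only the new "vnc-password" case, and the commit message states that virsh domxml-from-native formats without this flag. The test therefore no longer exercises the same formatting path as the command it models. Please add a comment explaining that SECURE is set only so the parsed password can be compared against the expected XML. A second comparison with flags 0, asserting that the password is absent from the output, would also be useful. The changed line is also very long and could be wrapped.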