From nobody Mon Feb 9 15:09:36 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 63.128.21.124 as permitted sender) client-ip=63.128.21.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 63.128.21.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1614177973; cv=none; d=zohomail.com; s=zohoarc; b=WtGYpJNCuZok6aWXO98MgvKep9EWS+3miubJy4aQACSmH7o9HqFJIPCsbk64bf1N4smemO3VVSww6taM4Q6ARapeWe9LnhWQ6QJAKduPEAJEAsdlwH0nZK6flWJNIMvAh9qwlXqqgCt8BziQ3sxE27DAmB2iBobWNmESHI/XzXQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1614177973; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=I+tsw32m4ImJA/s2NdC+WrUHp21imXzyr/ZshNYex1o=; b=J+//CSWUzUvRuu6DpNHdrV3ipy/NJTIb6YcYdcCODWedo41f4JqfPAmh0pwQCeN8acHe1QQZ1fcqrkojfivqESc1nTmLyaE0qcKOEPNnR6ZfTSkhD64JybwrEwHMrhBYEsasIIW+QV9gEsWpe9DnV+Yv5DCno8S81qq0IUWA2/s= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 63.128.21.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [63.128.21.124]) by mx.zohomail.com with SMTPS id 1614177973572886.5026611569529; Wed, 24 Feb 2021 06:46:13 -0800 (PST) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-500-rzqXSic3O_O0wgUlpXqQ8w-1; Wed, 24 Feb 2021 09:46:03 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8F891A3D7BD; Wed, 24 Feb 2021 13:54:25 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 649B85D9E3; Wed, 24 Feb 2021 13:54:25 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 1E09858083; Wed, 24 Feb 2021 13:54:25 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 11ODs0ji016784 for ; Wed, 24 Feb 2021 08:54:00 -0500 Received: by smtp.corp.redhat.com (Postfix) id AFEB15D6AD; Wed, 24 Feb 2021 13:54:00 +0000 (UTC) Received: from merkur.redhat.com (ovpn-114-142.ams2.redhat.com [10.36.114.142]) by smtp.corp.redhat.com (Postfix) with ESMTP id C72995D6D3; Wed, 24 Feb 2021 13:53:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1614177972; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=I+tsw32m4ImJA/s2NdC+WrUHp21imXzyr/ZshNYex1o=; b=NdaMT4AiLPnt+/IQinBLZvPWWo/xH/lakD5jw4wjylIt3LcYlJAx9Z0AuFqt1EbmmJwWzG Jzr7g/ahW6+k9P3HlD3qHCWcMCGylRdJOvDGBBeiHnFN5hOBvC6z5SxBTK72UW7+HEwD3R qNUSVRuOAb8XFwoXvTI7KgxTelffzjg= X-MC-Unique: rzqXSic3O_O0wgUlpXqQ8w-1 From: Kevin Wolf To: qemu-devel@nongnu.org Subject: [PATCH v2 11/31] qapi/qom: Add ObjectOptions for tls-*, deprecate 'loaded' Date: Wed, 24 Feb 2021 14:52:35 +0100 Message-Id: <20210224135255.253837-12-kwolf@redhat.com> In-Reply-To: <20210224135255.253837-1-kwolf@redhat.com> References: <20210224135255.253837-1-kwolf@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com Cc: kwolf@redhat.com, lvivier@redhat.com, thuth@redhat.com, pkrempa@redhat.com, ehabkost@redhat.com, qemu-block@nongnu.org, libvir-list@redhat.com, jasowang@redhat.com, mreitz@redhat.com, kraxel@redhat.com, pbonzini@redhat.com, dgilbert@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) Content-Type: text/plain; charset="utf-8" This adds a QAPI schema for the properties of the tls-* objects. The 'loaded' property doesn't seem to make sense as an external interface: It is automatically set to true in ucc->complete, and explicitly setting it to true earlier just means that additional options will be silently ignored. In other words, the 'loaded' property is useless. Mark it as deprecated in the schema from the start. Signed-off-by: Kevin Wolf Reviewed-by: Eric Blake --- qapi/crypto.json | 98 ++++++++++++++++++++++++++++++++++++++++++++++++ qapi/qom.json | 12 +++++- 2 files changed, 108 insertions(+), 2 deletions(-) diff --git a/qapi/crypto.json b/qapi/crypto.json index 0fef3de66d..7116ae9a46 100644 --- a/qapi/crypto.json +++ b/qapi/crypto.json @@ -442,3 +442,101 @@ { 'struct': 'SecretKeyringProperties', 'base': 'SecretCommonProperties', 'data': { 'serial': 'int32' } } + +## +# @TlsCredsProperties: +# +# Properties for objects of classes derived from tls-creds. +# +# @verify-peer: if true the peer credentials will be verified once the +# handshake is completed. This is a no-op for anonymous +# credentials. (default: true) +# +# @dir: the path of the directory that contains the credential files +# +# @endpoint: whether the QEMU network backend that uses the credentials wi= ll be +# acting as a client or as a server (default: client) +# +# @priority: a gnutls priority string as described at +# https://gnutls.org/manual/html_node/Priority-Strings.html +# +# Since: 2.5 +## +{ 'struct': 'TlsCredsProperties', + 'data': { '*verify-peer': 'bool', + '*dir': 'str', + '*endpoint': 'QCryptoTLSCredsEndpoint', + '*priority': 'str' } } + +## +# @TlsCredsAnonProperties: +# +# Properties for tls-creds-anon objects. +# +# @loaded: if true, the credentials are loaded immediately when applying t= his +# option and will ignore options that are processed later. Don't = use; +# only provided for compatibility. (default: false) +# +# Features: +# @deprecated: Member @loaded is deprecated. Setting true doesn't make se= nse, +# and false is already the default. +# +# Since: 2.5 +## +{ 'struct': 'TlsCredsAnonProperties', + 'base': 'TlsCredsProperties', + 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] } } } + +## +# @TlsCredsPskProperties: +# +# Properties for tls-creds-psk objects. +# +# @loaded: if true, the credentials are loaded immediately when applying t= his +# option and will ignore options that are processed later. Don't = use; +# only provided for compatibility. (default: false) +# +# @username: the username which will be sent to the server. For clients o= nly. +# If absent, "qemu" is sent and the property will read back as = an +# empty string. +# +# Features: +# @deprecated: Member @loaded is deprecated. Setting true doesn't make se= nse, +# and false is already the default. +# +# Since: 3.0 +## +{ 'struct': 'TlsCredsPskProperties', + 'base': 'TlsCredsProperties', + 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, + '*username': 'str' } } + +## +# @TlsCredsX509Properties: +# +# Properties for tls-creds-x509 objects. +# +# @loaded: if true, the credentials are loaded immediately when applying t= his +# option and will ignore options that are processed later. Don't = use; +# only provided for compatibility. (default: false) +# +# @sanity-check: if true, perform some sanity checks before using the +# credentials (default: true) +# +# @passwordid: For the server-key.pem and client-key.pem files which conta= in +# sensitive private keys, it is possible to use an encrypted +# version by providing the @passwordid parameter. This provi= des +# the ID of a previously created secret object containing the +# password for decryption. +# +# Features: +# @deprecated: Member @loaded is deprecated. Setting true doesn't make se= nse, +# and false is already the default. +# +# Since: 2.5 +## +{ 'struct': 'TlsCredsX509Properties', + 'base': 'TlsCredsProperties', + 'data': { '*loaded': { 'type': 'bool', 'features': ['deprecated'] }, + '*sanity-check': 'bool', + '*passwordid': 'str' } } diff --git a/qapi/qom.json b/qapi/qom.json index 2668ad8369..f22b7aa99b 100644 --- a/qapi/qom.json +++ b/qapi/qom.json @@ -452,7 +452,11 @@ 'rng-random', 'secret', 'secret_keyring', - 'throttle-group' + 'throttle-group', + 'tls-creds-anon', + 'tls-creds-psk', + 'tls-creds-x509', + 'tls-cipher-suites' ] } =20 ## @@ -488,7 +492,11 @@ 'rng-random': 'RngRandomProperties', 'secret': 'SecretProperties', 'secret_keyring': 'SecretKeyringProperties', - 'throttle-group': 'ThrottleGroupProperties' + 'throttle-group': 'ThrottleGroupProperties', + 'tls-creds-anon': 'TlsCredsAnonProperties', + 'tls-creds-psk': 'TlsCredsPskProperties', + 'tls-creds-x509': 'TlsCredsX509Properties', + 'tls-cipher-suites': 'TlsCredsProperties' } } =20 ## --=20 2.29.2