From nobody Fri Nov 21 10:08:32 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass(p=reject dis=none) header.from=lists.libvirt.org ARC-Seal: i=1; a=rsa-sha256; t=1762441340; cv=none; d=zohomail.com; s=zohoarc; b=NtEnpi/ROtsDp4u++MtIhDmEfBM2j3rVaESaWsEqj49lB38rhmoON/kgOIXEWv+5Bo6xFwt0yM1KsU+cIasSoFGbYatzlB2N9rPK2QRMmqkiyI20LQxwazo9i8brxIy0C4NVLVckDhaZQVbkGbozEdGQmUNcTox0AWkPYpaP1Wg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1762441340; h=Content-Type:Content-Transfer-Encoding:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Subject:Subject:To:To:Message-Id:Cc; bh=M/VFQoYftGS/KuQgWPJNz0wMUoCxSpuTVCH2mekeys8=; b=QtivuJ06IQpoAGGT4bXF2saZnQXoh3GIlpCDWBTDFcv0NDJhzZMnyz3mt8x5Jh/fEJT53a1hSV5sXPZfGhAp4uWSz9xACaD+CuxgnlTTdC4E/AkB++Gv5e2R0/EaLsLW899MmGqxgFC8fZY2A+4aoaAx7qZwVvkGYSCVeFBf1Tc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1762441340981251.52230554822563; Thu, 6 Nov 2025 07:02:20 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 993) id 7767041C76; Thu, 6 Nov 2025 10:02:20 -0500 (EST) Received: from [172.19.199.29] (lists.libvirt.org [8.43.85.245]) by lists.libvirt.org (Postfix) with ESMTP id 5B1DE443F8; Thu, 6 Nov 2025 09:53:49 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 993) id CBD4343DF6; Thu, 6 Nov 2025 09:51:10 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id E329541988 for ; Thu, 6 Nov 2025 09:51:09 -0500 (EST) Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-520-PWbeHe06MR6A-4a_oUuUmQ-1; Thu, 06 Nov 2025 09:51:07 -0500 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 8764A1955DD0 for ; Thu, 6 Nov 2025 14:51:06 +0000 (UTC) Received: from toolbx.redhat.com (unknown [10.42.28.39]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 7AD8D1800451; Thu, 6 Nov 2025 14:51:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-5.0 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable autolearn_force=no version=4.0.1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1762440669; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=M/VFQoYftGS/KuQgWPJNz0wMUoCxSpuTVCH2mekeys8=; b=TzJR6PYVy3vtGcsiaqxbdSq+cctJYJh/oXXfD3SRdTKhEDjJAqIhp192UzOaXqmWYNTI6X t8N05wq2d54GdHNLODzGpts+uSTNur7Jea3jvbrDwna2G1IaWRQDBn1dlCgRjkY4bw78Aw Bc1UKlaDU2B9Gwef9c6ecJWfDBuSJ3g= X-MC-Unique: PWbeHe06MR6A-4a_oUuUmQ-1 X-Mimecast-MFC-AGG-ID: PWbeHe06MR6A-4a_oUuUmQ_1762440666 To: devel@lists.libvirt.org Subject: [PATCH 10/10] docs: describe support for multiple certs & PQC config Date: Thu, 6 Nov 2025 14:50:50 +0000 Message-ID: <20251106145050.1851526-11-berrange@redhat.com> In-Reply-To: <20251106145050.1851526-1-berrange@redhat.com> References: <20251106145050.1851526-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: gVoFZSBCStKsSkGB5sVEUk8_f5VQNHbEbMeMDKGxCZE_1762440666 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-ID-Hash: 5NFSKYRJP4FKC4WLGY2WNLPM5JPUZR4J X-Message-ID-Hash: 5NFSKYRJP4FKC4WLGY2WNLPM5JPUZR4J X-MailFrom: berrange@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-devel.lists.libvirt.org-0; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: From: =?utf-8?q?Daniel_P=2E_Berrang=C3=A9_via_Devel?= Reply-To: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1762441342585154100 From: Daniel P. Berrang=C3=A9 This describes the new index based certificate naming scheme, and how to create & deploy certificates for post-quantum cryptography. Signed-off-by: Daniel P. Berrang=C3=A9 --- docs/kbase/tlscerts.rst | 88 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst index c10ab11b7f..db962d0f46 100644 --- a/docs/kbase/tlscerts.rst +++ b/docs/kbase/tlscerts.rst @@ -75,6 +75,25 @@ in the path specified, otherwise the connection will fai= l with a fatal error. If =20 - For the root user, the global default locations will always be used. =20 +Multiple parallel certificate identities +---------------------------------------- + +Any scenario that requires a certificate identify (``servercert.pem`` / +``serverkey.pem`` and ``clientcert.pem`` / ``clientkey.pem``) can optional= ly +provide multiple parallel identities via a new indexed file naming +scheme. The new filenames are ``servercertNN.pem`` / ``serverkeyNN.pem`` +and ``clientcertNN.pem`` / ``clientkeyNN.pem``, for values of ``NN`` betwe= en +0 and 3 inclusive. + +The new naming can be used instead of the old naming, or concurrently +with the old naming. The old file names will be loaded first (if +present), followed by the indexed file names. Loading will stop at +the first missing index value. ie if ``servercert1.pem`` is not present, +then no attempt will be made to load ``servercert2.pem`` or ``servercert3.= pem``. + +If multiple CA certificates are required they must all be concatenated +into the single ``cacert.pem`` file. + Background to TLS certificates ------------------------------ =20 @@ -326,6 +345,75 @@ briefly cover the steps. cp clientkey.pem /etc/pki/libvirt/private/clientkey.pem cp clientcert.pem /etc/pki/libvirt/clientcert.pem =20 +Configuring for Post-Quantum Cryptography +----------------------------------------- + +Given a new enough gnutls release, suitably integrated & configured with t= he +operating system crypto policies, libvirt is able to support post-quantum +crytography on TLS enabled services, either exclusively or in a hybrid mod= e. + +In exclusive mode, only a single set of certificates need to be configured +for libvirt, with PQC compliant algorithms. Such a libvirt configuration w= ill +only be able to interoperate with other libvirt daemons that also have PQC +enabled. This can result in compatibility concerns during the period of +transition over to PQC compliant algorithms. + +In hybrid mode, multiple sets of certificates need to be configured for li= bvirt, +at least one set with traditional (non-PQC compliant) algorithms, and at l= east +one other set with modern (PQC compliant) algorithms. At time of the TLS +handshake, the GNUTLS algorithm priorities should ensure that PQC compliant +algorithms are negotiated if both sides of the connection support PQC. If = one +side lacks PQC, the TLS handshake should fallback to the non-PQC algorithm= s. +This can assist with interoperability during the transition to PQC, but ha= s a +potential weakness wrt downgrade attacks forcing use of non-PQC algorithms. +Exclusive PQC mode should be preferred where both peers in the TLS connect= ions +are known to support PQC. + +Key generation parameters +^^^^^^^^^^^^^^^^^^^^^^^^^ + +To create certificates with PQC compliant algorithms, the ``--key-type`` +argument must be passed to ``certtool`` when creating private keys. No +extra arguments are required for the other ``certtool`` commands, as +their behaviour will be determined by the private key type. + +The typical PQC compliant algorithms to use are ``ML-DSA-44``, ``ML-DSA-65= `` +and ``ML-DSA-87``, with ``ML-DSA-65`` being a suitable default choice in +the absence of explicit requirements. + +Taking the example earlier, for creating a key for a client certificate, +to use ``ML-DSA-65`` the command line would be modified to look like:: + + # certtool --generate-privkey --key-type=3Dmldsa65 > clientkey.pem + +The equivalent modification applies to the creation of the private keys +used for server certs, or root/intermediate CA certs. + +For hybrid mode, the additional indexed certificate naming must be used. +If multiple configured certificates are compatible with the mutually +supported crypto algorithms between the client and server, then the +first matching certificate will be used. + +IOW, to ensure that PQC certificates are preferred, they must use a +non-index based filename, or use an index that is smaller than any +non-PQC certificates. ie, ``servercert.pem`` for PQC and ``servercert0.pem= `` +for non-PQC, or ``servercert0.pem`` for PQC and ``servercert1.pem`` for +non-PQC. + +Force disabling PQC via crypto priority +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +If the OS configuration for system crypto algorithm priorities has +enabled PQC, this can (optionally) be overriden in libvirt server +configuration. To disable use of PQC set the ``tls_priority`` +parameter in the ``libvirtd.conf`` / ``virtproxyd.conf`` files: + + tls_priority =3D "@SYSTEM:-SIGN-ML-DSA-65:-SIGN-ML-DSA-44:-SIGN-ML-DSA-8= 7:-GROUP-X25519-MLKEM768:-GROUP-SECP256R1-MLKEM768:-GROUP-SECP384R1-MLKEM10= 24" + +On the client side this can be overriden using the ``tls_priority`` +URI parameter in the libvirt connection address. + + Troubleshooting TLS certificate problems ---------------------------------------- =20 --=20 2.51.1