[PATCH v1 0/7] Add TLS-PSK support for migration

Abhisek Panda posted 7 patches 4 days, 4 hours ago
QEMU provides the ability to encrypt the migration data stream using
two transport layer security (TLS) authentication schemes: X.509
certificates and pre-shared keys (PSK). Currently, Libvirt only
supports the X.509-based TLS authentication scheme. With TLS X.509
certificates, a set of live migrations uses a fixed set of static
certificates for encrypted migration. In this authentication scheme,
users are required to deploy a certificate authority and monitor the
certificate expiration window. If certificates are compromised, all
future live migrations are vulnerable.

To resolve this, the patch series introduces an alternative pre-shared
key-based authentication scheme. This mechanism relies on symmetric
pre-shared keys (a secret key that is known to both sender and receiver
prior to secure communication) to provide secure transfer of data.
During a migration, the parties negotiate which unique key to utilize
for encrypting the migration data. To improve security further, we
utilize different key files for each migration session.
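The per-session key files described above, as an added example that is not part of this series or of QEMU: it assumes QEMU's tls-creds-psk object reads a keys.psk file in GnuTLS psktool format (one "username:hex-key" line), and the username "qemu", the 32-byte key size and the directory naming are this example's own choices. One function mints a fresh key for a single migration; the other validates the file (permissions, format, key length) before the directory is handed to the migration.

```python
"""Per-session PSK key file helper: added example, not libvirt or QEMU code.
Assumes QEMU's tls-creds-psk object reads <dir>/keys.psk in GnuTLS psktool
format (one "username:hex-key" line); username and key size are choices
made here, not values taken from the patch series."""
import os
import re
import secrets
import stat
import tempfile

PSK_FILE = "keys.psk"                      # file name tls-creds-psk expects (assumed)
PSK_LINE = re.compile(r"^([^:\s]+):([0-9a-fA-F]+)$")

def write_session_psk(parent, username="qemu", key_bytes=32):
    """Create a fresh 0700 directory with a new random PSK for one migration.
    A fresh key per session limits a leaked key to that single migration."""
    key_hex = secrets.token_hex(key_bytes)
    psk_dir = tempfile.mkdtemp(prefix="migpsk-", dir=parent)   # mode 0700
    fd = os.open(os.path.join(psk_dir, PSK_FILE),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"{username}:{key_hex}\n")
    return psk_dir, key_hex

def load_session_psk(psk_dir, min_key_bytes=16):
    """Parse and sanity-check keys.psk before passing the directory to QEMU.
    Rejects group/world-readable files, malformed lines and short keys."""
    path = os.path.join(psk_dir, PSK_FILE)
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        raise PermissionError(f"{path} is readable by group/others")
    keys = {}
    with open(path) as f:
        for lineno, raw in enumerate(f, 1):
            line = raw.strip()
            if not line:
                continue
            m = PSK_LINE.match(line)
            if not m or len(m.group(2)) % 2:
                raise ValueError(f"{path}:{lineno}: expected username:hex-key")
            key = bytes.fromhex(m.group(2))
            if len(key) < min_key_bytes:
                raise ValueError(f"{path}:{lineno}: key below {min_key_bytes} bytes")
            keys[m.group(1)] = key
    if not keys:
        raise ValueError(f"{path}: contains no keys")
    return keys
```

Both endpoints must be given directories with identical keys.psk content for the TLS-PSK handshake to succeed; how the directory is distributed to the destination host is outside this example.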

Abhisek Panda (7):
  conf: Add configuration params for TLS-PSK
  include: define VIR_MIGRATE_TLS_PSK flag
  qemu: Add support to build the tls-creds-psk object
  qemu: rename tls-creds-x509 obj related functions
  qemu: Manage tls-creds-psk object lifecycle
  qemu: Set up the migrate TLS-PSK objects
  include: define VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY

 include/libvirt/libvirt-domain.h              |  31 ++-
 src/qemu/libvirtd_qemu.aug                    |   2 +
 src/qemu/qemu.conf.in                         |  27 ++-
 src/qemu/qemu_alias.c                         |  19 +-
 src/qemu/qemu_alias.h                         |   5 +-
 src/qemu/qemu_backup.c                        |   2 +-
 src/qemu/qemu_command.c                       |  31 ++-
 src/qemu/qemu_command.h                       |   8 +
 src/qemu/qemu_conf.c                          |  55 ++++-
 src/qemu/qemu_conf.h                          |   3 +
 src/qemu/qemu_domain.c                        |   2 +-
 src/qemu/qemu_driver.c                        |  24 ++-
 src/qemu/qemu_hotplug.c                       | 125 +++++++----
 src/qemu/qemu_hotplug.h                       |  43 ++--
 src/qemu/qemu_migration.c                     | 194 ++++++++++++------
 src/qemu/qemu_migration.h                     |   3 +
 src/qemu/qemu_migration_params.c              | 138 ++++++++++---
 src/qemu/qemu_migration_params.h              |  28 ++-
 src/qemu/qemu_postparse.c                     |   2 +-
 src/qemu/test_libvirtd_qemu.aug.in            |   2 +
 tests/qemumigparamsdata/tls-enabled.json      |   2 +-
 tests/qemumigparamsdata/tls-enabled.reply     |   2 +-
 tests/qemumigparamsdata/tls-enabled.xml       |   2 +-
 tests/qemumigparamsdata/tls-hostname.json     |   2 +-
 tests/qemumigparamsdata/tls-hostname.reply    |   2 +-
 tests/qemumigparamsdata/tls-hostname.xml      |   2 +-
 tests/qemumonitorjsontest.c                   |   4 +-
 tests/qemustatusxml2xmldata/upgrade-out.xml   |   2 +-
 .../chardev-backends-json.x86_64-9.1.0.args   |   8 +-
 .../chardev-backends-json.x86_64-latest.args  |   8 +-
 .../chardev-backends.x86_64-9.1.0.args        |   8 +-
 .../chardev-backends.x86_64-latest.args       |   8 +-
 ...rk-tlsx509-nbd-hostname.x86_64-latest.args |   6 +-
 ...isk-network-tlsx509-nbd.x86_64-latest.args |   6 +-
 ...-tlsx509-chardev-verify.x86_64-latest.args |   4 +-
 ...ial-tcp-tlsx509-chardev.x86_64-latest.args |   4 +-
 ...-tlsx509-secret-chardev.x86_64-latest.args |   4 +-
 tests/testutilsqemu.c                         |   2 +
 tools/virsh-domain.c                          |  12 ++
 39 files changed, 623 insertions(+), 209 deletions(-)

-- 
2.39.3