From: Abhisek Panda
To: devel@lists.libvirt.org
Subject: [PATCH v1 1/7] conf: Add configuration params for TLS-PSK
Date: Tue, 26 May 2026 10:23:24 +0000
Message-ID: <20260526102333.3379532-2-abhisek.panda1@nutanix.com>
In-Reply-To: <20260526102333.3379532-1-abhisek.panda1@nutanix.com>
References: <20260526102333.3379532-1-abhisek.panda1@nutanix.com>
CC: tejus.gk@nutanix.com, Abhisek Panda

For encrypted migration of VMs, QEMU provides the TLS-PSK authentication apart from TLS certificates. This mechanism relies on pre-shared keys (a secret key that is known to both sender and receiver prior to secure communication) for providing secure transfer of data. We store these keys in a pre-shared key file, where each line contains a pair of identifier and its corresponding key. During an encrypted migration, the parties negotiate which unique identifier to utilize, then parse the key file to extract the key matching the identifier.

Add the "migrate_tls_psk_dir" parameter to qemu.conf to allow users to define the path containing the pre-shared keys. In case the user does not define this parameter and attempts to utilize TLS-PSK for migration, we fall back to the configurable "default_tls_psk_dir" parameter whose value is set to /etc/pki/qemu-psk by default.
In addition, we get the client identity by parsing the migration URI, defaulting to 'qemu' if username is undefined.

Example entry format in a PSK file:

qemu:61aa7b2c93d4e8f10c25b6a782e3f4051a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d

Suggested-by: Tejus GK
Signed-off-by: Abhisek Panda
---
 src/qemu/libvirtd_qemu.aug         |  2 ++
 src/qemu/qemu.conf.in              | 19 +++++++++++
 src/qemu/qemu_conf.c               | 55 +++++++++++++++++++++++++++++-
 src/qemu/qemu_conf.h               |  3 ++
 src/qemu/qemu_migration.c          |  2 ++
 src/qemu/test_libvirtd_qemu.aug.in |  2 ++
 tests/testutilsqemu.c              |  2 ++
 7 files changed, 84 insertions(+), 1 deletion(-)

diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index eb790d48be..75639919fa 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -29,6 +29,7 @@ module Libvirtd_qemu =3D (* Config entry grouped by function - same order as example config *) let default_tls_entry =3D str_entry "default_tls_x509_cert_dir" | bool_entry "default_tls_x509_verify" + | str_entry "default_tls_psk_dir" | str_entry "default_tls_x509_secret_uuid" | str_entry "default_tls_priority" =20 @@ -68,6 +69,7 @@ module Libvirtd_qemu =3D | str_entry "migrate_tls_x509_secret_uuid" | str_entry "migrate_tls_priority" | bool_entry "migrate_tls_force" + | str_entry "migrate_tls_psk_dir" =20 let backup_entry =3D str_entry "backup_tls_x509_cert_dir" | bool_entry "backup_tls_x509_verify" diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in index 5eacd70022..5dfd3229e5 100644 --- a/src/qemu/qemu.conf.in +++ b/src/qemu/qemu.conf.in 
@@ -49,6 +49,17 @@ #default_tls_x509_verify =3D 1 =20 =20 +# Use of TLS-PSK requires the pre-shared key files to be present. +# The default is to keep them in /etc/pki/qemu-psk. This directory must co= ntain +# keys.psk - PSK key information +# +# If the directory does not exist, libvirtd will fail to start. If the +# directory doesn't contain the necessary files, VM migration will fail +# during TLS handshake if they are configured to use TLS-PSK. +# +#default_tls_psk_dir =3D "/etc/pki/qemu-psk" + + # Libvirt assumes the server-key.pem file is unencrypted by default. # To use an encrypted server-key.pem file, the password to decrypt # the PEM file is required. This can be provided by creating a secret @@ -437,6 +448,14 @@ #migrate_tls_force =3D 0 =20 =20 +# In order to override the default TLS pre-shared key files location for m= igration, +# supply a valid path to the key files. If the provided path does not exis= t, libvirtd +# will fail to start. If the path is not provided, but TLS-PSK-based migra= tion is +# requested, then the default_tls_psk_dir path will be used. +# +#migrate_tls_psk_dir =3D "/etc/pki/libvirt-migrate-psk" + + # In order to override the default TLS certificate location for backup NBD # server certificates, supply a valid path to the certificate directory. I= f the # provided path does not exist, libvirtd will fail to start. If the path is diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 9c32310096..f52c8d78dd 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c 
@@ -245,14 +245,16 @@ virQEMUDriverConfig *virQEMUDriverConfigNew(bool priv= ileged, cfg->passtStateDir =3D g_strdup_printf("%s/passt", cfg->stateDir); cfg->dbusStateDir =3D g_strdup_printf("%s/dbus", cfg->stateDir); =20 - /* Set the default directory to find TLS X.509 certificates. + /* Set the default directory to find TLS X.509 certificates and pre-sh= ared key files. * This will then be used as a fallback if the service specific * directory doesn't exist (although we don't check if this exists). */ if (root =3D=3D NULL) { cfg->defaultTLSx509certdir =3D g_strdup(SYSCONFDIR "/pki/qemu"); + cfg->defaultTLSPSKdir =3D g_strdup(SYSCONFDIR "/pki/qemu-psk"); } else { cfg->defaultTLSx509certdir =3D g_strdup_printf("%s/etc/pki/qemu", = root); + cfg->defaultTLSPSKdir =3D g_strdup_printf("%s/etc/pki/qemu-psk", r= oot); } =20 cfg->vncListen =3D g_strdup(VIR_LOOPBACK_IPV4_ADDR); @@ -380,6 +382,7 @@ static void virQEMUDriverConfigDispose(void *obj) =20 g_free(cfg->defaultTLSx509certdir); g_free(cfg->defaultTLSx509secretUUID); + g_free(cfg->defaultTLSPSKdir); =20 g_free(cfg->vncTLSx509certdir); g_free(cfg->vncTLSx509secretUUID); @@ -406,6 +409,8 @@ static void virQEMUDriverConfigDispose(void *obj) g_free(cfg->migrateTLSx509certdir); g_free(cfg->migrateTLSx509secretUUID); =20 + g_free(cfg->migrateTLSPSKdir); + g_free(cfg->backupTLSx509certdir); g_free(cfg->backupTLSx509secretUUID); =20 @@ -472,6 +477,9 @@ virQEMUDriverConfigLoadDefaultTLSEntry(virQEMUDriverCon= fig *cfg, if (virConfGetValueString(conf, "default_tls_priority", &cfg->defaultTLSpriority) < 0) return -1; + if ((rv =3D virConfGetValueString(conf, "default_tls_psk_dir", &cfg->d= efaultTLSPSKdir)) < 0) + return -1; + cfg->defaultTLSPSKdirPresent =3D (rv =3D=3D 1); =20 return 0; } 
@@ -611,6 +619,11 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverC= onfig *cfg, =20 #undef GET_CONFIG_TLS_CERTINFO_COMMON #undef GET_CONFIG_TLS_CERTINFO_SERVER + + if (virConfGetValueString(conf, "migrate_tls_psk_dir", + &cfg->migrateTLSPSKdir) < 0) + return -1; + return 0; } =20 @@ -1445,6 +1458,15 @@ virQEMUDriverConfigValidate(virQEMUDriverConfig *cfg) } } =20 + if (cfg->defaultTLSPSKdirPresent) { + if (!virFileExists(cfg->defaultTLSPSKdir)) { + virReportError(VIR_ERR_CONF_SYNTAX, + _("default_tls_psk_dir directory '%1$s' does no= t exist"), + cfg->defaultTLSPSKdir); + return -1; + } + } + if (cfg->vncTLSx509certdir && !virFileExists(cfg->vncTLSx509certdir)) { virReportError(VIR_ERR_CONF_SYNTAX, @@ -1485,6 +1507,14 @@ virQEMUDriverConfigValidate(virQEMUDriverConfig *cfg) return -1; } =20 + if (cfg->migrateTLSPSKdir && + !virFileExists(cfg->migrateTLSPSKdir)) { + virReportError(VIR_ERR_CONF_SYNTAX, + _("migrate_tls_psk_dir directory '%1$s' does not ex= ist"), + cfg->migrateTLSPSKdir); + return -1; + } + if (cfg->backupTLSx509certdir && !virFileExists(cfg->backupTLSx509certdir)) { virReportError(VIR_ERR_CONF_SYNTAX, @@ -1586,6 +1616,29 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfig *= cfg) =20 #undef SET_TLS_VERIFY_DEFAULT =20 + + /* + * If a "SYSCONFDIR" + "pki/libvirt--psk" exists, then assume som= eone + * has created a val specific area to place service specific key files. + * + * If the service specific directory doesn't exist, 'assume' that the + * user has created and populated the "SYSCONFDIR" + "pki/libvirt-defa= ult-psk". + */ +#define SET_TLS_PSK_DEFAULT(val) \ + do { \ + if (cfg->val ## TLSPSKdir) \ + break; \ + if (virFileExists(SYSCONFDIR "/pki/libvirt-"#val"-psk")) { \ + cfg->val ## TLSPSKdir =3D g_strdup(SYSCONFDIR "/pki/libvirt-"= #val"-psk"); \ + } else { \ + cfg->val ## TLSPSKdir =3D g_strdup(cfg->defaultTLSPSKdir); \ + } \ + } while (0) + + SET_TLS_PSK_DEFAULT(migrate); + + #undef SET_TLS_PSK_DEFAULT + return 0; } =20 
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index 511ab77f71..ba7364dc89 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -130,6 +130,8 @@ struct _virQEMUDriverConfig { bool defaultTLSx509verifyPresent; char *defaultTLSx509secretUUID; char *defaultTLSpriority; + char *defaultTLSPSKdir; + bool defaultTLSPSKdirPresent; =20 bool vncAutoUnixSocket; bool vncTLS; @@ -169,6 +171,7 @@ struct _virQEMUDriverConfig { char *migrateTLSx509secretUUID; char *migrateTLSpriority; bool migrateTLSForce; + char *migrateTLSPSKdir; =20 char *backupTLSx509certdir; bool backupTLSx509verify; diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 4a43ab83b0..af981fb992 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -4355,6 +4355,7 @@ struct _qemuMigrationSpec { const char *protocol; const char *name; int port; + const char *username; } host; =20 struct { @@ -5460,6 +5461,7 @@ qemuMigrationSrcPerformNative(virQEMUDriver *driver, spec.dest.host.protocol =3D uribits->scheme; spec.dest.host.name =3D uribits->server; spec.dest.host.port =3D uribits->port; + spec.dest.host.username =3D uribits->user; } =20 spec.fwdType =3D MIGRATION_FWD_DIRECT; diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe= mu.aug.in index 2582c6a09c..9782e45b59 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in @@ -4,6 +4,7 @@ module Test_libvirtd_qemu =3D test Libvirtd_qemu.lns get conf =3D { "default_tls_x509_cert_dir" =3D "/etc/pki/qemu" } { "default_tls_x509_verify" =3D "1" } +{ "default_tls_psk_dir" =3D "/etc/pki/qemu-psk" } { "default_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } { "default_tls_priority" =3D "@SYSTEM" } { "vnc_listen" =3D "0.0.0.0" } 
@@ -45,6 +46,7 @@ module Test_libvirtd_qemu =3D { "migrate_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } { "migrate_tls_priority" =3D "@SYSTEM" } { "migrate_tls_force" =3D "0" } +{ "migrate_tls_psk_dir" =3D "/etc/pki/libvirt-migrate-psk" } { "backup_tls_x509_cert_dir" =3D "/etc/pki/libvirt-backup" } { "backup_tls_x509_verify" =3D "1" } { "backup_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000"= } diff --git a/tests/testutilsqemu.c b/tests/testutilsqemu.c index e7a61d0c6f..6c71272e80 100644 --- a/tests/testutilsqemu.c +++ b/tests/testutilsqemu.c 
@@ -401,6 +401,8 @@ int qemuTestDriverInit(virQEMUDriver *driver) cfg->nbdTLSx509certdir =3D g_strdup("/etc/pki/libvirt-nbd"); VIR_FREE(cfg->migrateTLSx509certdir); cfg->migrateTLSx509certdir =3D g_strdup("/etc/pki/libvirt-migrate"); + VIR_FREE(cfg->migrateTLSPSKdir); + cfg->migrateTLSPSKdir =3D g_strdup("/etc/pki/libvirt-migrate-psk"); VIR_FREE(cfg->backupTLSx509certdir); cfg->backupTLSx509certdir =3D g_strdup("/etc/pki/libvirt-backup"); =20 --=20 2.39.3
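Review bot: In the src/qemu/qemu.conf.in hunk at @@ -49,6 +49,17 @@, the added comment says "If the directory does not exist, libvirtd will fail to start", but virQEMUDriverConfigValidate() in this patch only runs its virFileExists() check when defaultTLSPSKdirPresent is set, so a missing /etc/pki/qemu-psk is an error only when default_tls_psk_dir is written explicitly; the comment should say that. The comment also names keys.psk without stating the expected ownership or mode, and since that file holds the raw keys it should document who must be able to read it.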
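Review bot: The new check in virQEMUDriverConfigValidate() at @@ -1445,6 +1458,15 @@ uses virFileExists(), which also succeeds when the path is a regular file, while the error text reads "default_tls_psk_dir directory '%1$s' does not exist"; the same applies to the migrate_tls_psk_dir check at @@ -1485,6 +1507,14 @@. Using virFileIsDir() for both would reject a path that points at a file when libvirtd starts rather than leaving it to fail during the TLS handshake.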
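Review bot: The comment above SET_TLS_PSK_DEFAULT in virQEMUDriverConfigSetDefaults() (@@ -1586,6 +1616,29 @@) does not match the macro: it refers to "pki/libvirt--psk" with the service name missing and to a fallback of "pki/libvirt-default-psk", while the code falls back to cfg->defaultTLSPSKdir, whose built-in value is SYSCONFDIR "/pki/qemu-psk". Please correct the comment to name the real fallback; since the macro is expanded only once, for migrate, plain code would also be easier to read than a macro here.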
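Review bot: In qemuMigrationSrcPerformNative() (@@ -5460,6 +5461,7 @@), spec.dest.host.username is filled from uribits->user but nothing in this patch reads it, and the 'qemu' default described in the commit message is not applied here, so the field can be NULL. Either move this assignment to the patch that consumes it or apply the default at this point, and validate the value before it is used as a PSK identity: a user part containing ':' or whitespace cannot be represented in the identifier:key file format shown in the commit message.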
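The key-file format and identity lookup described in the commit message above, as an added example (not code from this patch, libvirt or QEMU). The function names, the status codes, the skipping of blank lines and the strict hex-only key check are assumptions made for the illustration; the first sample entry is the one quoted in the commit message and the second is constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this example. */
enum psk_status {
    PSK_OK = 0,
    PSK_NOT_FOUND,
    PSK_BAD_IDENTITY,
    PSK_BAD_LINE,
    PSK_DUPLICATE,
    PSK_NO_SPACE
};

/* Sample keys.psk contents: the entry from the commit message plus one
 * constructed entry. Neither is a real key. */
static const char sample_psk_file[] =
    "qemu:61aa7b2c93d4e8f10c25b6a782e3f4051a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d\n"
    "\n"
    "host-b:00112233445566778899aabbccddeeff\n";

/* Identity comes from the migration URI user part; per the commit message
 * it defaults to "qemu" when the URI carries no username. */
const char *psk_identity_from_uri_user(const char *user)
{
    return (user && *user) ? user : "qemu";
}

/* An identity must fit the first field of "identity:key": non-empty,
 * printable, and free of ':' and whitespace. */
int psk_identity_valid(const char *id)
{
    if (!id || !*id)
        return 0;
    for (; *id; id++) {
        if (*id == ':' || !isgraph((unsigned char)*id))
            return 0;
    }
    return 1;
}

/* Keys are assumed to be non-empty hex strings of even length. */
static int hex_key_valid(const char *key, size_t len)
{
    if (len == 0 || len % 2 != 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        if (!isxdigit((unsigned char)key[i]))
            return 0;
    }
    return 1;
}

/* Validate every line of the file text and copy out the hex key for
 * `identity`. Any malformed line or a repeated identity fails the lookup
 * instead of silently picking one entry. */
enum psk_status psk_lookup(const char *text, const char *identity,
                           char *key_out, size_t key_out_len)
{
    size_t id_len, matches = 0;
    const char *line = text;

    if (!psk_identity_valid(identity))
        return PSK_BAD_IDENTITY;
    id_len = strlen(identity);

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        if (len > 0) { /* blank lines are skipped (assumption) */
            const char *sep = memchr(line, ':', len);
            size_t key_len;

            if (!sep || sep == line)
                return PSK_BAD_LINE;
            key_len = len - (size_t)(sep - line) - 1;
            if (!hex_key_valid(sep + 1, key_len))
                return PSK_BAD_LINE;
            if ((size_t)(sep - line) == id_len &&
                memcmp(line, identity, id_len) == 0) {
                if (++matches > 1)
                    return PSK_DUPLICATE;
                if (key_len + 1 > key_out_len)
                    return PSK_NO_SPACE;
                memcpy(key_out, sep + 1, key_len);
                key_out[key_len] = '\0';
            }
        }
        line = eol ? eol + 1 : line + len;
    }
    return matches ? PSK_OK : PSK_NOT_FOUND;
}

int main(void)
{
    char key[129];
    const char *id = psk_identity_from_uri_user(NULL);
    enum psk_status st = psk_lookup(sample_psk_file, id, key, sizeof(key));

    /* Report only the key length, never the key itself. */
    printf("identity=%s status=%d key_len=%zu\n",
           id, (int)st, st == PSK_OK ? strlen(key) : (size_t)0);
    return st == PSK_OK ? 0 : 1;
}
```
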
From: Abhisek Panda
To: devel@lists.libvirt.org
Subject: [PATCH v1 2/7] include: define VIR_MIGRATE_TLS_PSK flag
Date: Tue, 26 May 2026 10:23:25 +0000
Message-ID: <20260526102333.3379532-3-abhisek.panda1@nutanix.com>
In-Reply-To: <20260526102333.3379532-1-abhisek.panda1@nutanix.com>
References: <20260526102333.3379532-1-abhisek.panda1@nutanix.com>
a=VofLwUrZ8Iiv6rRUPXIb:22 a=VUi8bpU7OL1Oj2-RSIOF:22 a=64Cc0HZtAAAA:8 a=nPf_Rirb_Bu2LdNi0FsA:9 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.125,FMLib:17.12.100.49 definitions=2026-05-26_02,2026-05-26_01,2025-10-01_01 X-Proofpoint-Spam-Reason: safe X-MailFrom: abhisek.panda1@nutanix.com X-Mailman-Rule-Hits: nonmember-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-devel.lists.libvirt.org-0; emergency; member-moderation Message-ID-Hash: 3WNMVK2EXVIEFIN5F6AB7JV3IW5EOKX7 X-Message-ID-Hash: 3WNMVK2EXVIEFIN5F6AB7JV3IW5EOKX7 X-Mailman-Approved-At: Wed, 27 May 2026 12:45:09 +0000 CC: tejus.gk@nutanix.com, Abhisek Panda X-Mailman-Version: 3.3.10 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: pass (identity @nutanix.com) X-ZM-MESSAGEID: 1779886568553158500 Content-Type: text/plain; charset="utf-8" Introduce a new migration flag VIR_MIGRATE_TLS_PSK, that enables the use of the TLS-PSK-based authentication mechanism for encrypted migration. Suggested-by: Tejus GK Signed-off-by: Abhisek Panda --- include/libvirt/libvirt-domain.h | 17 ++++++++++++++--- src/qemu/qemu_migration.h | 1 + tools/virsh-domain.c | 5 +++++ 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-dom= ain.h index 1066a0b3f1..88eb3e55aa 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h 
@@ -1089,9 +1089,9 @@ typedef enum { VIR_MIGRATE_POSTCOPY =3D (1 << 15), =20 /* Setting the VIR_MIGRATE_TLS flag will cause the migration to attempt - * to use the TLS environment configured by the hypervisor in order to - * perform the migration. If incorrectly configured on either source or - * destination, the migration will fail. + * to use the X.509-based TLS authentication configured by the hypervi= sor. + * If incorrectly configured on either source or destination, the migr= ation + * will fail. * * Since: 3.2.0 */ @@ -1131,6 +1131,17 @@ typedef enum { * Since: 8.5.0 */ VIR_MIGRATE_ZEROCOPY =3D (1 << 20), + + /* Setting the VIR_MIGRATE_TLS_PSK flag will cause the migration to at= tempt + * to use the pre-shared key-based TLS authentication configured + * by the hypervisor. Setting both VIR_MIGRATE_TLS_PSK and VIR_MIGRATE= _TLS flags + * simultaneously will result in migration failure because both the fl= ags represent + * different types of TLS authentication schemes. If incorrectly confi= gured on either + * source or destination, the migration will fail. + * + * Since: 12.4.0 + */ + VIR_MIGRATE_TLS_PSK =3D (1 << 21), } virDomainMigrateFlags; =20 =20 diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index 7e9410e1f7..7fbf959ee6 100644 --- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h @@ -62,6 +62,7 @@ VIR_MIGRATE_NON_SHARED_SYNCHRONOUS_WRITES | \ VIR_MIGRATE_POSTCOPY_RESUME | \ VIR_MIGRATE_ZEROCOPY | \ + VIR_MIGRATE_TLS_PSK | \ 0) =20 /* All supported migration parameters and their types. */ diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index 76369e8694..286abd2f1c 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c 
@@ -11327,6 +11327,10 @@ static const vshCmdOptDef opts_migrate[] =3D { .type =3D VSH_OT_INT, .help =3D N_("bandwidth (in MiB/s) available for the final phase of m= igration") }, + {.name =3D "tls-psk", + .type =3D VSH_OT_BOOL, + .help =3D N_("use tls-psk for migration") + }, {.name =3D NULL} }; =20 
@@ -11376,6 +11380,7 @@ doMigrate(void *opaque) { "tls", VIR_MIGRATE_TLS }, { "parallel", VIR_MIGRATE_PARALLEL }, { "suspend", VIR_MIGRATE_PAUSED }, + { "tls-psk", VIR_MIGRATE_TLS_PSK }, }; =20 #ifndef WIN32 --=20 2.39.3
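Review bot: In the new VIR_MIGRATE_TLS_PSK comment in include/libvirt/libvirt-domain.h, the sentence saying that setting both VIR_MIGRATE_TLS_PSK and VIR_MIGRATE_TLS "will result in migration failure" documents behaviour that nothing in this patch implements; none of the three touched files rejects the combination. Either add the check in this patch or name, in the commit message, the patch of the series that enforces it, so the public API documentation does not run ahead of the code. The added comment lines are also visibly longer than the neighbouring flag comments and should be re-wrapped to match them.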
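Review bot: Adding `VIR_MIGRATE_TLS_PSK | \` to the supported-flags mask in src/qemu/qemu_migration.h makes the QEMU driver accept the flag as of this commit, yet the diffstat shows no code that acts on it. At this point in the series a caller asking for TLS-PSK passes flag validation and, as far as these lines show, gets a migration with no PSK setup at all. Move the mask change to the patch that wires up the tls-creds-psk object, so that every commit in the series either rejects the flag or honours it.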
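Review bot: The `tls-psk` option added to opts_migrate and doMigrate in tools/virsh-domain.c comes with no documentation: the diffstat touches only three files, so the virsh manual is not updated, and the help text "use tls-psk for migration" does not tell the user that the option cannot be combined with `--tls`. Since the header comment declares the two flags mutually exclusive, doMigrate should reject `--tls` together with `--tls-psk` up front instead of leaving the user to decode a failure reported by the driver.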
From: Abhisek Panda
To: devel@lists.libvirt.org
Subject: [PATCH v1 3/7] qemu: Add support to build the tls-creds-psk object
Date: Tue, 26 May 2026 10:23:26 +0000
Message-ID: <20260526102333.3379532-4-abhisek.panda1@nutanix.com>
In-Reply-To: <20260526102333.3379532-1-abhisek.panda1@nutanix.com>
References: <20260526102333.3379532-1-abhisek.panda1@nutanix.com>

Build the tls-creds-psk object with the following params: id, dir, endpoint, and username. Note: username is an optional parameter; if not provided, it defaults to the value "qemu".

Suggested-by: Tejus GK
Signed-off-by: Abhisek Panda
--- src/qemu/qemu_command.c | 29 +++++++++++++++++++++++++++++ src/qemu/qemu_command.h | 8 ++++++++ 2 files changed, 37 insertions(+) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index a4445ef17a..69324a523f 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c 
@@ -1332,6 +1332,35 @@ qemuBuildTLSx509CommandLine(virCommand *cmd, } =20 =20 +/* qemuBuildTLSPSKBackendProps: + * @tlsPSKpath: path to the TLS-PSK credentials file + * @listen: boolean listen for client or server setting + * @username: identifier to find the secret key of a client at the server + * @alias: alias for the TLS-PSK object + * @propsret: json properties to return + * + * Create a backend string for the tls-creds-psk object. + * + * Returns 0 on success, -1 on failure with error set. + */ +int +qemuBuildTLSPSKBackendProps(const char *tlsPSKpath, + bool isListen, + const char *username, + const char *alias, + virJSONValue **propsret) +{ + if (qemuMonitorCreateObjectProps(propsret, "tls-creds-psk", alias, + "s:dir", tlsPSKpath, + "s:endpoint", (isListen ? "server": "= client"), + "S:username", (isListen ? NULL: usern= ame), + NULL) < 0) + return -1; + + return 0; +} + + static int qemuBuildChardevCommand(virCommand *cmd, const virDomainChrSourceDef *dev, diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h index 028d002ef9..b6c6403e07 100644 --- a/src/qemu/qemu_command.h +++ b/src/qemu/qemu_command.h 
@@ -72,6 +72,14 @@ qemuBuildTLSx509BackendProps(const char *tlspath, const char *secalias, virJSONValue **propsret); =20 +/* Generate the object properties for a tls-creds-psk */ +int +qemuBuildTLSPSKBackendProps(const char *tlsPSKpath, + bool isListen, + const char *username, + const char *alias, + virJSONValue **propsret); + /* Open a UNIX socket for chardev FD passing */ int qemuOpenChrChardevUNIXSocket(const virDomainChrSourceDef *dev) --=20 2.39.3
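Review bot: The doc comment on qemuBuildTLSPSKBackendProps in src/qemu/qemu_command.c does not match the function it describes: it documents `@listen` while the parameter is `isListen`, calls `@tlsPSKpath` a "credentials file" although the value is passed as `s:dir`, and says the function creates "a backend string" when it fills in JSON properties through `propsret`. It should also state that `username` may be NULL and is dropped whenever `isListen` is true, because `"S:username", (isListen ? NULL: username)` is the only place that rule is expressed. The default of "qemu" promised in the commit message is not visible in this code, so the comment should say where that default is applied. Style: the two ternaries need a space before the colon, as in `"server" : "client"`.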
From: Abhisek Panda
To: devel@lists.libvirt.org
Subject: [PATCH v1 4/7] qemu: rename tls-creds-x509 obj related functions
Date: Tue, 26 May 2026 10:23:27 +0000
Message-ID: <20260526102333.3379532-5-abhisek.panda1@nutanix.com>
In-Reply-To: <20260526102333.3379532-1-abhisek.panda1@nutanix.com>
References: <20260526102333.3379532-1-abhisek.panda1@nutanix.com>

Append 'x509' to the function identifiers managing the tls-creds-x509 objects. This defines the functions' scope and prevents naming conflicts with the introduction of functions related to tls-creds-psk in subsequent commits. Additionally, update the TLS x509 object alias from "obj%s_tls0" to "obj%s_tlsx5090" along with relevant testcase changes.

Suggested-by: Tejus GK
Signed-off-by: Abhisek Panda --- src/qemu/qemu_alias.c | 8 +- src/qemu/qemu_alias.h | 2 +- src/qemu/qemu_backup.c | 2 +- src/qemu/qemu_command.c | 2 +- src/qemu/qemu_domain.c | 2 +- src/qemu/qemu_hotplug.c | 76 +++++++++---------- src/qemu/qemu_hotplug.h | 26 +++---- src/qemu/qemu_migration.c | 24 +++--- src/qemu/qemu_migration_params.c | 44 +++++------ src/qemu/qemu_migration_params.h | 14 ++-- src/qemu/qemu_postparse.c | 2 +- tests/qemumigparamsdata/tls-enabled.json | 2 +- tests/qemumigparamsdata/tls-enabled.reply | 2 +- tests/qemumigparamsdata/tls-enabled.xml | 2 +- tests/qemumigparamsdata/tls-hostname.json | 2 +- tests/qemumigparamsdata/tls-hostname.reply | 2 +- tests/qemumigparamsdata/tls-hostname.xml | 2 +- tests/qemumonitorjsontest.c | 4 +- tests/qemustatusxml2xmldata/upgrade-out.xml | 2 +- .../chardev-backends-json.x86_64-9.1.0.args | 8 +- .../chardev-backends-json.x86_64-latest.args | 8 +- .../chardev-backends.x86_64-9.1.0.args | 8 +- .../chardev-backends.x86_64-latest.args | 8 +- ...rk-tlsx509-nbd-hostname.x86_64-latest.args | 6 +- ...isk-network-tlsx509-nbd.x86_64-latest.args | 6 +- ...-tlsx509-chardev-verify.x86_64-latest.args | 4 +- ...ial-tcp-tlsx509-chardev.x86_64-latest.args | 4 +- ...-tlsx509-secret-chardev.x86_64-latest.args | 4 +- 28 files changed, 138 insertions(+), 138 deletions(-) diff --git a/src/qemu/qemu_alias.c b/src/qemu/qemu_alias.c index 400ce73283..9133389df1 100644 --- a/src/qemu/qemu_alias.c +++ b/src/qemu/qemu_alias.c 
@@ -872,15 +872,15 @@ qemuAliasForSecret(const char *parentalias, return g_strdup_printf("%s-secret%zu", parentalias, secret_idx); } =20 -/* qemuAliasTLSObjFromSrcAlias +/* qemuAliasTLSx509ObjFromSrcAlias * @srcAlias: Pointer to a source alias string * - * Generate and return a string to be used as the TLS object alias + * Generate and return a string to be used as the TLS X509 object alias */ char * -qemuAliasTLSObjFromSrcAlias(const char *srcAlias) +qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias) { - return g_strdup_printf("obj%s_tls0", srcAlias); + return g_strdup_printf("obj%s_tlsx5090", srcAlias); } =20 =20 diff --git a/src/qemu/qemu_alias.h b/src/qemu/qemu_alias.h index eae08020dc..dd7bfdcc0f 100644 --- a/src/qemu/qemu_alias.h +++ b/src/qemu/qemu_alias.h @@ -89,7 +89,7 @@ char *qemuAliasForSecret(const char *parentalias, const char *obj, size_t secret_idx); =20 -char *qemuAliasTLSObjFromSrcAlias(const char *srcAlias) +char *qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias) ATTRIBUTE_NONNULL(1); =20 char *qemuAliasChardevFromDevAlias(const char *devAlias) diff --git a/src/qemu/qemu_backup.c b/src/qemu/qemu_backup.c index a0544c83dc..9c496ee0c8 100644 --- a/src/qemu/qemu_backup.c +++ b/src/qemu/qemu_backup.c @@ -745,7 +745,7 @@ qemuBackupBeginPrepareTLS(virDomainObj *vm, virJSONValue **tlsSecretProps) { qemuDomainObjPrivate *priv =3D vm->privateData; - g_autofree char *tlsObjAlias =3D qemuAliasTLSObjFromSrcAlias(QEMU_BACK= UP_TLS_ALIAS_BASE); + g_autofree char *tlsObjAlias =3D qemuAliasTLSx509ObjFromSrcAlias(QEMU_= BACKUP_TLS_ALIAS_BASE); g_autoptr(qemuDomainSecretInfo) secinfo =3D NULL; const char *tlsKeySecretAlias =3D NULL; =20 diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 69324a523f..efa1d10a57 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c 
@@ -1387,7 +1387,7 @@ qemuBuildChardevCommand(virCommand *cmd, tlsCertEncSecAlias =3D chrSourcePriv->secinfo->alias; } =20 - if (!(objalias =3D qemuAliasTLSObjFromSrcAlias(charAlias))) + if (!(objalias =3D qemuAliasTLSx509ObjFromSrcAlias(charAlias))) return -1; =20 if (qemuBuildTLSx509CommandLine(cmd, chrSourcePriv->tlsCertPat= h, diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index dde257bb70..99660e684f 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -9030,7 +9030,7 @@ qemuProcessPrepareStorageSourceTLSNBD(virStorageSourc= e *src, return -1; } =20 - src->tlsAlias =3D qemuAliasTLSObjFromSrcAlias(parentAlias); + src->tlsAlias =3D qemuAliasTLSx509ObjFromSrcAlias(parentAlias); src->tlsCertdir =3D g_strdup(cfg->nbdTLSx509certdir); src->tlsPriority =3D g_strdup(cfg->nbdTLSpriority); =20 diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 8d45a6db9d..9e7055f5da 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1702,12 +1702,12 @@ void qemuDomainDelTLSObjects(virDomainObj *vm, virDomainAsyncJob asyncJob, const char *secAlias, - const char *tlsAlias) + const char *tlsx509Alias) { qemuDomainObjPrivate *priv =3D vm->privateData; virErrorPtr orig_err; =20 - if (!tlsAlias && !secAlias) + if (!tlsx509Alias && !secAlias) return; =20 virErrorPreserveLast(&orig_err); @@ -1715,8 +1715,8 @@ qemuDomainDelTLSObjects(virDomainObj *vm, if (qemuDomainObjEnterMonitorAsync(vm, asyncJob) < 0) goto cleanup; =20 - if (tlsAlias) - ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias, false)); + if (tlsx509Alias) + ignore_value(qemuMonitorDelObject(priv->mon, tlsx509Alias, false)); =20 if (secAlias) ignore_value(qemuMonitorDelObject(priv->mon, secAlias, false)); 
@@ -1729,10 +1729,10 @@ qemuDomainDelTLSObjects(virDomainObj *vm, =20 =20 int -qemuDomainAddTLSObjects(virDomainObj *vm, - virDomainAsyncJob asyncJob, - virJSONValue **secProps, - virJSONValue **tlsProps) +qemuDomainAddTLSx509Objects(virDomainObj *vm, + virDomainAsyncJob asyncJob, + virJSONValue **secProps, + virJSONValue **tlsProps) { qemuDomainObjPrivate *priv =3D vm->privateData; virErrorPtr orig_err; @@ -1766,14 +1766,14 @@ qemuDomainAddTLSObjects(virDomainObj *vm, =20 =20 int -qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo, - const char *tlsCertdir, - bool tlsListen, - bool tlsVerify, - const char *tlsPriority, - const char *alias, - virJSONValue **tlsProps, - virJSONValue **secProps) +qemuDomainGetTLSx509Objects(qemuDomainSecretInfo *secinfo, + const char *tlsCertdir, + bool tlsListen, + bool tlsVerify, + const char *tlsPriority, + const char *alias, + virJSONValue **tlsProps, + virJSONValue **secProps) { const char *secAlias =3D NULL; =20 @@ -1798,7 +1798,7 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *driver, virDomainChrSourceDef *dev, char *devAlias, char *charAlias, - char **tlsAlias, + char **tlsx509Alias, const char **secAlias) { g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); 
@@ -1821,21 +1821,21 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *drive= r, if (secinfo) *secAlias =3D secinfo->alias; =20 - if (!(*tlsAlias =3D qemuAliasTLSObjFromSrcAlias(charAlias))) + if (!(*tlsx509Alias =3D qemuAliasTLSx509ObjFromSrcAlias(charAlias))) return -1; =20 - if (qemuDomainGetTLSObjects(secinfo, - cfg->chardevTLSx509certdir, - dev->data.tcp.listen, - cfg->chardevTLSx509verify, - cfg->chardevTLSpriority, - *tlsAlias, &tlsProps, &secProps) < 0) + if (qemuDomainGetTLSx509Objects(secinfo, + cfg->chardevTLSx509certdir, + dev->data.tcp.listen, + cfg->chardevTLSx509verify, + cfg->chardevTLSpriority, + *tlsx509Alias, &tlsProps, &secProps) <= 0) return -1; =20 dev->data.tcp.tlscreds =3D true; =20 - if (qemuDomainAddTLSObjects(vm, VIR_ASYNC_JOB_NONE, - &secProps, &tlsProps) < 0) + if (qemuDomainAddTLSx509Objects(vm, VIR_ASYNC_JOB_NONE, + &secProps, &tlsProps) < 0) return -1; =20 return 0; @@ -1850,7 +1850,7 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver, { g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); qemuDomainObjPrivate *priv =3D vm->privateData; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; g_autofree char *secAlias =3D NULL; =20 if (dev->type !=3D VIR_DOMAIN_CHR_TYPE_TCP || @@ -1858,7 +1858,7 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver, return 0; } =20 - if (!(tlsAlias =3D qemuAliasTLSObjFromSrcAlias(inAlias))) + if (!(tlsx509Alias =3D qemuAliasTLSx509ObjFromSrcAlias(inAlias))) return -1; =20 /* Best shot at this as the secinfo is destroyed after process launch @@ -1871,7 +1871,7 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver, =20 qemuDomainObjEnterMonitor(vm); =20 - ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias, false)); + ignore_value(qemuMonitorDelObject(priv->mon, tlsx509Alias, false)); if (secAlias) ignore_value(qemuMonitorDelObject(priv->mon, secAlias, false)); =20 
@@ -1892,7 +1892,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, g_autofree char *charAlias =3D NULL; g_autoptr(virJSONValue) devprops =3D NULL; bool chardevAdded =3D false; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; const char *secAlias =3D NULL; virErrorPtr orig_err; =20 @@ -1911,7 +1911,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, =20 if (qemuDomainAddChardevTLSObjects(driver, vm, redirdev->source, redirdev->info.alias, charAlias, - &tlsAlias, &secAlias) < 0) + &tlsx509Alias, &secAlias) < 0) goto audit; =20 qemuDomainObjEnterMonitor(vm); @@ -1941,7 +1941,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, ignore_value(qemuMonitorDetachCharDev(priv->mon, charAlias)); qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); goto audit; } =20 @@ -2127,7 +2127,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver, bool teardowncgroup =3D false; bool teardowndevice =3D false; bool teardownlabel =3D false; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; const char *secAlias =3D NULL; bool need_release =3D false; bool guestfwd =3D false; @@ -2181,7 +2181,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver, =20 if (qemuDomainAddChardevTLSObjects(driver, vm, chr->source, chr->info.alias, charAlias, - &tlsAlias, &secAlias) < 0) + &tlsx509Alias, &secAlias) < 0) goto audit; =20 qemuDomainObjEnterMonitor(vm); @@ -2240,7 +2240,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver, qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); =20 - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); goto audit; } =20 
@@ -2256,7 +2256,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver, g_autoptr(virJSONValue) devprops =3D NULL; g_autofree char *charAlias =3D NULL; g_autofree char *objAlias =3D NULL; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; const char *secAlias =3D NULL; bool releaseaddr =3D false; bool teardowncgroup =3D false; @@ -2294,7 +2294,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver, if (qemuDomainAddChardevTLSObjects(driver, vm, rng->source.chardev, rng->info.alias, charAlias, - &tlsAlias, &secAlias) < 0) + &tlsx509Alias, &secAlias) < 0) goto audit; } =20 @@ -2345,7 +2345,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver, qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); =20 - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); goto audit; } =20 diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h index 60ed0e174c..2d9b10204c 100644 --- a/src/qemu/qemu_hotplug.h +++ b/src/qemu/qemu_hotplug.h 
@@ -28,23 +28,23 @@ void qemuDomainDelTLSObjects(virDomainObj *vm, virDomainAsyncJob asyncJob, const char *secAlias, - const char *tlsAlias); + const char *tlsx509Alias); =20 int -qemuDomainAddTLSObjects(virDomainObj *vm, - virDomainAsyncJob asyncJob, - virJSONValue **secProps, - virJSONValue **tlsProps); +qemuDomainAddTLSx509Objects(virDomainObj *vm, + virDomainAsyncJob asyncJob, + virJSONValue **secProps, + virJSONValue **tlsProps); =20 int -qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo, - const char *tlsCertdir, - bool tlsListen, - bool tlsVerify, - const char *tlsPriority, - const char *alias, - virJSONValue **tlsProps, - virJSONValue **secProps); +qemuDomainGetTLSx509Objects(qemuDomainSecretInfo *secinfo, + const char *tlsCertdir, + bool tlsListen, + bool tlsVerify, + const char *tlsPriority, + const char *alias, + virJSONValue **tlsProps, + virJSONValue **secProps); =20 int qemuDomainAttachDiskGeneric(virDomainObj *vm, diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index af981fb992..15e3571c99 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3326,7 +3326,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, qemuDomainObjPrivate *priv =3D vm->privateData; qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; qemuProcessIncomingDef *incoming =3D NULL; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; virObjectEvent *event =3D NULL; virErrorPtr origErr =3D NULL; int dataFD[2] =3D { -1, -1 }; 
@@ -3412,10 +3412,10 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, /* Migrations using TLS need to add the "tls-creds-x509" object and * set the migration TLS parameters */ if (flags & VIR_MIGRATE_TLS) { - if (qemuMigrationParamsEnableTLS(driver, vm, true, - VIR_ASYNC_JOB_MIGRATION_IN, - &tlsAlias, NULL, - migParams) < 0) + if (qemuMigrationParamsEnableTLSx509(driver, vm, true, + VIR_ASYNC_JOB_MIGRATION_IN, + &tlsx509Alias, NULL, + migParams) < 0) goto error; } else { if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) @@ -3433,7 +3433,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, goto error; } =20 - nbdTLSAlias =3D tlsAlias; + nbdTLSAlias =3D tlsx509Alias; } =20 if (qemuMigrationDstStartNBDServer(driver, vm, incoming->address, @@ -4977,7 +4977,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, int ret =3D -1; qemuDomainObjPrivate *priv =3D vm->privateData; g_autoptr(qemuMigrationCookie) mig =3D NULL; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; qemuMigrationIOThread *iothread =3D NULL; VIR_AUTOCLOSE fd =3D -1; unsigned long restore_max_bandwidth =3D priv->migMaxBandwidth; @@ -5070,10 +5070,10 @@ qemuMigrationSrcRun(virQEMUDriver *driver, spec->destType =3D=3D MIGRATION_DEST_FD) hostname =3D spec->dest.host.name; =20 - if (qemuMigrationParamsEnableTLS(driver, vm, false, - VIR_ASYNC_JOB_MIGRATION_OUT, - &tlsAlias, hostname, - migParams) < 0) + if (qemuMigrationParamsEnableTLSx509(driver, vm, false, + VIR_ASYNC_JOB_MIGRATION_OUT, + &tlsx509Alias, hostname, + migParams) < 0) goto error; } else { if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) @@ -5128,7 +5128,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, migrate_disks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - dconn, tlsAlias, tlsHostname, + dconn, tlsx509Alias, tlsHostnam= e, nbdURI, flags) < 0) { goto error; } diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_par= ams.c index dd47516742..c91ae89c9b 100644 
--- a/src/qemu/qemu_migration_params.c +++ b/src/qemu/qemu_migration_params.c @@ -1150,12 +1150,12 @@ qemuMigrationParamsSetString(qemuMigrationParams *m= igParams, } =20 =20 -/* qemuMigrationParamsEnableTLS +/* qemuMigrationParamsEnableTLSx509 * @driver: pointer to qemu driver * @vm: domain object * @tlsListen: server or client * @asyncJob: Migration job to join - * @tlsAlias: alias to be generated for TLS object + * @tlsx509Alias: alias to be generated for TLS X.509 object * @hostname: hostname of the migration destination * @migParams: migration parameters to set * @@ -1166,17 +1166,17 @@ qemuMigrationParamsSetString(qemuMigrationParams *m= igParams, * Returns 0 on success, -1 on failure */ int -qemuMigrationParamsEnableTLS(virQEMUDriver *driver, - virDomainObj *vm, - bool tlsListen, - int asyncJob, - char **tlsAlias, - const char *hostname, - qemuMigrationParams *migParams) +qemuMigrationParamsEnableTLSx509(virQEMUDriver *driver, + virDomainObj *vm, + bool tlsListen, + int asyncJob, + char **tlsx509Alias, + const char *hostname, + qemuMigrationParams *migParams) { qemuDomainObjPrivate *priv =3D vm->privateData; qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; - g_autoptr(virJSONValue) tlsProps =3D NULL; + g_autoptr(virJSONValue) tlsx509Props =3D NULL; g_autoptr(virJSONValue) secProps =3D NULL; g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); const char *secAlias =3D NULL; 
@@ -1202,28 +1202,28 @@ qemuMigrationParamsEnableTLS(virQEMUDriver *driver, secAlias =3D priv->migSecinfo->alias; } =20 - if (!(*tlsAlias =3D qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALI= AS_BASE))) + if (!(*tlsx509Alias =3D qemuAliasTLSx509ObjFromSrcAlias(QEMU_MIGRATION= _TLS_ALIAS_BASE))) return -1; =20 - if (qemuDomainGetTLSObjects(priv->migSecinfo, - cfg->migrateTLSx509certdir, tlsListen, - cfg->migrateTLSx509verify, - cfg->migrateTLSpriority, - *tlsAlias, &tlsProps, &secProps) < 0) + if (qemuDomainGetTLSx509Objects(priv->migSecinfo, + cfg->migrateTLSx509certdir, tlsListen, + cfg->migrateTLSx509verify, + cfg->migrateTLSpriority, + *tlsx509Alias, &tlsx509Props, &secProp= s) < 0) return -1; =20 /* Ensure the domain doesn't already have the TLS objects defined... * This should prevent any issues just in case some cleanup wasn't * properly completed (both src and dst use the same alias) or * some other error path between now and perform . */ - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsAlias); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsx509Alias); =20 - if (qemuDomainAddTLSObjects(vm, asyncJob, &secProps, &tlsProps) < 0) + if (qemuDomainAddTLSx509Objects(vm, asyncJob, &secProps, &tlsx509Props= ) < 0) return -1; =20 if (qemuMigrationParamsSetString(migParams, QEMU_MIGRATION_PARAM_TLS_CREDS, - *tlsAlias) < 0) + *tlsx509Alias) < 0) return -1; =20 /* QEMU interprets an empty string for hostname as if it is not popula= ted */ @@ -1290,7 +1290,7 @@ qemuMigrationParamsResetTLS(virDomainObj *vm, qemuMigrationParams *origParams, unsigned int apiFlags) { - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; g_autofree char *secAlias =3D NULL; =20 /* There's nothing to do if QEMU does not support TLS migration or we = were 
@@ -1299,10 +1299,10 @@ qemuMigrationParamsResetTLS(virDomainObj *vm, !(apiFlags & VIR_MIGRATE_TLS)) return; =20 - tlsAlias =3D qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE= ); + tlsx509Alias =3D qemuAliasTLSx509ObjFromSrcAlias(QEMU_MIGRATION_TLS_AL= IAS_BASE); secAlias =3D qemuAliasForSecret(QEMU_MIGRATION_TLS_ALIAS_BASE, NULL, 0= ); =20 - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsx509Alias); g_clear_pointer(&QEMU_DOMAIN_PRIVATE(vm)->migSecinfo, qemuDomainSecret= InfoFree); } =20 diff --git a/src/qemu/qemu_migration_params.h b/src/qemu/qemu_migration_par= ams.h index b7a829b85a..b578cf5091 100644 --- a/src/qemu/qemu_migration_params.h +++ b/src/qemu/qemu_migration_params.h @@ -115,13 +115,13 @@ qemuMigrationParamsApply(virDomainObj *vm, unsigned int apiFlags); =20 int -qemuMigrationParamsEnableTLS(virQEMUDriver *driver, - virDomainObj *vm, - bool tlsListen, - int asyncJob, - char **tlsAlias, - const char *hostname, - qemuMigrationParams *migParams); +qemuMigrationParamsEnableTLSx509(virQEMUDriver *driver, + virDomainObj *vm, + bool tlsListen, + int asyncJob, + char **tlsx509Alias, + const char *hostname, + qemuMigrationParams *migParams); =20 int qemuMigrationParamsDisableTLS(virDomainObj *vm, diff --git a/src/qemu/qemu_postparse.c b/src/qemu/qemu_postparse.c index 79e02e34ac..7e3e714fae 100644 --- a/src/qemu/qemu_postparse.c +++ b/src/qemu/qemu_postparse.c @@ -278,7 +278,7 @@ qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *disk, if (parseFlags & VIR_DOMAIN_DEF_PARSE_STATUS && disk->src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES && !disk->src->tlsAlias && - !(disk->src->tlsAlias =3D qemuAliasTLSObjFromSrcAlias(disk->info.a= lias))) + !(disk->src->tlsAlias =3D qemuAliasTLSx509ObjFromSrcAlias(disk->in= fo.alias))) return -1; =20 return 0; diff --git a/tests/qemumigparamsdata/tls-enabled.json b/tests/qemumigparams= data/tls-enabled.json index 098d3ae148..c16d24684f 100644 
--- a/tests/qemumigparamsdata/tls-enabled.json +++ b/tests/qemumigparamsdata/tls-enabled.json @@ -1,7 +1,7 @@ { "cpu-throttle-initial": 20, "cpu-throttle-increment": 10, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx5090", "tls-hostname": "", "max-bandwidth": 33554432, "downtime-limit": 300 diff --git a/tests/qemumigparamsdata/tls-enabled.reply b/tests/qemumigparam= sdata/tls-enabled.reply index e3ce8e7778..679df2d638 100644 --- a/tests/qemumigparamsdata/tls-enabled.reply +++ b/tests/qemumigparamsdata/tls-enabled.reply @@ -4,7 +4,7 @@ "cpu-throttle-increment": 10, "tls-hostname": "", "cpu-throttle-initial": 20, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx5090", "max-bandwidth": 33554432, "downtime-limit": 300 } diff --git a/tests/qemumigparamsdata/tls-enabled.xml b/tests/qemumigparamsd= ata/tls-enabled.xml index 554b6855d4..e786896165 100644 --- a/tests/qemumigparamsdata/tls-enabled.xml +++ b/tests/qemumigparamsdata/tls-enabled.xml @@ -2,7 +2,7 @@ - + diff --git a/tests/qemumigparamsdata/tls-hostname.json b/tests/qemumigparam= sdata/tls-hostname.json index 2943df769b..4fb1f011fe 100644 --- a/tests/qemumigparamsdata/tls-hostname.json +++ b/tests/qemumigparamsdata/tls-hostname.json @@ -1,7 +1,7 @@ { "cpu-throttle-initial": 20, "cpu-throttle-increment": 10, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx5090", "tls-hostname": "f27-1.virt", "max-bandwidth": 33554432, "downtime-limit": 300 diff --git a/tests/qemumigparamsdata/tls-hostname.reply b/tests/qemumigpara= msdata/tls-hostname.reply index f7e7a96bc5..07fa788135 100644 --- a/tests/qemumigparamsdata/tls-hostname.reply +++ b/tests/qemumigparamsdata/tls-hostname.reply @@ -4,7 +4,7 @@ "cpu-throttle-increment": 10, "tls-hostname": "f27-1.virt", "cpu-throttle-initial": 20, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx5090", "max-bandwidth": 33554432, "downtime-limit": 300 } 
diff --git a/tests/qemumigparamsdata/tls-hostname.xml b/tests/qemumigparams= data/tls-hostname.xml index addb5e68a4..099e28b5fc 100644 --- a/tests/qemumigparamsdata/tls-hostname.xml +++ b/tests/qemumigparamsdata/tls-hostname.xml @@ -2,7 +2,7 @@ - + diff --git a/tests/qemumonitorjsontest.c b/tests/qemumonitorjsontest.c index e34dbad7cd..67586bd84b 100644 --- a/tests/qemumonitorjsontest.c +++ b/tests/qemumonitorjsontest.c @@ -665,7 +665,7 @@ qemuMonitorJSONTestAttachChardev(virDomainXMLOption *xm= lopt, "'server':false}}}"); =20 chr->data.tcp.tlscreds =3D true; - chrSourcePriv->tlsCredsAlias =3D qemuAliasTLSObjFromSrcAlias("alia= s"); + chrSourcePriv->tlsCredsAlias =3D qemuAliasTLSx509ObjFromSrcAlias("= alias"); chr->logfile =3D g_strdup("/test/log"); CHECK("tcp", false, "{'id':'alias'," @@ -675,7 +675,7 @@ qemuMonitorJSONTestAttachChardev(virDomainXMLOption *xm= lopt, "'port':'1234'}}," "'telnet':false," "'server':false," - "'tls-creds':'objalias_tls0'," + "'tls-creds':'objalias_tlsx5090'," "'logfile':'/test/log'}}}"); =20 } diff --git a/tests/qemustatusxml2xmldata/upgrade-out.xml b/tests/qemustatus= xml2xmldata/upgrade-out.xml index c7bc7128df..bd2323862d 100644 --- a/tests/qemustatusxml2xmldata/upgrade-out.xml +++ b/tests/qemustatusxml2xmldata/upgrade-out.xml @@ -414,7 +414,7 @@ - + diff --git a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args = b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args index dce4a582d2..c0fc1ea722 100644 --- a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args +++ b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUG= uest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"char= dev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev '{"id":"charchannel10","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5679"}},"telnet":true,"serv= er":true,"wait":false}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"char= dev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"ser= ver":false,"reconnect":2,"tls-creds":"objcharchannel11_tls0"}}}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx5090","di= r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"ser= ver":false,"reconnect":2,"tls-creds":"objcharchannel11_tlsx5090"}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"char= dev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel12","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":t= rue,"server":false,"reconnect":2,"tls-creds":"objcharchannel12_tls0"}}}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx5090","di= r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ 
+-chardev '{"id":"charchannel12","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":t= rue,"server":false,"reconnect":2,"tls-creds":"objcharchannel12_tlsx5090"}}}= ' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"char= dev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}'= \ -chardev '{"id":"charchannel13","backend":{"type":"udp","data":{"remote":{= "type":"inet","data":{"host":"127.0.0.1","port":"2222"}}}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"char= dev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args= b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args index 2b7e614e8b..925d2f25e3 100644 --- a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args +++ b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUG= uest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"char= dev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev '{"id":"charchannel10","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5679"}},"telnet":true,"serv= er":true,"wait":false}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"char= dev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"ser= ver":false,"reconnect-ms":2000,"tls-creds":"objcharchannel11_tls0"}}}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx5090","di= r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"ser= ver":false,"reconnect-ms":2000,"tls-creds":"objcharchannel11_tlsx5090"}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"char= dev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel12","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":t= rue,"server":false,"reconnect-ms":2000,"tls-creds":"objcharchannel12_tls0"}= }}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx5090","di= 
r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev '{"id":"charchannel12","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":t= rue,"server":false,"reconnect-ms":2000,"tls-creds":"objcharchannel12_tlsx50= 90"}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"char= dev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}'= \ -chardev '{"id":"charchannel13","backend":{"type":"udp","data":{"remote":{= "type":"inet","data":{"host":"127.0.0.1","port":"2222"}}}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"char= dev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args b/tes= ts/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args index 81773dcacd..c5924d44c5 100644 --- a/tests/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args +++ b/tests/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUG= uest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"char= dev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev socket,id=3Dcharchannel10,host=3D1.2.3.4,port=3D5679,telnet=3Don,= server=3Don,wait=3Doff \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"char= dev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharchannel11,host=3D1.2.3.4,port=3D5678,reconnect=3D= 2,tls-creds=3Dobjcharchannel11_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx5090","di= r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharchannel11,host=3D1.2.3.4,port=3D5678,reconnect=3D= 2,tls-creds=3Dobjcharchannel11_tlsx5090 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"char= dev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharchannel12,host=3Dhostname.global.,port=3D5679,tel= net=3Don,reconnect=3D2,tls-creds=3Dobjcharchannel12_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx5090","di= r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharchannel12,host=3Dhostname.global.,port=3D5679,tel= net=3Don,reconnect=3D2,tls-creds=3Dobjcharchannel12_tlsx5090 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"char= dev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}'= \ -chardev udp,id=3Dcharchannel13,host=3D127.0.0.1,port=3D2222,localaddr=3D,= localport=3D0 \ 
-device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"char= dev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/chardev-backends.x86_64-latest.args b/te= sts/qemuxmlconfdata/chardev-backends.x86_64-latest.args index 9708b18735..092f5f7921 100644 --- a/tests/qemuxmlconfdata/chardev-backends.x86_64-latest.args +++ b/tests/qemuxmlconfdata/chardev-backends.x86_64-latest.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUG= uest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"char= dev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev socket,id=3Dcharchannel10,host=3D1.2.3.4,port=3D5679,telnet=3Don,= server=3Don,wait=3Doff \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"char= dev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharchannel11,host=3D1.2.3.4,port=3D5678,reconnect-ms= =3D2000,tls-creds=3Dobjcharchannel11_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx5090","di= r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharchannel11,host=3D1.2.3.4,port=3D5678,reconnect-ms= =3D2000,tls-creds=3Dobjcharchannel11_tlsx5090 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"char= dev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharchannel12,host=3Dhostname.global.,port=3D5679,tel= net=3Don,reconnect-ms=3D2000,tls-creds=3Dobjcharchannel12_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx5090","di= r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharchannel12,host=3Dhostname.global.,port=3D5679,tel= net=3Don,reconnect-ms=3D2000,tls-creds=3Dobjcharchannel12_tlsx5090 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"char= dev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}'= \ -chardev 
udp,id=3Dcharchannel13,host=3D127.0.0.1,port=3D2222,localaddr=3D,= localport=3D0 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"char= dev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64= -latest.args b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_= 64-latest.args index 77d38c3020..0e758834fc 100644 --- a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest= .args +++ b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest= .args 
@@ -27,9 +27,9 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGue= st1/.config \ -no-shutdown \ -boot strict=3Don \ -device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0= x2"}' \ --object '{"qom-type":"secret","id":"objlibvirt-1-storage_tls0-secret0","da= ta":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","key= id":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw=3D=3D","format":"base64"}' \ --object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","di= r":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"priority"= :"@SYSTEM:-VERS-TLS1.3","passwordid":"objlibvirt-1-storage_tls0-secret0"}' \ --blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","p= ort":"1234"},"tls-creds":"objlibvirt-1-storage_tls0","tls-hostname":"test-h= ostname","node-name":"libvirt-1-storage","read-only":false,"cache":{"direct= ":true,"no-flush":false}}' \ +-object '{"qom-type":"secret","id":"objlibvirt-1-storage_tlsx5090-secret0"= ,"data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1",= "keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw=3D=3D","format":"base64"}= ' \ +-object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tlsx5090"= ,"dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"prior= ity":"@SYSTEM:-VERS-TLS1.3","passwordid":"objlibvirt-1-storage_tlsx5090-sec= ret0"}' \ +-blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","p= ort":"1234"},"tls-creds":"objlibvirt-1-storage_tlsx5090","tls-hostname":"te= st-hostname","node-name":"libvirt-1-storage","read-only":false,"cache":{"di= rect":true,"no-flush":false}}' \ -device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x7","drive":"li= bvirt-1-storage","id":"virtio-disk3","bootindex":1,"write-cache":"on"}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,resource= control=3Ddeny \ 
diff --git a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.a= rgs b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.args index fb68ac54fb..675e266400 100644 --- a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.args +++ b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.args 
@@ -27,9 +27,9 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGue= st1/.config \ -no-shutdown \ -boot strict=3Don \ -device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0= x2"}' \ --object '{"qom-type":"secret","id":"objlibvirt-1-storage_tls0-secret0","da= ta":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","key= id":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw=3D=3D","format":"base64"}' \ --object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","di= r":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"passwordi= d":"objlibvirt-1-storage_tls0-secret0"}' \ --blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","p= ort":"1234"},"tls-creds":"objlibvirt-1-storage_tls0","node-name":"libvirt-1= -storage","read-only":false,"cache":{"direct":true,"no-flush":false}}' \ +-object '{"qom-type":"secret","id":"objlibvirt-1-storage_tlsx5090-secret0"= ,"data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1",= "keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw=3D=3D","format":"base64"}= ' \ +-object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tlsx5090"= ,"dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"passw= ordid":"objlibvirt-1-storage_tlsx5090-secret0"}' \ +-blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","p= ort":"1234"},"tls-creds":"objlibvirt-1-storage_tlsx5090","node-name":"libvi= rt-1-storage","read-only":false,"cache":{"direct":true,"no-flush":false}}' \ -device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x7","drive":"li= bvirt-1-storage","id":"virtio-disk3","bootindex":1,"write-cache":"on"}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,resource= control=3Ddeny \ 
diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_64= -latest.args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_= 64-latest.args index f8f1bb8502..787ecbb5ec 100644 --- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_64-latest= .args +++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_64-latest= .args @@ -31,8 +31,8 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGue= st1/.config \ -device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-stor= age","id":"ide0-0-0","bootindex":1}' \ -chardev udp,id=3Dcharserial0,host=3D127.0.0.1,port=3D2222,localaddr=3D127= .0.0.1,localport=3D1111 \ -device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","in= dex":0}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/e= tc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tlsx5090","dir"= :"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tlsx5090 \ -device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","in= dex":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","add= r":"0x2"}' \ diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest= .args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest.args index f8f1bb8502..787ecbb5ec 100644 --- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest.args +++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest.args 
@@ -31,8 +31,8 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGue= st1/.config \ -device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-stor= age","id":"ide0-0-0","bootindex":1}' \ -chardev udp,id=3Dcharserial0,host=3D127.0.0.1,port=3D2222,localaddr=3D127= .0.0.1,localport=3D1111 \ -device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","in= dex":0}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/e= tc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tlsx5090","dir"= :"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tlsx5090 \ -device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","in= dex":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","add= r":"0x2"}' \ diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64= -latest.args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_= 64-latest.args index 492d1be626..59f7b7be83 100644 --- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest= .args +++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest= .args 
@@ -32,8 +32,8 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGue= st1/.config \ -chardev udp,id=3Dcharserial0,host=3D127.0.0.1,port=3D2222,localaddr=3D127= .0.0.1,localport=3D1111 \ -device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","in= dex":0}' \ -object '{"qom-type":"secret","id":"charserial1-secret0","data":"9eao5F8qt= kGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey= 0","iv":"AAECAwQFBgcICQoLDA0ODw=3D=3D","format":"base64"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/e= tc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"priority":"= @SYSTEM:-VERS-TLS1.3","passwordid":"charserial1-secret0"}' \ --chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tlsx5090","dir"= :"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"priorit= y":"@SYSTEM:-VERS-TLS1.3","passwordid":"charserial1-secret0"}' \ +-chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tlsx5090 \ -device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","in= dex":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","add= r":"0x3"}' \ --=20 2.39.3
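Review bot: The `id` of every tls-creds-x509 object in these .args files changes from the `_tls0` suffix to `_tlsx5090`, and the expected output only covers command lines generated from scratch, so nothing here shows what happens to a domain that was started with the old name and is then cleaned up by code that derives the alias from the new format string. Please state in the commit message whether already-running guests are affected, or leave the x509 suffix as it was and give only the new PSK object a distinct suffix. The NBD cases also rename the dependent secret (`objlibvirt-1-storage_tls0-secret0` becomes `objlibvirt-1-storage_tlsx5090-secret0`) while `charserial1-secret0` in serial-tcp-tlsx509-secret-chardev is untouched; a sentence explaining why the two secret aliases behave differently would help the next reader of this test data.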
From: Abhisek Panda
To: devel@lists.libvirt.org
CC: tejus.gk@nutanix.com, Abhisek Panda
Subject: [PATCH v1 5/7] qemu: Manage tls-creds-psk object lifecycle
Date: Tue, 26 May 2026 10:23:28 +0000
Message-ID: <20260526102333.3379532-6-abhisek.panda1@nutanix.com>
In-Reply-To: <20260526102333.3379532-1-abhisek.panda1@nutanix.com>
References: <20260526102333.3379532-1-abhisek.panda1@nutanix.com>

To enable a TLS-PSK-based authentication scheme, add support for
instantiating the tls-creds-psk object through the QEMU monitor. In order to
remove the TLS-related objects from a QEMU instance, augment the
qemuDomainDelTLSObjects handler to also consider the TLS-PSK object.

Suggested-by: Tejus GK
Signed-off-by: Abhisek Panda
---
 src/qemu/qemu_alias.c            | 11 +++++
 src/qemu/qemu_alias.h            |  3 ++
 src/qemu/qemu_hotplug.c          | 59 +++++++++++++++++++++++---
 src/qemu/qemu_hotplug.h          | 15 ++++++-
 src/qemu/qemu_migration_params.c | 73 ++++++++++++++++++++++++++++++--
 src/qemu/qemu_migration_params.h |  9 ++++
 6 files changed, 159 insertions(+), 11 deletions(-)

diff --git a/src/qemu/qemu_alias.c b/src/qemu/qemu_alias.c index 9133389df1..4d61d7d2fe 100644 --- a/src/qemu/qemu_alias.c +++ b/src/qemu/qemu_alias.c 
@@ -883,6 +883,17 @@ qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias) return g_strdup_printf("obj%s_tlsx5090", srcAlias); } =20 +/* qemuAliasTLSPSKObjFromSrcAlias + * @srcAlias: Pointer to a source alias string + * + * Generate and return a string to be used as the TLS PSK object alias + */ +char * +qemuAliasTLSPSKObjFromSrcAlias(const char *srcAlias) +{ + return g_strdup_printf("obj%s_tlspsk0", srcAlias); +} + =20 /* qemuAliasChardevFromDevAlias: * @devAlias: pointer do device alias diff --git a/src/qemu/qemu_alias.h b/src/qemu/qemu_alias.h index dd7bfdcc0f..2a0c7ca7c3 100644 --- a/src/qemu/qemu_alias.h +++ b/src/qemu/qemu_alias.h @@ -92,6 +92,9 @@ char *qemuAliasForSecret(const char *parentalias, char *qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias) ATTRIBUTE_NONNULL(1); =20 +char *qemuAliasTLSPSKObjFromSrcAlias(const char *srcAlias) + ATTRIBUTE_NONNULL(1); + char *qemuAliasChardevFromDevAlias(const char *devAlias) ATTRIBUTE_NONNULL(1); =20 diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 9e7055f5da..296da1f195 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1702,12 +1702,13 @@ void qemuDomainDelTLSObjects(virDomainObj *vm, virDomainAsyncJob asyncJob, const char *secAlias, - const char *tlsx509Alias) + const char *tlsx509Alias, + const char *tlsPSKAlias) { qemuDomainObjPrivate *priv =3D vm->privateData; virErrorPtr orig_err; =20 - if (!tlsx509Alias && !secAlias) + if (!tlsx509Alias && !secAlias && !tlsPSKAlias) return; =20 virErrorPreserveLast(&orig_err); @@ -1721,6 +1722,9 @@ qemuDomainDelTLSObjects(virDomainObj *vm, if (secAlias) ignore_value(qemuMonitorDelObject(priv->mon, secAlias, false)); =20 + if (tlsPSKAlias) + ignore_value(qemuMonitorDelObject(priv->mon, tlsPSKAlias, false)); + qemuDomainObjExitMonitor(vm); =20 cleanup: 
@@ -1759,7 +1763,7 @@ qemuDomainAddTLSx509Objects(virDomainObj *vm, virErrorPreserveLast(&orig_err); qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, NULL); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, NULL, NULL); =20 return -1; } @@ -1881,6 +1885,49 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver, } =20 =20 +int +qemuDomainAddTLSPSKObjects(virDomainObj *vm, + virDomainAsyncJob asyncJob, + virJSONValue **tlsPSKProps) +{ + qemuDomainObjPrivate *priv =3D vm->privateData; + virErrorPtr orig_err; + + if (!tlsPSKProps) + return 0; + + if (qemuDomainObjEnterMonitorAsync(vm, asyncJob) < 0) + return -1; + + if (tlsPSKProps && *tlsPSKProps && + qemuMonitorAddObject(priv->mon, tlsPSKProps, NULL) < 0) + goto error; + + qemuDomainObjExitMonitor(vm); + return 0; + + error: + virErrorPreserveLast(&orig_err); + qemuDomainObjExitMonitor(vm); + virErrorRestore(&orig_err); + return -1; +} + + +int +qemuDomainGetTLSPSKObjects(const char *tlsPSKdir, + bool tlsListen, + const char *username, + const char *alias, + virJSONValue **tlsPSKProps) +{ + if (qemuBuildTLSPSKBackendProps(tlsPSKdir, tlsListen, username, alias,= tlsPSKProps) < 0) + return -1; + + return 0; +} + + static int qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, virDomainObj *vm, @@ -1941,7 +1988,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, ignore_value(qemuMonitorDetachCharDev(priv->mon, charAlias)); qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= , NULL); goto audit; } =20 
@@ -2240,7 +2287,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver, qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); =20 - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= , NULL); goto audit; } =20 @@ -2345,7 +2392,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver, qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); =20 - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= , NULL); goto audit; } =20 diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h index 2d9b10204c..835f57ded1 100644 --- a/src/qemu/qemu_hotplug.h +++ b/src/qemu/qemu_hotplug.h @@ -28,7 +28,8 @@ void qemuDomainDelTLSObjects(virDomainObj *vm, virDomainAsyncJob asyncJob, const char *secAlias, - const char *tlsx509Alias); + const char *tlsx509Alias, + const char *tlsPSKAlias); =20 int qemuDomainAddTLSx509Objects(virDomainObj *vm, @@ -46,6 +47,18 @@ qemuDomainGetTLSx509Objects(qemuDomainSecretInfo *secinf= o, virJSONValue **tlsProps, virJSONValue **secProps); =20 +int +qemuDomainAddTLSPSKObjects(virDomainObj *vm, + virDomainAsyncJob asyncJob, + virJSONValue **tlsPSKProps); + +int +qemuDomainGetTLSPSKObjects(const char *tlsPSKdir, + bool tlsListen, + const char *username, + const char *alias, + virJSONValue **tlsPSKProps); + int qemuDomainAttachDiskGeneric(virDomainObj *vm, virDomainDiskDef *disk, diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_par= ams.c index c91ae89c9b..1c6ab6fc8a 100644 --- a/src/qemu/qemu_migration_params.c +++ b/src/qemu/qemu_migration_params.c 
@@ -1216,7 +1216,7 @@ qemuMigrationParamsEnableTLSx509(virQEMUDriver *drive= r, * This should prevent any issues just in case some cleanup wasn't * properly completed (both src and dst use the same alias) or * some other error path between now and perform . */ - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsx509Alias); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsx509Alias, NULL); =20 if (qemuDomainAddTLSx509Objects(vm, asyncJob, &secProps, &tlsx509Props= ) < 0) return -1; 
@@ -1237,6 +1237,69 @@ qemuMigrationParamsEnableTLSx509(virQEMUDriver *driv= er, } =20 =20 +/* qemuMigrationParamsEnableTLSPSK + * @driver: pointer to qemu driver + * @vm: domain object + * @tlsListen: server or client + * @asyncJob: Migration job to join + * @tlsPSKAlias: alias to be generated for TLS-PSK object + * @username: hostname of the migration destination + * @tls_psk_directory: directory containing the TLS-PSK key file + * @migParams: migration parameters to set + * + * Create the TLS PSK objects for the migration and set the migParams valu= e. + * + * Returns 0 on success, -1 on failure + */ +int +qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver, + virDomainObj *vm, + bool tlsListen, + int asyncJob, + char **tlsPSKAlias, + const char *username, + qemuMigrationParams *migParams) +{ + qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; + g_autoptr(virJSONValue) tlsPSKProps =3D NULL; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); + + if (!cfg->migrateTLSPSKdir) { + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("host migration TLS-PSK directory not configured")); + return -1; + } + + if (!jobPriv->migParams->params[QEMU_MIGRATION_PARAM_TLS_CREDS].set) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("TLS migration is not supported with this QEMU binar= y")); + return -1; + } + + if (!(*tlsPSKAlias =3D qemuAliasTLSPSKObjFromSrcAlias(QEMU_MIGRATION_T= LS_ALIAS_BASE))) + return -1; + + if (qemuDomainGetTLSPSKObjects(cfg->migrateTLSPSKdir, tlsListen, + username, *tlsPSKAlias, &tlsPSKProps) < 0) + return -1; + + /* Ensure the domain doesn't already have the TLS-PSK objects defined.= .. + * This should prevent any issues just in case some cleanup wasn't + * properly completed (both src and dst use the same alias) or + * some other error path between now and perform . 
*/ + qemuDomainDelTLSObjects(vm, asyncJob, NULL, NULL, *tlsPSKAlias); + + if (qemuDomainAddTLSPSKObjects(vm, asyncJob, &tlsPSKProps) < 0) + return -1; + + if (qemuMigrationParamsSetString(migParams, QEMU_MIGRATION_PARAM_TLS_C= REDS, + *tlsPSKAlias) < 0) + return -1; + + return 0; +} + + /* qemuMigrationParamsDisableTLS * @vm: domain object * @migParams: Pointer to a migration parameters block @@ -1281,8 +1344,8 @@ qemuMigrationParamsTLSHostnameIsSet(qemuMigrationPara= ms *migParams) * @asyncJob: migration job to join * @apiFlags: API flags used to start the migration * - * Deconstruct all the setup possibly done for TLS - delete the TLS and - * security objects and free the secinfo + * Deconstruct all the setup possibly done for TLS - delete the TLS X.509,= TLS-PSK + * and security objects and free the secinfo */ static void qemuMigrationParamsResetTLS(virDomainObj *vm, @@ -1292,6 +1355,7 @@ qemuMigrationParamsResetTLS(virDomainObj *vm, { g_autofree char *tlsx509Alias =3D NULL; g_autofree char *secAlias =3D NULL; + g_autofree char *tlsPSKAlias =3D NULL; =20 /* There's nothing to do if QEMU does not support TLS migration or we = were * not asked to enable it. */ @@ -1301,8 +1365,9 @@ qemuMigrationParamsResetTLS(virDomainObj *vm, =20 tlsx509Alias =3D qemuAliasTLSx509ObjFromSrcAlias(QEMU_MIGRATION_TLS_AL= IAS_BASE); secAlias =3D qemuAliasForSecret(QEMU_MIGRATION_TLS_ALIAS_BASE, NULL, 0= ); + tlsPSKAlias =3D qemuAliasTLSPSKObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIA= S_BASE); =20 - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsx509Alias); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsx509Alias, tlsPSKAl= ias); g_clear_pointer(&QEMU_DOMAIN_PRIVATE(vm)->migSecinfo, qemuDomainSecret= InfoFree); } =20 diff --git a/src/qemu/qemu_migration_params.h b/src/qemu/qemu_migration_par= ams.h index b578cf5091..07f5812065 100644 --- a/src/qemu/qemu_migration_params.h +++ b/src/qemu/qemu_migration_params.h 
@@ -123,6 +123,15 @@ qemuMigrationParamsEnableTLSx509(virQEMUDriver *driver, const char *hostname, qemuMigrationParams *migParams); =20 +int +qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver, + virDomainObj *vm, + bool tlsListen, + int asyncJob, + char **tlsPSKAlias, + const char *username, + qemuMigrationParams *migParams); + int qemuMigrationParamsDisableTLS(virDomainObj *vm, qemuMigrationParams *migParams); --=20 2.39.3 From nobody Sat May 30 15:30:47 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 38.145.34.151 as permitted sender) client-ip=38.145.34.151; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.libvirt.org designates 38.145.34.151 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; arc=fail (Bad Signature); dmarc=pass(p=none dis=none) header.from=nutanix.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [38.145.34.151]) by mx.zohomail.com with SMTPS id 1779886660969503.99013401984917; Wed, 27 May 2026 05:57:40 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 993) id AB5BB41B8F; Wed, 27 May 2026 08:57:38 -0400 (EDT) Received: from [172.19.199.9] (unknown [10.16.107.18]) by lists.libvirt.org (Postfix) with ESMTP id 9467941E00; Wed, 27 May 2026 08:45:54 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 993) id A4E5041B0D; Tue, 26 May 2026 06:23:54 -0400 (EDT) Received: from mx0b-002c1b01.pphosted.com (mx0b-002c1b01.pphosted.com [148.163.155.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 5DEE641AE1 for ; Tue, 26 May 2026 06:23:53 -0400 (EDT) Received: from pps.filterd (m0127844.ppops.net [127.0.0.1]) by mx0b-002c1b01.pphosted.com 
From: Abhisek Panda
To: devel@lists.libvirt.org
Subject: [PATCH v1 6/7] qemu: Set up the migrate TLS-PSK objects
Date: Tue, 26 May 2026 10:23:29 +0000
Message-ID: <20260526102333.3379532-7-abhisek.panda1@nutanix.com>
In-Reply-To: <20260526102333.3379532-1-abhisek.panda1@nutanix.com>
References: <20260526102333.3379532-1-abhisek.panda1@nutanix.com>
CC: tejus.gk@nutanix.com, Abhisek Panda

Enable TLS-PSK based secure migration at the source and destination, if and only if the VIR_MIGRATE_TLS_PSK flag is set. To prevent configuration conflicts, report an error in case a user attempts to enable both TLS-PSK and TLS x509 certificate authentication methods simultaneously.

Suggested-by: Tejus GK
Signed-off-by: Abhisek Panda
--- src/qemu/qemu.conf.in | 8 +-- src/qemu/qemu_migration.c | 110 +++++++++++++++++++++++++++----------- 2 files changed, 82 insertions(+), 36 deletions(-) diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in index 5dfd3229e5..fa4f711592 100644 --- a/src/qemu/qemu.conf.in +++ b/src/qemu/qemu.conf.in
@@ -440,10 +440,10 @@ #migrate_tls_priority =3D "@SYSTEM" =20 =20 -# By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not req= uested -# automatically. Setting 'migate_tls_force' to "1" will prevent any migrat= ion -# which is not using VIR_MIGRATE_TLS to ensure higher level of security in -# deployments with TLS. +# By default TLS is requested using either VIR_MIGRATE_TLS or VIR_MIGRATE_= TLS_PSK +# flags, thus not requested automatically. Setting 'migate_tls_force' to "= 1" will +# prevent any migration which is not using either VIR_MIGRATE_TLS or VIR_M= IGRATE_TLS_PSK +# to ensure higher level of security in deployments with TLS. # #migrate_tls_force =3D 0 =20 diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 15e3571c99..239d547bb0 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3078,9 +3078,9 @@ qemuMigrationSrcBegin(virConnectPtr conn, =20 if (cfg->migrateTLSForce && !(flags & VIR_MIGRATE_TUNNELLED) && - !(flags & VIR_MIGRATE_TLS)) { + !(flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK))) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("this libvirtd instance allows migration only wit= h VIR_MIGRATE_TLS flag")); + _("this libvirtd instance allows migration only wit= h VIR_MIGRATE_TLS or VIR_MIGRATE_TLS_PSK flags")); goto cleanup; } =20 @@ -3327,6 +3327,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; qemuProcessIncomingDef *incoming =3D NULL; g_autofree char *tlsx509Alias =3D NULL; + g_autofree char *tlsPSKAlias =3D NULL; virObjectEvent *event =3D NULL; virErrorPtr origErr =3D NULL; int dataFD[2] =3D { -1, -1 }; @@ -3335,6 +3336,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, bool relabel =3D false; bool tunnel =3D !!st; int ret =3D -1; + int tls_creds_type =3D 0; int rv; =20 if (STREQ_NULLABLE(protocol, "rdma") && 
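Review bot: the rewritten comment in the qemu.conf.in hunk still spells the option as 'migate_tls_force', while the setting it documents directly below is migrate_tls_force; the line carrying the name is being rewritten anyway, so correct the spelling in this patch. In the last hunk above, tls_creds_type is declared as int but will hold flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK); declaring it unsigned int, matching the flags argument, avoids a signed/unsigned mix in the switch.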
@@ -3409,17 +3411,36 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, /* Save original migration parameters */ qemuDomainSaveStatus(vm); =20 - /* Migrations using TLS need to add the "tls-creds-x509" object and - * set the migration TLS parameters */ - if (flags & VIR_MIGRATE_TLS) { - if (qemuMigrationParamsEnableTLSx509(driver, vm, true, - VIR_ASYNC_JOB_MIGRATION_IN, - &tlsx509Alias, NULL, - migParams) < 0) - goto error; - } else { - if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) + /* Migrations using TLS can support two types of credential + * objects: "tls-creds-x509" and "tls-creds-psk". Set the migration + * TLS parameters based on the chosen credential type. + */ + tls_creds_type =3D flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK); + switch (tls_creds_type) { + case 0: + if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) + goto error; + break; + case VIR_MIGRATE_TLS: + if (qemuMigrationParamsEnableTLSx509(driver, vm, true, + VIR_ASYNC_JOB_MIGRATION_I= N, + &tlsx509Alias, NULL, + migParams) < 0) + goto error; + break; + case VIR_MIGRATE_TLS_PSK: + if (qemuMigrationParamsEnableTLSPSK(driver, vm, true, + VIR_ASYNC_JOB_MIGRATION_IN, + &tlsPSKAlias, NULL, + migParams) < 0) + goto error; + break; + case VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK: + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("Both TLS x509 and TLS PSK are enabled simultaneously")); goto error; + default: + break; } =20 if (mig->nbd && @@ -3825,9 +3846,9 @@ qemuMigrationDstPrepareAny(virQEMUDriver *driver, =20 if (cfg->migrateTLSForce && !(flags & VIR_MIGRATE_TUNNELLED) && - !(flags & VIR_MIGRATE_TLS)) { + !(flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK))) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("this libvirtd instance allows migration only wit= h VIR_MIGRATE_TLS flag")); + _("this libvirtd instance allows migration only wit= h VIR_MIGRATE_TLS or VIR_MIGRATE_TLS_PSK flags")); return -1; } =20 
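Review bot: the VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK combination is rejected only inside the switch in qemuMigrationDstPrepareActive, after qemuDomainSaveStatus(vm) has run, while the migrateTLSForce test in qemuMigrationDstPrepareAny accepts a request that sets both flags. Reject the combination where the flags are first validated, for example with VIR_EXCLUSIVE_FLAGS_RET(VIR_MIGRATE_TLS, VIR_MIGRATE_TLS_PSK, -1) at the API entry points, so a conflicting request fails before any migration state is touched and with an invalid-argument error rather than VIR_ERR_OPERATION_UNSUPPORTED. The switch then needs only the three valid cases.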
@@ -4978,6 +4999,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, qemuDomainObjPrivate *priv =3D vm->privateData; g_autoptr(qemuMigrationCookie) mig =3D NULL; g_autofree char *tlsx509Alias =3D NULL; + g_autofree char *tlsPSKAlias =3D NULL; qemuMigrationIOThread *iothread =3D NULL; VIR_AUTOCLOSE fd =3D -1; unsigned long restore_max_bandwidth =3D priv->migMaxBandwidth; @@ -4988,6 +5010,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, bool cancel =3D false; unsigned int waitFlags; g_autoptr(virDomainDef) persistDef =3D NULL; + int tls_creds_type =3D 0; int rc; =20 if (bandwidth > 0) 
@@ -5061,23 +5084,46 @@ qemuMigrationSrcRun(virQEMUDriver *driver, /* Save original migration parameters */ qemuDomainSaveStatus(vm); =20 - if (flags & VIR_MIGRATE_TLS) { - const char *hostname =3D NULL; - - /* We need to add tls-hostname whenever QEMU itself does not - * connect directly to the destination. */ - if (spec->destType =3D=3D MIGRATION_DEST_CONNECT_HOST || - spec->destType =3D=3D MIGRATION_DEST_FD) - hostname =3D spec->dest.host.name; - - if (qemuMigrationParamsEnableTLSx509(driver, vm, false, - VIR_ASYNC_JOB_MIGRATION_OUT, - &tlsx509Alias, hostname, - migParams) < 0) - goto error; - } else { - if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) + /* Migrations using TLS can support two types of credential + * objects: "tls-creds-x509" and "tls-creds-psk". Set the migration + * TLS parameters based on the chosen credential type. + */ + tls_creds_type =3D flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK); + switch (tls_creds_type) { + case 0: + if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) + goto error; + break; + case VIR_MIGRATE_TLS:{ + const char *hostname =3D NULL; + + /* We need to add tls-hostname whenever QEMU itself does not + * connect directly to the destination. */ + if (spec->destType =3D=3D MIGRATION_DEST_CONNECT_HOST || + spec->destType =3D=3D MIGRATION_DEST_FD) + hostname =3D spec->dest.host.name; + + if (qemuMigrationParamsEnableTLSx509(driver, vm, false, + VIR_ASYNC_JOB_MIGRATION_O= UT, + &tlsx509Alias, hostname, + migParams) < 0) + goto error; + break; + } + case VIR_MIGRATE_TLS_PSK: { + if (qemuMigrationParamsEnableTLSPSK(driver, vm, false, + VIR_ASYNC_JOB_MIGRATION_OU= T, + &tlsPSKAlias, spec->dest.h= ost.username, + migParams) < 0) + goto error; + break; + } + case VIR_MIGRATE_TLS|VIR_MIGRATE_TLS_PSK: + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("Both TLS and TLS-PSK are enabled simultaneously")); goto error; + default: + break; } =20 if (qemuMigrationParamsSetULL(migParams, QEMU_MIGRATION_PARAM_MAX_BAND= WIDTH, 
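Review bot: in the VIR_MIGRATE_TLS_PSK case of qemuMigrationSrcRun, spec->dest.host.username is passed without the destType check that the x509 case applies before it reads spec->dest.host.name. If username is populated only for some destination types, guard it the same way and pass NULL otherwise, and document what a NULL username means for qemuMigrationParamsEnableTLSPSK, since the destination side passes NULL. The conflict message here ("Both TLS and TLS-PSK are enabled simultaneously") also differs from the one in qemuMigrationDstPrepareActive ("Both TLS x509 and TLS PSK are enabled simultaneously"); use a single string in both places. Assuming each flag is a single bit, the masked value has only the four results already listed, so the default: branch is unreachable and can be dropped. The spacing of "case VIR_MIGRATE_TLS:{" and "VIR_MIGRATE_TLS|VIR_MIGRATE_TLS_PSK" should match the destination-side switch.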
@@ -6553,9 +6599,9 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, =20 if (cfg->migrateTLSForce && !(flags & VIR_MIGRATE_TUNNELLED) && - !(flags & VIR_MIGRATE_TLS)) { + !(flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK))) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("this libvirtd instance allows migration only wit= h VIR_MIGRATE_TLS flag")); + _("this libvirtd instance allows migration only wit= h VIR_MIGRATE_TLS or VIR_MIGRATE_TLS_PSK flags")); return -1; } =20 --=20 2.39.3
From: Abhisek Panda
To: devel@lists.libvirt.org
Subject: [PATCH v1 7/7] include: define VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY
Date: Tue, 26 May 2026 10:23:30 +0000
Message-ID: <20260526102333.3379532-8-abhisek.panda1@nutanix.com>
In-Reply-To: <20260526102333.3379532-1-abhisek.panda1@nutanix.com>
References: <20260526102333.3379532-1-abhisek.panda1@nutanix.com>
CC: tejus.gk@nutanix.com, Abhisek Panda

During an encrypted migration, the parties negotiate a unique identifier, then QEMU parses the key file and extracts the matching key. By default, the key file’s location is defined in either "migrate_tls_psk_dir" or "default_tls_psk_dir" in qemu.conf.
To use a different key file for a particular migration session, a user can provide custom directory path of the key file using the "VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY" migration parameter. If this parameter is set, the defined path supersedes the "migrate_tls_psk_dir" or "default_tls_psk_dir" configurations provided in qemu.conf. Suggested-by: Tejus GK Signed-off-by: Abhisek Panda --- include/libvirt/libvirt-domain.h | 14 ++++++ src/qemu/qemu_driver.c | 24 ++++++---- src/qemu/qemu_migration.c | 78 ++++++++++++++++++++------------ src/qemu/qemu_migration.h | 2 + src/qemu/qemu_migration_params.c | 41 +++++++++++++---- src/qemu/qemu_migration_params.h | 5 ++ tools/virsh-domain.c | 7 +++ 7 files changed, 127 insertions(+), 44 deletions(-) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-dom= ain.h index 88eb3e55aa..f600771c08 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h @@ -1479,6 +1479,20 @@ typedef enum { */ # define VIR_MIGRATE_PARAM_TLS_DESTINATION "tls.destination" =20 +/** + * VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY: + * + * virDomainMigrate* params field: override the path of the directory cont= aining + * the pre-shared key files. + * + * Normally the pre-shared key files on a host is stored at a specific pat= h specified + * in the configuration file. When a user wants to use a unique or custom = pre-shared key + * for migration, this parameter can be used to override the pre-shared ke= y files' path. + * + * Since: 12.4.0 + */ +# define VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY "tls.psk_directory" + /* Domain migration. */ virDomainPtr virDomainMigrate (virDomainPtr domain, virConnectPtr dconn, unsigned long flags, const char *dname, diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index eda1f42054..8e4d415874 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c 
@@ -11004,7 +11004,7 @@ qemuDomainMigratePrepare2(virConnectPtr dconn, return qemuMigrationDstPrepareDirect(driver, dconn, NULL, 0, NULL, NULL, /* No cookie= s */ uri_in, uri_out, - &def, origname, NULL, NULL, 0, NU= LL, + &def, origname, NULL, NULL, 0, NU= LL, NULL, migParams, flags); } =20 @@ -11055,7 +11055,7 @@ qemuDomainMigratePerform(virDomainPtr dom, */ ret =3D qemuMigrationSrcPerform(driver, dom->conn, vm, NULL, NULL, dconnuri, uri, NULL, NULL, NULL, N= ULL, NULL, 0, - NULL, + NULL, NULL, migParams, cookie, cookielen, NULL, NULL, /* No output cookies in v2 */ flags, dname, bandwidth, false); @@ -11230,7 +11230,7 @@ qemuDomainMigratePrepare3(virConnectPtr dconn, cookieout, cookieoutlen, uri_in, uri_out, &def, origname, NULL, NULL, 0, - NULL, migParams, flags); + NULL, NULL, migParams, flags); } =20 static int @@ -11256,6 +11256,7 @@ qemuDomainMigratePrepare3Params(virConnectPtr dconn, g_autofree char *origname =3D NULL; g_autoptr(qemuMigrationParams) migParams =3D NULL; const char *nbdURI =3D NULL; + const char *tls_psk_directory =3D NULL; =20 virCheckFlags(QEMU_MIGRATION_FLAGS, -1); if (virTypedParamsValidateTemplate(params, nparams, qemuMigrationParam= etersValidation) < 0) @@ -11278,7 +11279,10 @@ qemuDomainMigratePrepare3Params(virConnectPtr dcon= n, &nbdURI) < 0 || virTypedParamsGetInt(params, nparams, VIR_MIGRATE_PARAM_DISKS_PORT, - &nbdPort) < 0) + &nbdPort) < 0 || + virTypedParamsGetString(params, nparams, + VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY, + &tls_psk_directory) < 0) return -1; =20 virTypedParamsGetStringList(params, nparams, VIR_MIGRATE_PARAM_MIGRATE= _DISKS, @@ -11333,7 +11337,7 @@ qemuDomainMigratePrepare3Params(virConnectPtr dconn, uri_in, uri_out, &def, origname, listenAddress, migrate_disks, nbdPort, - nbdURI, migParams, flags); + nbdURI, tls_psk_directory, migPar= ams, flags); } =20 =20 
@@ -11461,7 +11465,7 @@ qemuDomainMigratePerform3(virDomainPtr dom, =20 ret =3D qemuMigrationSrcPerform(driver, dom->conn, vm, xmlin, NULL, dconnuri, uri, NULL, NULL, NULL, NULL, N= ULL, 0, - NULL, migParams, + NULL, NULL, migParams, cookiein, cookieinlen, cookieout, cookieoutlen, flags, dname, bandwidth, true); @@ -11489,6 +11493,7 @@ qemuDomainMigratePerform3Params(virDomainPtr dom, const char *dname =3D NULL; const char *uri =3D NULL; const char *graphicsuri =3D NULL; + const char *tls_psk_directory =3D NULL; const char *listenAddress =3D NULL; g_autofree const char **migrate_disks =3D NULL; g_autofree const char **migrate_disks_detect_zeroes =3D NULL; @@ -11529,7 +11534,10 @@ qemuDomainMigratePerform3Params(virDomainPtr dom, &nbdURI) < 0 || virTypedParamsGetString(params, nparams, VIR_MIGRATE_PARAM_PERSIST_XML, - &persist_xml) < 0) + &persist_xml) < 0 || + virTypedParamsGetString(params, nparams, + VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY, + &tls_psk_directory) < 0) goto cleanup; =20 =20 @@ -11580,7 +11588,7 @@ qemuDomainMigratePerform3Params(virDomainPtr dom, migrate_disks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - nbdPort, nbdURI, migParams, + nbdPort, nbdURI, tls_psk_directory, migP= arams, cookiein, cookieinlen, cookieout, cookie= outlen, flags, dname, bandwidth, true); cleanup: diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 239d547bb0..79d11732a7 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3320,6 +3320,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, const char **migrate_disks, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags) { 
@@ -3432,7 +3433,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, if (qemuMigrationParamsEnableTLSPSK(driver, vm, true, VIR_ASYNC_JOB_MIGRATION_IN, &tlsPSKAlias, NULL, - migParams) < 0) + tls_psk_directory, migPara= ms) < 0) goto error; break; case VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK: @@ -3533,6 +3534,7 @@ qemuMigrationDstPrepareFresh(virQEMUDriver *driver, const char **migrate_disks, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags) { @@ -3546,9 +3548,10 @@ qemuMigrationDstPrepareFresh(virQEMUDriver *driver, bool taint_hook =3D false; =20 VIR_DEBUG("name=3D%s, origname=3D%s, protocol=3D%s, port=3D%hu, " - "listenAddress=3D%s, nbdPort=3D%d, nbdURI=3D%s, flags=3D0x%x= ", + "listenAddress=3D%s, nbdPort=3D%d, nbdURI=3D%s," + "tls_psk_directory=3D%s, flags=3D0x%x", (*def)->name, NULLSTR(origname), protocol, port, - listenAddress, nbdPort, NULLSTR(nbdURI), flags); + listenAddress, nbdPort, NULLSTR(nbdURI), NULLSTR(tls_psk_dir= ectory), flags); =20 if (!(flags & VIR_MIGRATE_OFFLINE)) { cookieFlags =3D QEMU_MIGRATION_COOKIE_GRAPHICS | @@ -3641,6 +3644,7 @@ qemuMigrationDstPrepareFresh(virQEMUDriver *driver, protocol, port, listenAddress, migrate_disks, nbdPort, nbdURI, + tls_psk_directory, migParams, flags) < 0) { goto stopjob; } @@ -3806,6 +3810,7 @@ qemuMigrationDstPrepareAny(virQEMUDriver *driver, const char **migrate_disks, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags) { @@ -3867,6 +3872,7 @@ qemuMigrationDstPrepareAny(virQEMUDriver *driver, port, autoPort, listenAddress, migrate_disks, nbdPort, nbdURI, + tls_psk_directory, migParams, flags); } =20 
@@ -3903,7 +3909,7 @@ qemuMigrationDstPrepareTunnel(virQEMUDriver *driver, return qemuMigrationDstPrepareAny(driver, dconn, cookiein, cookieinlen, cookieout, cookieoutlen, def, origna= me, st, NULL, 0, false, NULL, NULL, 0, - NULL, migParams, flags); + NULL, NULL, migParams, flags); } =20 =20 @@ -3944,6 +3950,7 @@ qemuMigrationDstPrepareDirect(virQEMUDriver *driver, const char **migrate_disks, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags) { @@ -3959,12 +3966,12 @@ qemuMigrationDstPrepareDirect(virQEMUDriver *driver, "cookieout=3D%p, cookieoutlen=3D%p, uri_in=3D%s, uri_out=3D%= p, " "def=3D%p, origname=3D%s, listenAddress=3D%s, " "migrate_disks=3D%p, nbdPort=3D%d, " - "nbdURI=3D%s, flags=3D0x%x", + "nbdURI=3D%s, tls_psk_directory=3D%s, flags=3D0x%x", driver, dconn, NULLSTR(cookiein), cookieinlen, cookieout, cookieoutlen, NULLSTR(uri_in), uri_out, *def, origname, NULLSTR(listenAddress), migrate_disks, nbdPort, NULLSTR(nbdURI), - flags); + NULLSTR(tls_psk_directory), flags); =20 *uri_out =3D NULL; =20 @@ -4072,7 +4079,7 @@ qemuMigrationDstPrepareDirect(virQEMUDriver *driver, NULL, uri ? uri->scheme : "tcp", port, autoPort, listenAddress, migrate_disks, nbdPort, - nbdURI, migParams, flags); + nbdURI, tls_psk_directory, migParams,= flags); cleanup: if (ret !=3D 0) { VIR_FREE(*uri_out); @@ -4993,7 +5000,8 @@ qemuMigrationSrcRun(virQEMUDriver *driver, const char **migrate_disks_detect_zeroes, const char **migrate_disks_target_zero, qemuMigrationParams *migParams, - const char *nbdURI) + const char *nbdURI, + const char *tls_psk_directory) { int ret =3D -1; qemuDomainObjPrivate *priv =3D vm->privateData; @@ -5114,7 +5122,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, if (qemuMigrationParamsEnableTLSPSK(driver, vm, false, VIR_ASYNC_JOB_MIGRATION_OU= T, &tlsPSKAlias, spec->dest.h= ost.username, - migParams) < 0) + tls_psk_directory, migPara= ms) < 0) goto error; break; } 
@@ -5444,7 +5452,8 @@ qemuMigrationSrcPerformNative(virQEMUDriver *driver, const char **migrate_disks_detect_zeroes, const char **migrate_disks_target_zero, qemuMigrationParams *migParams, - const char *nbdURI) + const char *nbdURI, + const char *tls_psk_directory) { g_autoptr(virURI) uribits =3D NULL; int ret =3D -1; @@ -5521,7 +5530,7 @@ qemuMigrationSrcPerformNative(virQEMUDriver *driver, &spec, dconn, graphicsuri, migrate_disks, migrate_disks_detect_zero= es, migrate_disks_target_zero, - migParams, nbdURI); + migParams, nbdURI, tls_psk_directory); } =20 if (spec.destType =3D=3D MIGRATION_DEST_FD) @@ -5584,7 +5593,7 @@ qemuMigrationSrcPerformTunnel(virQEMUDriver *driver, ret =3D qemuMigrationSrcRun(driver, vm, persist_xml, cookiein, cookiei= nlen, cookieout, cookieoutlen, flags, bandwidth, &= spec, dconn, graphicsuri, NULL, NULL, NULL, - migParams, NULL); + migParams, NULL, NULL); =20 cleanup: VIR_FORCE_CLOSE(spec.dest.fd.qemu); @@ -5623,7 +5632,7 @@ qemuMigrationSrcPerformResume(virQEMUDriver *driver, ret =3D qemuMigrationSrcPerformNative(driver, vm, NULL, uri, cookiein, cookieinlen, cookieout, cookieoutlen, flags, - 0, NULL, NULL, NULL, NULL, NULL, m= igParams, NULL); + 0, NULL, NULL, NULL, NULL, NULL, m= igParams, NULL, NULL); =20 virCloseCallbacksDomainAdd(vm, conn, qemuMigrationAnyConnectionClosed); =20 @@ -5731,7 +5740,7 @@ qemuMigrationSrcPerformPeer2Peer2(virQEMUDriver *driv= er, cookie, cookielen, NULL, NULL, /* No out cookie w= ith v2 migration */ flags, bandwidth, dconn, NULL,= NULL, NULL, - NULL, migParams, NULL); + NULL, migParams, NULL, NULL); =20 /* Perform failed. Make sure Finish doesn't overwrite the error */ if (ret < 0) @@ -5798,6 +5807,7 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriver *driv= er, const char **migrate_disks_target_zero, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned long long bandwidth, bool useParams, 
@@ -5824,12 +5834,12 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriver *dr= iver, "dname=3D%s, uri=3D%s, graphicsuri=3D%s, listenAddress=3D%s,= " "migrate_disks=3D%p, migrate_disks_detect_zeroes=3D%p, " "migrate_disks_target_zero=3D%p, nbdPort=3D%d, nbdURI=3D%s, " - "bandwidth=3D%llu, useParams=3D%d, flags=3D0x%x", + "tls_psk_directory=3D%s, bandwidth=3D%llu, useParams=3D%d, f= lags=3D0x%x", driver, sconn, dconn, NULLSTR(dconnuri), vm, NULLSTR(xmlin), NULLSTR(dname), NULLSTR(uri), NULLSTR(graphicsuri), NULLSTR(listenAddress), migrate_disks, migrate_disks_detect_= zeroes, migrate_disks_target_zero, nbdPort, - NULLSTR(nbdURI), bandwidth, useParams, flags); + NULLSTR(nbdURI), NULLSTR(tls_psk_directory), bandwidth, useP= arams, flags); =20 /* Unlike the virDomainMigrateVersion3 counterpart, we don't need * to worry about auto-setting the VIR_MIGRATE_CHANGE_PROTECTION @@ -5919,6 +5929,12 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriver *dri= ver, nbdURI) < 0) goto cleanup; =20 + if (tls_psk_directory && + virTypedParamsAddString(¶ms, &nparams, &maxparams, + VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY, + tls_psk_directory) < 0) + goto cleanup; + if (qemuMigrationParamsDump(migParams, ¶ms, &nparams, &maxparams, &flags) < 0) goto cleanup; @@ -6022,7 +6038,7 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriver *driv= er, flags, bandwidth, dconn, g= raphicsuri, migrate_disks, migrate_dis= ks_detect_zeroes, migrate_disks_target_zero, - migParams, nbdURI); + migParams, nbdURI, tls_psk= _directory); } =20 if (ret =3D=3D 0) @@ -6199,6 +6215,7 @@ qemuMigrationSrcPerformPeer2Peer(virQEMUDriver *drive= r, const char **migrate_disks_target_zero, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags, const char *dname, 
@@ -6217,11 +6234,12 @@ qemuMigrationSrcPerformPeer2Peer(virQEMUDriver *dri= ver, =20 VIR_DEBUG("driver=3D%p, sconn=3D%p, vm=3D%p, xmlin=3D%s, dconnuri=3D%s= , uri=3D%s, " "graphicsuri=3D%s, listenAddress=3D%s, " - "migrate_disks=3D%p, nbdPort=3D%d, nbdURI=3D%s, flags=3D0x%x= , " - "dname=3D%s, bandwidth=3D%lu", + "migrate_disks=3D%p, nbdPort=3D%d, nbdURI=3D%s, tls_psk_dire= ctory=3D%s, " + "flags=3D0x%x, dname=3D%s, bandwidth=3D%lu", driver, sconn, vm, NULLSTR(xmlin), NULLSTR(dconnuri), NULLSTR(uri), NULLSTR(graphicsuri), NULLSTR(listenAddress), migrate_disks, nbdPort, NULLSTR(nbdURI), + NULLSTR(tls_psk_directory), flags, NULLSTR(dname), bandwidth); =20 if (flags & VIR_MIGRATE_TUNNELLED && uri) { @@ -6323,7 +6341,7 @@ qemuMigrationSrcPerformPeer2Peer(virQEMUDriver *drive= r, persist_xml, dname, uri, g= raphicsuri, listenAddress, migrate_dis= ks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - nbdPort, nbdURI, migParams= , bandwidth, + nbdPort, nbdURI, tls_psk_d= irectory, migParams, bandwidth, !!useParams, flags); } else { ret =3D qemuMigrationSrcPerformPeer2Peer2(driver, sconn, dconn, vm, @@ -6363,6 +6381,7 @@ qemuMigrationSrcPerformJob(virQEMUDriver *driver, const char **migrate_disks_target_zero, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, const char *cookiein, int cookieinlen, @@ -6412,7 +6431,7 @@ qemuMigrationSrcPerformJob(virQEMUDriver *driver, dconnuri, uri, graphicsuri,= listenAddress, migrate_disks, migrate_disk= s_detect_zeroes, migrate_disks_target_zero, - nbdPort, nbdURI, + nbdPort, nbdURI, tls_psk_di= rectory, migParams, flags, dname, ba= ndwidth, &v3proto); } else { 
@@ -6422,7 +6441,7 @@ qemuMigrationSrcPerformJob(virQEMUDriver *driver, ret =3D qemuMigrationSrcPerformNative(driver, vm, persist_xml, uri= , cookiein, cookieinlen, cookieout, cookieoutlen, flags, bandwidth, NULL, NULL, = NULL, NULL, NULL, - migParams, nbdURI); + migParams, nbdURI, tls_psk_dir= ectory); } if (ret < 0) goto endjob; @@ -6497,7 +6516,8 @@ qemuMigrationSrcPerformPhase(virQEMUDriver *driver, int *cookieoutlen, unsigned int flags, unsigned long bandwidth, - const char *nbdURI) + const char *nbdURI, + const char *tls_psk_directory) { qemuDomainObjPrivate *priv =3D vm->privateData; qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; @@ -6527,7 +6547,7 @@ qemuMigrationSrcPerformPhase(virQEMUDriver *driver, flags, bandwidth, NULL, graphicsuri, migrate_disks, migrate_disks_detect_= zeroes, migrate_disks_target_zero, - migParams, nbdURI) < 0) + migParams, nbdURI, tls_psk_directory= ) < 0) goto cleanup; =20 virCloseCallbacksDomainAdd(vm, conn, qemuMigrationAnyConnectionClosed); @@ -6573,6 +6593,7 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, const char **migrate_disks_target_zero, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, const char *cookiein, int cookieinlen, @@ -6588,12 +6609,13 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, VIR_DEBUG("driver=3D%p, conn=3D%p, vm=3D%p, xmlin=3D%s, dconnuri=3D%s,= " "uri=3D%s, graphicsuri=3D%s, listenAddress=3D%s, " "migrate_disks=3D%p, nbdPort=3D%d, " - "nbdURI=3D%s, " + "nbdURI=3D%s, tls_psk_directory=3D%s, " "cookiein=3D%s, cookieinlen=3D%d, cookieout=3D%p, cookieoutl= en=3D%p, " "flags=3D0x%x, dname=3D%s, bandwidth=3D%lu, v3proto=3D%d", driver, conn, vm, NULLSTR(xmlin), NULLSTR(dconnuri), NULLSTR(uri), NULLSTR(graphicsuri), NULLSTR(listenAddress), migrate_disks, nbdPort, NULLSTR(nbdURI), + NULLSTR(tls_psk_directory), NULLSTR(cookiein), cookieinlen, cookieout, cookieoutlen, flags, NULLSTR(dname), bandwidth, v3proto); =20 
@@ -6616,7 +6638,7 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, graphicsuri, listenAddress, migrate_disks, migrate_disks_det= ect_zeroes, migrate_disks_target_zero, - nbdPort, nbdURI, migParams, + nbdPort, nbdURI, tls_psk_directo= ry, migParams, cookiein, cookieinlen, cookieout, cookieoutlen, flags, dname, bandwidth, v3proto= ); @@ -6636,14 +6658,14 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, migParams, cookiein, cookieinlen, cookieout, cookieoutlen, - flags, bandwidth, nbdURI); + flags, bandwidth, nbdURI, tls_= psk_directory); } =20 return qemuMigrationSrcPerformJob(driver, conn, vm, xmlin, persist_xml= , NULL, uri, graphicsuri, listenAddress, migrate_disks, migrate_disks_detect_= zeroes, migrate_disks_target_zero, - nbdPort, nbdURI, migParams, + nbdPort, nbdURI, tls_psk_directory, = migParams, cookiein, cookieinlen, cookieout, cookieoutlen, flags, dname, bandwidth, v3proto); diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index 7fbf959ee6..6154037c0d 100644 --- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h @@ -140,6 +140,7 @@ qemuMigrationDstPrepareDirect(virQEMUDriver *driver, const char **migrate_disks, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags); =20 @@ -158,6 +159,7 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, const char **migrate_disks_target_zero, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, const char *cookiein, int cookieinlen, diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_par= ams.c index 1c6ab6fc8a..d6099894c5 100644 --- a/src/qemu/qemu_migration_params.c +++ b/src/qemu/qemu_migration_params.c 
@@ -1258,17 +1258,13 @@ qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driv= er, int asyncJob, char **tlsPSKAlias, const char *username, + const char *tls_psk_directory, qemuMigrationParams *migParams) { qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; g_autoptr(virJSONValue) tlsPSKProps =3D NULL; g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); - - if (!cfg->migrateTLSPSKdir) { - virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("host migration TLS-PSK directory not configured")); - return -1; - } + const char *pskDirectory =3D qemuMigrationParamsGetTLSPSKDirectory(dri= ver, tls_psk_directory); =20 if (!jobPriv->migParams->params[QEMU_MIGRATION_PARAM_TLS_CREDS].set) { virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", @@ -1279,8 +1275,8 @@ qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver, if (!(*tlsPSKAlias =3D qemuAliasTLSPSKObjFromSrcAlias(QEMU_MIGRATION_T= LS_ALIAS_BASE))) return -1; =20 - if (qemuDomainGetTLSPSKObjects(cfg->migrateTLSPSKdir, tlsListen, - username, *tlsPSKAlias, &tlsPSKProps) < 0) + if (qemuDomainGetTLSPSKObjects(pskDirectory, tlsListen, + username, *tlsPSKAlias, &tlsPSKProps) <= 0) return -1; =20 /* Ensure the domain doesn't already have the TLS-PSK objects defined.= .. 
@@ -1847,3 +1843,32 @@ qemuMigrationParamsGetTLSHostname(qemuMigrationParam= s *migParams) =20 return hostname; } + + +/** + * qemuMigrationParamsGetTLSPSKDirectory: + * @migParams: Migration params object + * @tls_psk_directory: path containing the TLS-PSK key file provided by th= e client + * + * Identifies the correct value of the directory that stores the pre-share= d keys + * required for the TLS-based authentication based on the precedence. + */ +const char * +qemuMigrationParamsGetTLSPSKDirectory(virQEMUDriver *driver, + const char *tls_psk_directory) +{ + const char *pskDirectory =3D NULL; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); + + if (tls_psk_directory) { + pskDirectory =3D tls_psk_directory; + } else { + if (!cfg->migrateTLSPSKdir) { + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("host migration TLS-PSK directory not configured"= )); + return NULL; + } + pskDirectory =3D cfg->migrateTLSPSKdir; + } + return pskDirectory; +} diff --git a/src/qemu/qemu_migration_params.h b/src/qemu/qemu_migration_par= ams.h index 07f5812065..eec08f3c69 100644 --- a/src/qemu/qemu_migration_params.h +++ b/src/qemu/qemu_migration_params.h @@ -130,6 +130,7 @@ qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver, int asyncJob, char **tlsPSKAlias, const char *username, + const char *tls_psk_directory, qemuMigrationParams *migParams); =20 int @@ -199,3 +200,7 @@ qemuMigrationCapsGet(virDomainObj *vm, =20 const char * qemuMigrationParamsGetTLSHostname(qemuMigrationParams *migParams); + +const char * +qemuMigrationParamsGetTLSPSKDirectory(virQEMUDriver *driver, + const char *tls_psk_directory); diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index 286abd2f1c..c939274881 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c 
@@ -11667,6 +11667,13 @@ doMigrate(void *opaque) VIR_MIGRATE_PARAM_TLS_DESTINATION, opt) < = 0) goto save_error; =20 + if (vshCommandOptString(ctl, cmd, "tls-psk-directory", &opt) < 0) + goto out; + if (opt && + virTypedParamsAddString(¶ms, &nparams, &maxparams, + VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY, opt) = < 0) + goto save_error; + if ((rv =3D vshCommandOptULongLong(ctl, cmd, "available-switchover-ban= dwidth", &ullOpt)) < 0) { goto out; } else if (rv > 0) { --=20 2.39.3
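Review bot: The doc comment for VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY in include/libvirt/libvirt-domain.h does not say on which host the path is resolved. Further down, qemuMigrationSrcPerformPeer2Peer3 adds the same string to the params it builds for the destination, so in a peer-to-peer migration one path is applied on both hosts. The comment should state that, say that the value takes precedence over the qemu.conf directory, and say what is expected of the path (for example absolute and readable by QEMU). Also, "key files on a host is stored" should read "are stored".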
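Review bot: In qemuDomainMigratePrepare3Params (src/qemu/qemu_driver.c) the new virTypedParamsGetString() lookup runs after virTypedParamsValidateTemplate(params, nparams, qemuMigrationParametersValidation), yet no hunk in this patch adds VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY to that template. If the template rejects unknown keys, a caller that sets the parameter fails validation before this lookup is reached. Please add the entry in this patch or point to the patch in the series that does.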
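Review bot: The debug format string in qemuMigrationDstPrepareFresh (src/qemu/qemu_migration.c) loses a space where the literal is split: "nbdURI=%s," is followed directly by "tls_psk_directory=%s", so the log reads "nbdURI=...,tls_psk_directory=...". Add the trailing space to the first literal to match the other fields.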
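Review bot: qemuMigrationSrcPerformResume (src/qemu/qemu_migration.c) passes NULL for the new tls_psk_directory argument of qemuMigrationSrcPerformNative. If the resume path can reach the TLS-PSK setup in qemuMigrationSrcRun, it will look in the qemu.conf directory even when the original migration used a custom one. If resume never re-creates the TLS-PSK object, a short comment at this call saying so would help; otherwise the directory has to be carried over from the original job.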
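Review bot: In qemuMigrationParamsEnableTLSPSK (src/qemu/qemu_migration_params.c) the result of qemuMigrationParamsGetTLSPSKDirectory() is never checked. The removed block returned -1 when cfg->migrateTLSPSKdir was unset; now the helper reports that error and returns NULL, but this function carries on and passes a NULL pskDirectory to qemuDomainGetTLSPSKObjects(). Add `if (!pskDirectory) return -1;` right after the assignment so the unconfigured case still fails before any TLS-PSK object is built.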
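Review bot: qemuMigrationParamsGetTLSPSKDirectory (end of src/qemu/qemu_migration_params.c) accepts the client-supplied tls_psk_directory as is: any non-NULL value, including an empty or relative string, replaces the administrator's qemu.conf setting with no check. Consider rejecting empty and non-absolute paths with an invalid-argument error before returning it. Two smaller points in the same function: the fallback returns cfg->migrateTLSPSKdir, a pointer owned by a cfg whose reference g_autoptr drops on return, so it would be safer to take the caller's cfg as a parameter or return a copy; and the doc block lists @migParams while the actual first parameter is driver.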
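Review bot: doMigrate (tools/virsh-domain.c) now reads "tls-psk-directory" with vshCommandOptString(), but the diffstat shows only these 7 added lines in the file, so the option is not declared in the migrate command's option table and the virsh man page is not updated. Please add the option definition alongside the one that feeds VIR_MIGRATE_PARAM_TLS_DESTINATION and document it; without the declaration the flag cannot be passed on the command line.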