From: Abhisek Panda
To: devel@lists.libvirt.org
Subject: [PATCH v1 1/7] conf: Add configuration params for TLS-PSK
Date: Wed, 27 May 2026 09:17:27 +0000
Message-ID: <20260527091735.3633179-2-abhisek.panda1@nutanix.com>
X-Mailer: git-send-email 2.43.7
In-Reply-To: <20260527091735.3633179-1-abhisek.panda1@nutanix.com>
References: <20260527091735.3633179-1-abhisek.panda1@nutanix.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
CC: tejus.gk@nutanix.com, mark.caveayland@nutanix.com, Abhisek Panda
List-Id: Development discussions about the libvirt library & tools
Content-Type: text/plain; charset="utf-8"

For encrypted migration of VMs, QEMU provides the TLS-PSK authentication apart from TLS certificates. This mechanism relies on pre-shared keys (a secret key that is known to both sender and receiver prior to secure communication) for providing secure transfer of data. We store these keys in a pre-shared key file, where each line contains a pair of identifier and its corresponding key. During an encrypted migration, the parties negotiate which unique identifier to utilize, then parse the key file to extract the key matching the identifier. Add the "migrate_tls_psk_dir" parameter to qemu.conf to allow users to define the path containing the pre-shared keys.
In case the user does not define this parameter and attempts to utilize TLS-PSK for migration, we fallback to the configurable "default_tls_psk_dir" parameter whose value is set to /etc/pki/qemu-psk by default. In addition, we get the client identity by parsing the migration URI, defaulting to 'qemu' if username is undefined. Example entry format in a PSK file: qemu:61aa7b2c93d4e8f10c25b6a782e3f4051a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d Suggested-by: Tejus GK Signed-off-by: Abhisek Panda --- src/qemu/libvirtd_qemu.aug | 2 ++ src/qemu/qemu.conf.in | 19 +++++++++++ src/qemu/qemu_conf.c | 55 +++++++++++++++++++++++++++++- src/qemu/qemu_conf.h | 3 ++ src/qemu/qemu_migration.c | 2 ++ src/qemu/test_libvirtd_qemu.aug.in | 2 ++ tests/testutilsqemu.c | 2 ++ 7 files changed, 84 insertions(+), 1 deletion(-) diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index eb790d48be..75639919fa 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -29,6 +29,7 @@ module Libvirtd_qemu =3D (* Config entry grouped by function - same order as example config *) let default_tls_entry =3D str_entry "default_tls_x509_cert_dir" | bool_entry "default_tls_x509_verify" + | str_entry "default_tls_psk_dir" | str_entry "default_tls_x509_secret_uuid" | str_entry "default_tls_priority" =20 @@ -68,6 +69,7 @@ module Libvirtd_qemu =3D | str_entry "migrate_tls_x509_secret_uuid" | str_entry "migrate_tls_priority" | bool_entry "migrate_tls_force" + | str_entry "migrate_tls_psk_dir" =20 let backup_entry =3D str_entry "backup_tls_x509_cert_dir" | bool_entry "backup_tls_x509_verify" diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in index 5eacd70022..5dfd3229e5 100644 --- a/src/qemu/qemu.conf.in +++ b/src/qemu/qemu.conf.in 
@@ -49,6 +49,17 @@ #default_tls_x509_verify =3D 1 =20 =20 +# Use of TLS-PSK requires the pre-shared key files to be present. +# The default is to keep them in /etc/pki/qemu-psk. This directory must co= ntain +# keys.psk - PSK key information +# +# If the directory does not exist, libvirtd will fail to start. If the +# directory doesn't contain the necessary files, VM migration will fail +# during TLS handshake if they are configured to use TLS-PSK. +# +#default_tls_psk_dir =3D "/etc/pki/qemu-psk" + + # Libvirt assumes the server-key.pem file is unencrypted by default. # To use an encrypted server-key.pem file, the password to decrypt # the PEM file is required. This can be provided by creating a secret @@ -437,6 +448,14 @@ #migrate_tls_force =3D 0 =20 =20 +# In order to override the default TLS pre-shared key files location for m= igration, +# supply a valid path to the key files. If the provided path does not exis= t, libvirtd +# will fail to start. If the path is not provided, but TLS-PSK-based migra= tion is +# requested, then the default_tls_psk_dir path will be used. +# +#migrate_tls_psk_dir =3D "/etc/pki/libvirt-migrate-psk" + + # In order to override the default TLS certificate location for backup NBD # server certificates, supply a valid path to the certificate directory. I= f the # provided path does not exist, libvirtd will fail to start. If the path is diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 9c32310096..f52c8d78dd 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c 
@@ -245,14 +245,16 @@ virQEMUDriverConfig *virQEMUDriverConfigNew(bool priv= ileged, cfg->passtStateDir =3D g_strdup_printf("%s/passt", cfg->stateDir); cfg->dbusStateDir =3D g_strdup_printf("%s/dbus", cfg->stateDir); =20 - /* Set the default directory to find TLS X.509 certificates. + /* Set the default directory to find TLS X.509 certificates and pre-sh= ared key files. * This will then be used as a fallback if the service specific * directory doesn't exist (although we don't check if this exists). */ if (root =3D=3D NULL) { cfg->defaultTLSx509certdir =3D g_strdup(SYSCONFDIR "/pki/qemu"); + cfg->defaultTLSPSKdir =3D g_strdup(SYSCONFDIR "/pki/qemu-psk"); } else { cfg->defaultTLSx509certdir =3D g_strdup_printf("%s/etc/pki/qemu", = root); + cfg->defaultTLSPSKdir =3D g_strdup_printf("%s/etc/pki/qemu-psk", r= oot); } =20 cfg->vncListen =3D g_strdup(VIR_LOOPBACK_IPV4_ADDR); @@ -380,6 +382,7 @@ static void virQEMUDriverConfigDispose(void *obj) =20 g_free(cfg->defaultTLSx509certdir); g_free(cfg->defaultTLSx509secretUUID); + g_free(cfg->defaultTLSPSKdir); =20 g_free(cfg->vncTLSx509certdir); g_free(cfg->vncTLSx509secretUUID); @@ -406,6 +409,8 @@ static void virQEMUDriverConfigDispose(void *obj) g_free(cfg->migrateTLSx509certdir); g_free(cfg->migrateTLSx509secretUUID); =20 + g_free(cfg->migrateTLSPSKdir); + g_free(cfg->backupTLSx509certdir); g_free(cfg->backupTLSx509secretUUID); =20 @@ -472,6 +477,9 @@ virQEMUDriverConfigLoadDefaultTLSEntry(virQEMUDriverCon= fig *cfg, if (virConfGetValueString(conf, "default_tls_priority", &cfg->defaultTLSpriority) < 0) return -1; + if ((rv =3D virConfGetValueString(conf, "default_tls_psk_dir", &cfg->d= efaultTLSPSKdir)) < 0) + return -1; + cfg->defaultTLSPSKdirPresent =3D (rv =3D=3D 1); =20 return 0; } 
@@ -611,6 +619,11 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverC= onfig *cfg, =20 #undef GET_CONFIG_TLS_CERTINFO_COMMON #undef GET_CONFIG_TLS_CERTINFO_SERVER + + if (virConfGetValueString(conf, "migrate_tls_psk_dir", + &cfg->migrateTLSPSKdir) < 0) + return -1; + return 0; } =20 @@ -1445,6 +1458,15 @@ virQEMUDriverConfigValidate(virQEMUDriverConfig *cfg) } } =20 + if (cfg->defaultTLSPSKdirPresent) { + if (!virFileExists(cfg->defaultTLSPSKdir)) { + virReportError(VIR_ERR_CONF_SYNTAX, + _("default_tls_psk_dir directory '%1$s' does no= t exist"), + cfg->defaultTLSPSKdir); + return -1; + } + } + if (cfg->vncTLSx509certdir && !virFileExists(cfg->vncTLSx509certdir)) { virReportError(VIR_ERR_CONF_SYNTAX, @@ -1485,6 +1507,14 @@ virQEMUDriverConfigValidate(virQEMUDriverConfig *cfg) return -1; } =20 + if (cfg->migrateTLSPSKdir && + !virFileExists(cfg->migrateTLSPSKdir)) { + virReportError(VIR_ERR_CONF_SYNTAX, + _("migrate_tls_psk_dir directory '%1$s' does not ex= ist"), + cfg->migrateTLSPSKdir); + return -1; + } + if (cfg->backupTLSx509certdir && !virFileExists(cfg->backupTLSx509certdir)) { virReportError(VIR_ERR_CONF_SYNTAX, @@ -1586,6 +1616,29 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfig *= cfg) =20 #undef SET_TLS_VERIFY_DEFAULT =20 + + /* + * If a "SYSCONFDIR" + "pki/libvirt--psk" exists, then assume som= eone + * has created a val specific area to place service specific key files. + * + * If the service specific directory doesn't exist, 'assume' that the + * user has created and populated the "SYSCONFDIR" + "pki/libvirt-defa= ult-psk". + */ +#define SET_TLS_PSK_DEFAULT(val) \ + do { \ + if (cfg->val ## TLSPSKdir) \ + break; \ + if (virFileExists(SYSCONFDIR "/pki/libvirt-"#val"-psk")) { \ + cfg->val ## TLSPSKdir =3D g_strdup(SYSCONFDIR "/pki/libvirt-"= #val"-psk"); \ + } else { \ + cfg->val ## TLSPSKdir =3D g_strdup(cfg->defaultTLSPSKdir); \ + } \ + } while (0) + + SET_TLS_PSK_DEFAULT(migrate); + + #undef SET_TLS_PSK_DEFAULT + return 0; } =20 
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index 511ab77f71..ba7364dc89 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -130,6 +130,8 @@ struct _virQEMUDriverConfig { bool defaultTLSx509verifyPresent; char *defaultTLSx509secretUUID; char *defaultTLSpriority; + char *defaultTLSPSKdir; + bool defaultTLSPSKdirPresent; =20 bool vncAutoUnixSocket; bool vncTLS; @@ -169,6 +171,7 @@ struct _virQEMUDriverConfig { char *migrateTLSx509secretUUID; char *migrateTLSpriority; bool migrateTLSForce; + char *migrateTLSPSKdir; =20 char *backupTLSx509certdir; bool backupTLSx509verify; diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 4a43ab83b0..af981fb992 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -4355,6 +4355,7 @@ struct _qemuMigrationSpec { const char *protocol; const char *name; int port; + const char *username; } host; =20 struct { @@ -5460,6 +5461,7 @@ qemuMigrationSrcPerformNative(virQEMUDriver *driver, spec.dest.host.protocol =3D uribits->scheme; spec.dest.host.name =3D uribits->server; spec.dest.host.port =3D uribits->port; + spec.dest.host.username =3D uribits->user; } =20 spec.fwdType =3D MIGRATION_FWD_DIRECT; diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe= mu.aug.in index 2582c6a09c..9782e45b59 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in @@ -4,6 +4,7 @@ module Test_libvirtd_qemu =3D test Libvirtd_qemu.lns get conf =3D { "default_tls_x509_cert_dir" =3D "/etc/pki/qemu" } { "default_tls_x509_verify" =3D "1" } +{ "default_tls_psk_dir" =3D "/etc/pki/qemu-psk" } { "default_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } { "default_tls_priority" =3D "@SYSTEM" } { "vnc_listen" =3D "0.0.0.0" } 
@@ -45,6 +46,7 @@ module Test_libvirtd_qemu =3D { "migrate_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } { "migrate_tls_priority" =3D "@SYSTEM" } { "migrate_tls_force" =3D "0" } +{ "migrate_tls_psk_dir" =3D "/etc/pki/libvirt-migrate-psk" } { "backup_tls_x509_cert_dir" =3D "/etc/pki/libvirt-backup" } { "backup_tls_x509_verify" =3D "1" } { "backup_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000"= } diff --git a/tests/testutilsqemu.c b/tests/testutilsqemu.c index e7a61d0c6f..6c71272e80 100644 --- a/tests/testutilsqemu.c +++ b/tests/testutilsqemu.c 
@@ -401,6 +401,8 @@ int qemuTestDriverInit(virQEMUDriver *driver) cfg->nbdTLSx509certdir =3D g_strdup("/etc/pki/libvirt-nbd"); VIR_FREE(cfg->migrateTLSx509certdir); cfg->migrateTLSx509certdir =3D g_strdup("/etc/pki/libvirt-migrate"); + VIR_FREE(cfg->migrateTLSPSKdir); + cfg->migrateTLSPSKdir =3D g_strdup("/etc/pki/libvirt-migrate-psk"); VIR_FREE(cfg->backupTLSx509certdir); cfg->backupTLSx509certdir =3D g_strdup("/etc/pki/libvirt-backup"); =20 --=20 2.39.3
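
Review bot: In src/qemu/qemu.conf.in, the default_tls_psk_dir comment says libvirtd will fail to start if the directory does not exist, but virQEMUDriverConfigValidate() only runs that check under "if (cfg->defaultTLSPSKdirPresent)", so a missing default /etc/pki/qemu-psk is not an error. Suggest wording it as "If this setting is provided and the directory does not exist, libvirtd will fail to start". Since keys.psk holds secret key material, the comment should also state the ownership and mode the file is expected to have.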
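
Review bot: In src/qemu/qemu.conf.in, the migrate_tls_psk_dir comment leaves out a step of the fallback that SET_TLS_PSK_DEFAULT(migrate) implements. The comment says an unset value falls back to default_tls_psk_dir, but the macro first probes SYSCONFDIR "/pki/libvirt-migrate-psk" and uses it when it exists. Suggest documenting that probe, so an administrator knows that creating that directory changes which key file migration uses even when qemu.conf is untouched.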
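
Review bot: In the two virQEMUDriverConfigValidate() hunks of src/qemu/qemu_conf.c, the new checks call virFileExists() while the error text says "directory '%1$s' does not exist", so a regular file at that path passes validation. Suggest virFileIsDir() for both default_tls_psk_dir and migrate_tls_psk_dir, so a mistyped path that points at a file is rejected at daemon start rather than at migration time.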
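
Review bot: In the virQEMUDriverConfigSetDefaults() hunk of src/qemu/qemu_conf.c, the comment above SET_TLS_PSK_DEFAULT does not match the code. It reads "pki/libvirt--psk" and "a val specific area", which looks like a lost placeholder, and it names the fallback as SYSCONFDIR + "pki/libvirt-default-psk", whereas the macro falls back to cfg->defaultTLSPSKdir, whose built-in value is SYSCONFDIR "/pki/qemu-psk". Suggest rewriting the comment to name the real paths. As the macro is only instantiated once, for migrate, a short inline block would also be easier to read than a macro.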
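
Review bot: In the qemuMigrationSrcPerformNative() hunk of src/qemu/qemu_migration.c, "spec.dest.host.username =3D uribits->user;" stores NULL when the migration URI has no username, and nothing in this patch applies the 'qemu' default that the commit message describes. Suggest either applying the default here or adding a comment on the new struct member stating that it may be NULL and which later patch substitutes the default, so no consumer dereferences it unchecked.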
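
The key-file lookup that the commit message above describes, sketched as an added example; it is not part of the patch and not libvirt or QEMU code. It assumes the "identity:hexkey" line format shown in the commit message; the function names, status codes, the 16-byte minimum key length and the reject-the-whole-file-on-any-bad-line behaviour are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this example; libvirt and QEMU define none of these. */
enum psk_status {
    PSK_OK = 0,
    PSK_NOT_FOUND,  /* file is well formed but has no entry for the identity */
    PSK_BAD_LINE,   /* missing ':' separator or empty identity */
    PSK_BAD_HEX,    /* key is empty, odd-length or contains non-hex characters */
    PSK_WEAK_KEY,   /* key decodes to fewer than PSK_MIN_KEY_BYTES bytes */
    PSK_DUPLICATE   /* requested identity is listed more than once */
};

#define PSK_MIN_KEY_BYTES 16 /* assumed local policy, not taken from the patch */

/* Constructed sample: the entry from the commit message plus a made-up second host. */
static const char SAMPLE_PSK[] =
    "qemu:61aa7b2c93d4e8f10c25b6a782e3f4051a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d\n"
    "hostb:00112233445566778899aabbccddeeff\n";

/* Identity rule from the commit message: the URI username, else "qemu". */
static const char *psk_identity(const char *uri_user)
{
    return (uri_user && *uri_user) ? uri_user : "qemu";
}

/* Check one "identity:hexkey" line (len excludes the line terminator). */
static enum psk_status psk_check_line(const char *line, size_t len, size_t *id_len)
{
    const char *sep = memchr(line, ':', len);
    size_t klen, i;

    if (!sep || sep == line)
        return PSK_BAD_LINE;
    *id_len = (size_t)(sep - line);
    klen = len - *id_len - 1;
    if (klen == 0 || klen % 2 != 0)
        return PSK_BAD_HEX;
    for (i = 0; i < klen; i++) {
        if (!isxdigit((unsigned char)sep[1 + i]))
            return PSK_BAD_HEX;
    }
    if (klen / 2 < PSK_MIN_KEY_BYTES)
        return PSK_WEAK_KEY;
    return PSK_OK;
}

/*
 * Validate every line of the NUL-terminated file contents in buf and find the
 * entry for the migration identity. Fails closed: any malformed line rejects
 * the whole file. On PSK_OK, *key and *key_len describe the hex key inside buf.
 */
static enum psk_status psk_lookup(const char *buf, const char *uri_user,
                                  const char **key, size_t *key_len)
{
    const char *want = psk_identity(uri_user);
    size_t want_len = strlen(want);
    const char *p = buf;
    int found = 0;

    while (*p) {
        size_t len = strcspn(p, "\n");
        size_t eff = (len && p[len - 1] == '\r') ? len - 1 : len;
        size_t id_len = 0;

        if (eff > 0) { /* blank lines are skipped (an assumption of this example) */
            enum psk_status st = psk_check_line(p, eff, &id_len);
            if (st != PSK_OK)
                return st;
            if (id_len == want_len && memcmp(p, want, want_len) == 0) {
                if (found)
                    return PSK_DUPLICATE;
                found = 1;
                *key = p + id_len + 1;
                *key_len = eff - id_len - 1;
            }
        }
        p += len;
        if (*p == '\n')
            p++;
    }
    return found ? PSK_OK : PSK_NOT_FOUND;
}

int main(void)
{
    const char *key = NULL;
    size_t key_len = 0;
    /* NULL models a migration URI without a username. */
    enum psk_status st = psk_lookup(SAMPLE_PSK, NULL, &key, &key_len);

    printf("status=%d key_hex_chars=%zu\n", (int)st, key_len);
    return st == PSK_OK ? 0 : 1;
}
```
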

From: Abhisek Panda
To: devel@lists.libvirt.org
Subject: [PATCH v1 2/7] include: define VIR_MIGRATE_TLS_PSK flag
Date: Wed, 27 May 2026 09:17:28 +0000
Message-ID: <20260527091735.3633179-3-abhisek.panda1@nutanix.com>
X-Mailer: git-send-email 2.43.7
In-Reply-To: <20260527091735.3633179-1-abhisek.panda1@nutanix.com>
References: <20260527091735.3633179-1-abhisek.panda1@nutanix.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
CC: tejus.gk@nutanix.com, mark.caveayland@nutanix.com, Abhisek Panda
List-Id: Development discussions about the libvirt library & tools

Introduce a new migration flag VIR_MIGRATE_TLS_PSK, that enables the use of the TLS-PSK-based authentication mechanism for encrypted migration.

Suggested-by: Tejus GK
Signed-off-by: Abhisek Panda
--- include/libvirt/libvirt-domain.h | 17 ++++++++++++++--- src/qemu/qemu_migration.h | 1 + tools/virsh-domain.c | 5 +++++ 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-dom= ain.h index 1066a0b3f1..88eb3e55aa 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h 
@@ -1089,9 +1089,9 @@ typedef enum { VIR_MIGRATE_POSTCOPY =3D (1 << 15), =20 /* Setting the VIR_MIGRATE_TLS flag will cause the migration to attempt - * to use the TLS environment configured by the hypervisor in order to - * perform the migration. If incorrectly configured on either source or - * destination, the migration will fail. + * to use the X.509-based TLS authentication configured by the hypervi= sor. + * If incorrectly configured on either source or destination, the migr= ation + * will fail. * * Since: 3.2.0 */ @@ -1131,6 +1131,17 @@ typedef enum { * Since: 8.5.0 */ VIR_MIGRATE_ZEROCOPY =3D (1 << 20), + + /* Setting the VIR_MIGRATE_TLS_PSK flag will cause the migration to at= tempt + * to use the pre-shared key-based TLS authentication configured + * by the hypervisor. Setting both VIR_MIGRATE_TLS_PSK and VIR_MIGRATE= _TLS flags + * simultaneously will result in migration failure because both the fl= ags represent + * different types of TLS authentication schemes. If incorrectly confi= gured on either + * source or destination, the migration will fail. + * + * Since: 12.4.0 + */ + VIR_MIGRATE_TLS_PSK =3D (1 << 21), } virDomainMigrateFlags; =20 =20 diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index 7e9410e1f7..7fbf959ee6 100644 --- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h @@ -62,6 +62,7 @@ VIR_MIGRATE_NON_SHARED_SYNCHRONOUS_WRITES | \ VIR_MIGRATE_POSTCOPY_RESUME | \ VIR_MIGRATE_ZEROCOPY | \ + VIR_MIGRATE_TLS_PSK | \ 0) =20 /* All supported migration parameters and their types. */ diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index 76369e8694..286abd2f1c 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c 
@@ -11327,6 +11327,10 @@ static const vshCmdOptDef opts_migrate[] =3D { .type =3D VSH_OT_INT, .help =3D N_("bandwidth (in MiB/s) available for the final phase of m= igration") }, + {.name =3D "tls-psk", + .type =3D VSH_OT_BOOL, + .help =3D N_("use tls-psk for migration") + }, {.name =3D NULL} }; =20 
@@ -11376,6 +11380,7 @@ doMigrate(void *opaque) { "tls", VIR_MIGRATE_TLS }, { "parallel", VIR_MIGRATE_PARALLEL }, { "suspend", VIR_MIGRATE_PAUSED }, + { "tls-psk", VIR_MIGRATE_TLS_PSK }, }; =20 #ifndef WIN32 --=20 2.39.3
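Review bot: in the include/libvirt/libvirt-domain.h hunk at -1089, the reworded VIR_MIGRATE_TLS comment does not say that the flag cannot be combined with VIR_MIGRATE_TLS_PSK; that restriction appears only in the new flag's comment further down. A caller who reads the documentation for VIR_MIGRATE_TLS alone will not learn about it, so repeat the sentence here or cross-reference the new flag.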
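Review bot: the VIR_MIGRATE_TLS_PSK comment (hunk at -1131) promises that setting it together with VIR_MIGRATE_TLS "will result in migration failure", but nothing in this patch rejects the combination. Add the check in the same patch, or say in the commit message which later patch enforces it; rejecting the pair where the flags are first validated gives the caller a clear error instead of a failure somewhere in TLS setup. The new comment lines are also longer than the neighbouring comments, and "both the flags represent different types" reads better as "the two flags select different TLS authentication schemes"; please rewrap.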
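Review bot: the src/qemu/qemu_migration.h hunk adds VIR_MIGRATE_TLS_PSK to what appears to be the list of flags the QEMU driver accepts, while none of the three files touched by this patch acts on the flag. A tree built at this commit would then not refuse a caller asking for TLS-PSK, and a flag whose purpose is encryption should never be accepted without being honoured. Move this one-line hunk to the patch that implements the TLS-PSK setup, so that every commit in the series either rejects the flag or applies it.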
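Review bot: the help string for the new option in opts_migrate, "use tls-psk for migration", repeats the option name without explaining it, and the diffstat shows no manual page change. Spell out that the option selects pre-shared-key TLS authentication for the migration stream, state that it cannot be combined with --tls, and document the option in the virsh manual in the same patch.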
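Review bot: in the doMigrate hunk the new { "tls-psk", VIR_MIGRATE_TLS_PSK } entry is added next to { "tls", VIR_MIGRATE_TLS } and this patch adds no guard, so virsh passes both flags through when a user gives --tls and --tls-psk together. The header comment declares that combination invalid; reject it in virsh before the flags are assembled so the user gets an option-level error rather than a failed migration.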
From: Abhisek Panda
To: devel@lists.libvirt.org
Subject: [PATCH v1 3/7] qemu: Add support to build the tls-creds-psk object
Date: Wed, 27 May 2026 09:17:29 +0000
Message-ID: <20260527091735.3633179-4-abhisek.panda1@nutanix.com>
In-Reply-To: <20260527091735.3633179-1-abhisek.panda1@nutanix.com>
References: <20260527091735.3633179-1-abhisek.panda1@nutanix.com>
CC: tejus.gk@nutanix.com, mark.caveayland@nutanix.com, Abhisek Panda

Build the tls-creds-psk object with the following params: id, dir, endpoint, and username. Note: username is an optional parameter; if not provided, it defaults to the value "qemu".

Suggested-by: Tejus GK
Signed-off-by: Abhisek Panda
--- src/qemu/qemu_command.c | 29 +++++++++++++++++++++++++++++ src/qemu/qemu_command.h | 8 ++++++++ 2 files changed, 37 insertions(+) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index a4445ef17a..69324a523f 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c 
@@ -1332,6 +1332,35 @@ qemuBuildTLSx509CommandLine(virCommand *cmd, } =20 =20 +/* qemuBuildTLSPSKBackendProps: + * @tlsPSKpath: path to the TLS-PSK credentials file + * @listen: boolean listen for client or server setting + * @username: identifier to find the secret key of a client at the server + * @alias: alias for the TLS-PSK object + * @propsret: json properties to return + * + * Create a backend string for the tls-creds-psk object. + * + * Returns 0 on success, -1 on failure with error set. + */ +int +qemuBuildTLSPSKBackendProps(const char *tlsPSKpath, + bool isListen, + const char *username, + const char *alias, + virJSONValue **propsret) +{ + if (qemuMonitorCreateObjectProps(propsret, "tls-creds-psk", alias, + "s:dir", tlsPSKpath, + "s:endpoint", (isListen ? "server": "= client"), + "S:username", (isListen ? NULL: usern= ame), + NULL) < 0) + return -1; + + return 0; +} + + static int qemuBuildChardevCommand(virCommand *cmd, const virDomainChrSourceDef *dev, diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h index 028d002ef9..b6c6403e07 100644 --- a/src/qemu/qemu_command.h +++ b/src/qemu/qemu_command.h 
@@ -72,6 +72,14 @@ qemuBuildTLSx509BackendProps(const char *tlspath, const char *secalias, virJSONValue **propsret); =20 +/* Generate the object properties for a tls-creds-psk */ +int +qemuBuildTLSPSKBackendProps(const char *tlsPSKpath, + bool isListen, + const char *username, + const char *alias, + virJSONValue **propsret); + /* Open a UNIX socket for chardev FD passing */ int qemuOpenChrChardevUNIXSocket(const virDomainChrSourceDef *dev) --=20 2.39.3
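Review bot: the doc comment added above qemuBuildTLSPSKBackendProps in src/qemu/qemu_command.c does not match the function. It documents @listen while the parameter is named isListen, it describes @tlsPSKpath as "path to the TLS-PSK credentials file" although the value is passed as the "s:dir" property, and it says the function creates "a backend string" when the result is a set of JSON properties returned through @propsret. Please correct all three, and put a space before the colon in the two ternaries (isListen ? "server" : "client" and isListen ? NULL : username).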
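Review bot: the prototype comment in src/qemu/qemu_command.h says nothing about the @username contract. The .c hunk drops username whenever isListen is true, and the commit message calls it optional with a default of "qemu", yet no default is set anywhere in this patch. State in the comment that NULL is allowed, that the value is ignored for the listening side, and where the "qemu" default is applied.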
From: Abhisek Panda
To: devel@lists.libvirt.org
Subject: [PATCH v1 4/7] qemu: rename tls-creds-x509 obj related functions
Date: Wed, 27 May 2026 09:17:30 +0000
Message-ID: <20260527091735.3633179-5-abhisek.panda1@nutanix.com>
In-Reply-To: <20260527091735.3633179-1-abhisek.panda1@nutanix.com>
References: <20260527091735.3633179-1-abhisek.panda1@nutanix.com>
a=xqWC_Br6kY4A:10 a=NGcC8JguVDcA:10 a=0kUYKlekyDsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=VofLwUrZ8Iiv6rRUPXIb:22 a=_-M8LpHI31CeLmyZm6wg:22 a=64Cc0HZtAAAA:8 a=QIhr-27iAAAA:8 a=A1X0JdhQAAAA:8 a=tF8aEQz37MI5_kyPiasA:9 a=Vk-83Md3cH02LLM3:21 a=cgaYBWEFosGJW4rWv5Lf:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNTI3MDA4OCBTYWx0ZWRfXzZ671DD2rNg3 jwNUQ6Tq5JkSbI0/zmJ14UUAntwA4cZy8BxiM2Xc4MBV/2j38lv12jBoXJDaPYQWPrks+Ie2HMW lyf3gOVY/Soa4conjZo7XO+Kyy61TQfrAOzcEAsQ/8Tu+xTwiBE6G17q19JG5fFSqyavn1CB9pi o37OigurXdbqAh2CwMC+8y4Z0RI9DBiRpbz4bqte/Tz0jb86v8g3uSPrCiUYkjx5M90/SpSntWB VcCwm5o7hYblQaA4oN+Ly0s311+ZF2W16mMORkfd6gUXbvVt4afSK17EEFBv0BJBg1UGxfZWqHX jnnYZBodwnELD537wiBUFMqX6OPDrW6Dx7jVzLkgrlCqzkd+i28WwWhI11VKDjnHovp5mdDcF+S 5cfVNuusEL8K1BpJspTFfM5N7HWeHBIx34bZRj2HZW67jjCPJXtri8UEvBZG3u7oV/qfiyYRUr2 VYZ1JUJo3Q7ABUesj3w== X-Proofpoint-GUID: aaB9zHzShYZQ4rgh9v64MGN4n5AONVV9 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.125,FMLib:17.12.100.49 definitions=2026-05-27_01,2026-05-26_03,2025-10-01_01 X-Proofpoint-Spam-Reason: safe Message-ID-Hash: MUHKGF45UDQ3UDROJU3ZC6INFLMW4JQW X-Message-ID-Hash: MUHKGF45UDQ3UDROJU3ZC6INFLMW4JQW X-MailFrom: abhisek.panda1@nutanix.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-devel.lists.libvirt.org-0; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: tejus.gk@nutanix.com, mark.caveayland@nutanix.com, Abhisek Panda X-Mailman-Version: 3.3.10 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: pass (identity @nutanix.com) X-ZM-MESSAGEID: 1779874186744158500 Content-Type: text/plain; charset="utf-8" Append 'x509' to the function identifiers managing the tls-creds-x509 objects. 
This defines the functions' scope and prevents naming conflicts with the introduction of functions related to tls-creds-psk in subsequent commits. Additionally, update the TLS x509 object alias from "obj%s_tls0" to "obj%s_tlsx5090" along with relevant testcase changes. Suggested-by: Tejus GK Signed-off-by: Abhisek Panda --- src/qemu/qemu_alias.c | 8 +- src/qemu/qemu_alias.h | 2 +- src/qemu/qemu_backup.c | 2 +- src/qemu/qemu_command.c | 2 +- src/qemu/qemu_domain.c | 2 +- src/qemu/qemu_hotplug.c | 76 +++++++++---------- src/qemu/qemu_hotplug.h | 26 +++---- src/qemu/qemu_migration.c | 24 +++--- src/qemu/qemu_migration_params.c | 44 +++++------ src/qemu/qemu_migration_params.h | 14 ++-- src/qemu/qemu_postparse.c | 2 +- tests/qemumigparamsdata/tls-enabled.json | 2 +- tests/qemumigparamsdata/tls-enabled.reply | 2 +- tests/qemumigparamsdata/tls-enabled.xml | 2 +- tests/qemumigparamsdata/tls-hostname.json | 2 +- tests/qemumigparamsdata/tls-hostname.reply | 2 +- tests/qemumigparamsdata/tls-hostname.xml | 2 +- tests/qemumonitorjsontest.c | 4 +- tests/qemustatusxml2xmldata/upgrade-out.xml | 2 +- .../chardev-backends-json.x86_64-9.1.0.args | 8 +- .../chardev-backends-json.x86_64-latest.args | 8 +- .../chardev-backends.x86_64-9.1.0.args | 8 +- .../chardev-backends.x86_64-latest.args | 8 +- ...rk-tlsx509-nbd-hostname.x86_64-latest.args | 6 +- ...isk-network-tlsx509-nbd.x86_64-latest.args | 6 +- ...-tlsx509-chardev-verify.x86_64-latest.args | 4 +- ...ial-tcp-tlsx509-chardev.x86_64-latest.args | 4 +- ...-tlsx509-secret-chardev.x86_64-latest.args | 4 +- 28 files changed, 138 insertions(+), 138 deletions(-) diff --git a/src/qemu/qemu_alias.c b/src/qemu/qemu_alias.c index 400ce73283..9133389df1 100644 --- a/src/qemu/qemu_alias.c +++ b/src/qemu/qemu_alias.c 
@@ -872,15 +872,15 @@ qemuAliasForSecret(const char *parentalias, return g_strdup_printf("%s-secret%zu", parentalias, secret_idx); } =20 -/* qemuAliasTLSObjFromSrcAlias +/* qemuAliasTLSx509ObjFromSrcAlias * @srcAlias: Pointer to a source alias string * - * Generate and return a string to be used as the TLS object alias + * Generate and return a string to be used as the TLS X509 object alias */ char * -qemuAliasTLSObjFromSrcAlias(const char *srcAlias) +qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias) { - return g_strdup_printf("obj%s_tls0", srcAlias); + return g_strdup_printf("obj%s_tlsx5090", srcAlias); } =20 =20 diff --git a/src/qemu/qemu_alias.h b/src/qemu/qemu_alias.h index eae08020dc..dd7bfdcc0f 100644 --- a/src/qemu/qemu_alias.h +++ b/src/qemu/qemu_alias.h @@ -89,7 +89,7 @@ char *qemuAliasForSecret(const char *parentalias, const char *obj, size_t secret_idx); =20 -char *qemuAliasTLSObjFromSrcAlias(const char *srcAlias) +char *qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias) ATTRIBUTE_NONNULL(1); =20 char *qemuAliasChardevFromDevAlias(const char *devAlias) diff --git a/src/qemu/qemu_backup.c b/src/qemu/qemu_backup.c index a0544c83dc..9c496ee0c8 100644 --- a/src/qemu/qemu_backup.c +++ b/src/qemu/qemu_backup.c @@ -745,7 +745,7 @@ qemuBackupBeginPrepareTLS(virDomainObj *vm, virJSONValue **tlsSecretProps) { qemuDomainObjPrivate *priv =3D vm->privateData; - g_autofree char *tlsObjAlias =3D qemuAliasTLSObjFromSrcAlias(QEMU_BACK= UP_TLS_ALIAS_BASE); + g_autofree char *tlsObjAlias =3D qemuAliasTLSx509ObjFromSrcAlias(QEMU_= BACKUP_TLS_ALIAS_BASE); g_autoptr(qemuDomainSecretInfo) secinfo =3D NULL; const char *tlsKeySecretAlias =3D NULL; =20 diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 69324a523f..efa1d10a57 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c 
@@ -1387,7 +1387,7 @@ qemuBuildChardevCommand(virCommand *cmd, tlsCertEncSecAlias =3D chrSourcePriv->secinfo->alias; } =20 - if (!(objalias =3D qemuAliasTLSObjFromSrcAlias(charAlias))) + if (!(objalias =3D qemuAliasTLSx509ObjFromSrcAlias(charAlias))) return -1; =20 if (qemuBuildTLSx509CommandLine(cmd, chrSourcePriv->tlsCertPat= h, diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index dde257bb70..99660e684f 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -9030,7 +9030,7 @@ qemuProcessPrepareStorageSourceTLSNBD(virStorageSourc= e *src, return -1; } =20 - src->tlsAlias =3D qemuAliasTLSObjFromSrcAlias(parentAlias); + src->tlsAlias =3D qemuAliasTLSx509ObjFromSrcAlias(parentAlias); src->tlsCertdir =3D g_strdup(cfg->nbdTLSx509certdir); src->tlsPriority =3D g_strdup(cfg->nbdTLSpriority); =20 diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 8d45a6db9d..9e7055f5da 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1702,12 +1702,12 @@ void qemuDomainDelTLSObjects(virDomainObj *vm, virDomainAsyncJob asyncJob, const char *secAlias, - const char *tlsAlias) + const char *tlsx509Alias) { qemuDomainObjPrivate *priv =3D vm->privateData; virErrorPtr orig_err; =20 - if (!tlsAlias && !secAlias) + if (!tlsx509Alias && !secAlias) return; =20 virErrorPreserveLast(&orig_err); @@ -1715,8 +1715,8 @@ qemuDomainDelTLSObjects(virDomainObj *vm, if (qemuDomainObjEnterMonitorAsync(vm, asyncJob) < 0) goto cleanup; =20 - if (tlsAlias) - ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias, false)); + if (tlsx509Alias) + ignore_value(qemuMonitorDelObject(priv->mon, tlsx509Alias, false)); =20 if (secAlias) ignore_value(qemuMonitorDelObject(priv->mon, secAlias, false)); 
@@ -1729,10 +1729,10 @@ qemuDomainDelTLSObjects(virDomainObj *vm, =20 =20 int -qemuDomainAddTLSObjects(virDomainObj *vm, - virDomainAsyncJob asyncJob, - virJSONValue **secProps, - virJSONValue **tlsProps) +qemuDomainAddTLSx509Objects(virDomainObj *vm, + virDomainAsyncJob asyncJob, + virJSONValue **secProps, + virJSONValue **tlsProps) { qemuDomainObjPrivate *priv =3D vm->privateData; virErrorPtr orig_err; @@ -1766,14 +1766,14 @@ qemuDomainAddTLSObjects(virDomainObj *vm, =20 =20 int -qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo, - const char *tlsCertdir, - bool tlsListen, - bool tlsVerify, - const char *tlsPriority, - const char *alias, - virJSONValue **tlsProps, - virJSONValue **secProps) +qemuDomainGetTLSx509Objects(qemuDomainSecretInfo *secinfo, + const char *tlsCertdir, + bool tlsListen, + bool tlsVerify, + const char *tlsPriority, + const char *alias, + virJSONValue **tlsProps, + virJSONValue **secProps) { const char *secAlias =3D NULL; =20 @@ -1798,7 +1798,7 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *driver, virDomainChrSourceDef *dev, char *devAlias, char *charAlias, - char **tlsAlias, + char **tlsx509Alias, const char **secAlias) { g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); 
@@ -1821,21 +1821,21 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *drive= r, if (secinfo) *secAlias =3D secinfo->alias; =20 - if (!(*tlsAlias =3D qemuAliasTLSObjFromSrcAlias(charAlias))) + if (!(*tlsx509Alias =3D qemuAliasTLSx509ObjFromSrcAlias(charAlias))) return -1; =20 - if (qemuDomainGetTLSObjects(secinfo, - cfg->chardevTLSx509certdir, - dev->data.tcp.listen, - cfg->chardevTLSx509verify, - cfg->chardevTLSpriority, - *tlsAlias, &tlsProps, &secProps) < 0) + if (qemuDomainGetTLSx509Objects(secinfo, + cfg->chardevTLSx509certdir, + dev->data.tcp.listen, + cfg->chardevTLSx509verify, + cfg->chardevTLSpriority, + *tlsx509Alias, &tlsProps, &secProps) <= 0) return -1; =20 dev->data.tcp.tlscreds =3D true; =20 - if (qemuDomainAddTLSObjects(vm, VIR_ASYNC_JOB_NONE, - &secProps, &tlsProps) < 0) + if (qemuDomainAddTLSx509Objects(vm, VIR_ASYNC_JOB_NONE, + &secProps, &tlsProps) < 0) return -1; =20 return 0; @@ -1850,7 +1850,7 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver, { g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); qemuDomainObjPrivate *priv =3D vm->privateData; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; g_autofree char *secAlias =3D NULL; =20 if (dev->type !=3D VIR_DOMAIN_CHR_TYPE_TCP || @@ -1858,7 +1858,7 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver, return 0; } =20 - if (!(tlsAlias =3D qemuAliasTLSObjFromSrcAlias(inAlias))) + if (!(tlsx509Alias =3D qemuAliasTLSx509ObjFromSrcAlias(inAlias))) return -1; =20 /* Best shot at this as the secinfo is destroyed after process launch @@ -1871,7 +1871,7 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver, =20 qemuDomainObjEnterMonitor(vm); =20 - ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias, false)); + ignore_value(qemuMonitorDelObject(priv->mon, tlsx509Alias, false)); if (secAlias) ignore_value(qemuMonitorDelObject(priv->mon, secAlias, false)); =20 
@@ -1892,7 +1892,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, g_autofree char *charAlias =3D NULL; g_autoptr(virJSONValue) devprops =3D NULL; bool chardevAdded =3D false; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; const char *secAlias =3D NULL; virErrorPtr orig_err; =20 @@ -1911,7 +1911,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, =20 if (qemuDomainAddChardevTLSObjects(driver, vm, redirdev->source, redirdev->info.alias, charAlias, - &tlsAlias, &secAlias) < 0) + &tlsx509Alias, &secAlias) < 0) goto audit; =20 qemuDomainObjEnterMonitor(vm); @@ -1941,7 +1941,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, ignore_value(qemuMonitorDetachCharDev(priv->mon, charAlias)); qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); goto audit; } =20 @@ -2127,7 +2127,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver, bool teardowncgroup =3D false; bool teardowndevice =3D false; bool teardownlabel =3D false; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; const char *secAlias =3D NULL; bool need_release =3D false; bool guestfwd =3D false; @@ -2181,7 +2181,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver, =20 if (qemuDomainAddChardevTLSObjects(driver, vm, chr->source, chr->info.alias, charAlias, - &tlsAlias, &secAlias) < 0) + &tlsx509Alias, &secAlias) < 0) goto audit; =20 qemuDomainObjEnterMonitor(vm); @@ -2240,7 +2240,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver, qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); =20 - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); goto audit; } =20 
@@ -2256,7 +2256,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver, g_autoptr(virJSONValue) devprops =3D NULL; g_autofree char *charAlias =3D NULL; g_autofree char *objAlias =3D NULL; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; const char *secAlias =3D NULL; bool releaseaddr =3D false; bool teardowncgroup =3D false; @@ -2294,7 +2294,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver, if (qemuDomainAddChardevTLSObjects(driver, vm, rng->source.chardev, rng->info.alias, charAlias, - &tlsAlias, &secAlias) < 0) + &tlsx509Alias, &secAlias) < 0) goto audit; } =20 @@ -2345,7 +2345,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver, qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); =20 - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); goto audit; } =20 diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h index 60ed0e174c..2d9b10204c 100644 --- a/src/qemu/qemu_hotplug.h +++ b/src/qemu/qemu_hotplug.h 
@@ -28,23 +28,23 @@ void qemuDomainDelTLSObjects(virDomainObj *vm, virDomainAsyncJob asyncJob, const char *secAlias, - const char *tlsAlias); + const char *tlsx509Alias); =20 int -qemuDomainAddTLSObjects(virDomainObj *vm, - virDomainAsyncJob asyncJob, - virJSONValue **secProps, - virJSONValue **tlsProps); +qemuDomainAddTLSx509Objects(virDomainObj *vm, + virDomainAsyncJob asyncJob, + virJSONValue **secProps, + virJSONValue **tlsProps); =20 int -qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo, - const char *tlsCertdir, - bool tlsListen, - bool tlsVerify, - const char *tlsPriority, - const char *alias, - virJSONValue **tlsProps, - virJSONValue **secProps); +qemuDomainGetTLSx509Objects(qemuDomainSecretInfo *secinfo, + const char *tlsCertdir, + bool tlsListen, + bool tlsVerify, + const char *tlsPriority, + const char *alias, + virJSONValue **tlsProps, + virJSONValue **secProps); =20 int qemuDomainAttachDiskGeneric(virDomainObj *vm, diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index af981fb992..15e3571c99 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3326,7 +3326,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, qemuDomainObjPrivate *priv =3D vm->privateData; qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; qemuProcessIncomingDef *incoming =3D NULL; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; virObjectEvent *event =3D NULL; virErrorPtr origErr =3D NULL; int dataFD[2] =3D { -1, -1 }; 
@@ -3412,10 +3412,10 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, /* Migrations using TLS need to add the "tls-creds-x509" object and * set the migration TLS parameters */ if (flags & VIR_MIGRATE_TLS) { - if (qemuMigrationParamsEnableTLS(driver, vm, true, - VIR_ASYNC_JOB_MIGRATION_IN, - &tlsAlias, NULL, - migParams) < 0) + if (qemuMigrationParamsEnableTLSx509(driver, vm, true, + VIR_ASYNC_JOB_MIGRATION_IN, + &tlsx509Alias, NULL, + migParams) < 0) goto error; } else { if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) @@ -3433,7 +3433,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, goto error; } =20 - nbdTLSAlias =3D tlsAlias; + nbdTLSAlias =3D tlsx509Alias; } =20 if (qemuMigrationDstStartNBDServer(driver, vm, incoming->address, @@ -4977,7 +4977,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, int ret =3D -1; qemuDomainObjPrivate *priv =3D vm->privateData; g_autoptr(qemuMigrationCookie) mig =3D NULL; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; qemuMigrationIOThread *iothread =3D NULL; VIR_AUTOCLOSE fd =3D -1; unsigned long restore_max_bandwidth =3D priv->migMaxBandwidth; @@ -5070,10 +5070,10 @@ qemuMigrationSrcRun(virQEMUDriver *driver, spec->destType =3D=3D MIGRATION_DEST_FD) hostname =3D spec->dest.host.name; =20 - if (qemuMigrationParamsEnableTLS(driver, vm, false, - VIR_ASYNC_JOB_MIGRATION_OUT, - &tlsAlias, hostname, - migParams) < 0) + if (qemuMigrationParamsEnableTLSx509(driver, vm, false, + VIR_ASYNC_JOB_MIGRATION_OUT, + &tlsx509Alias, hostname, + migParams) < 0) goto error; } else { if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) @@ -5128,7 +5128,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, migrate_disks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - dconn, tlsAlias, tlsHostname, + dconn, tlsx509Alias, tlsHostnam= e, nbdURI, flags) < 0) { goto error; } diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_par= ams.c index dd47516742..c91ae89c9b 100644 
--- a/src/qemu/qemu_migration_params.c +++ b/src/qemu/qemu_migration_params.c @@ -1150,12 +1150,12 @@ qemuMigrationParamsSetString(qemuMigrationParams *m= igParams, } =20 =20 -/* qemuMigrationParamsEnableTLS +/* qemuMigrationParamsEnableTLSx509 * @driver: pointer to qemu driver * @vm: domain object * @tlsListen: server or client * @asyncJob: Migration job to join - * @tlsAlias: alias to be generated for TLS object + * @tlsx509Alias: alias to be generated for TLS X.509 object * @hostname: hostname of the migration destination * @migParams: migration parameters to set * @@ -1166,17 +1166,17 @@ qemuMigrationParamsSetString(qemuMigrationParams *m= igParams, * Returns 0 on success, -1 on failure */ int -qemuMigrationParamsEnableTLS(virQEMUDriver *driver, - virDomainObj *vm, - bool tlsListen, - int asyncJob, - char **tlsAlias, - const char *hostname, - qemuMigrationParams *migParams) +qemuMigrationParamsEnableTLSx509(virQEMUDriver *driver, + virDomainObj *vm, + bool tlsListen, + int asyncJob, + char **tlsx509Alias, + const char *hostname, + qemuMigrationParams *migParams) { qemuDomainObjPrivate *priv =3D vm->privateData; qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; - g_autoptr(virJSONValue) tlsProps =3D NULL; + g_autoptr(virJSONValue) tlsx509Props =3D NULL; g_autoptr(virJSONValue) secProps =3D NULL; g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); const char *secAlias =3D NULL; 
@@ -1202,28 +1202,28 @@ qemuMigrationParamsEnableTLS(virQEMUDriver *driver, secAlias =3D priv->migSecinfo->alias; } =20 - if (!(*tlsAlias =3D qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALI= AS_BASE))) + if (!(*tlsx509Alias =3D qemuAliasTLSx509ObjFromSrcAlias(QEMU_MIGRATION= _TLS_ALIAS_BASE))) return -1; =20 - if (qemuDomainGetTLSObjects(priv->migSecinfo, - cfg->migrateTLSx509certdir, tlsListen, - cfg->migrateTLSx509verify, - cfg->migrateTLSpriority, - *tlsAlias, &tlsProps, &secProps) < 0) + if (qemuDomainGetTLSx509Objects(priv->migSecinfo, + cfg->migrateTLSx509certdir, tlsListen, + cfg->migrateTLSx509verify, + cfg->migrateTLSpriority, + *tlsx509Alias, &tlsx509Props, &secProp= s) < 0) return -1; =20 /* Ensure the domain doesn't already have the TLS objects defined... * This should prevent any issues just in case some cleanup wasn't * properly completed (both src and dst use the same alias) or * some other error path between now and perform . */ - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsAlias); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsx509Alias); =20 - if (qemuDomainAddTLSObjects(vm, asyncJob, &secProps, &tlsProps) < 0) + if (qemuDomainAddTLSx509Objects(vm, asyncJob, &secProps, &tlsx509Props= ) < 0) return -1; =20 if (qemuMigrationParamsSetString(migParams, QEMU_MIGRATION_PARAM_TLS_CREDS, - *tlsAlias) < 0) + *tlsx509Alias) < 0) return -1; =20 /* QEMU interprets an empty string for hostname as if it is not popula= ted */ @@ -1290,7 +1290,7 @@ qemuMigrationParamsResetTLS(virDomainObj *vm, qemuMigrationParams *origParams, unsigned int apiFlags) { - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; g_autofree char *secAlias =3D NULL; =20 /* There's nothing to do if QEMU does not support TLS migration or we = were 
@@ -1299,10 +1299,10 @@ qemuMigrationParamsResetTLS(virDomainObj *vm, !(apiFlags & VIR_MIGRATE_TLS)) return; =20 - tlsAlias =3D qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE= ); + tlsx509Alias =3D qemuAliasTLSx509ObjFromSrcAlias(QEMU_MIGRATION_TLS_AL= IAS_BASE); secAlias =3D qemuAliasForSecret(QEMU_MIGRATION_TLS_ALIAS_BASE, NULL, 0= ); =20 - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsx509Alias); g_clear_pointer(&QEMU_DOMAIN_PRIVATE(vm)->migSecinfo, qemuDomainSecret= InfoFree); } =20 diff --git a/src/qemu/qemu_migration_params.h b/src/qemu/qemu_migration_par= ams.h index b7a829b85a..b578cf5091 100644 --- a/src/qemu/qemu_migration_params.h +++ b/src/qemu/qemu_migration_params.h @@ -115,13 +115,13 @@ qemuMigrationParamsApply(virDomainObj *vm, unsigned int apiFlags); =20 int -qemuMigrationParamsEnableTLS(virQEMUDriver *driver, - virDomainObj *vm, - bool tlsListen, - int asyncJob, - char **tlsAlias, - const char *hostname, - qemuMigrationParams *migParams); +qemuMigrationParamsEnableTLSx509(virQEMUDriver *driver, + virDomainObj *vm, + bool tlsListen, + int asyncJob, + char **tlsx509Alias, + const char *hostname, + qemuMigrationParams *migParams); =20 int qemuMigrationParamsDisableTLS(virDomainObj *vm, diff --git a/src/qemu/qemu_postparse.c b/src/qemu/qemu_postparse.c index 79e02e34ac..7e3e714fae 100644 --- a/src/qemu/qemu_postparse.c +++ b/src/qemu/qemu_postparse.c @@ -278,7 +278,7 @@ qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *disk, if (parseFlags & VIR_DOMAIN_DEF_PARSE_STATUS && disk->src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES && !disk->src->tlsAlias && - !(disk->src->tlsAlias =3D qemuAliasTLSObjFromSrcAlias(disk->info.a= lias))) + !(disk->src->tlsAlias =3D qemuAliasTLSx509ObjFromSrcAlias(disk->in= fo.alias))) return -1; =20 return 0; diff --git a/tests/qemumigparamsdata/tls-enabled.json b/tests/qemumigparams= data/tls-enabled.json index 098d3ae148..c16d24684f 100644 
--- a/tests/qemumigparamsdata/tls-enabled.json +++ b/tests/qemumigparamsdata/tls-enabled.json @@ -1,7 +1,7 @@ { "cpu-throttle-initial": 20, "cpu-throttle-increment": 10, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx5090", "tls-hostname": "", "max-bandwidth": 33554432, "downtime-limit": 300 diff --git a/tests/qemumigparamsdata/tls-enabled.reply b/tests/qemumigparam= sdata/tls-enabled.reply index e3ce8e7778..679df2d638 100644 --- a/tests/qemumigparamsdata/tls-enabled.reply +++ b/tests/qemumigparamsdata/tls-enabled.reply @@ -4,7 +4,7 @@ "cpu-throttle-increment": 10, "tls-hostname": "", "cpu-throttle-initial": 20, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx5090", "max-bandwidth": 33554432, "downtime-limit": 300 } diff --git a/tests/qemumigparamsdata/tls-enabled.xml b/tests/qemumigparamsd= ata/tls-enabled.xml index 554b6855d4..e786896165 100644 --- a/tests/qemumigparamsdata/tls-enabled.xml +++ b/tests/qemumigparamsdata/tls-enabled.xml @@ -2,7 +2,7 @@ - + diff --git a/tests/qemumigparamsdata/tls-hostname.json b/tests/qemumigparam= sdata/tls-hostname.json index 2943df769b..4fb1f011fe 100644 --- a/tests/qemumigparamsdata/tls-hostname.json +++ b/tests/qemumigparamsdata/tls-hostname.json @@ -1,7 +1,7 @@ { "cpu-throttle-initial": 20, "cpu-throttle-increment": 10, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx5090", "tls-hostname": "f27-1.virt", "max-bandwidth": 33554432, "downtime-limit": 300 diff --git a/tests/qemumigparamsdata/tls-hostname.reply b/tests/qemumigpara= msdata/tls-hostname.reply index f7e7a96bc5..07fa788135 100644 --- a/tests/qemumigparamsdata/tls-hostname.reply +++ b/tests/qemumigparamsdata/tls-hostname.reply @@ -4,7 +4,7 @@ "cpu-throttle-increment": 10, "tls-hostname": "f27-1.virt", "cpu-throttle-initial": 20, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx5090", "max-bandwidth": 33554432, "downtime-limit": 300 } 
diff --git a/tests/qemumigparamsdata/tls-hostname.xml b/tests/qemumigparams= data/tls-hostname.xml index addb5e68a4..099e28b5fc 100644 --- a/tests/qemumigparamsdata/tls-hostname.xml +++ b/tests/qemumigparamsdata/tls-hostname.xml @@ -2,7 +2,7 @@ - + diff --git a/tests/qemumonitorjsontest.c b/tests/qemumonitorjsontest.c index e34dbad7cd..67586bd84b 100644 --- a/tests/qemumonitorjsontest.c +++ b/tests/qemumonitorjsontest.c @@ -665,7 +665,7 @@ qemuMonitorJSONTestAttachChardev(virDomainXMLOption *xm= lopt, "'server':false}}}"); =20 chr->data.tcp.tlscreds =3D true; - chrSourcePriv->tlsCredsAlias =3D qemuAliasTLSObjFromSrcAlias("alia= s"); + chrSourcePriv->tlsCredsAlias =3D qemuAliasTLSx509ObjFromSrcAlias("= alias"); chr->logfile =3D g_strdup("/test/log"); CHECK("tcp", false, "{'id':'alias'," @@ -675,7 +675,7 @@ qemuMonitorJSONTestAttachChardev(virDomainXMLOption *xm= lopt, "'port':'1234'}}," "'telnet':false," "'server':false," - "'tls-creds':'objalias_tls0'," + "'tls-creds':'objalias_tlsx5090'," "'logfile':'/test/log'}}}"); =20 } diff --git a/tests/qemustatusxml2xmldata/upgrade-out.xml b/tests/qemustatus= xml2xmldata/upgrade-out.xml index c7bc7128df..bd2323862d 100644 --- a/tests/qemustatusxml2xmldata/upgrade-out.xml +++ b/tests/qemustatusxml2xmldata/upgrade-out.xml @@ -414,7 +414,7 @@ - + diff --git a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args = b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args index dce4a582d2..c0fc1ea722 100644 --- a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args +++ b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUG= uest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"char= dev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev '{"id":"charchannel10","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5679"}},"telnet":true,"serv= er":true,"wait":false}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"char= dev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"ser= ver":false,"reconnect":2,"tls-creds":"objcharchannel11_tls0"}}}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx5090","di= r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"ser= ver":false,"reconnect":2,"tls-creds":"objcharchannel11_tlsx5090"}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"char= dev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel12","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":t= rue,"server":false,"reconnect":2,"tls-creds":"objcharchannel12_tls0"}}}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx5090","di= r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ 
+-chardev '{"id":"charchannel12","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":t= rue,"server":false,"reconnect":2,"tls-creds":"objcharchannel12_tlsx5090"}}}= ' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"char= dev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}'= \ -chardev '{"id":"charchannel13","backend":{"type":"udp","data":{"remote":{= "type":"inet","data":{"host":"127.0.0.1","port":"2222"}}}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"char= dev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args= b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args index 2b7e614e8b..925d2f25e3 100644 --- a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args +++ b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUG= uest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"char= dev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev '{"id":"charchannel10","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5679"}},"telnet":true,"serv= er":true,"wait":false}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"char= dev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"ser= ver":false,"reconnect-ms":2000,"tls-creds":"objcharchannel11_tls0"}}}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx5090","di= r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"ser= ver":false,"reconnect-ms":2000,"tls-creds":"objcharchannel11_tlsx5090"}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"char= dev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel12","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":t= rue,"server":false,"reconnect-ms":2000,"tls-creds":"objcharchannel12_tls0"}= }}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx5090","di= 
r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev '{"id":"charchannel12","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":t= rue,"server":false,"reconnect-ms":2000,"tls-creds":"objcharchannel12_tlsx50= 90"}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"char= dev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}'= \ -chardev '{"id":"charchannel13","backend":{"type":"udp","data":{"remote":{= "type":"inet","data":{"host":"127.0.0.1","port":"2222"}}}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"char= dev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args b/tes= ts/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args index 81773dcacd..c5924d44c5 100644 --- a/tests/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args +++ b/tests/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUG= uest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"char= dev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev socket,id=3Dcharchannel10,host=3D1.2.3.4,port=3D5679,telnet=3Don,= server=3Don,wait=3Doff \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"char= dev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharchannel11,host=3D1.2.3.4,port=3D5678,reconnect=3D= 2,tls-creds=3Dobjcharchannel11_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx5090","di= r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharchannel11,host=3D1.2.3.4,port=3D5678,reconnect=3D= 2,tls-creds=3Dobjcharchannel11_tlsx5090 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"char= dev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharchannel12,host=3Dhostname.global.,port=3D5679,tel= net=3Don,reconnect=3D2,tls-creds=3Dobjcharchannel12_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx5090","di= r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharchannel12,host=3Dhostname.global.,port=3D5679,tel= net=3Don,reconnect=3D2,tls-creds=3Dobjcharchannel12_tlsx5090 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"char= dev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}'= \ -chardev udp,id=3Dcharchannel13,host=3D127.0.0.1,port=3D2222,localaddr=3D,= localport=3D0 \ 
-device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"char= dev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/chardev-backends.x86_64-latest.args b/te= sts/qemuxmlconfdata/chardev-backends.x86_64-latest.args index 9708b18735..092f5f7921 100644 --- a/tests/qemuxmlconfdata/chardev-backends.x86_64-latest.args +++ b/tests/qemuxmlconfdata/chardev-backends.x86_64-latest.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUG= uest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"char= dev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev socket,id=3Dcharchannel10,host=3D1.2.3.4,port=3D5679,telnet=3Don,= server=3Don,wait=3Doff \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"char= dev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharchannel11,host=3D1.2.3.4,port=3D5678,reconnect-ms= =3D2000,tls-creds=3Dobjcharchannel11_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx5090","di= r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharchannel11,host=3D1.2.3.4,port=3D5678,reconnect-ms= =3D2000,tls-creds=3Dobjcharchannel11_tlsx5090 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"char= dev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharchannel12,host=3Dhostname.global.,port=3D5679,tel= net=3Don,reconnect-ms=3D2000,tls-creds=3Dobjcharchannel12_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx5090","di= r":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharchannel12,host=3Dhostname.global.,port=3D5679,tel= net=3Don,reconnect-ms=3D2000,tls-creds=3Dobjcharchannel12_tlsx5090 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"char= dev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}'= \ -chardev 
udp,id=3Dcharchannel13,host=3D127.0.0.1,port=3D2222,localaddr=3D,= localport=3D0 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"char= dev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64= -latest.args b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_= 64-latest.args index 77d38c3020..0e758834fc 100644 --- a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest= .args +++ b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest= .args 
@@ -27,9 +27,9 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGue= st1/.config \ -no-shutdown \ -boot strict=3Don \ -device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0= x2"}' \ --object '{"qom-type":"secret","id":"objlibvirt-1-storage_tls0-secret0","da= ta":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","key= id":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw=3D=3D","format":"base64"}' \ --object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","di= r":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"priority"= :"@SYSTEM:-VERS-TLS1.3","passwordid":"objlibvirt-1-storage_tls0-secret0"}' \ --blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","p= ort":"1234"},"tls-creds":"objlibvirt-1-storage_tls0","tls-hostname":"test-h= ostname","node-name":"libvirt-1-storage","read-only":false,"cache":{"direct= ":true,"no-flush":false}}' \ +-object '{"qom-type":"secret","id":"objlibvirt-1-storage_tlsx5090-secret0"= ,"data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1",= "keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw=3D=3D","format":"base64"}= ' \ +-object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tlsx5090"= ,"dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"prior= ity":"@SYSTEM:-VERS-TLS1.3","passwordid":"objlibvirt-1-storage_tlsx5090-sec= ret0"}' \ +-blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","p= ort":"1234"},"tls-creds":"objlibvirt-1-storage_tlsx5090","tls-hostname":"te= st-hostname","node-name":"libvirt-1-storage","read-only":false,"cache":{"di= rect":true,"no-flush":false}}' \ -device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x7","drive":"li= bvirt-1-storage","id":"virtio-disk3","bootindex":1,"write-cache":"on"}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,resource= control=3Ddeny \ 
diff --git a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.a= rgs b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.args index fb68ac54fb..675e266400 100644 --- a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.args +++ b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.args 
@@ -27,9 +27,9 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGue= st1/.config \ -no-shutdown \ -boot strict=3Don \ -device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0= x2"}' \ --object '{"qom-type":"secret","id":"objlibvirt-1-storage_tls0-secret0","da= ta":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","key= id":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw=3D=3D","format":"base64"}' \ --object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","di= r":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"passwordi= d":"objlibvirt-1-storage_tls0-secret0"}' \ --blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","p= ort":"1234"},"tls-creds":"objlibvirt-1-storage_tls0","node-name":"libvirt-1= -storage","read-only":false,"cache":{"direct":true,"no-flush":false}}' \ +-object '{"qom-type":"secret","id":"objlibvirt-1-storage_tlsx5090-secret0"= ,"data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1",= "keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw=3D=3D","format":"base64"}= ' \ +-object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tlsx5090"= ,"dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"passw= ordid":"objlibvirt-1-storage_tlsx5090-secret0"}' \ +-blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","p= ort":"1234"},"tls-creds":"objlibvirt-1-storage_tlsx5090","node-name":"libvi= rt-1-storage","read-only":false,"cache":{"direct":true,"no-flush":false}}' \ -device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x7","drive":"li= bvirt-1-storage","id":"virtio-disk3","bootindex":1,"write-cache":"on"}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,resource= control=3Ddeny \ 
diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_64= -latest.args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_= 64-latest.args index f8f1bb8502..787ecbb5ec 100644 --- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_64-latest= .args +++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_64-latest= .args @@ -31,8 +31,8 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGue= st1/.config \ -device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-stor= age","id":"ide0-0-0","bootindex":1}' \ -chardev udp,id=3Dcharserial0,host=3D127.0.0.1,port=3D2222,localaddr=3D127= .0.0.1,localport=3D1111 \ -device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","in= dex":0}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/e= tc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tlsx5090","dir"= :"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tlsx5090 \ -device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","in= dex":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","add= r":"0x2"}' \ diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest= .args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest.args index f8f1bb8502..787ecbb5ec 100644 --- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest.args +++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest.args 
@@ -31,8 +31,8 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGue= st1/.config \ -device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-stor= age","id":"ide0-0-0","bootindex":1}' \ -chardev udp,id=3Dcharserial0,host=3D127.0.0.1,port=3D2222,localaddr=3D127= .0.0.1,localport=3D1111 \ -device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","in= dex":0}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/e= tc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tlsx5090","dir"= :"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tlsx5090 \ -device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","in= dex":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","add= r":"0x2"}' \ diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64= -latest.args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_= 64-latest.args index 492d1be626..59f7b7be83 100644 --- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest= .args +++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest= .args 
@@ -32,8 +32,8 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGue= st1/.config \ -chardev udp,id=3Dcharserial0,host=3D127.0.0.1,port=3D2222,localaddr=3D127= .0.0.1,localport=3D1111 \ -device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","in= dex":0}' \ -object '{"qom-type":"secret","id":"charserial1-secret0","data":"9eao5F8qt= kGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey= 0","iv":"AAECAwQFBgcICQoLDA0ODw=3D=3D","format":"base64"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/e= tc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"priority":"= @SYSTEM:-VERS-TLS1.3","passwordid":"charserial1-secret0"}' \ --chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tlsx5090","dir"= :"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"priorit= y":"@SYSTEM:-VERS-TLS1.3","passwordid":"charserial1-secret0"}' \ +-chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tlsx5090 \ -device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","in= dex":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","add= r":"0x3"}' \ --=20 2.39.3 From nobody Sat May 30 15:30:47 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 38.145.34.151 as permitted sender) client-ip=38.145.34.151; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.libvirt.org designates 38.145.34.151 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; arc=pass (i=1 dmarc=pass fromdomain=nutanix.com); dmarc=pass(p=none dis=none) header.from=nutanix.com ARC-Seal: i=2; a=rsa-sha256; t=1779874336; cv=pass; 
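Review bot: Every expected command line in these .args files changes the tls-creds-x509 object id from the `_tls0` suffix to `_tlsx5090` (for example `objcharserial1_tls0` becomes `objcharserial1_tlsx5090`, and in the NBD cases the dependent secret becomes `objlibvirt-1-storage_tlsx5090-secret0`), and the commit message should say how a domain started before the rename is handled. If the id is recomputed from the source alias at detach or migration-cleanup time instead of being read back from saved state, the object deletion for an already-running guest would name an object QEMU never created, and the old credentials object and its `passwordid` secret would stay behind in that process. The new suffix is also hard to read: "x509" followed by the index "0" looks like "x5090", so a separator such as `_tlsx509_0` would be clearer if the id has to change at all.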
From: Abhisek Panda
To: devel@lists.libvirt.org
CC: tejus.gk@nutanix.com, mark.caveayland@nutanix.com, Abhisek Panda
Subject: [PATCH v1 5/7] qemu: Manage tls-creds-psk object lifecycle
Date: Wed, 27 May 2026 09:17:31 +0000
Message-ID: <20260527091735.3633179-6-abhisek.panda1@nutanix.com>
In-Reply-To: <20260527091735.3633179-1-abhisek.panda1@nutanix.com>
References: <20260527091735.3633179-1-abhisek.panda1@nutanix.com>
Content-Transfer-Encoding: quoted-printable

To enable TLS-PSK-based authentication scheme, add support for instantiating the tls-creds-psk object through QEMU monitor. In order to remove the TLS-related objects from a QEMU instance, augment the qemuDomainDelTLSObjects handler to also consider the TLS-PSK object.

Suggested-by: Tejus GK
Signed-off-by: Abhisek Panda
--- src/qemu/qemu_alias.c | 11 +++++ src/qemu/qemu_alias.h | 3 ++ src/qemu/qemu_hotplug.c | 59 +++++++++++++++++++++++--- src/qemu/qemu_hotplug.h | 15 ++++++- src/qemu/qemu_migration_params.c | 73 ++++++++++++++++++++++++++++++-- src/qemu/qemu_migration_params.h | 9 ++++ 6 files changed, 159 insertions(+), 11 deletions(-) diff --git a/src/qemu/qemu_alias.c b/src/qemu/qemu_alias.c index 9133389df1..4d61d7d2fe 100644 --- a/src/qemu/qemu_alias.c +++ b/src/qemu/qemu_alias.c 
@@ -883,6 +883,17 @@ qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias) return g_strdup_printf("obj%s_tlsx5090", srcAlias); } =20 +/* qemuAliasTLSPSKObjFromSrcAlias + * @srcAlias: Pointer to a source alias string + * + * Generate and return a string to be used as the TLS PSK object alias + */ +char * +qemuAliasTLSPSKObjFromSrcAlias(const char *srcAlias) +{ + return g_strdup_printf("obj%s_tlspsk0", srcAlias); +} + =20 /* qemuAliasChardevFromDevAlias: * @devAlias: pointer do device alias diff --git a/src/qemu/qemu_alias.h b/src/qemu/qemu_alias.h index dd7bfdcc0f..2a0c7ca7c3 100644 --- a/src/qemu/qemu_alias.h +++ b/src/qemu/qemu_alias.h @@ -92,6 +92,9 @@ char *qemuAliasForSecret(const char *parentalias, char *qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias) ATTRIBUTE_NONNULL(1); =20 +char *qemuAliasTLSPSKObjFromSrcAlias(const char *srcAlias) + ATTRIBUTE_NONNULL(1); + char *qemuAliasChardevFromDevAlias(const char *devAlias) ATTRIBUTE_NONNULL(1); =20 diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 9e7055f5da..296da1f195 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1702,12 +1702,13 @@ void qemuDomainDelTLSObjects(virDomainObj *vm, virDomainAsyncJob asyncJob, const char *secAlias, - const char *tlsx509Alias) + const char *tlsx509Alias, + const char *tlsPSKAlias) { qemuDomainObjPrivate *priv =3D vm->privateData; virErrorPtr orig_err; =20 - if (!tlsx509Alias && !secAlias) + if (!tlsx509Alias && !secAlias && !tlsPSKAlias) return; =20 virErrorPreserveLast(&orig_err); @@ -1721,6 +1722,9 @@ qemuDomainDelTLSObjects(virDomainObj *vm, if (secAlias) ignore_value(qemuMonitorDelObject(priv->mon, secAlias, false)); =20 + if (tlsPSKAlias) + ignore_value(qemuMonitorDelObject(priv->mon, tlsPSKAlias, false)); + qemuDomainObjExitMonitor(vm); =20 cleanup: 
@@ -1759,7 +1763,7 @@ qemuDomainAddTLSx509Objects(virDomainObj *vm, virErrorPreserveLast(&orig_err); qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, NULL); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, NULL, NULL); =20 return -1; } @@ -1881,6 +1885,49 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver, } =20 =20 +int +qemuDomainAddTLSPSKObjects(virDomainObj *vm, + virDomainAsyncJob asyncJob, + virJSONValue **tlsPSKProps) +{ + qemuDomainObjPrivate *priv =3D vm->privateData; + virErrorPtr orig_err; + + if (!tlsPSKProps) + return 0; + + if (qemuDomainObjEnterMonitorAsync(vm, asyncJob) < 0) + return -1; + + if (tlsPSKProps && *tlsPSKProps && + qemuMonitorAddObject(priv->mon, tlsPSKProps, NULL) < 0) + goto error; + + qemuDomainObjExitMonitor(vm); + return 0; + + error: + virErrorPreserveLast(&orig_err); + qemuDomainObjExitMonitor(vm); + virErrorRestore(&orig_err); + return -1; +} + + +int +qemuDomainGetTLSPSKObjects(const char *tlsPSKdir, + bool tlsListen, + const char *username, + const char *alias, + virJSONValue **tlsPSKProps) +{ + if (qemuBuildTLSPSKBackendProps(tlsPSKdir, tlsListen, username, alias,= tlsPSKProps) < 0) + return -1; + + return 0; +} + + static int qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, virDomainObj *vm, @@ -1941,7 +1988,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, ignore_value(qemuMonitorDetachCharDev(priv->mon, charAlias)); qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= , NULL); goto audit; } =20 
@@ -2240,7 +2287,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver, qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); =20 - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= , NULL); goto audit; } =20 @@ -2345,7 +2392,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver, qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); =20 - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= , NULL); goto audit; } =20 diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h index 2d9b10204c..835f57ded1 100644 --- a/src/qemu/qemu_hotplug.h +++ b/src/qemu/qemu_hotplug.h @@ -28,7 +28,8 @@ void qemuDomainDelTLSObjects(virDomainObj *vm, virDomainAsyncJob asyncJob, const char *secAlias, - const char *tlsx509Alias); + const char *tlsx509Alias, + const char *tlsPSKAlias); =20 int qemuDomainAddTLSx509Objects(virDomainObj *vm, @@ -46,6 +47,18 @@ qemuDomainGetTLSx509Objects(qemuDomainSecretInfo *secinf= o, virJSONValue **tlsProps, virJSONValue **secProps); =20 +int +qemuDomainAddTLSPSKObjects(virDomainObj *vm, + virDomainAsyncJob asyncJob, + virJSONValue **tlsPSKProps); + +int +qemuDomainGetTLSPSKObjects(const char *tlsPSKdir, + bool tlsListen, + const char *username, + const char *alias, + virJSONValue **tlsPSKProps); + int qemuDomainAttachDiskGeneric(virDomainObj *vm, virDomainDiskDef *disk, diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_par= ams.c index c91ae89c9b..1c6ab6fc8a 100644 --- a/src/qemu/qemu_migration_params.c +++ b/src/qemu/qemu_migration_params.c 
@@ -1216,7 +1216,7 @@ qemuMigrationParamsEnableTLSx509(virQEMUDriver *drive= r, * This should prevent any issues just in case some cleanup wasn't * properly completed (both src and dst use the same alias) or * some other error path between now and perform . */ - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsx509Alias); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsx509Alias, NULL); =20 if (qemuDomainAddTLSx509Objects(vm, asyncJob, &secProps, &tlsx509Props= ) < 0) return -1; 
@@ -1237,6 +1237,69 @@ qemuMigrationParamsEnableTLSx509(virQEMUDriver *driv= er, } =20 =20 +/* qemuMigrationParamsEnableTLSPSK + * @driver: pointer to qemu driver + * @vm: domain object + * @tlsListen: server or client + * @asyncJob: Migration job to join + * @tlsPSKAlias: alias to be generated for TLS-PSK object + * @username: hostname of the migration destination + * @tls_psk_directory: directory containing the TLS-PSK key file + * @migParams: migration parameters to set + * + * Create the TLS PSK objects for the migration and set the migParams valu= e. + * + * Returns 0 on success, -1 on failure + */ +int +qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver, + virDomainObj *vm, + bool tlsListen, + int asyncJob, + char **tlsPSKAlias, + const char *username, + qemuMigrationParams *migParams) +{ + qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; + g_autoptr(virJSONValue) tlsPSKProps =3D NULL; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); + + if (!cfg->migrateTLSPSKdir) { + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("host migration TLS-PSK directory not configured")); + return -1; + } + + if (!jobPriv->migParams->params[QEMU_MIGRATION_PARAM_TLS_CREDS].set) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("TLS migration is not supported with this QEMU binar= y")); + return -1; + } + + if (!(*tlsPSKAlias =3D qemuAliasTLSPSKObjFromSrcAlias(QEMU_MIGRATION_T= LS_ALIAS_BASE))) + return -1; + + if (qemuDomainGetTLSPSKObjects(cfg->migrateTLSPSKdir, tlsListen, + username, *tlsPSKAlias, &tlsPSKProps) < 0) + return -1; + + /* Ensure the domain doesn't already have the TLS-PSK objects defined.= .. + * This should prevent any issues just in case some cleanup wasn't + * properly completed (both src and dst use the same alias) or + * some other error path between now and perform . 
*/ + qemuDomainDelTLSObjects(vm, asyncJob, NULL, NULL, *tlsPSKAlias); + + if (qemuDomainAddTLSPSKObjects(vm, asyncJob, &tlsPSKProps) < 0) + return -1; + + if (qemuMigrationParamsSetString(migParams, QEMU_MIGRATION_PARAM_TLS_C= REDS, + *tlsPSKAlias) < 0) + return -1; + + return 0; +} + + /* qemuMigrationParamsDisableTLS * @vm: domain object * @migParams: Pointer to a migration parameters block @@ -1281,8 +1344,8 @@ qemuMigrationParamsTLSHostnameIsSet(qemuMigrationPara= ms *migParams) * @asyncJob: migration job to join * @apiFlags: API flags used to start the migration * - * Deconstruct all the setup possibly done for TLS - delete the TLS and - * security objects and free the secinfo + * Deconstruct all the setup possibly done for TLS - delete the TLS X.509,= TLS-PSK + * and security objects and free the secinfo */ static void qemuMigrationParamsResetTLS(virDomainObj *vm, @@ -1292,6 +1355,7 @@ qemuMigrationParamsResetTLS(virDomainObj *vm, { g_autofree char *tlsx509Alias =3D NULL; g_autofree char *secAlias =3D NULL; + g_autofree char *tlsPSKAlias =3D NULL; =20 /* There's nothing to do if QEMU does not support TLS migration or we = were * not asked to enable it. */ @@ -1301,8 +1365,9 @@ qemuMigrationParamsResetTLS(virDomainObj *vm, =20 tlsx509Alias =3D qemuAliasTLSx509ObjFromSrcAlias(QEMU_MIGRATION_TLS_AL= IAS_BASE); secAlias =3D qemuAliasForSecret(QEMU_MIGRATION_TLS_ALIAS_BASE, NULL, 0= ); + tlsPSKAlias =3D qemuAliasTLSPSKObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIA= S_BASE); =20 - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsx509Alias); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsx509Alias, tlsPSKAl= ias); g_clear_pointer(&QEMU_DOMAIN_PRIVATE(vm)->migSecinfo, qemuDomainSecret= InfoFree); } =20 diff --git a/src/qemu/qemu_migration_params.h b/src/qemu/qemu_migration_par= ams.h index b578cf5091..07f5812065 100644 --- a/src/qemu/qemu_migration_params.h +++ b/src/qemu/qemu_migration_params.h 
@@ -123,6 +123,15 @@ qemuMigrationParamsEnableTLSx509(virQEMUDriver *driver, const char *hostname, qemuMigrationParams *migParams); =20 +int +qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver, + virDomainObj *vm, + bool tlsListen, + int asyncJob, + char **tlsPSKAlias, + const char *username, + qemuMigrationParams *migParams); + int qemuMigrationParamsDisableTLS(virDomainObj *vm, qemuMigrationParams *migParams); --=20 2.39.3
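Review bot: in the qemu_hotplug.c hunk at @@ -1881,6 +1885,49 @@, qemuDomainAddTLSPSKObjects() returns early on `!tlsPSKProps` and then tests `tlsPSKProps &&` again in the qemuMonitorAddObject() condition, so the second test is dead, and when `*tlsPSKProps` is NULL the function still enters and leaves the monitor without doing anything. Suggest one early return, `if (!tlsPSKProps || !*tlsPSKProps) return 0;`, placed before qemuDomainObjEnterMonitorAsync(). In the same hunk qemuDomainGetTLSPSKObjects() only forwards its five arguments to qemuBuildTLSPSKBackendProps() on an over-long line; either call the builder directly from qemuMigrationParamsEnableTLSPSK() or add a comment saying why the wrapper is needed.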
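Review bot: the doc comment on qemuMigrationParamsEnableTLSPSK() (qemu_migration_params.c, @@ -1237,6 +1237,69 @@) does not match the signature. It documents @tls_psk_directory, which is not a parameter (the directory is read from cfg->migrateTLSPSKdir), and it describes @username as "hostname of the migration destination". Please drop the stale entry, say what the username identifies, and note that it can be NULL, since the destination-side caller in patch 6/7 passes NULL. Separately, the only capability test in this function is on QEMU_MIGRATION_PARAM_TLS_CREDS, which shows that the binary supports TLS migration but not that it provides the "tls-creds-psk" object; if that is verified elsewhere in the series a comment here would help, otherwise the failure surfaces only as a monitor error from qemuMonitorAddObject().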
From: Abhisek Panda
To: devel@lists.libvirt.org
Subject: [PATCH v1 6/7] qemu: Set up the migrate TLS-PSK objects
Date: Wed, 27 May 2026 09:17:32 +0000
Message-ID: <20260527091735.3633179-7-abhisek.panda1@nutanix.com>
X-Mailer: git-send-email 2.43.7
In-Reply-To: <20260527091735.3633179-1-abhisek.panda1@nutanix.com>
References: <20260527091735.3633179-1-abhisek.panda1@nutanix.com>
Content-Transfer-Encoding: quoted-printable
CC: tejus.gk@nutanix.com, mark.caveayland@nutanix.com, Abhisek Panda
Content-Type: text/plain; charset="utf-8"

Enable TLS-PSK based secure migration at the source and destination, if and only if the VIR_MIGRATE_TLS_PSK flag is set. To prevent configuration conflicts, report an error in case a user attempts to enable both TLS-PSK and TLS x509 certificate authentication methods simultaneously.

Suggested-by: Tejus GK
Signed-off-by: Abhisek Panda
--- src/qemu/qemu.conf.in | 8 +-- src/qemu/qemu_migration.c | 110 +++++++++++++++++++++++++++----------- 2 files changed, 82 insertions(+), 36 deletions(-) diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in index 5dfd3229e5..fa4f711592 100644 --- a/src/qemu/qemu.conf.in +++ b/src/qemu/qemu.conf.in
@@ -440,10 +440,10 @@ #migrate_tls_priority =3D "@SYSTEM" =20 =20 -# By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not req= uested -# automatically. Setting 'migate_tls_force' to "1" will prevent any migrat= ion -# which is not using VIR_MIGRATE_TLS to ensure higher level of security in -# deployments with TLS. +# By default TLS is requested using either VIR_MIGRATE_TLS or VIR_MIGRATE_= TLS_PSK +# flags, thus not requested automatically. Setting 'migate_tls_force' to "= 1" will +# prevent any migration which is not using either VIR_MIGRATE_TLS or VIR_M= IGRATE_TLS_PSK +# to ensure higher level of security in deployments with TLS. # #migrate_tls_force =3D 0 =20 diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 15e3571c99..239d547bb0 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3078,9 +3078,9 @@ qemuMigrationSrcBegin(virConnectPtr conn, =20 if (cfg->migrateTLSForce && !(flags & VIR_MIGRATE_TUNNELLED) && - !(flags & VIR_MIGRATE_TLS)) { + !(flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK))) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("this libvirtd instance allows migration only wit= h VIR_MIGRATE_TLS flag")); + _("this libvirtd instance allows migration only wit= h VIR_MIGRATE_TLS or VIR_MIGRATE_TLS_PSK flags")); goto cleanup; } =20 @@ -3327,6 +3327,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; qemuProcessIncomingDef *incoming =3D NULL; g_autofree char *tlsx509Alias =3D NULL; + g_autofree char *tlsPSKAlias =3D NULL; virObjectEvent *event =3D NULL; virErrorPtr origErr =3D NULL; int dataFD[2] =3D { -1, -1 }; @@ -3335,6 +3336,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, bool relabel =3D false; bool tunnel =3D !!st; int ret =3D -1; + int tls_creds_type =3D 0; int rv; =20 if (STREQ_NULLABLE(protocol, "rdma") && 
@@ -3409,17 +3411,36 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, /* Save original migration parameters */ qemuDomainSaveStatus(vm); =20 - /* Migrations using TLS need to add the "tls-creds-x509" object and - * set the migration TLS parameters */ - if (flags & VIR_MIGRATE_TLS) { - if (qemuMigrationParamsEnableTLSx509(driver, vm, true, - VIR_ASYNC_JOB_MIGRATION_IN, - &tlsx509Alias, NULL, - migParams) < 0) - goto error; - } else { - if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) + /* Migrations using TLS can support two types of credential + * objects: "tls-creds-x509" and "tls-creds-psk". Set the migration + * TLS parameters based on the chosen credential type. + */ + tls_creds_type =3D flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK); + switch (tls_creds_type) { + case 0: + if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) + goto error; + break; + case VIR_MIGRATE_TLS: + if (qemuMigrationParamsEnableTLSx509(driver, vm, true, + VIR_ASYNC_JOB_MIGRATION_I= N, + &tlsx509Alias, NULL, + migParams) < 0) + goto error; + break; + case VIR_MIGRATE_TLS_PSK: + if (qemuMigrationParamsEnableTLSPSK(driver, vm, true, + VIR_ASYNC_JOB_MIGRATION_IN, + &tlsPSKAlias, NULL, + migParams) < 0) + goto error; + break; + case VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK: + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("Both TLS x509 and TLS PSK are enabled simultaneously")); goto error; + default: + break; } =20 if (mig->nbd && @@ -3825,9 +3846,9 @@ qemuMigrationDstPrepareAny(virQEMUDriver *driver, =20 if (cfg->migrateTLSForce && !(flags & VIR_MIGRATE_TUNNELLED) && - !(flags & VIR_MIGRATE_TLS)) { + !(flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK))) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("this libvirtd instance allows migration only wit= h VIR_MIGRATE_TLS flag")); + _("this libvirtd instance allows migration only wit= h VIR_MIGRATE_TLS or VIR_MIGRATE_TLS_PSK flags")); return -1; } =20 
@@ -4978,6 +4999,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, qemuDomainObjPrivate *priv =3D vm->privateData; g_autoptr(qemuMigrationCookie) mig =3D NULL; g_autofree char *tlsx509Alias =3D NULL; + g_autofree char *tlsPSKAlias =3D NULL; qemuMigrationIOThread *iothread =3D NULL; VIR_AUTOCLOSE fd =3D -1; unsigned long restore_max_bandwidth =3D priv->migMaxBandwidth; @@ -4988,6 +5010,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, bool cancel =3D false; unsigned int waitFlags; g_autoptr(virDomainDef) persistDef =3D NULL; + int tls_creds_type =3D 0; int rc; =20 if (bandwidth > 0) 
@@ -5061,23 +5084,46 @@ qemuMigrationSrcRun(virQEMUDriver *driver, /* Save original migration parameters */ qemuDomainSaveStatus(vm); =20 - if (flags & VIR_MIGRATE_TLS) { - const char *hostname =3D NULL; - - /* We need to add tls-hostname whenever QEMU itself does not - * connect directly to the destination. */ - if (spec->destType =3D=3D MIGRATION_DEST_CONNECT_HOST || - spec->destType =3D=3D MIGRATION_DEST_FD) - hostname =3D spec->dest.host.name; - - if (qemuMigrationParamsEnableTLSx509(driver, vm, false, - VIR_ASYNC_JOB_MIGRATION_OUT, - &tlsx509Alias, hostname, - migParams) < 0) - goto error; - } else { - if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) + /* Migrations using TLS can support two types of credential + * objects: "tls-creds-x509" and "tls-creds-psk". Set the migration + * TLS parameters based on the chosen credential type. + */ + tls_creds_type =3D flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK); + switch (tls_creds_type) { + case 0: + if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) + goto error; + break; + case VIR_MIGRATE_TLS:{ + const char *hostname =3D NULL; + + /* We need to add tls-hostname whenever QEMU itself does not + * connect directly to the destination. */ + if (spec->destType =3D=3D MIGRATION_DEST_CONNECT_HOST || + spec->destType =3D=3D MIGRATION_DEST_FD) + hostname =3D spec->dest.host.name; + + if (qemuMigrationParamsEnableTLSx509(driver, vm, false, + VIR_ASYNC_JOB_MIGRATION_O= UT, + &tlsx509Alias, hostname, + migParams) < 0) + goto error; + break; + } + case VIR_MIGRATE_TLS_PSK: { + if (qemuMigrationParamsEnableTLSPSK(driver, vm, false, + VIR_ASYNC_JOB_MIGRATION_OU= T, + &tlsPSKAlias, spec->dest.h= ost.username, + migParams) < 0) + goto error; + break; + } + case VIR_MIGRATE_TLS|VIR_MIGRATE_TLS_PSK: + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("Both TLS and TLS-PSK are enabled simultaneously")); goto error; + default: + break; } =20 if (qemuMigrationParamsSetULL(migParams, QEMU_MIGRATION_PARAM_MAX_BAND= WIDTH, 
@@ -6553,9 +6599,9 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, =20 if (cfg->migrateTLSForce && !(flags & VIR_MIGRATE_TUNNELLED) && - !(flags & VIR_MIGRATE_TLS)) { + !(flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK))) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("this libvirtd instance allows migration only wit= h VIR_MIGRATE_TLS flag")); + _("this libvirtd instance allows migration only wit= h VIR_MIGRATE_TLS or VIR_MIGRATE_TLS_PSK flags")); return -1; } =20 --=20 2.39.3
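Review bot: the rewritten comment in the qemu.conf.in hunk (@@ -440,10 +440,10 @@) still spells the setting 'migate_tls_force', while the key directly below it is migrate_tls_force; since these lines are being rewritten anyway, correct the spelling here. The comment should also say that VIR_MIGRATE_TLS and VIR_MIGRATE_TLS_PSK are mutually exclusive, because the qemu_migration.c hunks in this patch reject a migration that sets both and "either ... or" alone does not tell an administrator that.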
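Review bot: in qemuMigrationDstPrepareActive() (@@ -3409,17 +3411,36 @@) the `default: break;` arm leaves the migration with TLS neither enabled nor explicitly disabled. With a two-bit mask it cannot be reached today, but it should fail closed (report an error and `goto error`) instead of falling through. The both-flags case is also rejected only here, after qemuDomainSaveStatus(); the same test fits next to the migrateTLSForce checks that this patch touches in qemuMigrationSrcBegin(), qemuMigrationDstPrepareAny() and qemuMigrationSrcPerform(), where it can fail before any per-migration state exists, and VIR_ERR_OPERATION_INVALID, which those checks use, describes a bad flag combination better than VIR_ERR_OPERATION_UNSUPPORTED. Style: tls_creds_type departs from the camelCase of the neighbouring locals (tlsx509Alias, tlsPSKAlias).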
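Review bot: in qemuMigrationSrcRun() (@@ -5061,23 +5084,46 @@) the VIR_MIGRATE_TLS case reads spec->dest.host.name only after checking spec->destType, but the VIR_MIGRATE_TLS_PSK case reads spec->dest.host.username with no destType check. Please apply the same guard, or add a comment explaining why username is valid for every destination type. The error string here ("Both TLS and TLS-PSK are enabled simultaneously") differs from the destination-side one ("Both TLS x509 and TLS PSK are enabled simultaneously"); use one wording in both places. Style: `case VIR_MIGRATE_TLS:{` and `VIR_MIGRATE_TLS|VIR_MIGRATE_TLS_PSK` lack the spacing used in the destination hunk, and the braces around the PSK case are unnecessary because it declares no variables.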
From: Abhisek Panda
To: devel@lists.libvirt.org
Subject: [PATCH v1 7/7] include: define VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY
Date: Wed, 27 May 2026 09:17:33 +0000
Message-ID: <20260527091735.3633179-8-abhisek.panda1@nutanix.com>
X-Mailer: git-send-email 2.43.7
In-Reply-To: <20260527091735.3633179-1-abhisek.panda1@nutanix.com>
References: <20260527091735.3633179-1-abhisek.panda1@nutanix.com>
Content-Transfer-Encoding: quoted-printable
CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BN7PR02MB5329.namprd02.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(376014)(366016)(1800799024)(6133799003)(56012099006)(3023799007)(18002099003)(22082099003);DIR:OUT;SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?bDJvVFR6MHVZeGVkMzZ4TUhvd1hiSUxYMjFVSStYWTI2blJqSVRxMi9rdk9V?= =?utf-8?B?a0pTVTZDQUpTR2RLd2MzTEE4OW1zcGh2UW9CS1FJYUpCb0JyY1lSRUttVENB?= =?utf-8?B?UkFwRUNVUmtmMXhveEhXY0VFdWY4OFZDeGFCNTYzeWF3dGFtU2dYbEkrd2FR?= =?utf-8?B?azdzckFYeDZjemhkVkh6QmVPZWFGTjlIb3ZxOGVIVFVTS2RVV2NoNmNCUWxn?= =?utf-8?B?NGdhYTg5azNzNkhJMFNWY2FtNHo0QjVkR09NclJxbW41d1VESnhJdENsZ0RO?= =?utf-8?B?YkRqRDZiaktVOG5DN2RHQXlKMVdOYTNoV20xRGJySHNhMWcxVUVwOHJvSEpH?= =?utf-8?B?OHhlOHFUZkIrWjBBNjRJMWluUWFzM1VnZkpIZ1ZBQloxVHFKS0NDdGRNTmNL?= =?utf-8?B?d3IwR3E5aWl6R1FGcnl1M00wUHg4c3prbzlVV0ZyRWFRWTA3Y2tVQWl0NXgr?= =?utf-8?B?T2MvSiszbi9EZzJoR0c3ZVRKSXNDdmJwVkpoaU8vbTZURzh2WUFXazZxblM3?= =?utf-8?B?K083NWlLSURVV21iR2s2Z1pzNWNmUG10MkpMKytlK1VUcitCUG83bXVtOVlV?= =?utf-8?B?cUdSUlJ1Y3F4RnRDTUJiSUEyZnBCbll1V1ZkcFdGUTdVdmQ1cWptZ0tmcjZW?= =?utf-8?B?QWExYWRKZURYS1ZnTkNiUy9CNUx0enp5MGdnRFgwbDk2ck40S0lvdWJBZmNT?= =?utf-8?B?ejVIZWhmN1k4UVo5UkZDRURYQ3M0K1J3TWtSWmNoZU5MQXl4dGJFWklWMlQr?= =?utf-8?B?RlBvZW1XUnljcURTV3hsbVlZSlQxZHIxZU1hK2pXTnZzbXNQcUxMVGo0Q3F3?= =?utf-8?B?SnRsSlBGVUhURUlIVDJ1YWZ4dVlQTVo3eHNjRkdyRXZ0ZzJQVy9FeEk1aEJs?= =?utf-8?B?WE1ZSWIyRitDODNsRlhVWDJsWFI0ZXdrMGZOQmdNZmoxdVBrdSt2akFDNlcz?= =?utf-8?B?RmY3THE5Z2ptQU1CMWppUWxpSWRDb21uZDI2WHVjdXZDd0ZXTGdKT2ZRMGpT?= =?utf-8?B?aDkyRkdLaWtxVkpjTHIyeHZPOFV1Q2s5cXkrcnVmNW1QOHVpRGQveEsvV0Jm?= =?utf-8?B?RFFlNGgrSEh1ZXZMWlFhZGYycXhKdlNwcnlDR0pSVUVUMDlMaVBzbklVS0p6?= =?utf-8?B?RHFhSE5XK0ZaS3ZWNTB3WVYvN1liekVPZCttOGRndy9FRmZ5dXo1NE9ISE04?= =?utf-8?B?ZjVJTWkrRExqbjNHcHMweXl6dTROUTVNdkh4MnYyREZKVDBSVEluSitpL0pr?= =?utf-8?B?d1FmNHA2K1RIYzE2WWhNdlJRbUYwTnJybnlVR1o3Z2Fsb1IrUmF0UEpZUDNq?= 
=?utf-8?B?U2xVdm5VdFhaQnBJbWtYbDE0eVJOUVlOQXpmUzY2RDI0SHdycDBHVmJjTXpu?= =?utf-8?B?ZlhVSjUyQ2MwNWRwVkh5MXZUd2U4bnlLSkFCaXh1N2VZeTFXREFxOEJYUzdR?= =?utf-8?B?VnJ4UGkvVTI4Wm9QNm5XS0d1WnRQWTlsZ0dwRU5SMnBHQ0FrelhCZHk1UXEy?= =?utf-8?B?L1VSakFkVE04dzZxcVZvcnRrOTJEZ1dSM3hPWTlkTkJzT1BnYjhLT0NRbnRv?= =?utf-8?B?TEJEMmYreTJ4NXZFT01tZi9MaUdodVcwdzZZVC9qUnh0MVlzL2s2MW9XaVEr?= =?utf-8?B?bGhVUnNjckZRb0JUaVcvYm5zS1Erb0dNOU9MeWFBL1BvWENjdGxrMXI0VnQ4?= =?utf-8?B?NlA3a3VXVEsyWTFJMnVyYmVrVnhoVlpTZHI4RFRGZnc4UEcrUXhQVEswL3JU?= =?utf-8?B?VmJ4UzUyRFF4YVV6aG9sMkc4RUhzY2V0NWZ5Zm9ucWc4NkdHVGord1gzTFc5?= =?utf-8?B?aWlJTjAvR0dYVnYwaDZmOUZ6bDdIdFlWaW1DdEN5aVRvNUQ3Q1VjNFNFVUVM?= =?utf-8?B?VThCcWhxYlFtaktobjgrV3piV1Q1alJVR0htM3Q1Vk95Wm9aOGtjR0tKSEor?= =?utf-8?B?WXh3K3NndkN2WDA0UWUxbVIxMDdIQ1c3UWErMkRYTXV4dnJiMlBSUUJTMEtl?= =?utf-8?B?cUpSenVWdEZTdHEweEk2SVYyUDd6MWtvV0EvWDFPbVNpWHVZeFpmY3Vidm9P?= =?utf-8?B?a3N3SWZUcG1GLzdkZnB0clludTFVTDlTSm1KTzZJamRpUW9tU05IRGRYSnFq?= =?utf-8?B?VnYwK2xDUTM4YXZ6d1JYUXJUZlpQamxqMFk4V09rbm1iRThGTHVoNlZiZks1?= =?utf-8?B?SkJ4MkFWdHpmdHZodXNKQmRsWlBLd011NnhIZVVBaVR5NE1NdHU0UG5CNVcz?= =?utf-8?B?L0h6b0Frc25RVUxHNm9zZTR0Yy8zS1JDbGluOTZpcUZWL1VPQ3d4d29HbSt3?= =?utf-8?B?Y2MvTzJraGxnK0swek5VOXdObTgxUG1zbFdqVFNyeUx6UXpKOXcxN0VLVEw4?= =?utf-8?Q?062Mico5vF5Sh1FQ=3D?= X-Exchange-RoutingPolicyChecked: myZf3v0VdGwGy4gQQF90gUwIzUDqAPOrj660ClquPIF33/DTqtGrQ3uD11V0ezr/Mb3U18ksT4Xf2kyHCYpzfYRUVBDcz87j6stuqJrRBBrQlw/HRccE/L7BGEaJyBUfWs6qt2UF+FsKprLi5+hnlN3jVp2Lr2v6JFuMII9GpUd9E2my/F5f7Wx/k/ZTIo0NGU2gx97BH/fGOJD28gZH/0Fdl2cuZrxrZJz9Q42VW/sQYQl3hyPO/Fqd0SRMgE8evO0EXm58vFdr9dkInb0Dc0Nu735ljEx0HVX3JIXXMENMpLBm5Y+G5juaJBQZWiJipRUgvevlAAggtgoOoTF7FA== X-OriginatorOrg: nutanix.com X-MS-Exchange-CrossTenant-Network-Message-Id: 4f9aa384-65cc-409f-af76-08debbd0d71e X-MS-Exchange-CrossTenant-AuthSource: BN7PR02MB5329.namprd02.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 May 2026 09:17:57.1129 (UTC) 
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: bb047546-786f-4de1-bd75-24e5b6f79043 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: lXYkzd8g0YQ7+qAWjzMTvrydN5Bc9+MDil+SADi283djTn0iJVF8UOslQIXQqquGS5Dxed5uYpBmJUVW8KdtlQpZw0ed2TYYwuRpfL+vinE= X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL3PR02MB9009 X-Proofpoint-ORIG-GUID: rj1w0wxeVNTOQG_Iv-FZwRLg4h9TQV0h X-Proofpoint-GUID: rj1w0wxeVNTOQG_Iv-FZwRLg4h9TQV0h X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNTI3MDA4OCBTYWx0ZWRfXwB9Az85kUr19 qXrsuqDlCgecBkywzAf/cC31rBerRYecMDmYHZ3RBmXhXw4BVjRkPEhEOLTyFVKZ3zCuGp+stfA 4/bAvrXjDW3MVZ85MALQ5KcsfcFMdqTtNqBtIZz9djEbrf2303TxpS/2zU3ZOBFgLZK3BomJ3/j heSPzyRsL2l/sFuARwXBJUrIB0aQAHexJU+1f8RK5UqGiMW8BeRBBazrNrLd8Syhc6EdLSQ6ZdN K1BxDXVlXJgT8D7HMKLQj254Q+ra+L8MNF5HuyIE/zlKuZfwe49WYv2HUBzpNoIRaAdTtmd7Hqr n1IPE6q/kIuUVegeMBZkegBf8su9nGMPmIhMCmrfBzlmtyhzf51zMguWBINM/gj8yxnjcwlub06 UdxR0Udp41/0t0aZJx4Zj4qPg/ta/t8p6u5v+1/k1XcbsSHa2oFXkHfb3BMY6uw+zfkPUe25wH/ tcYujIyDZ2g/LBzY5Mg== X-Authority-Analysis: v=2.4 cv=aNnAb79m c=1 sm=1 tr=0 ts=6a16b6c7 cx=c_pps a=A3wBdPz/itNY2Bh/0u/a6g==:117 a=6eWqkTHjU83fiwn7nKZWdM+Sl24=:19 a=z/mQ4Ysz8XfWz/Q5cLBRGdckG28=:19 a=lCpzRmAYbLLaTzLvsPZ7Mbvzbb8=:19 a=xqWC_Br6kY4A:10 a=IkcTkHD0fZMA:10 a=NGcC8JguVDcA:10 a=0kUYKlekyDsA:10 a=VkNPw1HP01LnGYTKEx00:22 a=VofLwUrZ8Iiv6rRUPXIb:22 a=0LlEyIVc8U2lsR7dKhuH:22 a=64Cc0HZtAAAA:8 a=BgFrhowzrF4dcxJIR14A:9 a=QEXdDO2ut3YA:10 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.125,FMLib:17.12.100.49 definitions=2026-05-27_01,2026-05-26_03,2025-10-01_01 X-Proofpoint-Spam-Reason: safe Message-ID-Hash: WWNA4YMX4TTTO7XPZTORJ2SCFIT4DZG3 X-Message-ID-Hash: WWNA4YMX4TTTO7XPZTORJ2SCFIT4DZG3 X-MailFrom: abhisek.panda1@nutanix.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-devel.lists.libvirt.org-0; emergency; member-moderation; nonmember-moderation; administrivia; 
CC: tejus.gk@nutanix.com, mark.caveayland@nutanix.com, Abhisek Panda
List-Id: Development discussions about the libvirt library & tools

During an encrypted migration, the parties negotiate a unique identifier, then QEMU parses the key file and extracts the matching key. By default, the key file’s location is defined in either "migrate_tls_psk_dir" or "default_tls_psk_dir" in qemu.conf. To use a different key file for a particular migration session, a user can provide a custom directory path of the key file using the "VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY" migration parameter. If this parameter is set, the defined path supersedes the "migrate_tls_psk_dir" or "default_tls_psk_dir" configurations provided in qemu.conf.

Suggested-by: Tejus GK
Signed-off-by: Abhisek Panda
--- include/libvirt/libvirt-domain.h | 14 ++++++ src/qemu/qemu_driver.c | 24 ++++++---- src/qemu/qemu_migration.c | 78 ++++++++++++++++++++------------ src/qemu/qemu_migration.h | 2 + src/qemu/qemu_migration_params.c | 41 +++++++++++++---- src/qemu/qemu_migration_params.h | 5 ++ tools/virsh-domain.c | 7 +++ 7 files changed, 127 insertions(+), 44 deletions(-) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-dom= ain.h index 88eb3e55aa..f600771c08 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h 
@@ -1479,6 +1479,20 @@ typedef enum { */ # define VIR_MIGRATE_PARAM_TLS_DESTINATION "tls.destination" =20 +/** + * VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY: + * + * virDomainMigrate* params field: override the path of the directory cont= aining + * the pre-shared key files. + * + * Normally the pre-shared key files on a host is stored at a specific pat= h specified + * in the configuration file. When a user wants to use a unique or custom = pre-shared key + * for migration, this parameter can be used to override the pre-shared ke= y files' path. + * + * Since: 12.4.0 + */ +# define VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY "tls.psk_directory" + /* Domain migration. */ virDomainPtr virDomainMigrate (virDomainPtr domain, virConnectPtr dconn, unsigned long flags, const char *dname, diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index eda1f42054..8e4d415874 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -11004,7 +11004,7 @@ qemuDomainMigratePrepare2(virConnectPtr dconn, return qemuMigrationDstPrepareDirect(driver, dconn, NULL, 0, NULL, NULL, /* No cookie= s */ uri_in, uri_out, - &def, origname, NULL, NULL, 0, NU= LL, + &def, origname, NULL, NULL, 0, NU= LL, NULL, migParams, flags); } =20 @@ -11055,7 +11055,7 @@ qemuDomainMigratePerform(virDomainPtr dom, */ ret =3D qemuMigrationSrcPerform(driver, dom->conn, vm, NULL, NULL, dconnuri, uri, NULL, NULL, NULL, N= ULL, NULL, 0, - NULL, + NULL, NULL, migParams, cookie, cookielen, NULL, NULL, /* No output cookies in v2 */ flags, dname, bandwidth, false); @@ -11230,7 +11230,7 @@ qemuDomainMigratePrepare3(virConnectPtr dconn, cookieout, cookieoutlen, uri_in, uri_out, &def, origname, NULL, NULL, 0, - NULL, migParams, flags); + NULL, NULL, migParams, flags); } =20 static int 
@@ -11256,6 +11256,7 @@ qemuDomainMigratePrepare3Params(virConnectPtr dconn, g_autofree char *origname =3D NULL; g_autoptr(qemuMigrationParams) migParams =3D NULL; const char *nbdURI =3D NULL; + const char *tls_psk_directory =3D NULL; =20 virCheckFlags(QEMU_MIGRATION_FLAGS, -1); if (virTypedParamsValidateTemplate(params, nparams, qemuMigrationParam= etersValidation) < 0) @@ -11278,7 +11279,10 @@ qemuDomainMigratePrepare3Params(virConnectPtr dcon= n, &nbdURI) < 0 || virTypedParamsGetInt(params, nparams, VIR_MIGRATE_PARAM_DISKS_PORT, - &nbdPort) < 0) + &nbdPort) < 0 || + virTypedParamsGetString(params, nparams, + VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY, + &tls_psk_directory) < 0) return -1; =20 virTypedParamsGetStringList(params, nparams, VIR_MIGRATE_PARAM_MIGRATE= _DISKS, @@ -11333,7 +11337,7 @@ qemuDomainMigratePrepare3Params(virConnectPtr dconn, uri_in, uri_out, &def, origname, listenAddress, migrate_disks, nbdPort, - nbdURI, migParams, flags); + nbdURI, tls_psk_directory, migPar= ams, flags); } =20 =20 @@ -11461,7 +11465,7 @@ qemuDomainMigratePerform3(virDomainPtr dom, =20 ret =3D qemuMigrationSrcPerform(driver, dom->conn, vm, xmlin, NULL, dconnuri, uri, NULL, NULL, NULL, NULL, N= ULL, 0, - NULL, migParams, + NULL, NULL, migParams, cookiein, cookieinlen, cookieout, cookieoutlen, flags, dname, bandwidth, true); @@ -11489,6 +11493,7 @@ qemuDomainMigratePerform3Params(virDomainPtr dom, const char *dname =3D NULL; const char *uri =3D NULL; const char *graphicsuri =3D NULL; + const char *tls_psk_directory =3D NULL; const char *listenAddress =3D NULL; g_autofree const char **migrate_disks =3D NULL; g_autofree const char **migrate_disks_detect_zeroes =3D NULL; 
@@ -11529,7 +11534,10 @@ qemuDomainMigratePerform3Params(virDomainPtr dom, &nbdURI) < 0 || virTypedParamsGetString(params, nparams, VIR_MIGRATE_PARAM_PERSIST_XML, - &persist_xml) < 0) + &persist_xml) < 0 || + virTypedParamsGetString(params, nparams, + VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY, + &tls_psk_directory) < 0) goto cleanup; =20 =20 @@ -11580,7 +11588,7 @@ qemuDomainMigratePerform3Params(virDomainPtr dom, migrate_disks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - nbdPort, nbdURI, migParams, + nbdPort, nbdURI, tls_psk_directory, migP= arams, cookiein, cookieinlen, cookieout, cookie= outlen, flags, dname, bandwidth, true); cleanup: diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 239d547bb0..79d11732a7 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3320,6 +3320,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, const char **migrate_disks, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags) { @@ -3432,7 +3433,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, if (qemuMigrationParamsEnableTLSPSK(driver, vm, true, VIR_ASYNC_JOB_MIGRATION_IN, &tlsPSKAlias, NULL, - migParams) < 0) + tls_psk_directory, migPara= ms) < 0) goto error; break; case VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK: @@ -3533,6 +3534,7 @@ qemuMigrationDstPrepareFresh(virQEMUDriver *driver, const char **migrate_disks, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags) { 
@@ -3546,9 +3548,10 @@ qemuMigrationDstPrepareFresh(virQEMUDriver *driver, bool taint_hook =3D false; =20 VIR_DEBUG("name=3D%s, origname=3D%s, protocol=3D%s, port=3D%hu, " - "listenAddress=3D%s, nbdPort=3D%d, nbdURI=3D%s, flags=3D0x%x= ", + "listenAddress=3D%s, nbdPort=3D%d, nbdURI=3D%s," + "tls_psk_directory=3D%s, flags=3D0x%x", (*def)->name, NULLSTR(origname), protocol, port, - listenAddress, nbdPort, NULLSTR(nbdURI), flags); + listenAddress, nbdPort, NULLSTR(nbdURI), NULLSTR(tls_psk_dir= ectory), flags); =20 if (!(flags & VIR_MIGRATE_OFFLINE)) { cookieFlags =3D QEMU_MIGRATION_COOKIE_GRAPHICS | @@ -3641,6 +3644,7 @@ qemuMigrationDstPrepareFresh(virQEMUDriver *driver, protocol, port, listenAddress, migrate_disks, nbdPort, nbdURI, + tls_psk_directory, migParams, flags) < 0) { goto stopjob; } @@ -3806,6 +3810,7 @@ qemuMigrationDstPrepareAny(virQEMUDriver *driver, const char **migrate_disks, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags) { @@ -3867,6 +3872,7 @@ qemuMigrationDstPrepareAny(virQEMUDriver *driver, port, autoPort, listenAddress, migrate_disks, nbdPort, nbdURI, + tls_psk_directory, migParams, flags); } =20 @@ -3903,7 +3909,7 @@ qemuMigrationDstPrepareTunnel(virQEMUDriver *driver, return qemuMigrationDstPrepareAny(driver, dconn, cookiein, cookieinlen, cookieout, cookieoutlen, def, origna= me, st, NULL, 0, false, NULL, NULL, 0, - NULL, migParams, flags); + NULL, NULL, migParams, flags); } =20 =20 @@ -3944,6 +3950,7 @@ qemuMigrationDstPrepareDirect(virQEMUDriver *driver, const char **migrate_disks, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags) { 
@@ -3959,12 +3966,12 @@ qemuMigrationDstPrepareDirect(virQEMUDriver *driver, "cookieout=3D%p, cookieoutlen=3D%p, uri_in=3D%s, uri_out=3D%= p, " "def=3D%p, origname=3D%s, listenAddress=3D%s, " "migrate_disks=3D%p, nbdPort=3D%d, " - "nbdURI=3D%s, flags=3D0x%x", + "nbdURI=3D%s, tls_psk_directory=3D%s, flags=3D0x%x", driver, dconn, NULLSTR(cookiein), cookieinlen, cookieout, cookieoutlen, NULLSTR(uri_in), uri_out, *def, origname, NULLSTR(listenAddress), migrate_disks, nbdPort, NULLSTR(nbdURI), - flags); + NULLSTR(tls_psk_directory), flags); =20 *uri_out =3D NULL; =20 @@ -4072,7 +4079,7 @@ qemuMigrationDstPrepareDirect(virQEMUDriver *driver, NULL, uri ? uri->scheme : "tcp", port, autoPort, listenAddress, migrate_disks, nbdPort, - nbdURI, migParams, flags); + nbdURI, tls_psk_directory, migParams,= flags); cleanup: if (ret !=3D 0) { VIR_FREE(*uri_out); @@ -4993,7 +5000,8 @@ qemuMigrationSrcRun(virQEMUDriver *driver, const char **migrate_disks_detect_zeroes, const char **migrate_disks_target_zero, qemuMigrationParams *migParams, - const char *nbdURI) + const char *nbdURI, + const char *tls_psk_directory) { int ret =3D -1; qemuDomainObjPrivate *priv =3D vm->privateData; @@ -5114,7 +5122,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, if (qemuMigrationParamsEnableTLSPSK(driver, vm, false, VIR_ASYNC_JOB_MIGRATION_OU= T, &tlsPSKAlias, spec->dest.h= ost.username, - migParams) < 0) + tls_psk_directory, migPara= ms) < 0) goto error; break; } @@ -5444,7 +5452,8 @@ qemuMigrationSrcPerformNative(virQEMUDriver *driver, const char **migrate_disks_detect_zeroes, const char **migrate_disks_target_zero, qemuMigrationParams *migParams, - const char *nbdURI) + const char *nbdURI, + const char *tls_psk_directory) { g_autoptr(virURI) uribits =3D NULL; int ret =3D -1; 
@@ -5521,7 +5530,7 @@ qemuMigrationSrcPerformNative(virQEMUDriver *driver, &spec, dconn, graphicsuri, migrate_disks, migrate_disks_detect_zero= es, migrate_disks_target_zero, - migParams, nbdURI); + migParams, nbdURI, tls_psk_directory); } =20 if (spec.destType =3D=3D MIGRATION_DEST_FD) @@ -5584,7 +5593,7 @@ qemuMigrationSrcPerformTunnel(virQEMUDriver *driver, ret =3D qemuMigrationSrcRun(driver, vm, persist_xml, cookiein, cookiei= nlen, cookieout, cookieoutlen, flags, bandwidth, &= spec, dconn, graphicsuri, NULL, NULL, NULL, - migParams, NULL); + migParams, NULL, NULL); =20 cleanup: VIR_FORCE_CLOSE(spec.dest.fd.qemu); @@ -5623,7 +5632,7 @@ qemuMigrationSrcPerformResume(virQEMUDriver *driver, ret =3D qemuMigrationSrcPerformNative(driver, vm, NULL, uri, cookiein, cookieinlen, cookieout, cookieoutlen, flags, - 0, NULL, NULL, NULL, NULL, NULL, m= igParams, NULL); + 0, NULL, NULL, NULL, NULL, NULL, m= igParams, NULL, NULL); =20 virCloseCallbacksDomainAdd(vm, conn, qemuMigrationAnyConnectionClosed); =20 @@ -5731,7 +5740,7 @@ qemuMigrationSrcPerformPeer2Peer2(virQEMUDriver *driv= er, cookie, cookielen, NULL, NULL, /* No out cookie w= ith v2 migration */ flags, bandwidth, dconn, NULL,= NULL, NULL, - NULL, migParams, NULL); + NULL, migParams, NULL, NULL); =20 /* Perform failed. Make sure Finish doesn't overwrite the error */ if (ret < 0) @@ -5798,6 +5807,7 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriver *driv= er, const char **migrate_disks_target_zero, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned long long bandwidth, bool useParams, 
@@ -5824,12 +5834,12 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriver *dr= iver, "dname=3D%s, uri=3D%s, graphicsuri=3D%s, listenAddress=3D%s,= " "migrate_disks=3D%p, migrate_disks_detect_zeroes=3D%p, " "migrate_disks_target_zero=3D%p, nbdPort=3D%d, nbdURI=3D%s, " - "bandwidth=3D%llu, useParams=3D%d, flags=3D0x%x", + "tls_psk_directory=3D%s, bandwidth=3D%llu, useParams=3D%d, f= lags=3D0x%x", driver, sconn, dconn, NULLSTR(dconnuri), vm, NULLSTR(xmlin), NULLSTR(dname), NULLSTR(uri), NULLSTR(graphicsuri), NULLSTR(listenAddress), migrate_disks, migrate_disks_detect_= zeroes, migrate_disks_target_zero, nbdPort, - NULLSTR(nbdURI), bandwidth, useParams, flags); + NULLSTR(nbdURI), NULLSTR(tls_psk_directory), bandwidth, useP= arams, flags); =20 /* Unlike the virDomainMigrateVersion3 counterpart, we don't need * to worry about auto-setting the VIR_MIGRATE_CHANGE_PROTECTION @@ -5919,6 +5929,12 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriver *dri= ver, nbdURI) < 0) goto cleanup; =20 + if (tls_psk_directory && + virTypedParamsAddString(¶ms, &nparams, &maxparams, + VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY, + tls_psk_directory) < 0) + goto cleanup; + if (qemuMigrationParamsDump(migParams, ¶ms, &nparams, &maxparams, &flags) < 0) goto cleanup; @@ -6022,7 +6038,7 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriver *driv= er, flags, bandwidth, dconn, g= raphicsuri, migrate_disks, migrate_dis= ks_detect_zeroes, migrate_disks_target_zero, - migParams, nbdURI); + migParams, nbdURI, tls_psk= _directory); } =20 if (ret =3D=3D 0) @@ -6199,6 +6215,7 @@ qemuMigrationSrcPerformPeer2Peer(virQEMUDriver *drive= r, const char **migrate_disks_target_zero, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags, const char *dname, 
@@ -6217,11 +6234,12 @@ qemuMigrationSrcPerformPeer2Peer(virQEMUDriver *dri= ver, =20 VIR_DEBUG("driver=3D%p, sconn=3D%p, vm=3D%p, xmlin=3D%s, dconnuri=3D%s= , uri=3D%s, " "graphicsuri=3D%s, listenAddress=3D%s, " - "migrate_disks=3D%p, nbdPort=3D%d, nbdURI=3D%s, flags=3D0x%x= , " - "dname=3D%s, bandwidth=3D%lu", + "migrate_disks=3D%p, nbdPort=3D%d, nbdURI=3D%s, tls_psk_dire= ctory=3D%s, " + "flags=3D0x%x, dname=3D%s, bandwidth=3D%lu", driver, sconn, vm, NULLSTR(xmlin), NULLSTR(dconnuri), NULLSTR(uri), NULLSTR(graphicsuri), NULLSTR(listenAddress), migrate_disks, nbdPort, NULLSTR(nbdURI), + NULLSTR(tls_psk_directory), flags, NULLSTR(dname), bandwidth); =20 if (flags & VIR_MIGRATE_TUNNELLED && uri) { @@ -6323,7 +6341,7 @@ qemuMigrationSrcPerformPeer2Peer(virQEMUDriver *drive= r, persist_xml, dname, uri, g= raphicsuri, listenAddress, migrate_dis= ks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - nbdPort, nbdURI, migParams= , bandwidth, + nbdPort, nbdURI, tls_psk_d= irectory, migParams, bandwidth, !!useParams, flags); } else { ret =3D qemuMigrationSrcPerformPeer2Peer2(driver, sconn, dconn, vm, @@ -6363,6 +6381,7 @@ qemuMigrationSrcPerformJob(virQEMUDriver *driver, const char **migrate_disks_target_zero, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, const char *cookiein, int cookieinlen, @@ -6412,7 +6431,7 @@ qemuMigrationSrcPerformJob(virQEMUDriver *driver, dconnuri, uri, graphicsuri,= listenAddress, migrate_disks, migrate_disk= s_detect_zeroes, migrate_disks_target_zero, - nbdPort, nbdURI, + nbdPort, nbdURI, tls_psk_di= rectory, migParams, flags, dname, ba= ndwidth, &v3proto); } else { 
@@ -6422,7 +6441,7 @@ qemuMigrationSrcPerformJob(virQEMUDriver *driver, ret =3D qemuMigrationSrcPerformNative(driver, vm, persist_xml, uri= , cookiein, cookieinlen, cookieout, cookieoutlen, flags, bandwidth, NULL, NULL, = NULL, NULL, NULL, - migParams, nbdURI); + migParams, nbdURI, tls_psk_dir= ectory); } if (ret < 0) goto endjob; @@ -6497,7 +6516,8 @@ qemuMigrationSrcPerformPhase(virQEMUDriver *driver, int *cookieoutlen, unsigned int flags, unsigned long bandwidth, - const char *nbdURI) + const char *nbdURI, + const char *tls_psk_directory) { qemuDomainObjPrivate *priv =3D vm->privateData; qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; @@ -6527,7 +6547,7 @@ qemuMigrationSrcPerformPhase(virQEMUDriver *driver, flags, bandwidth, NULL, graphicsuri, migrate_disks, migrate_disks_detect_= zeroes, migrate_disks_target_zero, - migParams, nbdURI) < 0) + migParams, nbdURI, tls_psk_directory= ) < 0) goto cleanup; =20 virCloseCallbacksDomainAdd(vm, conn, qemuMigrationAnyConnectionClosed); @@ -6573,6 +6593,7 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, const char **migrate_disks_target_zero, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, const char *cookiein, int cookieinlen, @@ -6588,12 +6609,13 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, VIR_DEBUG("driver=3D%p, conn=3D%p, vm=3D%p, xmlin=3D%s, dconnuri=3D%s,= " "uri=3D%s, graphicsuri=3D%s, listenAddress=3D%s, " "migrate_disks=3D%p, nbdPort=3D%d, " - "nbdURI=3D%s, " + "nbdURI=3D%s, tls_psk_directory=3D%s, " "cookiein=3D%s, cookieinlen=3D%d, cookieout=3D%p, cookieoutl= en=3D%p, " "flags=3D0x%x, dname=3D%s, bandwidth=3D%lu, v3proto=3D%d", driver, conn, vm, NULLSTR(xmlin), NULLSTR(dconnuri), NULLSTR(uri), NULLSTR(graphicsuri), NULLSTR(listenAddress), migrate_disks, nbdPort, NULLSTR(nbdURI), + NULLSTR(tls_psk_directory), NULLSTR(cookiein), cookieinlen, cookieout, cookieoutlen, flags, NULLSTR(dname), bandwidth, v3proto); =20 
@@ -6616,7 +6638,7 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, graphicsuri, listenAddress, migrate_disks, migrate_disks_det= ect_zeroes, migrate_disks_target_zero, - nbdPort, nbdURI, migParams, + nbdPort, nbdURI, tls_psk_directo= ry, migParams, cookiein, cookieinlen, cookieout, cookieoutlen, flags, dname, bandwidth, v3proto= ); @@ -6636,14 +6658,14 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, migParams, cookiein, cookieinlen, cookieout, cookieoutlen, - flags, bandwidth, nbdURI); + flags, bandwidth, nbdURI, tls_= psk_directory); } =20 return qemuMigrationSrcPerformJob(driver, conn, vm, xmlin, persist_xml= , NULL, uri, graphicsuri, listenAddress, migrate_disks, migrate_disks_detect_= zeroes, migrate_disks_target_zero, - nbdPort, nbdURI, migParams, + nbdPort, nbdURI, tls_psk_directory, = migParams, cookiein, cookieinlen, cookieout, cookieoutlen, flags, dname, bandwidth, v3proto); diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index 7fbf959ee6..6154037c0d 100644 --- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h @@ -140,6 +140,7 @@ qemuMigrationDstPrepareDirect(virQEMUDriver *driver, const char **migrate_disks, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags); =20 @@ -158,6 +159,7 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, const char **migrate_disks_target_zero, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, const char *cookiein, int cookieinlen, diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_par= ams.c index 1c6ab6fc8a..d6099894c5 100644 --- a/src/qemu/qemu_migration_params.c +++ b/src/qemu/qemu_migration_params.c 
@@ -1258,17 +1258,13 @@ qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driv= er, int asyncJob, char **tlsPSKAlias, const char *username, + const char *tls_psk_directory, qemuMigrationParams *migParams) { qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; g_autoptr(virJSONValue) tlsPSKProps =3D NULL; g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); - - if (!cfg->migrateTLSPSKdir) { - virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("host migration TLS-PSK directory not configured")); - return -1; - } + const char *pskDirectory =3D qemuMigrationParamsGetTLSPSKDirectory(dri= ver, tls_psk_directory); =20 if (!jobPriv->migParams->params[QEMU_MIGRATION_PARAM_TLS_CREDS].set) { virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", @@ -1279,8 +1275,8 @@ qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver, if (!(*tlsPSKAlias =3D qemuAliasTLSPSKObjFromSrcAlias(QEMU_MIGRATION_T= LS_ALIAS_BASE))) return -1; =20 - if (qemuDomainGetTLSPSKObjects(cfg->migrateTLSPSKdir, tlsListen, - username, *tlsPSKAlias, &tlsPSKProps) < 0) + if (qemuDomainGetTLSPSKObjects(pskDirectory, tlsListen, + username, *tlsPSKAlias, &tlsPSKProps) <= 0) return -1; =20 /* Ensure the domain doesn't already have the TLS-PSK objects defined.= .. 
@@ -1847,3 +1843,32 @@ qemuMigrationParamsGetTLSHostname(qemuMigrationParam= s *migParams) =20 return hostname; } + + +/** + * qemuMigrationParamsGetTLSPSKDirectory: + * @migParams: Migration params object + * @tls_psk_directory: path containing the TLS-PSK key file provided by th= e client + * + * Identifies the correct value of the directory that stores the pre-share= d keys + * required for the TLS-based authentication based on the precedence. + */ +const char * +qemuMigrationParamsGetTLSPSKDirectory(virQEMUDriver *driver, + const char *tls_psk_directory) +{ + const char *pskDirectory =3D NULL; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); + + if (tls_psk_directory) { + pskDirectory =3D tls_psk_directory; + } else { + if (!cfg->migrateTLSPSKdir) { + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("host migration TLS-PSK directory not configured"= )); + return NULL; + } + pskDirectory =3D cfg->migrateTLSPSKdir; + } + return pskDirectory; +} diff --git a/src/qemu/qemu_migration_params.h b/src/qemu/qemu_migration_par= ams.h index 07f5812065..eec08f3c69 100644 --- a/src/qemu/qemu_migration_params.h +++ b/src/qemu/qemu_migration_params.h @@ -130,6 +130,7 @@ qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver, int asyncJob, char **tlsPSKAlias, const char *username, + const char *tls_psk_directory, qemuMigrationParams *migParams); =20 int @@ -199,3 +200,7 @@ qemuMigrationCapsGet(virDomainObj *vm, =20 const char * qemuMigrationParamsGetTLSHostname(qemuMigrationParams *migParams); + +const char * +qemuMigrationParamsGetTLSPSKDirectory(virQEMUDriver *driver, + const char *tls_psk_directory); diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index 286abd2f1c..c939274881 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c 
@@ -11667,6 +11667,13 @@ doMigrate(void *opaque) VIR_MIGRATE_PARAM_TLS_DESTINATION, opt) < = 0) goto save_error; =20 + if (vshCommandOptString(ctl, cmd, "tls-psk-directory", &opt) < 0) + goto out; + if (opt && + virTypedParamsAddString(¶ms, &nparams, &maxparams, + VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY, opt) = < 0) + goto save_error; + if ((rv =3D vshCommandOptULongLong(ctl, cmd, "available-switchover-ban= dwidth", &ullOpt)) < 0) { goto out; } else if (rv > 0) { --=20 2.39.3
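Review bot: in src/qemu/qemu_migration_params.c, qemuMigrationParamsEnableTLSPSK() never checks the result of qemuMigrationParamsGetTLSPSKDirectory(). The removed block returned -1 as soon as cfg->migrateTLSPSKdir was unset; the helper now reports that error and returns NULL, but the caller carries on to the TLS_CREDS check and the alias allocation and then passes a NULL pskDirectory to qemuDomainGetTLSPSKObjects(). Add `if (!pskDirectory) return -1;` directly after the assignment so the "not configured" case still fails before any TLS-PSK object is built.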
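Review bot: qemuMigrationParamsGetTLSPSKDirectory() returns cfg->migrateTLSPSKdir after its own g_autoptr(virQEMUDriverConfig) reference has been released, so the caller receives a pointer into a config object this function no longer holds. qemuMigrationParamsEnableTLSPSK() already has a cfg of its own; pass that in instead of calling virQEMUDriverGetConfig() a second time, or return a g_strdup() copy that the caller keeps in a g_autofree variable. The doc comment also lists @migParams where the argument is @driver, and the client-supplied path is returned with no check at all; rejecting an empty or relative path here would be a cheap sanity check on a value that overrides the administrator's qemu.conf setting.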
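Review bot: qemuDomainMigratePrepare3Params() in src/qemu/qemu_driver.c reads VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY only after virTypedParamsValidateTemplate(params, nparams, qemuMigrationParametersValidation) has run, and no hunk in this patch adds the new key to that template. Unless an earlier patch in the series already does, please add it there as a string parameter in the same patch that starts reading it, so the parameter is accepted by validation and its type is enforced before virTypedParamsGetString() is reached.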
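Review bot: the VIR_DEBUG format string in qemuMigrationDstPrepareFresh() (src/qemu/qemu_migration.c) drops the separator between two fields: the fragment "nbdURI=%s," is followed directly by "tls_psk_directory=%s", so the log reads nbdURI=...,tls_psk_directory=... Add the trailing space after the comma, as the other fragments in the same call have.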
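Review bot: the VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY comment in include/libvirt/libvirt-domain.h does not say on which host the path is resolved. qemuMigrationSrcPerformPeer2Peer3() forwards the same string to the destination with virTypedParamsAddString(), and both qemuMigrationDstPrepareActive() and qemuMigrationSrcRun() hand it to qemuMigrationParamsEnableTLSPSK(), so in a peer-to-peer migration the directory has to exist at the same path on source and destination. Please document that, and that the value takes precedence over the qemu.conf directory. The sentence "the pre-shared key files on a host is stored" should read "are stored". The tunnelled and v2 paths pass NULL, which is also worth a line in the comment.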
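Review bot: doMigrate() in tools/virsh-domain.c reads a "tls-psk-directory" option, but the diffstat lists this 7-line hunk as the only change to the file, so the option is not declared in the migrate command's option table here and no virsh man page text accompanies it. Unless an earlier patch in the series declares it, add the option definition and its documentation next to the option that feeds VIR_MIGRATE_PARAM_TLS_DESTINATION. Since the patch also changes the QEMU driver and virsh, the "include: define ..." subject undersells it; consider splitting the public define, the driver plumbing and the virsh option into separate patches.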