From: Abhisek Panda
To: devel@lists.libvirt.org
CC: tejus.gk@nutanix.com, mark.caveayland@nutanix.com, Abhisek Panda
Subject: [PATCH v2 1/6] conf: Add a configuration param for TLS-PSK
Date: Tue, 23 Jun 2026 06:25:59 +0000
Message-ID: <20260623062615.914208-2-abhisek.panda1@nutanix.com>
In-Reply-To: <20260623062615.914208-1-abhisek.panda1@nutanix.com>
References: <20260623062615.914208-1-abhisek.panda1@nutanix.com>
List-Id: Development discussions about the libvirt library & tools
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

For encrypted migration of VMs, QEMU provides the TLS-PSK authentication apart from TLS certificates. This mechanism relies on pre-shared keys (a secret key that is known to both sender and receiver prior to secure communication) for providing secure transfer of data. Libvirt handles the lifecycle of pre-shared keys, managing their generation, persistent storage, and cleanup.

Add the "migrate_tls_psk_length" configuration attribute to qemu.conf to allow users to define the size of the pre-shared key.

Signed-off-by: Abhisek Panda --- src/qemu/libvirtd_qemu.aug | 1 + src/qemu/qemu.conf.in | 8 ++++++++ src/qemu/qemu_conf.c | 10 ++++++++++ src/qemu/qemu_conf.h | 1 + src/qemu/test_libvirtd_qemu.aug.in | 1 + 5 files changed, 21 insertions(+) diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index 311992e441..d58f995282 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -68,6 +68,7 @@ module Libvirtd_qemu =3D | str_entry "migrate_tls_x509_secret_uuid" | str_entry "migrate_tls_priority" | bool_entry "migrate_tls_force" + | int_entry "migrate_tls_psk_length" =20 let backup_entry =3D str_entry "backup_tls_x509_cert_dir" | bool_entry "backup_tls_x509_verify" diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in index 97b0141cf6..7f36bd1a68 100644 --- a/src/qemu/qemu.conf.in +++ b/src/qemu/qemu.conf.in @@ -437,6 +437,14 @@ #migrate_tls_force =3D 0 =20 =20 +# The TLS-PSK authentication relies on pre-shared keys for providing secur= e transfer of data. +# When TLS-PSK is enabled for the migration operation, Libvirt manages the= lifecycle of the +# pre-shared key files. For the key generation process, users can specify = the pre-shared +# key size in bytes. The default value is set to 32 bytes. +# +#migrate_tls_psk_length =3D 32 + + # In order to override the default TLS certificate location for backup NBD # server certificates, supply a valid path to the certificate directory. I= f the # provided path does not exist, libvirtd will fail to start. If the path is diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index e30b146634..d6abb82fed 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -77,6 +77,8 @@ VIR_LOG_INIT("qemu.qemu_conf"); #define QEMU_BACKUP_PORT_MIN 10809 #define QEMU_BACKUP_PORT_MAX 10872 =20 +#define QEMU_MIGRATE_TLS_PSK_LENGTH 32 + VIR_ENUM_IMPL(virQEMUSchedCore, QEMU_SCHED_CORE_LAST, "none", 
@@ -616,6 +618,10 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverC= onfig *cfg, =20 #undef GET_CONFIG_TLS_CERTINFO_COMMON #undef GET_CONFIG_TLS_CERTINFO_SERVER + + if (virConfGetValueUInt(conf, "migrate_tls_psk_length", &cfg->migrateT= LSPSKLength) < 0) + return -1; + return 0; } =20 @@ -1594,6 +1600,10 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfig *= cfg) =20 #undef SET_TLS_VERIFY_DEFAULT =20 + if (cfg->migrateTLSPSKLength =3D=3D 0) { + cfg->migrateTLSPSKLength =3D QEMU_MIGRATE_TLS_PSK_LENGTH; + } + return 0; } =20 diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index 1d29f35c5d..c18aedf59c 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -170,6 +170,7 @@ struct _virQEMUDriverConfig { char *migrateTLSx509secretUUID; char *migrateTLSpriority; bool migrateTLSForce; + unsigned int migrateTLSPSKLength; =20 char *backupTLSx509certdir; bool backupTLSx509verify; diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe= mu.aug.in index c4cf9cf634..7e337825fd 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in 
@@ -45,6 +45,7 @@ module Test_libvirtd_qemu =3D { "migrate_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } { "migrate_tls_priority" =3D "@SYSTEM" } { "migrate_tls_force" =3D "0" } +{ "migrate_tls_psk_length" =3D "32" } { "backup_tls_x509_cert_dir" =3D "/etc/pki/libvirt-backup" } { "backup_tls_x509_verify" =3D "1" } { "backup_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000"= } --=20 2.43.7
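
Review bot: In src/qemu/qemu_conf.c, virQEMUDriverConfigLoadSpecificTLSEntry() stores whatever virConfGetValueUInt() returns for "migrate_tls_psk_length" with no range check, so a setting of 1 produces a one-byte pre-shared key and an arbitrarily large value is accepted too. This number sets the strength of the secret that authenticates the migration channel in PSK mode, so values below a documented minimum or above a sane maximum should be rejected here with a configuration error rather than accepted.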
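
Review bot: In virQEMUDriverConfigSetDefaults(), the test "cfg->migrateTLSPSKLength == 0" treats zero as "not set", so an explicit migrate_tls_psk_length = 0 in qemu.conf is silently replaced by 32 instead of being reported. Setting the field to QEMU_MIGRATE_TLS_PSK_LENGTH where the config object is created, before the file is parsed, would let the loader reject 0 explicitly; if the silent substitution is intended, it should be stated in the qemu.conf.in comment.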
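
Review bot: The new qemu.conf.in comment for migrate_tls_psk_length gives the unit and the default but not the accepted range, what 0 means, or under which condition TLS-PSK is used for a migration, which is what an administrator needs to know before changing it. The added comment lines are also longer than the neighbouring comment text, which wraps before 80 columns; please rewrap them to match.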

From: Abhisek Panda
To: devel@lists.libvirt.org
CC: tejus.gk@nutanix.com, mark.caveayland@nutanix.com, Abhisek Panda
Subject: [PATCH v2 2/6] qemu: Manage a pre-shared key's lifecycle
Date: Tue, 23 Jun 2026 06:26:00 +0000
Message-ID: <20260623062615.914208-3-abhisek.panda1@nutanix.com>
In-Reply-To: <20260623062615.914208-1-abhisek.panda1@nutanix.com>
References: <20260623062615.914208-1-abhisek.panda1@nutanix.com>
List-Id: Development discussions about the libvirt library & tools
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

For enabling a TLS-PSK-enabled VM migration, we rely on the VIR_MIGRATE_TLS migration flag and the existence of ca-cert.pem on the source. If the migration flag is set and ca-cert.pem doesn't exist on the source, then Libvirt falls back to PSK-based migration instead of X.509. Subsequently, it handles the generation, persistent storage, and cleanup of pre-shared keys on both source and destination.

For a migration session, Libvirt generates a random key of the specified length, and then stores the content, "qemu:", at //keys.psk on the source host. Subsequently, it sends the key to destination by embedding it within the migration cookie.
The destination's Libvirt extracts the key from the migration cookie, and then persistently stores it exactly the same way as the source. Upon migration completion or any failure, both source and destination Libvirt delete the directory containing the session's keys.psk.

Signed-off-by: Abhisek Panda --- src/qemu/qemu_migration.c | 53 ++++++++++++ src/qemu/qemu_migration_cookie.c | 125 +++++++++++++++++++++++++++++ src/qemu/qemu_migration_cookie.h | 5 ++ tests/qemumigrationcookiexmltest.c | 12 +-- 4 files changed, 190 insertions(+), 5 deletions(-) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 4a43ab83b0..72e13f854b 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -1503,6 +1503,35 @@ qemuMigrationSrcIsAllowedHostdev(const virDomainDef = *def) } =20 =20 +static bool +qemuMigrationCACertExists(virQEMUDriver *driver) +{ + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); + g_autofree char *cert_path =3D g_strdup_printf("%s/ca-cert.pem", cfg->= migrateTLSx509certdir); + if (!virFileExists(cert_path)) + return false; + + return true; +} + + +static void +qemuMigrationDeletePSKDir(virQEMUDriver *driver, virDomainObj *vm) +{ + char uuidstr[VIR_UUID_STRING_BUFLEN]; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); + g_autofree char *dir_path =3D NULL; + + virUUIDFormat(vm->def->uuid, uuidstr); + dir_path =3D g_strdup_printf("%s/%s", cfg->stateDir, uuidstr); + + if (virFileIsDir(dir_path) && + virFileDeleteTree(dir_path) < 0) + VIR_WARN("Failed to delete the directory %s containing the pre-sha= red keys for migration of domain %s", + dir_path, vm->def->name); +} + + static int qemuDomainGetMigrationBlockers(virDomainObj *vm, int asyncJob, 
@@ -2725,6 +2754,10 @@ qemuMigrationSrcBeginXML(virDomainObj *vm, if (!(flags & VIR_MIGRATE_OFFLINE)) cookieFlags |=3D QEMU_MIGRATION_COOKIE_CAPS; =20 + if ((flags & VIR_MIGRATE_TLS) && + !qemuMigrationCACertExists(driver)) + cookieFlags |=3D QEMU_MIGRATION_COOKIE_TLS_PSK; + if (!(mig =3D qemuMigrationCookieNew(vm->def, priv->origname))) return NULL; =20 @@ -4232,6 +4265,9 @@ qemuMigrationSrcConfirmPhase(virQEMUDriver *driver, privJob->stats.mig.downtime =3D privMigJob->stats.mig.downtime; } =20 + if ((flags & VIR_MIGRATE_TLS) && !qemuMigrationCACertExists(driver)) + qemuMigrationDeletePSKDir(driver, vm); + if (flags & VIR_MIGRATE_OFFLINE) return 0; =20 @@ -5275,6 +5311,9 @@ qemuMigrationSrcRun(virQEMUDriver *driver, error: virErrorPreserveLast(&orig_err); =20 + if ((flags & VIR_MIGRATE_TLS) && !qemuMigrationCACertExists(driver)) + qemuMigrationDeletePSKDir(driver, vm); + if (qemuDomainObjIsActive(vm)) { int reason; virDomainState state =3D virDomainObjGetState(vm, &reason); @@ -7029,6 +7068,9 @@ qemuMigrationDstFinishActive(virQEMUDriver *driver, QEMU_MIGRATION_COOKIE_STATS) < 0) VIR_WARN("Unable to encode migration cookie"); =20 + if (flags & VIR_MIGRATE_TLS) + qemuMigrationDeletePSKDir(driver, vm); + qemuMigrationDstComplete(driver, vm, inPostCopy, VIR_ASYNC_JOB_MIGRATION_IN, vm->job); =20 @@ -7039,6 +7081,9 @@ qemuMigrationDstFinishActive(virQEMUDriver *driver, * overwrites it. */ virErrorPreserveLast(&orig_err); =20 + if (flags & VIR_MIGRATE_TLS) + qemuMigrationDeletePSKDir(driver, vm); + if (qemuDomainObjIsActive(vm)) { if (doKill) { qemuProcessStop(vm, VIR_DOMAIN_SHUTOFF_FAILED, 
@@ -7197,6 +7242,14 @@ qemuMigrationProcessUnattended(virQEMUDriver *driver, else qemuMigrationSrcComplete(driver, vm, job); =20 + /* + * Attempt to clean up the directory containing the pre-shared keys + * for the domain. Since, we cannot determine if the migration has + * enabled the VIR_MIGRATE_TLS flag with pre-shared keys, we clean up + * the directory unconditionally. + */ + qemuMigrationDeletePSKDir(driver, vm); + qemuMigrationJobFinish(vm); =20 if (!virDomainObjIsActive(vm)) diff --git a/src/qemu/qemu_migration_cookie.c b/src/qemu/qemu_migration_coo= kie.c index 7311a8294b..7734966983 100644 --- a/src/qemu/qemu_migration_cookie.c +++ b/src/qemu/qemu_migration_cookie.c @@ -20,9 +20,11 @@ =20 #include #include +#include =20 #include "locking/domain_lock.h" #include "virerror.h" +#include "virfile.h" #include "virlog.h" #include "virnetdevopenvswitch.h" #include "virstring.h" @@ -52,6 +54,7 @@ VIR_ENUM_IMPL(qemuMigrationCookieFlag, "allowReboot", "capabilities", "block-dirty-bitmaps", + "psk", ); =20 =20 
@@ -149,6 +152,66 @@ G_DEFINE_AUTOPTR_CLEANUP_FUNC(qemuMigrationBlockDirtyB= itmapsDisk, qemuMigrationBlockDirtyBitmapsDiskFree); =20 =20 +static int +qemuPersistTLSPSKHelper(int pskFD, + const char *pskPath, + const void *opaque) +{ + const char *key =3D opaque; + g_autofree char *psk_content =3D NULL; + + psk_content =3D g_strdup_printf("qemu:%s", key); + + if (safewrite(pskFD, psk_content, strlen(psk_content)) < 0) { + virReportSystemError(errno, + _("Unable to write the pre-shared key to file= '%1$s'"), + pskPath); + return -1; + } + + return 0; +} + + +static int +qemuMigrationPersistPSK(qemuMigrationCookie *mig, virQEMUDriverConfig *cfg) +{ + char uuidstr[VIR_UUID_STRING_BUFLEN]; + g_autofree char *dir_path =3D NULL; + g_autofree char *key_path =3D NULL; + + virUUIDFormat(mig->uuid, uuidstr); + dir_path =3D g_strdup_printf("%s/%s", cfg->stateDir, uuidstr); + key_path =3D g_strdup_printf("%s/keys.psk", dir_path); + + if (virDirCreate(dir_path, 0700, cfg->user, cfg->group, + VIR_DIR_CREATE_ALLOW_EXIST) < 0) { + virReportSystemError(errno, + _("Could not create the directory %1$s for st= oring PSKs"), + dir_path); + goto error; + } + + if (mig->tlsPSK) { + if (virFileRewrite(key_path, S_IRUSR, cfg->user, + cfg->group, qemuPersistTLSPSKHelper, + mig->tlsPSK) < 0) + goto error; + } else { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("The pre-shared key for TLS-PSK migration is miss= ing in the migration cookie")); + goto error; + } + + return 0; + + error: + if (virFileExists(dir_path)) + virFileDeleteTree(dir_path); + return -1; +} + + void qemuMigrationCookieFree(qemuMigrationCookie *mig) { @@ -165,6 +228,7 @@ qemuMigrationCookieFree(qemuMigrationCookie *mig) g_free(mig->name); g_free(mig->lockState); g_free(mig->lockDriver); + g_free(mig->tlsPSK); g_clear_pointer(&mig->jobData, virDomainJobDataFree); virCPUDefFree(mig->cpu); qemuMigrationCookieCapsFree(mig->caps); 
@@ -575,6 +639,48 @@ qemuMigrationCookieAddCaps(qemuMigrationCookie *mig, } =20 =20 +static int +qemuMigrationCookieAddTLSPSK(qemuMigrationCookie *mig, virQEMUDriver *driv= er) +{ + gnutls_datum_t psk_key =3D {NULL, 0}; + g_autofree char *key =3D NULL; + size_t key_len; + int ret; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); + + ret =3D gnutls_key_generate(&psk_key, cfg->migrateTLSPSKLength); + if (ret < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Generation of a pre-shared key failed")); + return -1; + } + key_len =3D (psk_key.size*2) + 1; + key =3D g_new0(char, key_len); + + ret =3D gnutls_hex_encode(&psk_key, key, &key_len); + if (ret < 0) { + gnutls_free(psk_key.data); + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Hex encoding of a PSK key failed")); + return -1; + } + + mig->tlsPSK =3D g_steal_pointer(&key); + mig->flags |=3D QEMU_MIGRATION_COOKIE_TLS_PSK; + + ret =3D qemuMigrationPersistPSK(mig, cfg); + if (ret < 0) { + gnutls_free(psk_key.data); + g_free(mig->tlsPSK); + mig->tlsPSK =3D NULL; + return -1; + } + + gnutls_free(psk_key.data); + return 0; +} + + static void qemuMigrationCookieGraphicsXMLFormat(virBuffer *buf, qemuMigrationCookieGraphics *grap) @@ -890,6 +996,9 @@ qemuMigrationCookieXMLFormat(virQEMUDriver *driver, if (mig->flags & QEMU_MIGRATION_COOKIE_BLOCK_DIRTY_BITMAPS) qemuMigrationCookieBlockDirtyBitmapsFormat(buf, mig->blockDirtyBit= maps); =20 + if (mig->flags & QEMU_MIGRATION_COOKIE_TLS_PSK) + virBufferAsprintf(buf, "%s\n", mig-= >tlsPSK); + virBufferAdjustIndent(buf, -2); virBufferAddLit(buf, "\n"); return 0; @@ -1396,6 +1505,10 @@ qemuMigrationCookieXMLParse(qemuMigrationCookie *mig, qemuMigrationCookieBlockDirtyBitmapsParse(ctxt, mig) < 0) return -1; =20 + if (flags & QEMU_MIGRATION_COOKIE_TLS_PSK) { + mig->tlsPSK =3D virXPathString("string(./migration-key[1])", ctxt); + } + return 0; } =20 
@@ -1471,6 +1584,10 @@ qemuMigrationCookieFormat(qemuMigrationCookie *mig, qemuMigrationCookieAddCaps(mig, dom, party) < 0) return -1; =20 + if (flags & QEMU_MIGRATION_COOKIE_TLS_PSK && + qemuMigrationCookieAddTLSPSK(mig, driver) < 0) + return -1; + if (qemuMigrationCookieXMLFormat(driver, priv->qemuCaps, &buf, mig) < = 0) return -1; =20 @@ -1494,6 +1611,8 @@ qemuMigrationCookieParse(virQEMUDriver *driver, unsigned int flags) { g_autoptr(qemuMigrationCookie) mig =3D NULL; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); + int ret; =20 /* Parse & validate incoming cookie (if any) */ if (cookiein && cookieinlen && @@ -1537,6 +1656,12 @@ qemuMigrationCookieParse(virQEMUDriver *driver, } } =20 + if ((flags & QEMU_MIGRATION_COOKIE_TLS_PSK) && mig->tlsPSK) { + ret =3D qemuMigrationPersistPSK(mig, cfg); + if (ret < 0) + return NULL; + } + if (vm && flags & QEMU_MIGRATION_COOKIE_STATS && mig->jobData && vm->j= ob->current) mig->jobData->operation =3D vm->job->current->operation; =20 diff --git a/src/qemu/qemu_migration_cookie.h b/src/qemu/qemu_migration_coo= kie.h index 254372234d..fd3b4c5a56 100644 --- a/src/qemu/qemu_migration_cookie.h +++ b/src/qemu/qemu_migration_cookie.h @@ -35,6 +35,7 @@ typedef enum { QEMU_MIGRATION_COOKIE_FLAG_ALLOW_REBOOT, QEMU_MIGRATION_COOKIE_FLAG_CAPS, QEMU_MIGRATION_COOKIE_FLAG_BLOCK_DIRTY_BITMAPS, + QEMU_MIGRATION_COOKIE_FLAG_TLS_PSK, =20 QEMU_MIGRATION_COOKIE_FLAG_LAST } qemuMigrationCookieFlags; @@ -53,6 +54,7 @@ typedef enum { QEMU_MIGRATION_COOKIE_CPU =3D (1 << QEMU_MIGRATION_COOKIE_FLAG_CPU), QEMU_MIGRATION_COOKIE_CAPS =3D (1 << QEMU_MIGRATION_COOKIE_FLAG_CAPS), QEMU_MIGRATION_COOKIE_BLOCK_DIRTY_BITMAPS =3D (1 << QEMU_MIGRATION_COO= KIE_FLAG_BLOCK_DIRTY_BITMAPS), + QEMU_MIGRATION_COOKIE_TLS_PSK =3D (1 << QEMU_MIGRATION_COOKIE_FLAG_TLS= _PSK), } qemuMigrationCookieFeatures; =20 typedef struct _qemuMigrationCookieGraphics qemuMigrationCookieGraphics; 
@@ -171,6 +173,9 @@ struct _qemuMigrationCookie { =20 /* If flags & QEMU_MIGRATION_COOKIE_BLOCK_DIRTY_BITMAPS */ GSList *blockDirtyBitmaps; + + /* If flags & QEMU_MIGRATION_COOKIE_TLS_PSK */ + char *tlsPSK; }; =20 =20 diff --git a/tests/qemumigrationcookiexmltest.c b/tests/qemumigrationcookie= xmltest.c index bc0f68b8c5..ee91c5d8b1 100644 --- a/tests/qemumigrationcookiexmltest.c +++ b/tests/qemumigrationcookiexmltest.c @@ -161,7 +161,7 @@ testQemuMigrationCookieParse(const void *opaque) } =20 /* set all flags so that formatter attempts to format everything */ - data->cookie->flags =3D ~0; + data->cookie->flags =3D ~QEMU_MIGRATION_COOKIE_TLS_PSK; =20 if (qemuMigrationCookieXMLFormat(&driver, priv->qemuCaps, @@ -225,15 +225,17 @@ testQemuMigrationCookieDom2XML(const char *namesuffix, * - lockstate: internals are NULL in tests, causes crash * - nbd: monitor not present * - dirty bitmaps: monitor not present + * - tls-psk: monitor not present */ unsigned int cookiePopulateFlagMask =3D QEMU_MIGRATION_COOKIE_LOCK= STATE | QEMU_MIGRATION_COOKIE_NBD | - QEMU_MIGRATION_COOKIE_BLOCK_= DIRTY_BITMAPS; + QEMU_MIGRATION_COOKIE_BLOCK_= DIRTY_BITMAPS | + QEMU_MIGRATION_COOKIE_TLS_PS= K; data->cookiePopulateFlags =3D ~cookiePopulateFlagMask; } =20 if (cookieParseFlags =3D=3D 0) - data->cookieParseFlags =3D ~0; + data->cookieParseFlags =3D ~QEMU_MIGRATION_COOKIE_TLS_PSK; =20 data->inStatus =3D g_strconcat(abs_srcdir, "/", domxml, NULL); =20 @@ -279,7 +281,7 @@ testQemuMigrationCookieXML2XML(const char *name, int ret =3D 0; =20 if (cookieParseFlags =3D=3D 0) - data->cookieParseFlags =3D ~0; + data->cookieParseFlags =3D ~QEMU_MIGRATION_COOKIE_TLS_PSK; =20 data->inStatus =3D g_strconcat(abs_srcdir, "/", statusxml, NULL); data->infile =3D g_strconcat(abs_srcdir, "/qemumigrationcookiexmldata/= ", 
@@ -381,7 +383,7 @@ testQemuMigrationCookieXML2XMLBitmaps(const char *name, int ret =3D 0; =20 if (cookieParseFlags =3D=3D 0) - data->cookieParseFlags =3D ~0; + data->cookieParseFlags =3D ~QEMU_MIGRATION_COOKIE_TLS_PSK; =20 data->inStatus =3D g_strconcat(abs_srcdir, "/", statusxml, NULL); data->infile =3D g_strconcat(abs_srcdir, "/qemumigrationcookiexmldata/= ", --=20 2.43.7
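Review bot: qemuMigrationDeletePSKDir (qemu_migration.c, hunk at -1503) runs virFileDeleteTree on cfg->stateDir/<uuid>, a path with nothing PSK-specific in its name, so anything else that ever lives under that per-domain directory is removed along with keys.psk. A dedicated leaf for the key material, with the path built by one shared helper instead of being formatted separately here and in qemuMigrationPersistPSK, would keep the delete scoped to what this series created. In the same hunk qemuMigrationCACertExists can end in "return virFileExists(cert_path);", and the cert_path and VIR_WARN lines are much longer than the surrounding code.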
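Review bot: the choice between X.509 and PSK is recomputed from the filesystem at every phase on the source (qemuMigrationSrcBeginXML, qemuMigrationSrcConfirmPhase, the error label of qemuMigrationSrcRun), while both qemuMigrationDstFinishActive hunks test only VIR_MIGRATE_TLS. If ca-cert.pem appears between Begin and Confirm the source skips qemuMigrationDeletePSKDir and keys.psk stays on disk, and the destination runs the delete for X.509 migrations too. Deciding once and carrying the result with the migration job would make these calls consistent and would let the unconditional call in qemuMigrationProcessUnattended become conditional. Since a missing ca-cert.pem now silently changes the authentication mode, a log message where QEMU_MIGRATION_COOKIE_TLS_PSK is set would help an operator tell a deliberate PSK setup from a misplaced certificate. Minor: "Since, we cannot" in the new comment has a stray comma.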
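Review bot: the error label in qemuMigrationPersistPSK (qemu_migration_cookie.c, hunk at -149) deletes dir_path even when virDirCreate found it already present, which VIR_DIR_CREATE_ALLOW_EXIST permits, so a failed write removes a directory this call did not create. Checking mig->tlsPSK before creating the directory avoids the create-then-delete round trip for the missing-key case, and VIR_ERR_OPERATION_UNSUPPORTED is an odd code for what is a malformed cookie. In qemuPersistTLSPSKHelper, psk_content holds the key and is released by g_autofree without being cleared first.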
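Review bot: qemuMigrationCookieAddTLSPSK (hunk at -575) frees the raw key in psk_key.data and, on failure, the hex string without clearing them, and the qemuMigrationCookieFree hunk releases mig->tlsPSK with a plain g_free; key material should be wiped before it is freed. gnutls_free(psk_key.data) is repeated on three exit paths, so a single cleanup label would make it harder to miss one when the function grows. When qemuMigrationPersistPSK fails, mig->tlsPSK is reset but QEMU_MIGRATION_COOKIE_TLS_PSK stays set in mig->flags; set both only after the key has been persisted. cfg->migrateTLSPSKLength is passed to gnutls_key_generate unchecked in this hunk; if the range check lives in the config parser, a comment saying so would help.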
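Review bot: qemuMigrationCookieXMLFormat (hunk at -890) writes mig->tlsPSK into the cookie verbatim, so the key is readable by anything that relays, stores or logs the cookie. The commit message should say which channel is trusted to carry it, and any debug logging of formatted or received cookies needs to skip or redact this element. The value is also emitted through a plain %s; it is hex today, but the escaping variant of the buffer API would keep the XML well-formed if the encoding ever changes.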
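Review bot: qemuMigrationCookieXMLParse (hunk at -1396) accepts whatever string the cookie carries, and qemuMigrationCookieParse (hunk at -1537) then writes it to keys.psk as "qemu:%s" with no check that it is hex of a sane length. A value containing a newline would add further lines to the key file, so the parser should reject anything that is not a plain hex string. The "&& mig->tlsPSK" guard also means a cookie with the flag set but no key is silently accepted, which leaves the "missing in the migration cookie" branch of qemuMigrationPersistPSK unreachable from this caller; failing the parse there gives a clearer error than whatever breaks later when the key file is absent. Writing the file from inside the cookie parser is what forces the flag masking in tests/qemumigrationcookiexmltest.c, so moving persistence to the caller is worth considering. The braces around the single assignment in the XMLParse hunk are not needed.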
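Review bot: every test path in tests/qemumigrationcookiexmltest.c now masks QEMU_MIGRATION_COOKIE_TLS_PSK, so the new cookie element has no format or parse coverage. The comment above the first change still says "set all flags", and "tls-psk: monitor not present" does not match the code in this patch, which uses no monitor but generates a key and writes under stateDir. An XML2XML case with a fixed key would cover the element once persistence is separated from parsing.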
From: Abhisek Panda
To: devel@lists.libvirt.org
Subject: [PATCH v2 3/6] qemu: Add support to build the tls-creds-psk object
Date: Tue, 23 Jun 2026 06:26:01 +0000
Message-ID: <20260623062615.914208-4-abhisek.panda1@nutanix.com>
In-Reply-To: <20260623062615.914208-1-abhisek.panda1@nutanix.com>
References: <20260623062615.914208-1-abhisek.panda1@nutanix.com>
Content-Transfer-Encoding: quoted-printable
CC: tejus.gk@nutanix.com, mark.caveayland@nutanix.com, Abhisek Panda

Build the tls-creds-psk object with the following params: id, dir, endpoint.

Note: Libvirt generates a keys.psk file for each migration session that only contains the pre-shared key for the "qemu" user. Because QEMU defaults to using "qemu" as the username if the username attribute of the tls-creds-psk object is undefined, we intentionally do not set this attribute.

Suggested-by: Tejus GK
Signed-off-by: Abhisek Panda
--- src/qemu/qemu_command.c | 26 ++++++++++++++++++++++++++ src/qemu/qemu_command.h | 7 +++++++ 2 files changed, 33 insertions(+) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index e726dc661c..6b72d74fc2 100644 --- a/src/qemu/qemu_command.c 
+++ b/src/qemu/qemu_command.c @@ -1293,6 +1293,32 @@ qemuBuildTLSx509CommandLine(virCommand *cmd, } =20 =20 +/* qemuBuildTLSPSKBackendProps: + * @tlsPSKPath: path to the TLS-PSK credentials file + * @isListen: boolean listen for client or server setting + * @alias: alias for the TLS-PSK object + * @propsret: json properties to return + * + * Create a backend string for the tls-creds-psk object. + * + * Returns 0 on success, -1 on failure with error set. + */ +int +qemuBuildTLSPSKBackendProps(const char *tlsPSKPath, + bool isListen, + const char *alias, + virJSONValue **propsret) +{ + if (qemuMonitorCreateObjectProps(propsret, "tls-creds-psk", alias, + "s:dir", tlsPSKPath, + "s:endpoint", (isListen ? "server": "= client"), + NULL) < 0) + return -1; + + return 0; +} + + static int qemuBuildChardevCommand(virCommand *cmd, const virDomainChrSourceDef *dev, diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h index e34172fbff..245c605b24 100644 --- a/src/qemu/qemu_command.h +++ b/src/qemu/qemu_command.h 
@@ -72,6 +72,13 @@ qemuBuildTLSx509BackendProps(const char *tlspath, const char *secalias, virJSONValue **propsret); =20 +/* Generate the object properties for a tls-creds-psk */ =20 +int =20 +qemuBuildTLSPSKBackendProps(const char *tlsPSKPath, =20 + bool isListen, =20 + const char *alias, =20 + virJSONValue **propsret); + /* Open a UNIX socket for chardev FD passing */ int qemuOpenChrChardevUNIXSocket(const virDomainChrSourceDef *dev); --=20 2.43.7
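Review bot: the doc comment on qemuBuildTLSPSKBackendProps (qemu_command.c, hunk at -1293) describes @tlsPSKPath as the path to the credentials file, but the value is passed as the "dir" property, so it has to be the directory that holds keys.psk; the parameter name and comment should say so. "Create a backend string" is also inaccurate for a function that fills JSON props. The body can return the qemuMonitorCreateObjectProps call directly, and "server": "client" is missing the space before the colon.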
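Review bot: five of the added lines in the qemu_command.h hunk at -72, from the comment through "const char *alias,", end in =20, which is a trailing space once the quoted-printable encoding is undone; please strip it before the next revision.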
From: Abhisek Panda
To: devel@lists.libvirt.org
CC: tejus.gk@nutanix.com, mark.caveayland@nutanix.com, Abhisek Panda
Subject: [PATCH v2 4/6] qemu: rename tls-creds-x509 obj related functions
Date: Tue, 23 Jun 2026 06:26:02 +0000
Message-ID: <20260623062615.914208-5-abhisek.panda1@nutanix.com>
In-Reply-To: <20260623062615.914208-1-abhisek.panda1@nutanix.com>
References: <20260623062615.914208-1-abhisek.panda1@nutanix.com>
List-Id: Development discussions about the libvirt library & tools

Append 'x509' to the function identifiers managing the tls-creds-x509
objects. This defines the functions' scope and prevents naming conflicts
with the introduction of functions related to tls-creds-psk in subsequent
commits.

Additionally, update the TLS x509 object alias from "obj%s_tls0" to
"obj%s_tlsx509_0" along with relevant testcase changes.

Suggested-by: Tejus GK
Signed-off-by: Abhisek Panda
--- src/qemu/qemu_alias.c | 8 +- src/qemu/qemu_alias.h | 2 +- src/qemu/qemu_backup.c | 2 +- src/qemu/qemu_command.c | 2 +- src/qemu/qemu_domain.c | 2 +- src/qemu/qemu_hotplug.c | 76 +++++++++---------- src/qemu/qemu_hotplug.h | 26 +++---- src/qemu/qemu_migration.c | 24 +++--- src/qemu/qemu_migration_params.c | 44 +++++------ src/qemu/qemu_migration_params.h | 14 ++-- src/qemu/qemu_postparse.c | 2 +- tests/qemumigparamsdata/tls-enabled.json | 2 +- tests/qemumigparamsdata/tls-enabled.reply | 2 +- tests/qemumigparamsdata/tls-enabled.xml | 2 +- tests/qemumigparamsdata/tls-hostname.json | 2 +- tests/qemumigparamsdata/tls-hostname.reply | 2 +- tests/qemumigparamsdata/tls-hostname.xml | 2 +- tests/qemumonitorjsontest.c | 4 +- tests/qemustatusxml2xmldata/upgrade-out.xml | 2 +- .../chardev-backends-json.x86_64-9.1.0.args | 8 +- .../chardev-backends-json.x86_64-latest.args | 8 +- .../chardev-backends.x86_64-9.1.0.args | 8 +- .../chardev-backends.x86_64-latest.args | 8 +- ...rk-tlsx509-nbd-hostname.x86_64-latest.args | 6 +- ...isk-network-tlsx509-nbd.x86_64-latest.args | 6 +- ...-tlsx509-chardev-verify.x86_64-latest.args | 4 +- ...ial-tcp-tlsx509-chardev.x86_64-latest.args | 4 +- ...-tlsx509-secret-chardev.x86_64-latest.args | 4 +- 28 files changed, 138 insertions(+), 138 deletions(-) diff --git a/src/qemu/qemu_alias.c b/src/qemu/qemu_alias.c index 400ce73283..b41794a5fa 100644 --- a/src/qemu/qemu_alias.c +++ b/src/qemu/qemu_alias.c
@@ -872,15 +872,15 @@ qemuAliasForSecret(const char *parentalias, return g_strdup_printf("%s-secret%zu", parentalias, secret_idx); } =20 -/* qemuAliasTLSObjFromSrcAlias +/* qemuAliasTLSx509ObjFromSrcAlias * @srcAlias: Pointer to a source alias string * - * Generate and return a string to be used as the TLS object alias + * Generate and return a string to be used as the TLS X.509 object alias */ char * -qemuAliasTLSObjFromSrcAlias(const char *srcAlias) +qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias) { - return g_strdup_printf("obj%s_tls0", srcAlias); + return g_strdup_printf("obj%s_tlsx509_0", srcAlias); } =20 =20 diff --git a/src/qemu/qemu_alias.h b/src/qemu/qemu_alias.h index eae08020dc..dd7bfdcc0f 100644 --- a/src/qemu/qemu_alias.h +++ b/src/qemu/qemu_alias.h @@ -89,7 +89,7 @@ char *qemuAliasForSecret(const char *parentalias, const char *obj, size_t secret_idx); =20 -char *qemuAliasTLSObjFromSrcAlias(const char *srcAlias) +char *qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias) ATTRIBUTE_NONNULL(1); =20 char *qemuAliasChardevFromDevAlias(const char *devAlias) diff --git a/src/qemu/qemu_backup.c b/src/qemu/qemu_backup.c index a0544c83dc..9c496ee0c8 100644 --- a/src/qemu/qemu_backup.c +++ b/src/qemu/qemu_backup.c @@ -745,7 +745,7 @@ qemuBackupBeginPrepareTLS(virDomainObj *vm, virJSONValue **tlsSecretProps) { qemuDomainObjPrivate *priv =3D vm->privateData; - g_autofree char *tlsObjAlias =3D qemuAliasTLSObjFromSrcAlias(QEMU_BACK= UP_TLS_ALIAS_BASE); + g_autofree char *tlsObjAlias =3D qemuAliasTLSx509ObjFromSrcAlias(QEMU_= BACKUP_TLS_ALIAS_BASE); g_autoptr(qemuDomainSecretInfo) secinfo =3D NULL; const char *tlsKeySecretAlias =3D NULL; =20 diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 6b72d74fc2..4107b2aeb0 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c 
@@ -1345,7 +1345,7 @@ qemuBuildChardevCommand(virCommand *cmd, tlsCertEncSecAlias =3D chrSourcePriv->secinfo->alias; } =20 - if (!(objalias =3D qemuAliasTLSObjFromSrcAlias(charAlias))) + if (!(objalias =3D qemuAliasTLSx509ObjFromSrcAlias(charAlias))) return -1; =20 if (qemuBuildTLSx509CommandLine(cmd, chrSourcePriv->tlsCertPat= h, diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index a43a5c0e4f..1506bfd357 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -9046,7 +9046,7 @@ qemuProcessPrepareStorageSourceTLSNBD(virStorageSourc= e *src, return -1; } =20 - src->tlsAlias =3D qemuAliasTLSObjFromSrcAlias(parentAlias); + src->tlsAlias =3D qemuAliasTLSx509ObjFromSrcAlias(parentAlias); src->tlsCertdir =3D g_strdup(cfg->nbdTLSx509certdir); src->tlsPriority =3D g_strdup(cfg->nbdTLSpriority); =20 diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 5be567b510..d2add3f656 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1702,12 +1702,12 @@ void qemuDomainDelTLSObjects(virDomainObj *vm, virDomainAsyncJob asyncJob, const char *secAlias, - const char *tlsAlias) + const char *tlsx509Alias) { qemuDomainObjPrivate *priv =3D vm->privateData; virErrorPtr orig_err; =20 - if (!tlsAlias && !secAlias) + if (!tlsx509Alias && !secAlias) return; =20 virErrorPreserveLast(&orig_err); @@ -1715,8 +1715,8 @@ qemuDomainDelTLSObjects(virDomainObj *vm, if (qemuDomainObjEnterMonitorAsync(vm, asyncJob) < 0) goto cleanup; =20 - if (tlsAlias) - ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias, false)); + if (tlsx509Alias) + ignore_value(qemuMonitorDelObject(priv->mon, tlsx509Alias, false)); =20 if (secAlias) ignore_value(qemuMonitorDelObject(priv->mon, secAlias, false)); 
@@ -1729,10 +1729,10 @@ qemuDomainDelTLSObjects(virDomainObj *vm, =20 =20 int -qemuDomainAddTLSObjects(virDomainObj *vm, - virDomainAsyncJob asyncJob, - virJSONValue **secProps, - virJSONValue **tlsProps) +qemuDomainAddTLSx509Objects(virDomainObj *vm, + virDomainAsyncJob asyncJob, + virJSONValue **secProps, + virJSONValue **tlsProps) { qemuDomainObjPrivate *priv =3D vm->privateData; virErrorPtr orig_err; @@ -1766,14 +1766,14 @@ qemuDomainAddTLSObjects(virDomainObj *vm, =20 =20 int -qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo, - const char *tlsCertdir, - bool tlsListen, - bool tlsVerify, - const char *tlsPriority, - const char *alias, - virJSONValue **tlsProps, - virJSONValue **secProps) +qemuDomainGetTLSx509Objects(qemuDomainSecretInfo *secinfo, + const char *tlsCertdir, + bool tlsListen, + bool tlsVerify, + const char *tlsPriority, + const char *alias, + virJSONValue **tlsProps, + virJSONValue **secProps) { const char *secAlias =3D NULL; =20 @@ -1798,7 +1798,7 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *driver, virDomainChrSourceDef *dev, char *devAlias, char *charAlias, - char **tlsAlias, + char **tlsx509Alias, const char **secAlias) { g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); 
@@ -1821,21 +1821,21 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *drive= r, if (secinfo) *secAlias =3D secinfo->alias; =20 - if (!(*tlsAlias =3D qemuAliasTLSObjFromSrcAlias(charAlias))) + if (!(*tlsx509Alias =3D qemuAliasTLSx509ObjFromSrcAlias(charAlias))) return -1; =20 - if (qemuDomainGetTLSObjects(secinfo, - cfg->chardevTLSx509certdir, - dev->data.tcp.listen, - cfg->chardevTLSx509verify, - cfg->chardevTLSpriority, - *tlsAlias, &tlsProps, &secProps) < 0) + if (qemuDomainGetTLSx509Objects(secinfo, + cfg->chardevTLSx509certdir, + dev->data.tcp.listen, + cfg->chardevTLSx509verify, + cfg->chardevTLSpriority, + *tlsx509Alias, &tlsProps, &secProps) <= 0) return -1; =20 dev->data.tcp.tlscreds =3D true; =20 - if (qemuDomainAddTLSObjects(vm, VIR_ASYNC_JOB_NONE, - &secProps, &tlsProps) < 0) + if (qemuDomainAddTLSx509Objects(vm, VIR_ASYNC_JOB_NONE, + &secProps, &tlsProps) < 0) return -1; =20 return 0; @@ -1850,7 +1850,7 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver, { g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); qemuDomainObjPrivate *priv =3D vm->privateData; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; g_autofree char *secAlias =3D NULL; =20 if (dev->type !=3D VIR_DOMAIN_CHR_TYPE_TCP || @@ -1858,7 +1858,7 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver, return 0; } =20 - if (!(tlsAlias =3D qemuAliasTLSObjFromSrcAlias(inAlias))) + if (!(tlsx509Alias =3D qemuAliasTLSx509ObjFromSrcAlias(inAlias))) return -1; =20 /* Best shot at this as the secinfo is destroyed after process launch @@ -1871,7 +1871,7 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver, =20 qemuDomainObjEnterMonitor(vm); =20 - ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias, false)); + ignore_value(qemuMonitorDelObject(priv->mon, tlsx509Alias, false)); if (secAlias) ignore_value(qemuMonitorDelObject(priv->mon, secAlias, false)); =20 
@@ -1892,7 +1892,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, g_autofree char *charAlias =3D NULL; g_autoptr(virJSONValue) devprops =3D NULL; bool chardevAdded =3D false; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; const char *secAlias =3D NULL; virErrorPtr orig_err; =20 @@ -1911,7 +1911,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, =20 if (qemuDomainAddChardevTLSObjects(driver, vm, redirdev->source, redirdev->info.alias, charAlias, - &tlsAlias, &secAlias) < 0) + &tlsx509Alias, &secAlias) < 0) goto audit; =20 qemuDomainObjEnterMonitor(vm); @@ -1941,7 +1941,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, ignore_value(qemuMonitorDetachCharDev(priv->mon, charAlias)); qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); goto audit; } =20 @@ -2127,7 +2127,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver, bool teardowncgroup =3D false; bool teardowndevice =3D false; bool teardownlabel =3D false; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; const char *secAlias =3D NULL; bool need_release =3D false; bool guestfwd =3D false; @@ -2181,7 +2181,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver, =20 if (qemuDomainAddChardevTLSObjects(driver, vm, chr->source, chr->info.alias, charAlias, - &tlsAlias, &secAlias) < 0) + &tlsx509Alias, &secAlias) < 0) goto audit; =20 qemuDomainObjEnterMonitor(vm); @@ -2240,7 +2240,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver, qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); =20 - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); goto audit; } =20 
@@ -2256,7 +2256,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver, g_autoptr(virJSONValue) devprops =3D NULL; g_autofree char *charAlias =3D NULL; g_autofree char *objAlias =3D NULL; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; const char *secAlias =3D NULL; bool releaseaddr =3D false; bool teardowncgroup =3D false; @@ -2294,7 +2294,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver, if (qemuDomainAddChardevTLSObjects(driver, vm, rng->source.chardev, rng->info.alias, charAlias, - &tlsAlias, &secAlias) < 0) + &tlsx509Alias, &secAlias) < 0) goto audit; } =20 @@ -2345,7 +2345,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver, qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); =20 - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); goto audit; } =20 diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h index 60ed0e174c..2d9b10204c 100644 --- a/src/qemu/qemu_hotplug.h +++ b/src/qemu/qemu_hotplug.h 
@@ -28,23 +28,23 @@ void qemuDomainDelTLSObjects(virDomainObj *vm, virDomainAsyncJob asyncJob, const char *secAlias, - const char *tlsAlias); + const char *tlsx509Alias); =20 int -qemuDomainAddTLSObjects(virDomainObj *vm, - virDomainAsyncJob asyncJob, - virJSONValue **secProps, - virJSONValue **tlsProps); +qemuDomainAddTLSx509Objects(virDomainObj *vm, + virDomainAsyncJob asyncJob, + virJSONValue **secProps, + virJSONValue **tlsProps); =20 int -qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo, - const char *tlsCertdir, - bool tlsListen, - bool tlsVerify, - const char *tlsPriority, - const char *alias, - virJSONValue **tlsProps, - virJSONValue **secProps); +qemuDomainGetTLSx509Objects(qemuDomainSecretInfo *secinfo, + const char *tlsCertdir, + bool tlsListen, + bool tlsVerify, + const char *tlsPriority, + const char *alias, + virJSONValue **tlsProps, + virJSONValue **secProps); =20 int qemuDomainAttachDiskGeneric(virDomainObj *vm, diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 72e13f854b..79b93fb6e9 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3359,7 +3359,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, qemuDomainObjPrivate *priv =3D vm->privateData; qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; qemuProcessIncomingDef *incoming =3D NULL; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; virObjectEvent *event =3D NULL; virErrorPtr origErr =3D NULL; int dataFD[2] =3D { -1, -1 }; 
@@ -3445,10 +3445,10 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, /* Migrations using TLS need to add the "tls-creds-x509" object and * set the migration TLS parameters */ if (flags & VIR_MIGRATE_TLS) { - if (qemuMigrationParamsEnableTLS(driver, vm, true, - VIR_ASYNC_JOB_MIGRATION_IN, - &tlsAlias, NULL, - migParams) < 0) + if (qemuMigrationParamsEnableTLSx509(driver, vm, true, + VIR_ASYNC_JOB_MIGRATION_IN, + &tlsx509Alias, NULL, + migParams) < 0) goto error; } else { if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) @@ -3466,7 +3466,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, goto error; } =20 - nbdTLSAlias =3D tlsAlias; + nbdTLSAlias =3D tlsx509Alias; } =20 if (qemuMigrationDstStartNBDServer(driver, vm, incoming->address, @@ -5012,7 +5012,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, int ret =3D -1; qemuDomainObjPrivate *priv =3D vm->privateData; g_autoptr(qemuMigrationCookie) mig =3D NULL; - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; qemuMigrationIOThread *iothread =3D NULL; VIR_AUTOCLOSE fd =3D -1; unsigned long restore_max_bandwidth =3D priv->migMaxBandwidth; @@ -5105,10 +5105,10 @@ qemuMigrationSrcRun(virQEMUDriver *driver, spec->destType =3D=3D MIGRATION_DEST_FD) hostname =3D spec->dest.host.name; =20 - if (qemuMigrationParamsEnableTLS(driver, vm, false, - VIR_ASYNC_JOB_MIGRATION_OUT, - &tlsAlias, hostname, - migParams) < 0) + if (qemuMigrationParamsEnableTLSx509(driver, vm, false, + VIR_ASYNC_JOB_MIGRATION_OUT, + &tlsx509Alias, hostname, + migParams) < 0) goto error; } else { if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) @@ -5163,7 +5163,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, migrate_disks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - dconn, tlsAlias, tlsHostname, + dconn, tlsx509Alias, tlsHostnam= e, nbdURI, flags) < 0) { goto error; } diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_par= ams.c index dd47516742..c91ae89c9b 100644 
--- a/src/qemu/qemu_migration_params.c +++ b/src/qemu/qemu_migration_params.c @@ -1150,12 +1150,12 @@ qemuMigrationParamsSetString(qemuMigrationParams *m= igParams, } =20 =20 -/* qemuMigrationParamsEnableTLS +/* qemuMigrationParamsEnableTLSx509 * @driver: pointer to qemu driver * @vm: domain object * @tlsListen: server or client * @asyncJob: Migration job to join - * @tlsAlias: alias to be generated for TLS object + * @tlsx509Alias: alias to be generated for TLS X.509 object * @hostname: hostname of the migration destination * @migParams: migration parameters to set * @@ -1166,17 +1166,17 @@ qemuMigrationParamsSetString(qemuMigrationParams *m= igParams, * Returns 0 on success, -1 on failure */ int -qemuMigrationParamsEnableTLS(virQEMUDriver *driver, - virDomainObj *vm, - bool tlsListen, - int asyncJob, - char **tlsAlias, - const char *hostname, - qemuMigrationParams *migParams) +qemuMigrationParamsEnableTLSx509(virQEMUDriver *driver, + virDomainObj *vm, + bool tlsListen, + int asyncJob, + char **tlsx509Alias, + const char *hostname, + qemuMigrationParams *migParams) { qemuDomainObjPrivate *priv =3D vm->privateData; qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; - g_autoptr(virJSONValue) tlsProps =3D NULL; + g_autoptr(virJSONValue) tlsx509Props =3D NULL; g_autoptr(virJSONValue) secProps =3D NULL; g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); const char *secAlias =3D NULL; 
@@ -1202,28 +1202,28 @@ qemuMigrationParamsEnableTLS(virQEMUDriver *driver, secAlias =3D priv->migSecinfo->alias; } =20 - if (!(*tlsAlias =3D qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALI= AS_BASE))) + if (!(*tlsx509Alias =3D qemuAliasTLSx509ObjFromSrcAlias(QEMU_MIGRATION= _TLS_ALIAS_BASE))) return -1; =20 - if (qemuDomainGetTLSObjects(priv->migSecinfo, - cfg->migrateTLSx509certdir, tlsListen, - cfg->migrateTLSx509verify, - cfg->migrateTLSpriority, - *tlsAlias, &tlsProps, &secProps) < 0) + if (qemuDomainGetTLSx509Objects(priv->migSecinfo, + cfg->migrateTLSx509certdir, tlsListen, + cfg->migrateTLSx509verify, + cfg->migrateTLSpriority, + *tlsx509Alias, &tlsx509Props, &secProp= s) < 0) return -1; =20 /* Ensure the domain doesn't already have the TLS objects defined... * This should prevent any issues just in case some cleanup wasn't * properly completed (both src and dst use the same alias) or * some other error path between now and perform . */ - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsAlias); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsx509Alias); =20 - if (qemuDomainAddTLSObjects(vm, asyncJob, &secProps, &tlsProps) < 0) + if (qemuDomainAddTLSx509Objects(vm, asyncJob, &secProps, &tlsx509Props= ) < 0) return -1; =20 if (qemuMigrationParamsSetString(migParams, QEMU_MIGRATION_PARAM_TLS_CREDS, - *tlsAlias) < 0) + *tlsx509Alias) < 0) return -1; =20 /* QEMU interprets an empty string for hostname as if it is not popula= ted */ @@ -1290,7 +1290,7 @@ qemuMigrationParamsResetTLS(virDomainObj *vm, qemuMigrationParams *origParams, unsigned int apiFlags) { - g_autofree char *tlsAlias =3D NULL; + g_autofree char *tlsx509Alias =3D NULL; g_autofree char *secAlias =3D NULL; =20 /* There's nothing to do if QEMU does not support TLS migration or we = were 
@@ -1299,10 +1299,10 @@ qemuMigrationParamsResetTLS(virDomainObj *vm, !(apiFlags & VIR_MIGRATE_TLS)) return; =20 - tlsAlias =3D qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE= ); + tlsx509Alias =3D qemuAliasTLSx509ObjFromSrcAlias(QEMU_MIGRATION_TLS_AL= IAS_BASE); secAlias =3D qemuAliasForSecret(QEMU_MIGRATION_TLS_ALIAS_BASE, NULL, 0= ); =20 - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsx509Alias); g_clear_pointer(&QEMU_DOMAIN_PRIVATE(vm)->migSecinfo, qemuDomainSecret= InfoFree); } =20 diff --git a/src/qemu/qemu_migration_params.h b/src/qemu/qemu_migration_par= ams.h index b7a829b85a..b578cf5091 100644 --- a/src/qemu/qemu_migration_params.h +++ b/src/qemu/qemu_migration_params.h @@ -115,13 +115,13 @@ qemuMigrationParamsApply(virDomainObj *vm, unsigned int apiFlags); =20 int -qemuMigrationParamsEnableTLS(virQEMUDriver *driver, - virDomainObj *vm, - bool tlsListen, - int asyncJob, - char **tlsAlias, - const char *hostname, - qemuMigrationParams *migParams); +qemuMigrationParamsEnableTLSx509(virQEMUDriver *driver, + virDomainObj *vm, + bool tlsListen, + int asyncJob, + char **tlsx509Alias, + const char *hostname, + qemuMigrationParams *migParams); =20 int qemuMigrationParamsDisableTLS(virDomainObj *vm, diff --git a/src/qemu/qemu_postparse.c b/src/qemu/qemu_postparse.c index 9eda2f6b99..998d083a3d 100644 --- a/src/qemu/qemu_postparse.c +++ b/src/qemu/qemu_postparse.c @@ -278,7 +278,7 @@ qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *disk, if (parseFlags & VIR_DOMAIN_DEF_PARSE_STATUS && disk->src->haveTLS =3D=3D VIR_TRISTATE_BOOL_YES && !disk->src->tlsAlias && - !(disk->src->tlsAlias =3D qemuAliasTLSObjFromSrcAlias(disk->info.a= lias))) + !(disk->src->tlsAlias =3D qemuAliasTLSx509ObjFromSrcAlias(disk->in= fo.alias))) return -1; =20 return 0; diff --git a/tests/qemumigparamsdata/tls-enabled.json b/tests/qemumigparams= data/tls-enabled.json index 098d3ae148..b8d2f094a6 100644 
--- a/tests/qemumigparamsdata/tls-enabled.json +++ b/tests/qemumigparamsdata/tls-enabled.json @@ -1,7 +1,7 @@ { "cpu-throttle-initial": 20, "cpu-throttle-increment": 10, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx509_0", "tls-hostname": "", "max-bandwidth": 33554432, "downtime-limit": 300 diff --git a/tests/qemumigparamsdata/tls-enabled.reply b/tests/qemumigparam= sdata/tls-enabled.reply index e3ce8e7778..10fe78b4b9 100644 --- a/tests/qemumigparamsdata/tls-enabled.reply +++ b/tests/qemumigparamsdata/tls-enabled.reply @@ -4,7 +4,7 @@ "cpu-throttle-increment": 10, "tls-hostname": "", "cpu-throttle-initial": 20, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx509_0", "max-bandwidth": 33554432, "downtime-limit": 300 } diff --git a/tests/qemumigparamsdata/tls-enabled.xml b/tests/qemumigparamsd= ata/tls-enabled.xml index 554b6855d4..1f5da6530c 100644 --- a/tests/qemumigparamsdata/tls-enabled.xml +++ b/tests/qemumigparamsdata/tls-enabled.xml @@ -2,7 +2,7 @@ - + diff --git a/tests/qemumigparamsdata/tls-hostname.json b/tests/qemumigparam= sdata/tls-hostname.json index 2943df769b..abd8f37e8a 100644 --- a/tests/qemumigparamsdata/tls-hostname.json +++ b/tests/qemumigparamsdata/tls-hostname.json @@ -1,7 +1,7 @@ { "cpu-throttle-initial": 20, "cpu-throttle-increment": 10, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx509_0", "tls-hostname": "f27-1.virt", "max-bandwidth": 33554432, "downtime-limit": 300 diff --git a/tests/qemumigparamsdata/tls-hostname.reply b/tests/qemumigpara= msdata/tls-hostname.reply index f7e7a96bc5..551010e426 100644 --- a/tests/qemumigparamsdata/tls-hostname.reply +++ b/tests/qemumigparamsdata/tls-hostname.reply @@ -4,7 +4,7 @@ "cpu-throttle-increment": 10, "tls-hostname": "f27-1.virt", "cpu-throttle-initial": 20, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx509_0", "max-bandwidth": 33554432, "downtime-limit": 300 } 
diff --git a/tests/qemumigparamsdata/tls-hostname.xml b/tests/qemumigparams= data/tls-hostname.xml index addb5e68a4..3dd0b6ae28 100644 --- a/tests/qemumigparamsdata/tls-hostname.xml +++ b/tests/qemumigparamsdata/tls-hostname.xml @@ -2,7 +2,7 @@ - + diff --git a/tests/qemumonitorjsontest.c b/tests/qemumonitorjsontest.c index f59b97c1c3..a9cccfb1d1 100644 --- a/tests/qemumonitorjsontest.c +++ b/tests/qemumonitorjsontest.c @@ -665,7 +665,7 @@ qemuMonitorJSONTestAttachChardev(virDomainXMLOption *xm= lopt, "'server':false}}}"); =20 chr->data.tcp.tlscreds =3D true; - chrSourcePriv->tlsCredsAlias =3D qemuAliasTLSObjFromSrcAlias("alia= s"); + chrSourcePriv->tlsCredsAlias =3D qemuAliasTLSx509ObjFromSrcAlias("= alias"); chr->logfile =3D g_strdup("/test/log"); CHECK("tcp", false, "{'id':'alias'," @@ -675,7 +675,7 @@ qemuMonitorJSONTestAttachChardev(virDomainXMLOption *xm= lopt, "'port':'1234'}}," "'telnet':false," "'server':false," - "'tls-creds':'objalias_tls0'," + "'tls-creds':'objalias_tlsx509_0'," "'logfile':'/test/log'}}}"); =20 } diff --git a/tests/qemustatusxml2xmldata/upgrade-out.xml b/tests/qemustatus= xml2xmldata/upgrade-out.xml index c7bc7128df..8d82c83146 100644 --- a/tests/qemustatusxml2xmldata/upgrade-out.xml +++ b/tests/qemustatusxml2xmldata/upgrade-out.xml @@ -414,7 +414,7 @@ - + diff --git a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args = b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args index fd1c94f8ed..1857c9c3c3 100644 --- a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args +++ b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUG= uest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"char= dev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev '{"id":"charchannel10","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5679"}},"telnet":true,"serv= er":true,"wait":false}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"char= dev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"ser= ver":false,"reconnect":2,"tls-creds":"objcharchannel11_tls0"}}}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx509_0","d= ir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"ser= ver":false,"reconnect":2,"tls-creds":"objcharchannel11_tlsx509_0"}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"char= dev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel12","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":t= rue,"server":false,"reconnect":2,"tls-creds":"objcharchannel12_tls0"}}}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx509_0","d= ir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ 
+-chardev '{"id":"charchannel12","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":t= rue,"server":false,"reconnect":2,"tls-creds":"objcharchannel12_tlsx509_0"}}= }' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"char= dev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}'= \ -chardev '{"id":"charchannel13","backend":{"type":"udp","data":{"remote":{= "type":"inet","data":{"host":"127.0.0.1","port":"2222"}}}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"char= dev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args= b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args index 7e5540ff09..d4fa40ed6c 100644 --- a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args +++ b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUG= uest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"char= dev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev '{"id":"charchannel10","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5679"}},"telnet":true,"serv= er":true,"wait":false}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"char= dev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"ser= ver":false,"reconnect-ms":2000,"tls-creds":"objcharchannel11_tls0"}}}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx509_0","d= ir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"ser= ver":false,"reconnect-ms":2000,"tls-creds":"objcharchannel11_tlsx509_0"}}}'= \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"char= dev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel12","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":t= rue,"server":false,"reconnect-ms":2000,"tls-creds":"objcharchannel12_tls0"}= }}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx509_0","d= 
ir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev '{"id":"charchannel12","backend":{"type":"socket","data":{"addr":= {"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":t= rue,"server":false,"reconnect-ms":2000,"tls-creds":"objcharchannel12_tlsx50= 9_0"}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"char= dev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}'= \ -chardev '{"id":"charchannel13","backend":{"type":"udp","data":{"remote":{= "type":"inet","data":{"host":"127.0.0.1","port":"2222"}}}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"char= dev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args b/tes= ts/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args index 3a3128eb3e..78275b25ac 100644 --- a/tests/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args +++ b/tests/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUG= uest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"char= dev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev socket,id=3Dcharchannel10,host=3D1.2.3.4,port=3D5679,telnet=3Don,= server=3Don,wait=3Doff \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"char= dev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharchannel11,host=3D1.2.3.4,port=3D5678,reconnect=3D= 2,tls-creds=3Dobjcharchannel11_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx509_0","d= ir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharchannel11,host=3D1.2.3.4,port=3D5678,reconnect=3D= 2,tls-creds=3Dobjcharchannel11_tlsx509_0 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"char= dev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharchannel12,host=3Dhostname.global.,port=3D5679,tel= net=3Don,reconnect=3D2,tls-creds=3Dobjcharchannel12_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx509_0","d= ir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharchannel12,host=3Dhostname.global.,port=3D5679,tel= net=3Don,reconnect=3D2,tls-creds=3Dobjcharchannel12_tlsx509_0 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"char= dev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}'= \ -chardev udp,id=3Dcharchannel13,host=3D127.0.0.1,port=3D2222,localaddr=3D,= localport=3D0 \ 
-device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"char= dev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/chardev-backends.x86_64-latest.args b/te= sts/qemuxmlconfdata/chardev-backends.x86_64-latest.args index 68357c42f1..bc742db61c 100644 --- a/tests/qemuxmlconfdata/chardev-backends.x86_64-latest.args +++ b/tests/qemuxmlconfdata/chardev-backends.x86_64-latest.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUG= uest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"char= dev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev socket,id=3Dcharchannel10,host=3D1.2.3.4,port=3D5679,telnet=3Don,= server=3Don,wait=3Doff \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"char= dev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharchannel11,host=3D1.2.3.4,port=3D5678,reconnect-ms= =3D2000,tls-creds=3Dobjcharchannel11_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx509_0","d= ir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharchannel11,host=3D1.2.3.4,port=3D5678,reconnect-ms= =3D2000,tls-creds=3Dobjcharchannel11_tlsx509_0 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"char= dev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"= /etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharchannel12,host=3Dhostname.global.,port=3D5679,tel= net=3Don,reconnect-ms=3D2000,tls-creds=3Dobjcharchannel12_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx509_0","d= ir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharchannel12,host=3Dhostname.global.,port=3D5679,tel= net=3Don,reconnect-ms=3D2000,tls-creds=3Dobjcharchannel12_tlsx509_0 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"char= dev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}'= \ -chardev 
udp,id=3Dcharchannel13,host=3D127.0.0.1,port=3D2222,localaddr=3D,= localport=3D0 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"char= dev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64= -latest.args b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_= 64-latest.args index ed3fb618f6..0aaf41dfea 100644 --- a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest= .args +++ b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest= .args 
@@ -27,9 +27,9 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGue= st1/.config \ -no-shutdown \ -boot strict=3Don \ -device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0= x2"}' \ --object '{"qom-type":"secret","id":"objlibvirt-1-storage_tls0-secret0","da= ta":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","key= id":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw=3D=3D","format":"base64"}' \ --object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","di= r":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"priority"= :"@SYSTEM:-VERS-TLS1.3","passwordid":"objlibvirt-1-storage_tls0-secret0"}' \ --blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","p= ort":"1234"},"tls-creds":"objlibvirt-1-storage_tls0","tls-hostname":"test-h= ostname","node-name":"libvirt-1-storage","read-only":false,"cache":{"direct= ":true,"no-flush":false}}' \ +-object '{"qom-type":"secret","id":"objlibvirt-1-storage_tlsx509_0-secret0= ","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1"= ,"keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw=3D=3D","format":"base64"= }' \ +-object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tlsx509_0= ","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"prio= rity":"@SYSTEM:-VERS-TLS1.3","passwordid":"objlibvirt-1-storage_tlsx509_0-s= ecret0"}' \ +-blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","p= ort":"1234"},"tls-creds":"objlibvirt-1-storage_tlsx509_0","tls-hostname":"t= est-hostname","node-name":"libvirt-1-storage","read-only":false,"cache":{"d= irect":true,"no-flush":false}}' \ -device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x7","drive":"li= bvirt-1-storage","id":"virtio-disk3","bootindex":1,"write-cache":"on"}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,resource= control=3Ddeny \ 
diff --git a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.a= rgs b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.args index 18e65ca27a..566d6ccb91 100644 --- a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.args +++ b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.args 
@@ -27,9 +27,9 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGue= st1/.config \ -no-shutdown \ -boot strict=3Don \ -device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0= x2"}' \ --object '{"qom-type":"secret","id":"objlibvirt-1-storage_tls0-secret0","da= ta":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","key= id":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw=3D=3D","format":"base64"}' \ --object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","di= r":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"passwordi= d":"objlibvirt-1-storage_tls0-secret0"}' \ --blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","p= ort":"1234"},"tls-creds":"objlibvirt-1-storage_tls0","node-name":"libvirt-1= -storage","read-only":false,"cache":{"direct":true,"no-flush":false}}' \ +-object '{"qom-type":"secret","id":"objlibvirt-1-storage_tlsx509_0-secret0= ","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1"= ,"keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw=3D=3D","format":"base64"= }' \ +-object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tlsx509_0= ","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"pass= wordid":"objlibvirt-1-storage_tlsx509_0-secret0"}' \ +-blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","p= ort":"1234"},"tls-creds":"objlibvirt-1-storage_tlsx509_0","node-name":"libv= irt-1-storage","read-only":false,"cache":{"direct":true,"no-flush":false}}'= \ -device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x7","drive":"li= bvirt-1-storage","id":"virtio-disk3","bootindex":1,"write-cache":"on"}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -sandbox on,obsolete=3Ddeny,elevateprivileges=3Ddeny,spawn=3Ddeny,resource= control=3Ddeny \ 
diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_64= -latest.args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_= 64-latest.args index fa87b76d78..95685a66d9 100644 --- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_64-latest= .args +++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_64-latest= .args @@ -31,8 +31,8 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGue= st1/.config \ -device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-stor= age","id":"ide0-0-0","bootindex":1}' \ -chardev udp,id=3Dcharserial0,host=3D127.0.0.1,port=3D2222,localaddr=3D127= .0.0.1,localport=3D1111 \ -device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","in= dex":0}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/e= tc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tlsx509_0","dir= ":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tlsx509_0 \ -device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","in= dex":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","add= r":"0x2"}' \ diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest= .args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest.args index fa87b76d78..95685a66d9 100644 --- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest.args +++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest.args 
@@ -31,8 +31,8 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGue= st1/.config \ -device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-stor= age","id":"ide0-0-0","bootindex":1}' \ -chardev udp,id=3Dcharserial0,host=3D127.0.0.1,port=3D2222,localaddr=3D127= .0.0.1,localport=3D1111 \ -device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","in= dex":0}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/e= tc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tlsx509_0","dir= ":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tlsx509_0 \ -device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","in= dex":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","add= r":"0x2"}' \ diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64= -latest.args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_= 64-latest.args index d127cc4ecf..4d61293d53 100644 --- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest= .args +++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest= .args 
@@ -32,8 +32,8 @@ XDG_CONFIG_HOME=3D/var/lib/libvirt/qemu/domain--1-QEMUGue= st1/.config \ -chardev udp,id=3Dcharserial0,host=3D127.0.0.1,port=3D2222,localaddr=3D127= .0.0.1,localport=3D1111 \ -device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","in= dex":0}' \ -object '{"qom-type":"secret","id":"charserial1-secret0","data":"9eao5F8qt= kGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey= 0","iv":"AAECAwQFBgcICQoLDA0ODw=3D=3D","format":"base64"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/e= tc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"priority":"= @SYSTEM:-VERS-TLS1.3","passwordid":"charserial1-secret0"}' \ --chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tlsx509_0","dir= ":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"priori= ty":"@SYSTEM:-VERS-TLS1.3","passwordid":"charserial1-secret0"}' \ +-chardev socket,id=3Dcharserial1,host=3D127.0.0.1,port=3D5555,tls-creds=3D= objcharserial1_tlsx509_0 \ -device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","in= dex":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","add= r":"0x3"}' \ --=20 2.43.7
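Review bot: The switch from the _tls0 suffix to _tlsx509_0 in these expected outputs changes the QOM id that QEMU sees for every TLS chardev and NBD disk (objcharserial1_tls0 becomes objcharserial1_tlsx509_0), and in the disk-network-tlsx509-nbd cases the derived secret id moves with it (objlibvirt-1-storage_tls0-secret0 becomes objlibvirt-1-storage_tlsx509_0-secret0). A guest started by an older libvirt still holds the old ids inside QEMU, so any unplug or cleanup path that regenerates the alias with qemuAliasTLSx509ObjFromSrcAlias() instead of reading a stored value would ask QEMU to delete an object that does not exist and leave the real tls-creds-x509 and secret objects behind. The commit message should state how already-running domains are handled across a daemon upgrade (the upgrade-out.xml hunk suggests status XML is involved), or the x509 suffix could stay _tls0 with only the new PSK object getting a distinct suffix.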
From: Abhisek Panda
To: devel@lists.libvirt.org
Subject: [PATCH v2 5/6] qemu: Manage tls-creds-psk object lifecycle
Date: Tue, 23 Jun 2026 06:26:03 +0000
Message-ID: <20260623062615.914208-6-abhisek.panda1@nutanix.com>
In-Reply-To: <20260623062615.914208-1-abhisek.panda1@nutanix.com>
References: <20260623062615.914208-1-abhisek.panda1@nutanix.com>
CC: tejus.gk@nutanix.com, mark.caveayland@nutanix.com, Abhisek Panda

To enable TLS-PSK-based authentication scheme, add support for
instantiating the tls-creds-psk object through QEMU monitor. In order to
remove the TLS-related objects from a QEMU instance, augment the
qemuDomainDelTLSObjects handler to also consider the TLS-PSK object.

Suggested-by: Tejus GK
Signed-off-by: Abhisek Panda
---
 src/qemu/qemu_alias.c            | 11 +++++
 src/qemu/qemu_alias.h            |  3 ++
 src/qemu/qemu_hotplug.c          | 58 ++++++++++++++++++++++++---
 src/qemu/qemu_hotplug.h          | 14 ++++++-
 src/qemu/qemu_migration_params.c | 69 ++++++++++++++++++++++++++++++--
 src/qemu/qemu_migration_params.h |  8 ++++
 6 files changed, 152 insertions(+), 11 deletions(-)
diff --git a/src/qemu/qemu_alias.c b/src/qemu/qemu_alias.c index b41794a5fa..a4894a681f 100644 --- a/src/qemu/qemu_alias.c +++ b/src/qemu/qemu_alias.c @@ -883,6 +883,17 @@ qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias) return g_strdup_printf("obj%s_tlsx509_0", srcAlias); } =20 +/* qemuAliasTLSPSKObjFromSrcAlias + * @srcAlias: Pointer to a source alias string + * + * Generate and return a string to be used as the TLS PSK object alias + */ +char * +qemuAliasTLSPSKObjFromSrcAlias(const char *srcAlias) +{ + return g_strdup_printf("obj%s_tlspsk_0", srcAlias); +} + =20 /* qemuAliasChardevFromDevAlias: * @devAlias: pointer do device alias diff --git a/src/qemu/qemu_alias.h b/src/qemu/qemu_alias.h index dd7bfdcc0f..2a0c7ca7c3 100644 --- a/src/qemu/qemu_alias.h +++ b/src/qemu/qemu_alias.h @@ -92,6 +92,9 @@ char *qemuAliasForSecret(const char *parentalias, char *qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias) ATTRIBUTE_NONNULL(1); =20 +char *qemuAliasTLSPSKObjFromSrcAlias(const char *srcAlias) + ATTRIBUTE_NONNULL(1); + char *qemuAliasChardevFromDevAlias(const char *devAlias) ATTRIBUTE_NONNULL(1); =20 diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index d2add3f656..75a2c75edf 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1702,12 +1702,13 @@ void qemuDomainDelTLSObjects(virDomainObj *vm, virDomainAsyncJob asyncJob, const char *secAlias, - const char *tlsx509Alias) + const char *tlsx509Alias, + const char *tlsPSKAlias) { qemuDomainObjPrivate *priv =3D vm->privateData; virErrorPtr orig_err; =20 - if (!tlsx509Alias && !secAlias) + if (!tlsx509Alias && !secAlias && !tlsPSKAlias) return; =20 virErrorPreserveLast(&orig_err); @@ -1721,6 +1722,9 @@ qemuDomainDelTLSObjects(virDomainObj *vm, if (secAlias) ignore_value(qemuMonitorDelObject(priv->mon, secAlias, false)); =20 + if (tlsPSKAlias) + ignore_value(qemuMonitorDelObject(priv->mon, tlsPSKAlias, false)); + qemuDomainObjExitMonitor(vm); =20 cleanup: 
@@ -1759,7 +1763,7 @@ qemuDomainAddTLSx509Objects(virDomainObj *vm, virErrorPreserveLast(&orig_err); qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, NULL); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, NULL, NULL); =20 return -1; } @@ -1881,6 +1885,48 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver, } =20 =20 +int +qemuDomainAddTLSPSKObjects(virDomainObj *vm, + virDomainAsyncJob asyncJob, + virJSONValue **tlsPSKProps) +{ + qemuDomainObjPrivate *priv =3D vm->privateData; + virErrorPtr orig_err; + + if (!tlsPSKProps) + return 0; + + if (qemuDomainObjEnterMonitorAsync(vm, asyncJob) < 0) + return -1; + + if (tlsPSKProps && *tlsPSKProps && + qemuMonitorAddObject(priv->mon, tlsPSKProps, NULL) < 0) + goto error; + + qemuDomainObjExitMonitor(vm); + return 0; + + error: + virErrorPreserveLast(&orig_err); + qemuDomainObjExitMonitor(vm); + virErrorRestore(&orig_err); + return -1; +} + + +int +qemuDomainGetTLSPSKObjects(const char *tlsPSKdir, + bool tlsListen, + const char *alias, + virJSONValue **tlsPSKProps) +{ + if (qemuBuildTLSPSKBackendProps(tlsPSKdir, tlsListen, alias, tlsPSKPro= ps) < 0) + return -1; + + return 0; +} + + static int qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, virDomainObj *vm, @@ -1941,7 +1987,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, ignore_value(qemuMonitorDetachCharDev(priv->mon, charAlias)); qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= , NULL); goto audit; } =20 @@ -2240,7 +2286,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver, qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); =20 - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= , NULL); goto audit; } =20 
@@ -2345,7 +2391,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver, qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); =20 - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= ); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias= , NULL); goto audit; } =20 diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h index 2d9b10204c..984d3098a6 100644 --- a/src/qemu/qemu_hotplug.h +++ b/src/qemu/qemu_hotplug.h @@ -28,7 +28,8 @@ void qemuDomainDelTLSObjects(virDomainObj *vm, virDomainAsyncJob asyncJob, const char *secAlias, - const char *tlsx509Alias); + const char *tlsx509Alias, + const char *tlsPSKAlias); =20 int qemuDomainAddTLSx509Objects(virDomainObj *vm, @@ -46,6 +47,17 @@ qemuDomainGetTLSx509Objects(qemuDomainSecretInfo *secinf= o, virJSONValue **tlsProps, virJSONValue **secProps); =20 +int +qemuDomainAddTLSPSKObjects(virDomainObj *vm, + virDomainAsyncJob asyncJob, + virJSONValue **tlsPSKProps); + +int +qemuDomainGetTLSPSKObjects(const char *tlsPSKdir, + bool tlsListen, + const char *alias, + virJSONValue **tlsPSKProps); + int qemuDomainAttachDiskGeneric(virDomainObj *vm, virDomainDiskDef *disk, diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_par= ams.c index c91ae89c9b..846d97b4d1 100644 --- a/src/qemu/qemu_migration_params.c +++ b/src/qemu/qemu_migration_params.c @@ -1216,7 +1216,7 @@ qemuMigrationParamsEnableTLSx509(virQEMUDriver *drive= r, * This should prevent any issues just in case some cleanup wasn't * properly completed (both src and dst use the same alias) or * some other error path between now and perform . */ - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsx509Alias); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsx509Alias, NULL); =20 if (qemuDomainAddTLSx509Objects(vm, asyncJob, &secProps, &tlsx509Props= ) < 0) return -1; 
@@ -1237,6 +1237,65 @@ qemuMigrationParamsEnableTLSx509(virQEMUDriver *driv= er, } =20 =20 +/* qemuMigrationParamsEnableTLSPSK + * @driver: pointer to qemu driver + * @vm: domain object + * @tlsListen: server or client + * @asyncJob: Migration job to join + * @tlsPSKAlias: alias to be generated for TLS-PSK object + * @migParams: migration parameters to set + * + * Create the TLS PSK objects for the migration and set the migParams valu= e. + * + * Returns 0 on success, -1 on failure + */ +int +qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver, + virDomainObj *vm, + bool tlsListen, + int asyncJob, + char **tlsPSKAlias, + qemuMigrationParams *migParams) +{ + qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; + g_autoptr(virJSONValue) tlsPSKProps =3D NULL; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); + char uuidstr[VIR_UUID_STRING_BUFLEN]; + g_autofree char *dir_path =3D NULL; + + virUUIDFormat(vm->def->uuid, uuidstr); + dir_path =3D g_strdup_printf("%s/%s", cfg->stateDir, uuidstr); + + if (!jobPriv->migParams->params[QEMU_MIGRATION_PARAM_TLS_CREDS].set) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("TLS migration is not supported with this QEMU bi= nary")); + return -1; + } + + if (!(*tlsPSKAlias =3D qemuAliasTLSPSKObjFromSrcAlias(QEMU_MIGRATION_T= LS_ALIAS_BASE))) + return -1; + + if (qemuDomainGetTLSPSKObjects(dir_path, tlsListen, + *tlsPSKAlias, &tlsPSKProps) < 0) + return -1; + + /* Ensure the domain doesn't already have the TLS-PSK objects defined. + * This should prevent any issues just in case some cleanup wasn't + * properly completed (both src and dst use the same alias) or + * some other error path. 
*/ + qemuDomainDelTLSObjects(vm, asyncJob, NULL, NULL, *tlsPSKAlias); + + if (qemuDomainAddTLSPSKObjects(vm, asyncJob, &tlsPSKProps) < 0) + return -1; + + if (qemuMigrationParamsSetString(migParams, QEMU_MIGRATION_PARAM_TLS_C= REDS, + *tlsPSKAlias) < 0) + return -1; + + return 0; +} + + /* qemuMigrationParamsDisableTLS * @vm: domain object * @migParams: Pointer to a migration parameters block @@ -1281,8 +1340,8 @@ qemuMigrationParamsTLSHostnameIsSet(qemuMigrationPara= ms *migParams) * @asyncJob: migration job to join * @apiFlags: API flags used to start the migration * - * Deconstruct all the setup possibly done for TLS - delete the TLS and - * security objects and free the secinfo + * Deconstruct all the setup possibly done for TLS - delete the TLS X.509,= TLS-PSK + * and security objects and free the secinfo */ static void qemuMigrationParamsResetTLS(virDomainObj *vm, @@ -1292,6 +1351,7 @@ qemuMigrationParamsResetTLS(virDomainObj *vm, { g_autofree char *tlsx509Alias =3D NULL; g_autofree char *secAlias =3D NULL; + g_autofree char *tlsPSKAlias =3D NULL; =20 /* There's nothing to do if QEMU does not support TLS migration or we = were * not asked to enable it. */ @@ -1301,8 +1361,9 @@ qemuMigrationParamsResetTLS(virDomainObj *vm, =20 tlsx509Alias =3D qemuAliasTLSx509ObjFromSrcAlias(QEMU_MIGRATION_TLS_AL= IAS_BASE); secAlias =3D qemuAliasForSecret(QEMU_MIGRATION_TLS_ALIAS_BASE, NULL, 0= ); + tlsPSKAlias =3D qemuAliasTLSPSKObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIA= S_BASE); =20 - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsx509Alias); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsx509Alias, tlsPSKAl= ias); g_clear_pointer(&QEMU_DOMAIN_PRIVATE(vm)->migSecinfo, qemuDomainSecret= InfoFree); } =20 diff --git a/src/qemu/qemu_migration_params.h b/src/qemu/qemu_migration_par= ams.h index b578cf5091..ad65c7933e 100644 --- a/src/qemu/qemu_migration_params.h +++ b/src/qemu/qemu_migration_params.h 
@@ -123,6 +123,14 @@ qemuMigrationParamsEnableTLSx509(virQEMUDriver *driver, const char *hostname, qemuMigrationParams *migParams); =20 +int +qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver, + virDomainObj *vm, + bool tlsListen, + int asyncJob, + char **tlsPSKAlias, + qemuMigrationParams *migParams); + int qemuMigrationParamsDisableTLS(virDomainObj *vm, qemuMigrationParams *migParams); --=20 2.43.7
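Review bot: in qemuDomainAddTLSPSKObjects (qemu_hotplug.c, hunk at -1881,6 +1885,48) the early return tests only `!tlsPSKProps`, so a caller that passes a valid pointer to a NULL props object still enters and leaves the monitor without doing anything, and the later `tlsPSKProps && *tlsPSKProps` re-tests a pointer already known to be non-NULL. Suggest `if (!tlsPSKProps || !*tlsPSKProps) return 0;` up front, followed by a plain `qemuMonitorAddObject(...) < 0` check. In the same hunk qemuDomainGetTLSPSKObjects only forwards its four arguments to qemuBuildTLSPSKBackendProps; either call the builder directly or document why the wrapper exists. Neither new function has a doc comment describing its parameters or who owns *tlsPSKProps after the call.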
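Review bot: qemuMigrationParamsEnableTLSPSK (qemu_migration_params.c, hunk at -1237,6 +1237,65) gates only on `params[QEMU_MIGRATION_PARAM_TLS_CREDS].set`, so a QEMU binary that has the tls-creds migration parameter but cannot create the PSK object passes the check and fails later in qemuDomainAddTLSPSKObjects with a monitor error instead of the VIR_ERR_OPERATION_UNSUPPORTED message. If a capability for the tls-creds-psk object type is available, test it here. The prototype also declares `int asyncJob` and passes it straight to qemuDomainDelTLSObjects and qemuDomainAddTLSPSKObjects, which are both declared with `virDomainAsyncJob asyncJob`; use the enum type. Finally, the credentials directory is built inside this function as cfg->stateDir/<uuid> and is not a parameter, so the doc comment should say which code creates the key material there and which code removes it; the ResetTLS hunk deletes the QEMU objects only.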
From: Abhisek Panda
To: devel@lists.libvirt.org
Subject: [PATCH v2 6/6] qemu: Set up the migrate TLS-PSK objects
Date: Tue, 23 Jun 2026 06:26:04 +0000
Message-ID: <20260623062615.914208-7-abhisek.panda1@nutanix.com>
In-Reply-To: <20260623062615.914208-1-abhisek.panda1@nutanix.com>
References: <20260623062615.914208-1-abhisek.panda1@nutanix.com>
On the source host enable TLS-PSK based secure migration, if and only if the VIR_MIGRATE_TLS flag is set and ca-cert.pem does not exist. This is because the TLS X.509-based migration utilize the ca-cert.pem file to verify the destination host. Subsequently, the source generates a pre-shared key and transmits it to the destination via a migration cookie. On the destination host, Libvirt unconditionally enables PSK-based migration if it receives the key via the cookie.

Suggested-by: Tejus GK
Signed-off-by: Abhisek Panda --- include/libvirt/libvirt-domain.h | 13 ++++-- src/qemu/qemu_migration.c | 74 ++++++++++++++++++++------------ 2 files changed, 56 insertions(+), 31 deletions(-) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-dom= ain.h index 5b67f8f897..e8b5d8451c 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h @@ -1089,11 +1089,16 @@ typedef enum { VIR_MIGRATE_POSTCOPY =3D (1 << 15), =20 /* Setting the VIR_MIGRATE_TLS flag will cause the migration to attempt - * to use the TLS environment configured by the hypervisor in order to - * perform the migration. If incorrectly configured on either source or - * destination, the migration will fail. + * to use either the TLS X.509 or TLS pre-shared key (PSK) authenticat= ion + * mechanisms. If valid certificates and keys are present on the + * host, then TLS X.509 authentication scheme is used. However, if ca-= cert.pem + * is missing on the source, then TLS PSK authentication scheme is use= d. + * In this case, the client must use a secure Libvirt to Libvirt commu= nication + * channel because the pre-shared key is transmitted to the destinatio= n using the + * migration cookie. If the certificate or the key file is corrupted o= r not + * properly configured on either source or destination, the migration = will fail. * - * Since: 3.2.0 + * Since: 12.4.0 */ VIR_MIGRATE_TLS =3D (1 << 16), =20 diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 79b93fb6e9..bac5a953d1 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3360,6 +3360,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; qemuProcessIncomingDef *incoming =3D NULL; g_autofree char *tlsx509Alias =3D NULL; + g_autofree char *tlsPSKAlias =3D NULL; virObjectEvent *event =3D NULL; virErrorPtr origErr =3D NULL; int dataFD[2] =3D { -1, -1 }; 
@@ -3442,14 +3443,22 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, /* Save original migration parameters */ qemuDomainSaveStatus(vm); =20 - /* Migrations using TLS need to add the "tls-creds-x509" object and + /* Migrations using TLS need to add the "tls-creds-x509" object if the= cert files are + * present on the host, else fallback to adding the "tls-creds-psk" ob= ject. Additionally, * set the migration TLS parameters */ if (flags & VIR_MIGRATE_TLS) { - if (qemuMigrationParamsEnableTLSx509(driver, vm, true, - VIR_ASYNC_JOB_MIGRATION_IN, - &tlsx509Alias, NULL, - migParams) < 0) - goto error; + if (!mig->tlsPSK) { + if (qemuMigrationParamsEnableTLSx509(driver, vm, true, + VIR_ASYNC_JOB_MIGRATION_I= N, + &tlsx509Alias, NULL, + migParams) < 0) + goto error; + } else { + if (qemuMigrationParamsEnableTLSPSK(driver, vm, true, + VIR_ASYNC_JOB_MIGRATION_IN, + &tlsPSKAlias, migParams) <= 0) + goto error; + } } else { if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) goto error; @@ -3556,6 +3565,13 @@ qemuMigrationDstPrepareFresh(virQEMUDriver *driver, g_autofree char *xmlout =3D NULL; unsigned int cookieFlags =3D 0; bool taint_hook =3D false; + unsigned int parseCookieFlags =3D QEMU_MIGRATION_COOKIE_LOCKSTATE | + QEMU_MIGRATION_COOKIE_NBD | + QEMU_MIGRATION_COOKIE_MEMORY_HOTPLUG | + QEMU_MIGRATION_COOKIE_CPU_HOTPLUG | + QEMU_MIGRATION_COOKIE_CPU | + QEMU_MIGRATION_COOKIE_CAPS | + QEMU_MIGRATION_COOKIE_BLOCK_DIRTY_BITM= APS; =20 VIR_DEBUG("name=3D%s, origname=3D%s, protocol=3D%s, port=3D%hu, " "listenAddress=3D%s, nbdPort=3D%d, nbdURI=3D%s, flags=3D0x%x= ", @@ -3567,6 +3583,9 @@ qemuMigrationDstPrepareFresh(virQEMUDriver *driver, QEMU_MIGRATION_COOKIE_CAPS; } =20 + if (flags & VIR_MIGRATE_TLS) + parseCookieFlags |=3D QEMU_MIGRATION_COOKIE_TLS_PSK; + /* Let migration hook filter domain XML */ if (virHookPresent(VIR_HOOK_DRIVER_QEMU)) { g_autofree char *xml =3D NULL; 
@@ -3613,14 +3632,7 @@ qemuMigrationDstPrepareFresh(virQEMUDriver *driver, * domain list. Parsing/validation may fail and there's no * point in having the domain in the list at that point. */ if (!(mig =3D qemuMigrationCookieParse(driver, NULL, *def, origname, N= ULL, - cookiein, cookieinlen, - QEMU_MIGRATION_COOKIE_LOCKSTATE | - QEMU_MIGRATION_COOKIE_NBD | - QEMU_MIGRATION_COOKIE_MEMORY_HOTP= LUG | - QEMU_MIGRATION_COOKIE_CPU_HOTPLUG= | - QEMU_MIGRATION_COOKIE_CPU | - QEMU_MIGRATION_COOKIE_CAPS | - QEMU_MIGRATION_COOKIE_BLOCK_DIRTY= _BITMAPS))) + cookiein, cookieinlen, parseCooki= eFlags))) goto cleanup; =20 if (!(vm =3D virDomainObjListAdd(driver->domains, def, @@ -5013,6 +5025,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, qemuDomainObjPrivate *priv =3D vm->privateData; g_autoptr(qemuMigrationCookie) mig =3D NULL; g_autofree char *tlsx509Alias =3D NULL; + g_autofree char *tlsPSKAlias =3D NULL; qemuMigrationIOThread *iothread =3D NULL; VIR_AUTOCLOSE fd =3D -1; unsigned long restore_max_bandwidth =3D priv->migMaxBandwidth; 
@@ -5097,19 +5110,26 @@ qemuMigrationSrcRun(virQEMUDriver *driver, qemuDomainSaveStatus(vm); =20 if (flags & VIR_MIGRATE_TLS) { - const char *hostname =3D NULL; - - /* We need to add tls-hostname whenever QEMU itself does not - * connect directly to the destination. */ - if (spec->destType =3D=3D MIGRATION_DEST_CONNECT_HOST || - spec->destType =3D=3D MIGRATION_DEST_FD) - hostname =3D spec->dest.host.name; - - if (qemuMigrationParamsEnableTLSx509(driver, vm, false, - VIR_ASYNC_JOB_MIGRATION_OUT, - &tlsx509Alias, hostname, - migParams) < 0) - goto error; + if (qemuMigrationCACertExists(driver)) { + const char *hostname =3D NULL; + + /* We need to add tls-hostname whenever QEMU itself does not + * connect directly to the destination. */ + if (spec->destType =3D=3D MIGRATION_DEST_CONNECT_HOST || + spec->destType =3D=3D MIGRATION_DEST_FD) + hostname =3D spec->dest.host.name; + + if (qemuMigrationParamsEnableTLSx509(driver, vm, false, + VIR_ASYNC_JOB_MIGRATION_O= UT, + &tlsx509Alias, hostname, + migParams) < 0) + goto error; + } else { + if (qemuMigrationParamsEnableTLSPSK(driver, vm, false, + VIR_ASYNC_JOB_MIGRATION_OU= T, + &tlsPSKAlias, migParams) <= 0) + goto error; + } } else { if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) goto error; --=20 2.43.7
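Review bot: the libvirt-domain.h hunk changes `Since: 3.2.0` to `Since: 12.4.0` on VIR_MIGRATE_TLS, but the flag itself is untouched (still `1 << 16`), so the tag would now misreport when the flag was introduced. Keep `Since: 3.2.0` and say in the prose that the PSK fallback applies from 12.4.0. The new text also ends with "not properly configured on either source or destination, the migration will fail" while two sentences earlier a missing ca-cert.pem on the source selects PSK; state explicitly that a missing CA file no longer causes a failure, because callers who set this flag expecting X.509 verification of the destination need to know. The requirement for a secure libvirt-to-libvirt channel is documented here only; nothing in the visible hunks checks it.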
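Review bot: the comment added in qemuMigrationDstPrepareActive (hunk at -3442,14 +3443,22) says tls-creds-x509 is used "if the cert files are present on the host", but the condition is `if (!mig->tlsPSK)`, so the choice follows what the incoming cookie carries and local certificates are never consulted. Correct the comment to describe the cookie test. As written, the source decides the destination's authentication mechanism; consider letting a destination that is configured for X.509 refuse a cookie-supplied key, for example through a configuration setting, rather than enabling PSK unconditionally.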
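Review bot: in qemuMigrationSrcRun (hunk at -5097,19 +5110,26) the mechanism is picked solely by `qemuMigrationCACertExists(driver)` and neither branch records which one was taken, so a removed or mis-pathed ca-cert.pem switches the migration to PSK with no trace in the logs. Add a log line in the else branch (VIR_WARN or at least VIR_DEBUG) naming the selected credential type, so an operator can tell from the source-side log why X.509 was not used.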