From nobody Mon Feb 9 10:58:03 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 207.211.31.120 as permitted sender) client-ip=207.211.31.120; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-1.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 207.211.31.120 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1593701099; cv=none; d=zohomail.com; s=zohoarc; b=iZ/Bn6yRPzXfsaYkv/sl6J0cbxt0sCyeTGGRTjk+2ZWl1dFKyy2W30YWCHSKFF42Sy3sSlzIDSXIkQLEiNW6fI0qFvL2e6fIbmvioy5z+F5yZv5S4xr6mbNXm2mYRcZg5EL91lqy3ZrJo3AcfQEIGh5+5V/TZlRlYGKm7GCCv+0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1593701099; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=ey7Sxio2WO7nrgfLy+ldVgzZ8BAwIuQhJzCQYUDbU8A=; b=iTE+9n9HeA54wZJajP6rOf7Rie+A9nMkJ9jb72bZJvVvjb6HF1Xxb/Eum4xIZ8N6jCEThuwclX26DXgmPBPqdoBw4kzAku21ahNLZIFB+Nu47ts9sSRko9Cd3bfKzFmbPNk3T1z8IInxAbMTn1YoFr4KxPpd3lCXmjCTsWANrJE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 207.211.31.120 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) by mx.zohomail.com with SMTPS id 1593701099898989.8437208703612; Thu, 2 Jul 2020 07:44:59 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-355-zh7N-ziVOVmqVcnJ2e-1iw-1; Thu, 02 Jul 2020 10:44:56 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 12AF0107ACF2; Thu, 2 Jul 2020 14:44:50 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id EA19A73FE8; Thu, 2 Jul 2020 14:44:49 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id BB69B6C9CD; Thu, 2 Jul 2020 14:44:49 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 062EeO0Y011756 for ; Thu, 2 Jul 2020 10:40:24 -0400 Received: by smtp.corp.redhat.com (Postfix) id 5007B10002A2; Thu, 2 Jul 2020 14:40:24 +0000 (UTC) Received: from speedmetal.redhat.com (unknown [10.40.208.18]) by smtp.corp.redhat.com (Postfix) with ESMTP id B6B0F10013D2 for ; Thu, 2 Jul 2020 14:40:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1593701097; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=ey7Sxio2WO7nrgfLy+ldVgzZ8BAwIuQhJzCQYUDbU8A=; b=RiXNzVy48TWNbT7rybABNktTBxvPUiLRNWPgxyM4LoJwTd24jsBp9LpsInOVwK2YB3sMJn Ary6U3pVg4DAwNG/jeyb0pq2jF0CLOTljvnV3Qy0gcsI5lXKs0IZECt4USuhx96HhwtoDi /T3wJ80zQvqR5RpAN5LzNqL4EiRjHnM= X-MC-Unique: zh7N-ziVOVmqVcnJ2e-1iw-1 From: Peter Krempa To: libvir-list@redhat.com Subject: [PATCH 09/24] qemu: conf: Add configuration of TLS key encryption for 'vxhs' and 'nbd' disks Date: Thu, 2 Jul 2020 16:39:55 +0200 Message-Id: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) Content-Type: text/plain; charset="utf-8" Until now libvirt didn't allow using encrypted TLS key for disk clients. Add fields for configuring the secret and propagate defaults. Signed-off-by: Peter Krempa Reviewed-by: Eric Blake --- src/qemu/libvirtd_qemu.aug | 2 ++ src/qemu/qemu.conf | 19 +++++++++++++++++++ src/qemu/qemu_conf.c | 13 +++++++++---- src/qemu/qemu_conf.h | 2 ++ src/qemu/test_libvirtd_qemu.aug.in | 2 ++ 5 files changed, 34 insertions(+), 4 deletions(-) diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index 7a6a33c77c..c19a086c38 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -61,9 +61,11 @@ module Libvirtd_qemu =3D let vxhs_entry =3D bool_entry "vxhs_tls" | str_entry "vxhs_tls_x509_cert_dir" + | str_entry "vxhs_tls_x509_secret_uuid" let nbd_entry =3D bool_entry "nbd_tls" | str_entry "nbd_tls_x509_cert_dir" + | str_entry "nbd_tls_x509_secret_uuid" let nogfx_entry =3D bool_entry "nographics_allow_host_audio" diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 9b04c8534b..ab403c21ac 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -303,6 +303,15 @@ #vxhs_tls_x509_cert_dir =3D "/etc/pki/libvirt-vxhs" +# Uncomment and use the following option to override the default secret +# UUID provided in the default_tls_x509_secret_uuid parameter. +# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +#vxhs_tls_x509_secret_uuid =3D "00000000-0000-0000-0000-000000000000" + # Enable use of TLS encryption for all NBD disk devices that don't # specifically disable it. @@ -337,6 +346,16 @@ #nbd_tls_x509_cert_dir =3D "/etc/pki/libvirt-nbd" +# Uncomment and use the following option to override the default secret +# UUID provided in the default_tls_x509_secret_uuid parameter. +# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +#nbd_tls_x509_secret_uuid =3D "00000000-0000-0000-0000-000000000000" + + # In order to override the default TLS certificate location for migration # certificates, supply a valid path to the certificate directory. If the # provided path does not exist, libvirtd will fail to start. If the path is diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index b9b90e853f..6e673e8f62 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -339,7 +339,10 @@ static void virQEMUDriverConfigDispose(void *obj) VIR_FREE(cfg->chardevTLSx509secretUUID); VIR_FREE(cfg->vxhsTLSx509certdir); + VIR_FREE(cfg->vxhsTLSx509secretUUID); + VIR_FREE(cfg->nbdTLSx509certdir); + VIR_FREE(cfg->nbdTLSx509secretUUID); VIR_FREE(cfg->migrateTLSx509certdir); VIR_FREE(cfg->migrateTLSx509secretUUID); @@ -477,12 +480,8 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverC= onfigPtr cfg, if (virConfGetValueBool(conf, "vxhs_tls", &cfg->vxhsTLS) < 0) return -1; - if (virConfGetValueString(conf, "vxhs_tls_x509_cert_dir", &cfg->vxhsTL= Sx509certdir) < 0) - return -1; if (virConfGetValueBool(conf, "nbd_tls", &cfg->nbdTLS) < 0) return -1; - if (virConfGetValueString(conf, "nbd_tls_x509_cert_dir", &cfg->nbdTLSx= 509certdir) < 0) - return -1; if (virConfGetValueBool(conf, "chardev_tls", &cfg->chardevTLS) < 0) return -1; @@ -512,6 +511,10 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverC= onfigPtr cfg, GET_CONFIG_TLS_CERTINFO_COMMON(migrate); GET_CONFIG_TLS_CERTINFO_SERVER(migrate); + GET_CONFIG_TLS_CERTINFO_COMMON(vxhs); + + GET_CONFIG_TLS_CERTINFO_COMMON(nbd); + #undef GET_CONFIG_TLS_CERTINFO_COMMON #undef GET_CONFIG_TLS_CERTINFO_SERVER return 0; @@ -1186,6 +1189,8 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr= cfg) SET_TLS_SECRET_UUID_DEFAULT(vnc); SET_TLS_SECRET_UUID_DEFAULT(chardev); SET_TLS_SECRET_UUID_DEFAULT(migrate); + SET_TLS_SECRET_UUID_DEFAULT(vxhs); + SET_TLS_SECRET_UUID_DEFAULT(nbd); #undef SET_TLS_SECRET_UUID_DEFAULT diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index 4f54c136db..6193a7111c 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -146,9 +146,11 @@ struct _virQEMUDriverConfig { bool vxhsTLS; char *vxhsTLSx509certdir; + char *vxhsTLSx509secretUUID; bool nbdTLS; char *nbdTLSx509certdir; + char *nbdTLSx509secretUUID; unsigned int remotePortMin; unsigned int remotePortMax; diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe= mu.aug.in index e533b9f551..db125bf352 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in @@ -28,8 +28,10 @@ module Test_libvirtd_qemu =3D { "chardev_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } { "vxhs_tls" =3D "1" } { "vxhs_tls_x509_cert_dir" =3D "/etc/pki/libvirt-vxhs" } +{ "vxhs_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000" } { "nbd_tls" =3D "1" } { "nbd_tls_x509_cert_dir" =3D "/etc/pki/libvirt-nbd" } +{ "nbd_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000" } { "migrate_tls_x509_cert_dir" =3D "/etc/pki/libvirt-migrate" } { "migrate_tls_x509_verify" =3D "1" } { "migrate_tls_x509_secret_uuid" =3D "00000000-0000-0000-0000-000000000000= " } --=20 2.26.2