If user requests their virSecret value to be encrypted using
hosts' TPM we can now honour such request as we have all the APIs
ready. The value is still stored in a file (obj->base64File) but
because it was encrypted by TPM it's not readable (even though
it's still base64 encoded).
And since we can detect usability of host's TPM, let's do that
when a virSecret is defined and TPM is requested. This avoids
unpleasant surprises later on.
Resolves: https://issues.redhat.com/browse/RHEL-7125
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
src/conf/virsecretobj.c | 32 +++++++++++++++++++++++++++++---
src/secret/secret_driver.c | 7 +++++++
2 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/src/conf/virsecretobj.c b/src/conf/virsecretobj.c
index 455798d414..b77d69649c 100644
--- a/src/conf/virsecretobj.c
+++ b/src/conf/virsecretobj.c
@@ -24,12 +24,13 @@
#include <sys/stat.h>
#include "datatypes.h"
-#include "virsecretobj.h"
#include "viralloc.h"
#include "virerror.h"
#include "virfile.h"
#include "virhash.h"
#include "virlog.h"
+#include "virsecret.h"
+#include "virsecretobj.h"
#include "virstring.h"
#define VIR_FROM_THIS VIR_FROM_SECRET
@@ -689,7 +690,19 @@ virSecretObjSaveData(virSecretObj *obj)
if (!obj->value)
return 0;
- base64 = g_base64_encode(obj->value, obj->value_size);
+ if (obj->def->tpm == VIR_TRISTATE_BOOL_YES) {
+ char uuidStr[VIR_UUID_STRING_BUFLEN] = { 0 };
+
+ virUUIDFormat(obj->def->uuid, uuidStr);
+
+ if (virSecretTPMEncrypt(uuidStr,
+ obj->value, obj->value_size,
+ &base64) < 0) {
+ return -1;
+ }
+ } else {
+ base64 = g_base64_encode(obj->value, obj->value_size);
+ }
if (virFileRewriteStr(obj->base64File, S_IRUSR | S_IWUSR, base64) < 0)
return -1;
@@ -847,7 +860,20 @@ virSecretLoadValue(virSecretObj *obj)
VIR_FORCE_CLOSE(fd);
- obj->value = g_base64_decode(contents, &obj->value_size);
+ if (obj->def->tpm == VIR_TRISTATE_BOOL_YES) {
+ char uuidStr[VIR_UUID_STRING_BUFLEN] = { 0 };
+
+ virUUIDFormat(obj->def->uuid, uuidStr);
+
+ if (virSecretTPMDecrypt(uuidStr,
+ contents,
+ &obj->value,
+ &obj->value_size) < 0) {
+ goto cleanup;
+ }
+ } else {
+ obj->value = g_base64_decode(contents, &obj->value_size);
+ }
ret = 0;
diff --git a/src/secret/secret_driver.c b/src/secret/secret_driver.c
index c7bd65b4e9..116d645243 100644
--- a/src/secret/secret_driver.c
+++ b/src/secret/secret_driver.c
@@ -234,6 +234,13 @@ secretDefineXML(virConnectPtr conn,
if (virSecretDefineXMLEnsureACL(conn, def) < 0)
goto cleanup;
+ if (def->tpm == VIR_TRISTATE_BOOL_YES &&
+ virSecretTPMAvailable() != 1) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("TPM is unavailable or unusable on this host"));
+ goto cleanup;
+ }
+
if (!(obj = virSecretObjListAdd(driver->secrets, &def,
driver->configDir, &backup)))
goto cleanup;
--
2.43.0
_______________________________________________
Devel mailing list -- devel@lists.libvirt.org
To unsubscribe send an email to devel-leave@lists.libvirt.org
On a Tuesday in 2024, Michal Privoznik wrote: >If user requests their virSecret value to be encrypted using >hosts' TPM we can now honour such request as we have all the APIs >ready. The value is still stored in a file (obj->base64File) but >because it was encrypted by TPM it's not readable (even though >it's still base64 encoded). > >And since we can detect usability of host's TPM, let's do that >when a virSecret is defined and TPM is requested. This avoids >unpleasant surprises later on. > >Resolves: https://issues.redhat.com/browse/RHEL-7125 That link is private so it does not belong in an upstream commit message. Jano >Signed-off-by: Michal Privoznik <mprivozn@redhat.com> >--- > src/conf/virsecretobj.c | 32 +++++++++++++++++++++++++++++--- > src/secret/secret_driver.c | 7 +++++++ > 2 files changed, 36 insertions(+), 3 deletions(-) _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org
© 2016 - 2026 Red Hat, Inc.