From nobody Mon Nov 10 01:29:00 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1552479058914385.2078617839393; Wed, 13 Mar 2019 05:10:58 -0700 (PDT) Received: from localhost ([127.0.0.1]:43040 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1h42ih-00027J-OK for importer@patchew.org; Wed, 13 Mar 2019 08:10:51 -0400 Received: from eggs.gnu.org ([209.51.188.92]:52530) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1h42YN-0002Gk-Aa for qemu-devel@nongnu.org; Wed, 13 Mar 2019 08:00:12 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1h42YI-0005DP-34 for qemu-devel@nongnu.org; Wed, 13 Mar 2019 08:00:11 -0400 Received: from mx1.redhat.com ([209.132.183.28]:57598) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1h42YH-0005Ck-NN for qemu-devel@nongnu.org; Wed, 13 Mar 2019 08:00:05 -0400 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id D4DC7C066455 for ; Wed, 13 Mar 2019 11:53:16 +0000 (UTC) Received: from localhost.localdomain (ovpn-116-118.ams2.redhat.com [10.36.116.118]) by smtp.corp.redhat.com (Postfix) with ESMTP id B6AEA1001E70; Wed, 13 Mar 2019 11:53:14 +0000 (UTC) From: Juan Quintela To: qemu-devel@nongnu.org Date: Wed, 13 Mar 2019 12:51:21 +0100 Message-Id: <20190313115121.7611-11-quintela@redhat.com> In-Reply-To: <20190313115121.7611-1-quintela@redhat.com> References: <20190313115121.7611-1-quintela@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Wed, 13 Mar 2019 11:53:16 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PULL 10/10] migration: add support for a "tls-authz" migration parameter X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Laurent Vivier , Thomas Huth , Juan Quintela , "Dr. David Alan Gilbert" , Markus Armbruster , Paolo Bonzini Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" From: "Daniel P. Berrange" The QEMU instance that runs as the server for the migration data transport (ie the target QEMU) needs to be able to configure access control so it can prevent unauthorized clients initiating an incoming migration. This adds a new 'tls-authz' migration parameter that is used to provide the QOM ID of a QAuthZ subclass instance that provides the access control check. This is checked against the x509 certificate obtained during the TLS handshake. For example, when starting a QEMU for incoming migration, it is possible to give an example identity of the source QEMU that is intended to be connecting later: $QEMU \ -monitor stdio \ -incoming defer \ ...other args... (qemu) object_add tls-creds-x509,id=3Dtls0,dir=3D/home/berrange/qemutls,\ endpoint=3Dserver,verify-peer=3Dyes \ (qemu) object_add authz-simple,id=3Dauth0,identity=3DCN=3Dlaptop.example.= com,,\ O=3DExample Org,,L=3DLondon,,ST=3DLondon,,C=3DGB \ (qemu) migrate_incoming tcp:localhost:9000 Reviewed-by: Juan Quintela Signed-off-by: Daniel P. Berrange Signed-off-by: Juan Quintela --- hmp.c | 9 +++++++++ migration/migration.c | 8 ++++++++ migration/tls.c | 2 +- qapi/migration.json | 14 +++++++++++++- 4 files changed, 31 insertions(+), 2 deletions(-) diff --git a/hmp.c b/hmp.c index 876c656c94..c5c9d01491 100644 --- a/hmp.c +++ b/hmp.c @@ -440,6 +440,9 @@ void hmp_info_migrate_parameters(Monitor *mon, const QD= ict *qdict) monitor_printf(mon, "%s: %" PRIu64 "\n", MigrationParameter_str(MIGRATION_PARAMETER_MAX_POSTCOPY_BANDWI= DTH), params->max_postcopy_bandwidth); + monitor_printf(mon, " %s: '%s'\n", + MigrationParameter_str(MIGRATION_PARAMETER_TLS_AUTHZ), + params->has_tls_authz ? params->tls_authz : ""); } =20 qapi_free_MigrationParameters(params); @@ -1756,6 +1759,12 @@ void hmp_migrate_set_parameter(Monitor *mon, const Q= Dict *qdict) p->tls_hostname->type =3D QTYPE_QSTRING; visit_type_str(v, param, &p->tls_hostname->u.s, &err); break; + case MIGRATION_PARAMETER_TLS_AUTHZ: + p->has_tls_authz =3D true; + p->tls_authz =3D g_new0(StrOrNull, 1); + p->tls_authz->type =3D QTYPE_QSTRING; + visit_type_str(v, param, &p->tls_authz->u.s, &err); + break; case MIGRATION_PARAMETER_MAX_BANDWIDTH: p->has_max_bandwidth =3D true; /* diff --git a/migration/migration.c b/migration/migration.c index b36cf9c9a0..d5c218a22b 100644 --- a/migration/migration.c +++ b/migration/migration.c @@ -757,6 +757,8 @@ MigrationParameters *qmp_query_migrate_parameters(Error= **errp) params->tls_creds =3D g_strdup(s->parameters.tls_creds); params->has_tls_hostname =3D true; params->tls_hostname =3D g_strdup(s->parameters.tls_hostname); + params->has_tls_authz =3D true; + params->tls_authz =3D g_strdup(s->parameters.tls_authz); params->has_max_bandwidth =3D true; params->max_bandwidth =3D s->parameters.max_bandwidth; params->has_downtime_limit =3D true; @@ -1331,6 +1333,12 @@ static void migrate_params_apply(MigrateSetParameter= s *params, Error **errp) s->parameters.tls_hostname =3D g_strdup(params->tls_hostname->u.s); } =20 + if (params->has_tls_authz) { + g_free(s->parameters.tls_authz); + assert(params->tls_authz->type =3D=3D QTYPE_QSTRING); + s->parameters.tls_authz =3D g_strdup(params->tls_authz->u.s); + } + if (params->has_max_bandwidth) { s->parameters.max_bandwidth =3D params->max_bandwidth; if (s->to_dst_file) { diff --git a/migration/tls.c b/migration/tls.c index 3b9e8c9263..5171afc6c4 100644 --- a/migration/tls.c +++ b/migration/tls.c @@ -94,7 +94,7 @@ void migration_tls_channel_process_incoming(MigrationStat= e *s, =20 tioc =3D qio_channel_tls_new_server( ioc, creds, - NULL, /* XXX pass ACL name */ + s->parameters.tls_authz, errp); if (!tioc) { return; diff --git a/qapi/migration.json b/qapi/migration.json index ff3616f4c2..0a85aadd15 100644 --- a/qapi/migration.json +++ b/qapi/migration.json @@ -541,6 +541,12 @@ # hostname must be provided so that the server's x509 # certificate identity can be validated. (Since 2.7) # +# @tls-authz: ID of the 'authz' object subclass that provides access contr= ol +# checking of the TLS x509 certificate distinguished name. +# This object is only resolved at time of use, so can be delet= ed +# and recreated on the fly while the migration server is activ= e. +# If missing, it will default to denying access (Since 4.0) +# # @max-bandwidth: to set maximum speed for migration. maximum speed in # bytes per second. (Since 2.8) # @@ -582,7 +588,7 @@ 'compress-level', 'compress-threads', 'decompress-threads', 'compress-wait-thread', 'cpu-throttle-initial', 'cpu-throttle-increment', - 'tls-creds', 'tls-hostname', 'max-bandwidth', + 'tls-creds', 'tls-hostname', 'tls-authz', 'max-bandwidth', 'downtime-limit', 'x-checkpoint-delay', 'block-incremental', 'multifd-channels', 'xbzrle-cache-size', 'max-postcopy-bandwidth', @@ -693,6 +699,7 @@ '*cpu-throttle-increment': 'int', '*tls-creds': 'StrOrNull', '*tls-hostname': 'StrOrNull', + '*tls-authz': 'StrOrNull', '*max-bandwidth': 'int', '*downtime-limit': 'int', '*x-checkpoint-delay': 'int', @@ -773,6 +780,10 @@ # associated with the migration URI, if any. (Since 2.9) # Note: 2.8 reports this by omitting tls-hostname instead. # +# @tls-authz: ID of the 'authz' object subclass that provides access contr= ol +# checking of the TLS x509 certificate distinguished name. (Si= nce +# 4.0) +# # @max-bandwidth: to set maximum speed for migration. maximum speed in # bytes per second. (Since 2.8) # @@ -821,6 +832,7 @@ '*cpu-throttle-increment': 'uint8', '*tls-creds': 'str', '*tls-hostname': 'str', + '*tls-authz': 'str', '*max-bandwidth': 'size', '*downtime-limit': 'uint64', '*x-checkpoint-delay': 'uint32', --=20 2.20.1