From nobody Fri Dec 19 02:49:32 2025
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 216.205.24.124 as permitted sender) client-ip=216.205.24.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1613760395; cv=none;
	d=zohomail.com; s=zohoarc;
	b=lw4RaKsKdG+bH4tG4cmGY7oYMYaQ8x47lKDZp8/zoWJX+hYoGYscJbmMpkTORlfBoiBI/r6mDGXLGHR4mBHgTOb92BuWVNEKE2r530+OX5ymud1Q4YvaGwLokFhBiE4PZoJdM6Zef/lFzqXIVz8sU+lc+FUYKLNGw0lrNdFK3D0=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1613760395;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=pQ/foB9uBR0CA11WeN72PR/8jMINUpIXOzJt4AZvhbk=;
	b=Hpx8t3Tj9K5NRVzmFJgJgbVsT39I7sNP7z8xZ7PQYNc8RGJJW8QCkeBN5nGpX6fFyhcLXGClpQCpoC42mOTFic/ADaAeWWNST7oymFVXjnQqU9Idj1Ps7h/Vs+YRvfpXMoUAUlfNu/ENawrGmAt7MWtzwKtmT+0nvPppFRUEETY=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass header.from=<berrange@redhat.com> (p=none dis=none)
 header.from=<berrange@redhat.com>
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.zohomail.com
	with SMTPS id 1613760395011752.7028728735827;
 Fri, 19 Feb 2021 10:46:35 -0800 (PST)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-47-Acckd4leMKadcOxxtMhboA-1; Fri, 19 Feb 2021 13:46:31 -0500
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com
 [10.5.11.22])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 6F4FE100A8E8;
	Fri, 19 Feb 2021 18:46:25 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 49B1410016F9;
	Fri, 19 Feb 2021 18:46:25 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 13AA018095CE;
	Fri, 19 Feb 2021 18:46:25 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com
	[10.5.11.23])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id 11JIkBUf029392 for <libvir-list@listman.util.phx.redhat.com>;
	Fri, 19 Feb 2021 13:46:11 -0500
Received: by smtp.corp.redhat.com (Postfix)
	id 1172219D9C; Fri, 19 Feb 2021 18:46:11 +0000 (UTC)
Received: from localhost.localdomain.com (ovpn-112-33.ams2.redhat.com
	[10.36.112.33])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 742FA1970A;
	Fri, 19 Feb 2021 18:46:09 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1613760394;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=pQ/foB9uBR0CA11WeN72PR/8jMINUpIXOzJt4AZvhbk=;
	b=dkmKQ+MGtH9Lb9w70RBtZ82xLyb3y9SHyVOHlC173mHiZUI1QsxpZ5mYedTmBbMW/z7R0f
	fPk1JY0tceU5mMEJxmPCQId+dSfckcm+uspAo2j573+8DgEu89SrnbHGaVZdMSHEQUY6nk
	DaqchAoyM9eQnG9hlzkd0+qGofRNpFo=
X-MC-Unique: Acckd4leMKadcOxxtMhboA-1
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
To: qemu-devel@nongnu.org
Subject: [PATCH 2/4] ui: introduce "password-secret" option for SPICE server
Date: Fri, 19 Feb 2021 18:45:54 +0000
Message-Id: <20210219184556.154972-3-berrange@redhat.com>
In-Reply-To: <20210219184556.154972-1-berrange@redhat.com>
References: <20210219184556.154972-1-berrange@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
X-loop: libvir-list@redhat.com
Cc: libvir-list@redhat.com, Gerd Hoffmann <kraxel@redhat.com>,
	"Dr. David Alan Gilbert" <dgilbert@redhat.com>
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://listman.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://listman.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://listman.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)

Currently when using SPICE the "password" option provides the password
in plain text on the command line. This is insecure as it is visible
to all processes on the host. As an alternative, the password can be
provided separately via the monitor.

This introduces a "password-secret" option which lets the password be
provided up front.

  $QEMU --object secret,id=3Dvncsec0,file=3Dpasswd.txt \
        --spice port=3D5901,password-secret=3Dvncsec0

Signed-off-by: Daniel P. Berrang=C3=A9 <berrange@redhat.com>
---
 qemu-options.hx |  8 ++++++--
 ui/spice-core.c | 28 ++++++++++++++++++++++++++--
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/qemu-options.hx b/qemu-options.hx
index 893d0f500b..ff4ef3b708 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1898,7 +1898,7 @@ DEF("spice", HAS_ARG, QEMU_OPTION_spice,
     "       [,tls-ciphers=3D<list>]\n"
     "       [,tls-channel=3D[main|display|cursor|inputs|record|playback]]\=
n"
     "       [,plaintext-channel=3D[main|display|cursor|inputs|record|playb=
ack]]\n"
-    "       [,sasl][,password=3D<secret>][,disable-ticketing]\n"
+    "       [,sasl][,password=3D<string>][,password-secret=3D<secret-id>][=
,disable-ticketing]\n"
     "       [,image-compression=3D[auto_glz|auto_lz|quic|glz|lz|off]]\n"
     "       [,jpeg-wan-compression=3D[auto|never|always]]\n"
     "       [,zlib-glz-wan-compression=3D[auto|never|always]]\n"
@@ -1923,9 +1923,13 @@ SRST
     ``ipv4``; \ ``ipv6``; \ ``unix``
         Force using the specified IP version.
=20
-    ``password=3D<secret>``
+    ``password=3D<string>``
         Set the password you need to authenticate.
=20
+    ``password-secret=3D<secret-id>``
+        Set the ID of the ``secret`` object containing the password
+        you need to authenticate.
+
     ``sasl``
         Require that the client use SASL to authenticate with the spice.
         The exact choice of authentication method used is controlled
diff --git a/ui/spice-core.c b/ui/spice-core.c
index beee932f55..353848b244 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -34,6 +34,7 @@
 #include "qapi/qapi-events-ui.h"
 #include "qemu/notify.h"
 #include "qemu/option.h"
+#include "crypto/secret_common.h"
 #include "migration/misc.h"
 #include "hw/pci/pci_bus.h"
 #include "ui/spice-display.h"
@@ -415,6 +416,9 @@ static QemuOptsList qemu_spice_opts =3D {
         },{
             .name =3D "password",
             .type =3D QEMU_OPT_STRING,
+        },{
+            .name =3D "password-secret",
+            .type =3D QEMU_OPT_STRING,
         },{
             .name =3D "disable-ticketing",
             .type =3D QEMU_OPT_BOOL,
@@ -636,7 +640,9 @@ void qemu_spice_display_init_done(void)
 static void qemu_spice_init(void)
 {
     QemuOpts *opts =3D QTAILQ_FIRST(&qemu_spice_opts.head);
-    const char *password, *str, *x509_dir, *addr,
+    char *password =3D NULL;
+    const char *passwordSecret;
+    const char *str, *x509_dir, *addr,
         *x509_key_password =3D NULL,
         *x509_dh_file =3D NULL,
         *tls_ciphers =3D NULL;
@@ -663,7 +669,24 @@ static void qemu_spice_init(void)
         error_report("spice tls-port is out of range");
         exit(1);
     }
-    password =3D qemu_opt_get(opts, "password");
+    passwordSecret =3D qemu_opt_get(opts, "password-secret");
+    if (passwordSecret) {
+        Error *local_err =3D NULL;
+        if (qemu_opt_get(opts, "password")) {
+            error_report("'password' option is mutually exclusive with "
+                         "'password-secret'");
+            exit(1);
+        }
+        password =3D qcrypto_secret_lookup_as_utf8(passwordSecret,
+                                                 &local_err);
+        if (!password) {
+            error_report_err(local_err);
+            exit(1);
+        }
+    } else {
+        str =3D qemu_opt_get(opts, "password");
+        password =3D g_strdup(str);
+    }
=20
     if (tls_port) {
         x509_dir =3D qemu_opt_get(opts, "x509-dir");
@@ -809,6 +832,7 @@ static void qemu_spice_init(void)
     g_free(x509_key_file);
     g_free(x509_cert_file);
     g_free(x509_cacert_file);
+    g_free(password);
=20
 #ifdef HAVE_SPICE_GL
     if (qemu_opt_get_bool(opts, "gl", 0)) {
--=20
2.29.2