[libvirt] [RFC 1/3] qemu: Create domain master key

Daniel P. Berrange berrange at redhat.com
Wed Mar 23 12:44:19 UTC 2016


On Wed, Mar 23, 2016 at 08:36:30AM -0400, John Ferlan wrote:
> 
> 
> On 03/22/2016 10:08 AM, Daniel P. Berrange wrote:
> > On Mon, Mar 21, 2016 at 02:29:00PM -0400, John Ferlan wrote:
> >> Add a masterKey to _qemuDomainObjPrivate to store a base64 encoded domain
> >> master key in order to support the ability to encrypt/decrypt sensitive
> >> data shared between libvirt and qemu. The base64 encoded value will be
> >> written to the domain XML file for consistency between domain restarts.
> > 
> > Ohh, no, we don't want the master key to ever appear in any XML file,
> > because that in turn leads to compromise of user data when reporting
> > bugs. For example if the user provides the CLI args + runtime XML
> > then you can decrypt their passwords from the CLI args. The master
> > key must only ever be in its own file, which minimises the chance of
> > the user ever uploading the master key for their VM with bug reports.
> > 
> 
> OK - well that simplifies certain things; however, I would think that
> means on libvirtd restart we would then have to read the master key file
> in order to repopulate the priv->masterKey, right?

Yes, that's correct.

> >> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
> >> index 9f9fae3..507ae9e 100644
> >> --- a/src/qemu/qemu_domain.c
> >> +++ b/src/qemu/qemu_domain.c
> >> @@ -23,6 +23,7 @@
> >>  
> >>  #include <config.h>
> >>  
> >> +#include <assert.h>
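
Review bot: The added `#include <assert.h>` at the top of src/qemu/qemu_domain.c should be dropped, since it only exists to allow assert() in the driver code that will handle the master key. A failed assert() aborts the whole process instead of failing the one operation, and the check is compiled out entirely when NDEBUG is defined, so it cannot be relied on to validate key data. Write each intended assertion as an explicit condition that reports an error and returns a failure code to the caller.
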
> > 
> > We have a general rule that libvirt should never assert() in its
> > code, so don't add this. Errors should always propagate back
> > to a virErrorPtr.
> > 
> > 
> 
> OK - although it is used today in virsh/vsh and remote_driver...

Using it in virsh is ok as that's a client app. We shouldn't use it
in the remote_driver though - I'd not noticed that actually.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
