[libvirt] [PATCH 7/8] qemu: add support for encrypted VNC TLS keys

John Ferlan jferlan at redhat.com
Thu Jan 17 16:11:15 UTC 2019



On 1/16/19 2:41 AM, Ján Tomko wrote:
> Use the password stored in the secret driver under
> the uuid specified by the vnc_tls_x509_secret_uuid
> option in qemu.conf.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1602418
> 
> Signed-off-by: Ján Tomko <jtomko at redhat.com>
> ---
>  src/qemu/qemu_command.c                       | 11 +++++-
>  src/qemu/qemu_domain.c                        |  9 +++++
>  src/qemu/qemu_domain.h                        |  1 +
>  ...graphics-vnc-tls-secret.x86_64-latest.args | 36 +++++++++++++++++++
>  .../graphics-vnc-tls-secret.xml               | 30 ++++++++++++++++
>  tests/qemuxml2argvtest.c                      |  5 +++
>  6 files changed, 91 insertions(+), 1 deletion(-)
>  create mode 100644 tests/qemuxml2argvdata/graphics-vnc-tls-secret.x86_64-latest.args
>  create mode 100644 tests/qemuxml2argvdata/graphics-vnc-tls-secret.xml
> 
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index d130d0463c..e17d7ddec7 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -8037,11 +8037,20 @@ qemuBuildGraphicsVNCCommandLine(virQEMUDriverConfigPtr cfg,
>      if (cfg->vncTLS) {
>          qemuDomainGraphicsPrivatePtr gfxPriv = QEMU_DOMAIN_GRAPHICS_PRIVATE(graphics);
>          if (gfxPriv->tlsAlias) {
> +            const char *secretAlias = NULL;
> +
> +            if (gfxPriv && gfxPriv->secinfo) {

"gfxPriv" check is unnecessary, we would have already died dereffing
tlsAlias.

> +                if (qemuBuildObjectSecretCommandLine(cmd,
> +                                                     gfxPriv->secinfo) < 0)
> +                    goto error;
> +                secretAlias = gfxPriv->secinfo->s.aes.alias;
> +            }
> +
>              if (qemuBuildTLSx509CommandLine(cmd,
>                                              cfg->vncTLSx509certdir,
>                                              true,
>                                              cfg->vncTLSx509verify,
> -                                            NULL,
> +                                            secretAlias,
>                                              gfxPriv->tlsAlias,
>                                              qemuCaps) < 0)
>                  goto error;
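Review bot: `secretAlias = gfxPriv->secinfo->s.aes.alias` reads the aes member of the secinfo union without anything in the hunk recording that an AES-encrypted secret is the only kind that can be attached to graphics; if qemuDomainSecretInfoTLSNew can only produce that kind this is correct, but a reader of qemuBuildGraphicsVNCCommandLine cannot see it, and reading the wrong union member would pass a bogus alias to the tls-creds object. A one-line comment above the assignment would pin the invariant, e.g. `/* graphics secrets are always AES-encrypted (see qemuDomainSecretGraphicsPrepare), so s.aes is the live union member */`. It is also worth noting that the `-object secret` built by qemuBuildObjectSecretCommandLine is emitted before the tls-creds-x509 object that references it, which is the order QEMU needs; keeping the two calls adjacent as done here is good. qemuBuildGraphicsVNCCommandLine starts and ends outside the hunk.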
> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
> index 6960f0569b..da9c4e566d 100644
> --- a/src/qemu/qemu_domain.c
> +++ b/src/qemu/qemu_domain.c
> @@ -1269,6 +1269,7 @@ qemuDomainGraphicsPrivateDispose(void *obj)
>      qemuDomainGraphicsPrivatePtr priv = obj;
>  
>      VIR_FREE(priv->tlsAlias);
> +    qemuDomainSecretInfoFree(&priv->secinfo);
>  }
>  
>  
> @@ -1750,6 +1751,7 @@ qemuDomainSecretGraphicsDestroy(virDomainGraphicsDefPtr graphics)
>          return;
>  
>      VIR_FREE(gfxPriv->tlsAlias);
> +    qemuDomainSecretInfoFree(&gfxPriv->secinfo);

If you use virObjectUnref as noted in patch4, then the change in the
hunk above gives you this for free.

>  }
>  
>  
> @@ -1773,6 +1775,13 @@ qemuDomainSecretGraphicsPrepare(virQEMUDriverConfigPtr cfg,
>      if (VIR_STRDUP(gfxPriv->tlsAlias, "vnc-tls-creds0") < 0)
>          return -1;
>  
> +    if (cfg->vncTLSx509secretUUID) {
> +        gfxPriv->secinfo = qemuDomainSecretInfoTLSNew(priv, gfxPriv->tlsAlias,
> +                                                      cfg->vncTLSx509secretUUID);
> +        if (!gfxPriv->secinfo)
> +            return -1;
> +    }
> +
>      return 0;
>  }
>  
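Review bot: The new `if (!gfxPriv->secinfo) return -1;` makes an unusable vnc_tls_x509_secret_uuid a hard failure rather than a silent fallback to the previous behaviour of passing no secret alias (an unencrypted key), which is the right fail-closed choice, but next to an optional config key a bare `return -1` is easy to misread as "feature not available". A short comment would make the intent explicit, e.g. `/* A configured but unresolvable secret must fail preparation; never fall back to using the key without a passphrase */`. Presumably qemuDomainSecretInfoTLSNew reports the error itself before returning NULL; if it does not, the caller will see a failure with no message. On this path gfxPriv->tlsAlias stays allocated, which matches the existing VIR_STRDUP failure path and relies on the dispose callback to release it. qemuDomainSecretGraphicsPrepare begins outside the hunk.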

Reviewed-by: John Ferlan <jferlan at redhat.com>

John

[...]



