[PATCH 09/24] qemu: conf: Add configuration of TLS key encryption for 'vxhs' and 'nbd' disks

Peter Krempa pkrempa at redhat.com
Thu Jul 2 14:39:55 UTC 2020


Until now libvirt didn't allow using an encrypted TLS private key for disk clients.

Add fields for configuring the secret and propagate defaults.

Signed-off-by: Peter Krempa <pkrempa at redhat.com>
---
 src/qemu/libvirtd_qemu.aug         |  2 ++
 src/qemu/qemu.conf                 | 19 +++++++++++++++++++
 src/qemu/qemu_conf.c               | 13 +++++++++----
 src/qemu/qemu_conf.h               |  2 ++
 src/qemu/test_libvirtd_qemu.aug.in |  2 ++
 5 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index 7a6a33c77c..c19a086c38 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -61,9 +61,11 @@ module Libvirtd_qemu =

    let vxhs_entry = bool_entry "vxhs_tls"
                  | str_entry "vxhs_tls_x509_cert_dir"
+                 | str_entry "vxhs_tls_x509_secret_uuid"

    let nbd_entry = bool_entry "nbd_tls"
                  | str_entry "nbd_tls_x509_cert_dir"
+                 | str_entry "nbd_tls_x509_secret_uuid"

    let nogfx_entry = bool_entry "nographics_allow_host_audio"

diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 9b04c8534b..ab403c21ac 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -303,6 +303,15 @@
 #vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"


+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+

 # Enable use of TLS encryption for all NBD disk devices that don't
 # specifically disable it.
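Review bot: The new comment block above `#vxhs_tls_x509_secret_uuid` tells the admin where to obtain the UUID but not when the secret is actually consulted; per the commit message this option exists so that an encrypted TLS private key can be used by the disk client, which is the fact an operator needs in order to decide whether to set it at all. I would add `# The secret holds the passphrase for the private key in vxhs_tls_x509_cert_dir` and `# and is only needed when that key is encrypted.` after the first paragraph. The same wording applies to the nbd_tls_x509_secret_uuid block in the following hunk. Whether the secret must be defined with the same usage type as the other *_tls_x509_secret_uuid entries is not visible in this patch; if so, stating it here would prevent a common misconfiguration.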
@@ -337,6 +346,16 @@
 #nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"


+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
 # In order to override the default TLS certificate location for migration
 # certificates, supply a valid path to the certificate directory. If the
 # provided path does not exist, libvirtd will fail to start. If the path is
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index b9b90e853f..6e673e8f62 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -339,7 +339,10 @@ static void virQEMUDriverConfigDispose(void *obj)
     VIR_FREE(cfg->chardevTLSx509secretUUID);

     VIR_FREE(cfg->vxhsTLSx509certdir);
+    VIR_FREE(cfg->vxhsTLSx509secretUUID);
+
     VIR_FREE(cfg->nbdTLSx509certdir);
+    VIR_FREE(cfg->nbdTLSx509secretUUID);

     VIR_FREE(cfg->migrateTLSx509certdir);
     VIR_FREE(cfg->migrateTLSx509secretUUID);
@@ -477,12 +480,8 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfigPtr cfg,

     if (virConfGetValueBool(conf, "vxhs_tls", &cfg->vxhsTLS) < 0)
         return -1;
-    if (virConfGetValueString(conf, "vxhs_tls_x509_cert_dir", &cfg->vxhsTLSx509certdir) < 0)
-        return -1;
     if (virConfGetValueBool(conf, "nbd_tls", &cfg->nbdTLS) < 0)
         return -1;
-    if (virConfGetValueString(conf, "nbd_tls_x509_cert_dir", &cfg->nbdTLSx509certdir) < 0)
-        return -1;
     if (virConfGetValueBool(conf, "chardev_tls", &cfg->chardevTLS) < 0)
         return -1;

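Review bot: Dropping the explicit `virConfGetValueString(conf, "vxhs_tls_x509_cert_dir", ...)` and `nbd_tls_x509_cert_dir` reads here is only correct if GET_CONFIG_TLS_CERTINFO_COMMON (invoked for vxhs and nbd in a later hunk) reads the `_tls_x509_cert_dir` key as well as the new `_tls_x509_secret_uuid` key; the macro body is outside this patch, so that should be confirmed, since otherwise an admin-configured certificate directory would be silently ignored and the client would trust whatever CA lives in the default directory. A comment at the removal site, `/* vxhs/nbd cert dir and secret UUID are read via GET_CONFIG_TLS_CERTINFO_COMMON below */`, would make the dependency visible to the next person editing this function. virQEMUDriverConfigLoadSpecificTLSEntry starts and continues outside the hunk.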
@@ -512,6 +511,10 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfigPtr cfg,
     GET_CONFIG_TLS_CERTINFO_COMMON(migrate);
     GET_CONFIG_TLS_CERTINFO_SERVER(migrate);

+    GET_CONFIG_TLS_CERTINFO_COMMON(vxhs);
+
+    GET_CONFIG_TLS_CERTINFO_COMMON(nbd);
+
 #undef GET_CONFIG_TLS_CERTINFO_COMMON
 #undef GET_CONFIG_TLS_CERTINFO_SERVER
     return 0;
@@ -1186,6 +1189,8 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
     SET_TLS_SECRET_UUID_DEFAULT(vnc);
     SET_TLS_SECRET_UUID_DEFAULT(chardev);
     SET_TLS_SECRET_UUID_DEFAULT(migrate);
+    SET_TLS_SECRET_UUID_DEFAULT(vxhs);
+    SET_TLS_SECRET_UUID_DEFAULT(nbd);

 #undef SET_TLS_SECRET_UUID_DEFAULT

diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index 4f54c136db..6193a7111c 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -146,9 +146,11 @@ struct _virQEMUDriverConfig {

     bool vxhsTLS;
     char *vxhsTLSx509certdir;
+    char *vxhsTLSx509secretUUID;

     bool nbdTLS;
     char *nbdTLSx509certdir;
+    char *nbdTLSx509secretUUID;

     unsigned int remotePortMin;
     unsigned int remotePortMax;
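Review bot: The new `vxhsTLSx509secretUUID` and `nbdTLSx509secretUUID` fields carry no comment, and the name alone does not tell a reader that the value is a reference to a libvirt secret object rather than key material, nor that it is only relevant when the private key is encrypted (which is what the commit message says it is for). I would add `/* UUID of the libvirt secret holding the passphrase for the private key in vxhsTLSx509certdir; see vxhs_tls_x509_secret_uuid in qemu.conf */` above the vxhs field and the matching comment above the nbd one. struct _virQEMUDriverConfig starts and ends outside the hunk.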
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index e533b9f551..db125bf352 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -28,8 +28,10 @@ module Test_libvirtd_qemu =
 { "chardev_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
 { "vxhs_tls" = "1" }
 { "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" }
+{ "vxhs_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
 { "nbd_tls" = "1" }
 { "nbd_tls_x509_cert_dir" = "/etc/pki/libvirt-nbd" }
+{ "nbd_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
 { "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" }
 { "migrate_tls_x509_verify" = "1" }
 { "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
-- 
2.26.2



