https://bugzilla.redhat.com/show_bug.cgi?id=1300776 Complete the implementation of support for TLS encryption on chardev TCP transports by adding the hotplug ability of a secret to generate the passwordid for the TLS object Likewise, add the ability to hot unplug that secret object as well Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx> --- src/qemu/qemu_driver.c | 2 +- src/qemu/qemu_hotplug.c | 43 +++++++++++++++++++++++++++++++++++++++++-- src/qemu/qemu_hotplug.h | 3 ++- tests/qemuhotplugtest.c | 2 +- 4 files changed, 45 insertions(+), 5 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index ee717f0..aba5a69 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -7516,7 +7516,7 @@ qemuDomainAttachDeviceLive(virDomainObjPtr vm, break; case VIR_DOMAIN_DEVICE_CHR: - ret = qemuDomainAttachChrDevice(driver, vm, + ret = qemuDomainAttachChrDevice(dom->conn, driver, vm, dev->data.chr); if (!ret) { alias = dev->data.chr->info.alias; diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 1a07a32..42b5778 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1513,7 +1513,8 @@ qemuDomainAttachChrDeviceAssignAddr(qemuDomainObjPrivatePtr priv, return 0; } -int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, +int qemuDomainAttachChrDevice(virConnectPtr conn, + virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainChrDefPtr chr) { @@ -1526,6 +1527,8 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, char *charAlias = NULL; virJSONValuePtr props = NULL; char *objAlias = NULL; + virJSONValuePtr secprops = NULL; + char *secAlias = NULL; bool need_release = false; if (chr->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CHANNEL && 
@@ -1549,11 +1552,28 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, if (qemuDomainChrPreInsert(vmdef, chr) < 0) goto cleanup; + if (qemuDomainSecretChardevPrepare(conn, priv, chr) < 0) + goto cleanup; + if (cfg->chardevTLS) { + /* Add a secret object in order to access the TLS environment + * if provided of course */ + if (dev->data.tcp.sectype == VIR_SECRET_USAGE_TYPE_PASSPHRASE) { + qemuDomainChardevPrivatePtr chardevPriv = + QEMU_DOMAIN_CHARDEV_PRIVATE(chr); + qemuDomainSecretInfoPtr secinfo = chardevPriv->secinfo; + + if (qemuBuildSecretInfoProps(secinfo, &secprops) < 0) + goto cleanup; + + if (!(secAlias = qemuDomainGetSecretAESAlias(charAlias))) + goto cleanup; + } + if (qemuBuildTLSx509BackendProps(cfg->chardevTLSx509certdir, dev->data.tcp.listen, cfg->chardevTLSx509verify, - NULL, + secAlias, priv->qemuCaps, &props) < 0) goto cleanup; @@ -1565,6 +1585,10 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, qemuDomainObjEnterMonitor(driver, vm); + if (secAlias && qemuMonitorAddObject(priv->mon, "secret", + secAlias, secprops) < 0) + goto failsecobject; + if (objAlias && qemuMonitorAddObject(priv->mon, "tls-creds-x509", objAlias, props) < 0) goto failobject; @@ -1589,6 +1613,8 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, qemuDomainReleaseDeviceAddress(vm, &chr->info, NULL); VIR_FREE(objAlias); virJSONValueFree(props); + VIR_FREE(secAlias); + virJSONValueFree(secprops); VIR_FREE(charAlias); VIR_FREE(devstr); virObjectUnref(cfg); @@ -1601,6 +1627,9 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, /* Remove the object */ ignore_value(qemuMonitorDelObject(priv->mon, objAlias)); failobject: + /* Remove the secobject */ + ignore_value(qemuMonitorDelObject(priv->mon, secAlias)); + failsecobject: ignore_value(qemuDomainObjExitMonitor(driver, vm)); goto audit; } 
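Review bot: Inside the new `if (cfg->chardevTLS)` body, `dev->data.tcp.sectype` is read without first confirming `dev->type == VIR_DOMAIN_CHR_TYPE_TCP`; `data` is a union, so for a pty/unix/file chardev this compares whatever member overlaps `sectype`, can spuriously enter the passphrase branch, and then dereferences `chardevPriv->secinfo`, which qemuDomainSecretChardevPrepare() presumably leaves NULL for non-TCP sources (its body is not visible here). The pre-existing `dev->data.tcp.listen` argument has the same shape, so the simplest fix is to gate the whole block on the source type: `if (cfg->chardevTLS && dev->type == VIR_DOMAIN_CHR_TYPE_TCP) {`. If only the new branch is tightened, write it as `if (dev->type == VIR_DOMAIN_CHR_TYPE_TCP && dev->data.tcp.sectype == VIR_SECRET_USAGE_TYPE_PASSPHRASE) {` and NULL-check `secinfo` before calling `qemuBuildSecretInfoProps()`. qemuDomainAttachChrDevice starts and ends outside this hunk.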
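Review bot: The new `ignore_value(qemuMonitorDelObject(priv->mon, secAlias));` under `failobject:` runs whenever the tls-creds add fails, including the common case where no passphrase secret was requested and `secAlias` is still NULL; that issues an object-del with no id, which can only fail, and the error it reports may replace the one the caller would otherwise surface (no saved/restored error is visible around this path). Guard it the same way the add was guarded: `if (secAlias) ignore_value(qemuMonitorDelObject(priv->mon, secAlias));`. The context `qemuMonitorDelObject(priv->mon, objAlias)` line has the same shape, but that is pre-existing. qemuDomainAttachChrDevice's body continues outside the hunk.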
@@ -4115,6 +4144,7 @@ int qemuDomainDetachChrDevice(virQEMUDriverPtr driver, qemuDomainObjPrivatePtr priv = vm->privateData; virDomainDefPtr vmdef = vm->def; virDomainChrDefPtr tmpChr; + virDomainChrSourceDefPtr dev = &chr->source; char *objAlias = NULL; char *devstr = NULL; @@ -4139,6 +4169,15 @@ int qemuDomainDetachChrDevice(virQEMUDriverPtr driver, qemuDomainMarkDeviceForRemoval(vm, &tmpChr->info); qemuDomainObjEnterMonitor(driver, vm); + if (dev->data.tcp.sectype == VIR_SECRET_USAGE_TYPE_PASSPHRASE) { + qemuDomainChardevPrivatePtr chardevPriv = + QEMU_DOMAIN_CHARDEV_PRIVATE(chr); + qemuDomainSecretInfoPtr secinfo = chardevPriv->secinfo; + + if (qemuMonitorDelObject(priv->mon, secinfo->s.aes.alias) < 0) + goto faildel; + } + if (objAlias && qemuMonitorDelObject(priv->mon, objAlias) < 0) goto faildel; diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h index 165d345..a299ea1 100644 --- a/src/qemu/qemu_hotplug.h +++ b/src/qemu/qemu_hotplug.h @@ -92,7 +92,8 @@ int qemuDomainAttachLease(virQEMUDriverPtr driver, int qemuDomainDetachLease(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainLeaseDefPtr lease); -int qemuDomainAttachChrDevice(virQEMUDriverPtr driver, +int qemuDomainAttachChrDevice(virConnectPtr conn, + virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainChrDefPtr chr); int qemuDomainDetachChrDevice(virQEMUDriverPtr driver, diff --git a/tests/qemuhotplugtest.c b/tests/qemuhotplugtest.c index 91bf331..c4412b6 100644 --- a/tests/qemuhotplugtest.c +++ b/tests/qemuhotplugtest.c @@ -116,7 +116,7 @@ testQemuHotplugAttach(virDomainObjPtr vm, ret = qemuDomainAttachDeviceDiskLive(NULL, &driver, vm, dev); break; case VIR_DOMAIN_DEVICE_CHR: - ret = qemuDomainAttachChrDevice(&driver, vm, dev->data.chr); + ret = qemuDomainAttachChrDevice(NULL, &driver, vm, dev->data.chr); break; default: VIR_TEST_VERBOSE("device type '%s' cannot be attached\n", -- 2.5.5 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
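Review bot: The new block dereferences `chardevPriv->secinfo->s.aes.alias` without a NULL check, and it takes the private data from the caller-supplied `chr` rather than from `tmpChr`, the live definition the surrounding code already looked up (`qemuDomainMarkDeviceForRemoval(vm, &tmpChr->info)`); the secinfo populated by qemuDomainSecretChardevPrepare() belongs to the chardev object inserted into the live definition, so on a detach request parsed from fresh XML `secinfo` is presumably NULL and this crashes libvirtd while the monitor is held. The `virDomainChrSourceDefPtr dev = &chr->source;` added in the earlier hunk has the same chr-vs-tmpChr problem and also reads the `tcp` union member before checking `dev->type`. I would mirror the attach path instead of relying on secinfo surviving until detach: derive the alias with `qemuDomainGetSecretAESAlias()` from the same chardev alias used for `objAlias`, guarded by `tmpChr->source.type == VIR_DOMAIN_CHR_TYPE_TCP && tmpChr->source.data.tcp.sectype == VIR_SECRET_USAGE_TYPE_PASSPHRASE`, and free it in cleanup. qemuDomainDetachChrDevice starts and ends outside this hunk.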