[PATCH v6 4/5] qemu: Add a secret object to/for a chardev tcp with secret

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Add the secret object prior to the chardev tcp so the 'passwordid=' can
be added if the domain XML has a <secret> for the chardev TLS.

Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
---
 src/qemu/qemu_command.c                            | 32 ++++++-
 src/qemu/qemu_command.h                            |  1 +
 src/qemu/qemu_domain.c                             | 99 +++++++++++++++++++++-
 src/qemu/qemu_domain.h                             | 16 +++-
 src/qemu/qemu_hotplug.c                            |  1 +
 src/qemu/qemu_process.c                            |  6 +-
 ...xml2argv-serial-tcp-tlsx509-secret-chardev.args | 38 +++++++++
 ...uxml2argv-serial-tcp-tlsx509-secret-chardev.xml | 50 +++++++++++
 tests/qemuxml2argvtest.c                           | 19 +++++
 9 files changed, 253 insertions(+), 9 deletions(-)
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.xml

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 1fd57b0..b9179f0 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -683,6 +683,7 @@ qemuBuildRBDSecinfoURI(virBufferPtr buf,
  * @tlspath: path to the TLS credentials
  * @listen: boolen listen for client or server setting
  * @verifypeer: boolean to enable peer verification (form of authorization)
+ * @secalias: if one exists, the alias of the security object for passwordid
  * @qemuCaps: capabilities
  * @propsret: json properties to return
  *
@@ -694,6 +695,7 @@ int
 qemuBuildTLSx509BackendProps(const char *tlspath,
                              bool listen,
                              bool verifypeer,
+                             const char *secalias,
                              virQEMUCapsPtr qemuCaps,
                              virJSONValuePtr *propsret)
 {
@@ -719,6 +721,10 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
                                  NULL) < 0)
         goto cleanup;
 
+    if (secalias &&
+        virJSONValueObjectAdd(*propsret, "s:passwordid", secalias, NULL) < 0)
+        goto cleanup;
+
     ret = 0;
 
  cleanup:
@@ -733,6 +739,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
  * @tlspath: path to the TLS credentials
  * @listen: boolen listen for client or server setting
  * @verifypeer: boolean to enable peer verification (form of authorization)
+ * @addpasswordid: boolean to handle adding passwordid to object
  * @inalias: Alias for the parent to generate object alias
  * @qemuCaps: capabilities
  *
@@ -745,6 +752,7 @@ qemuBuildTLSx509CommandLine(virCommandPtr cmd,
                             const char *tlspath,
                             bool listen,
                             bool verifypeer,
+                            bool addpasswordid,
                             const char *inalias,
                             virQEMUCapsPtr qemuCaps)
 {
@@ -752,11 +760,16 @@ qemuBuildTLSx509CommandLine(virCommandPtr cmd,
     char *objalias = NULL;
     virJSONValuePtr props = NULL;
     char *tmp = NULL;
+    char *secalias = NULL;
 
-    if (qemuBuildTLSx509BackendProps(tlspath, listen, verifypeer,
-                                     qemuCaps, &props) < 0)
+    if (addpasswordid &&
+        !(secalias = qemuDomainGetSecretAESAlias(inalias, false)))
         return -1;
 
+    if (qemuBuildTLSx509BackendProps(tlspath, listen, verifypeer, secalias,
+                                     qemuCaps, &props) < 0)
+        goto cleanup;
+
     if (!(objalias = qemuAliasTLSObjFromChardevAlias(inalias)))
         goto cleanup;
 
@@ -772,6 +785,7 @@ qemuBuildTLSx509CommandLine(virCommandPtr cmd,
     virJSONValueFree(props);
     VIR_FREE(objalias);
     VIR_FREE(tmp);
+    VIR_FREE(secalias);
     return ret;
 }
 
@@ -5063,6 +5077,7 @@ qemuBuildChrChardevStr(virLogManagerPtr logManager,
                 if (qemuBuildTLSx509CommandLine(cmd, cfg->chardevTLSx509certdir,
                                                 dev->data.tcp.listen,
                                                 cfg->chardevTLSx509verify,
+                                                cfg->chardevTLSx509haveUUID,
                                                 alias, qemuCaps) < 0)
                     goto error;
 
@@ -8708,6 +8723,19 @@ qemuBuildSerialCommandLine(virLogManagerPtr logManager,
 
         /* Use -chardev with -device if they are available */
         if (virQEMUCapsSupportsChardev(def, qemuCaps, serial)) {
+            qemuDomainChardevPrivatePtr chardevPriv =
+                QEMU_DOMAIN_CHARDEV_PRIVATE(serial);
+            qemuDomainSecretInfoPtr secinfo = chardevPriv->secinfo;
+
+            /* Add the secret object first if necessary. The
+             * secinfo is added only to a TCP serial device during
+             * qemuDomainSecretChardevPrepare. Subsequent called
+             * functions can just check the config fields */
+            if (cfg->chardevTLS && cfg->chardevTLSx509haveUUID &&
+                serial->source.type == VIR_DOMAIN_CHR_TYPE_TCP &&
+                qemuBuildObjectSecretCommandLine(cmd, secinfo) < 0)
+                return -1;
+
             if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
                                                   &serial->source,
                                                   serial->info.alias,
diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h
index b7c59bb..5d303ce 100644
--- a/src/qemu/qemu_command.h
+++ b/src/qemu/qemu_command.h
@@ -69,6 +69,7 @@ int qemuBuildSecretInfoProps(qemuDomainSecretInfoPtr secinfo,
 int qemuBuildTLSx509BackendProps(const char *tlspath,
                                  bool listen,
                                  bool verifypeer,
+                                 const char *secalias,
                                  virQEMUCapsPtr qemuCaps,
                                  virJSONValuePtr *propsret);
 
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index cab1f24..434bad1 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1042,7 +1042,8 @@ qemuDomainSecretSetup(virConnectPtr conn,
     if (virCryptoHaveCipher(VIR_CRYPTO_CIPHER_AES256CBC) &&
         virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_OBJECT_SECRET) &&
         (secretUsageType == VIR_SECRET_USAGE_TYPE_CEPH ||
-         secretUsageType == VIR_SECRET_USAGE_TYPE_VOLUME)) {
+         secretUsageType == VIR_SECRET_USAGE_TYPE_VOLUME ||
+         secretUsageType == VIR_SECRET_USAGE_TYPE_TLS)) {
         if (qemuDomainSecretAESSetup(conn, priv, secinfo, srcalias,
                                      secretUsageType, username,
                                      seclookupdef, isLuks) < 0)
@@ -1223,6 +1224,91 @@ qemuDomainSecretHostdevPrepare(virConnectPtr conn,
 }
 
 
+/* qemuDomainSecretChardevDestroy:
+ * @disk: Pointer to a chardev definition
+ *
+ * Clear and destroy memory associated with the secret
+ */
+void
+qemuDomainSecretChardevDestroy(virDomainChrDefPtr chardev)
+{
+    qemuDomainChardevPrivatePtr chardevPriv =
+        QEMU_DOMAIN_CHARDEV_PRIVATE(chardev);
+
+    if (!chardevPriv || !chardevPriv->secinfo)
+        return;
+
+    qemuDomainSecretInfoFree(&chardevPriv->secinfo);
+}
+
+
+/* qemuDomainSecretChardevPrepare:
+ * @conn: Pointer to connection
+ * @driver: Pointer to driver object
+ * @priv: pointer to domain private object
+ * @chardev: Pointer to a chardev definition
+ *
+ * For a serial TCP character device, generate a qemuDomainSecretInfo to be
+ * used by the command line code to generate the secret for the tls-creds
+ * to use.
+ *
+ * Returns 0 on success, -1 on failure
+ */
+int
+qemuDomainSecretChardevPrepare(virConnectPtr conn,
+                               virQEMUDriverPtr driver,
+                               qemuDomainObjPrivatePtr priv,
+                               virDomainChrDefPtr chardev)
+{
+    virQEMUDriverConfigPtr cfg;
+    virSecretLookupTypeDef seclookupdef = {0};
+    qemuDomainSecretInfoPtr secinfo = NULL;
+
+    if (!conn || chardev->deviceType != VIR_DOMAIN_CHR_DEVICE_TYPE_SERIAL ||
+        chardev->source.type != VIR_DOMAIN_CHR_TYPE_TCP)
+        return 0;
+
+    cfg = virQEMUDriverGetConfig(driver);
+    if (cfg->chardevTLS && cfg->chardevTLSx509haveUUID) {
+        qemuDomainChardevPrivatePtr chardevPriv =
+            QEMU_DOMAIN_CHARDEV_PRIVATE(chardev);
+
+        if (virUUIDParse(cfg->chardevTLSx509secretUUID,
+                         seclookupdef.u.uuid) < 0) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                           _("malformed chardev TLS secret uuid in qemu.conf"));
+            goto error;
+        }
+        seclookupdef.type = VIR_SECRET_LOOKUP_TYPE_UUID;
+
+        if (VIR_ALLOC(secinfo) < 0)
+            goto error;
+
+        if (qemuDomainSecretSetup(conn, priv, secinfo, chardev->info.alias,
+                                  VIR_SECRET_USAGE_TYPE_TLS, NULL,
+                                  &seclookupdef, false) < 0)
+            goto error;
+
+        if (secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_PLAIN) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                           _("TLS X.509 requires encrypted secrets "
+                             "to be supported"));
+            goto error;
+        }
+
+        chardevPriv->secinfo = secinfo;
+    }
+
+    virObjectUnref(cfg);
+    return 0;
+
+ error:
+    virObjectUnref(cfg);
+    qemuDomainSecretInfoFree(&secinfo);
+    return -1;
+}
+
+
 /* qemuDomainSecretDestroy:
  * @vm: Domain object
  *
@@ -1239,11 +1325,15 @@ qemuDomainSecretDestroy(virDomainObjPtr vm)
 
     for (i = 0; i < vm->def->nhostdevs; i++)
         qemuDomainSecretHostdevDestroy(vm->def->hostdevs[i]);
+
+    for (i = 0; i < vm->def->nserials; i++)
+        qemuDomainSecretChardevDestroy(vm->def->serials[i]);
 }
 
 
 /* qemuDomainSecretPrepare:
  * @conn: Pointer to connection
+ * @driver: Pointer to driver object
  * @vm: Domain object
  *
  * For any objects that may require an auth/secret setup, create a
@@ -1256,6 +1346,7 @@ qemuDomainSecretDestroy(virDomainObjPtr vm)
  */
 int
 qemuDomainSecretPrepare(virConnectPtr conn,
+                        virQEMUDriverPtr driver,
                         virDomainObjPtr vm)
 {
     qemuDomainObjPrivatePtr priv = vm->privateData;
@@ -1272,6 +1363,12 @@ qemuDomainSecretPrepare(virConnectPtr conn,
             return -1;
     }
 
+    for (i = 0; i < vm->def->nserials; i++) {
+        if (qemuDomainSecretChardevPrepare(conn, driver, priv,
+                                           vm->def->serials[i]) < 0)
+            return -1;
+    }
+
     return 0;
 }
 
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index a4ead86..3e4e21e 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -723,11 +723,23 @@ int qemuDomainSecretHostdevPrepare(virConnectPtr conn,
                                    virDomainHostdevDefPtr hostdev)
     ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
 
+void qemuDomainSecretChardevDestroy(virDomainChrDefPtr chardev)
+    ATTRIBUTE_NONNULL(1);
+
+int qemuDomainSecretChardevPrepare(virConnectPtr conn,
+                                   virQEMUDriverPtr driver,
+                                   qemuDomainObjPrivatePtr priv,
+                                   virDomainChrDefPtr chardev)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
+    ATTRIBUTE_NONNULL(4);
+
 void qemuDomainSecretDestroy(virDomainObjPtr vm)
     ATTRIBUTE_NONNULL(1);
 
-int qemuDomainSecretPrepare(virConnectPtr conn, virDomainObjPtr vm)
-    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
+int qemuDomainSecretPrepare(virConnectPtr conn,
+                            virQEMUDriverPtr driver,
+                            virDomainObjPtr vm)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
 
 int qemuDomainDefValidateDiskLunSource(const virStorageSource *src)
     ATTRIBUTE_NONNULL(1);
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index 4aa85e7..eb5de7b 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1682,6 +1682,7 @@ int qemuDomainAttachChrDevice(virQEMUDriverPtr driver,
         if (qemuBuildTLSx509BackendProps(cfg->chardevTLSx509certdir,
                                          dev->data.tcp.listen,
                                          cfg->chardevTLSx509verify,
+                                         NULL,
                                          priv->qemuCaps,
                                          &tlsProps) < 0)
             goto cleanup;
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 7596579..9ca7f25 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -4954,7 +4954,6 @@ qemuProcessPrepareDomain(virConnectPtr conn,
     size_t i;
     char *nodeset = NULL;
     qemuDomainObjPrivatePtr priv = vm->privateData;
-    virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
     virCapsPtr caps;
 
     if (!(caps = virQEMUDriverGetCapabilities(driver, false)))
@@ -5020,8 +5019,8 @@ qemuProcessPrepareDomain(virConnectPtr conn,
     if (qemuDomainMasterKeyCreate(vm) < 0)
         goto cleanup;
 
-    VIR_DEBUG("Add secrets to disks and hostdevs");
-    if (qemuDomainSecretPrepare(conn, vm) < 0)
+    VIR_DEBUG("Add secrets to disks, hostdevs, and chardevs");
+    if (qemuDomainSecretPrepare(conn, driver, vm) < 0)
         goto cleanup;
 
     for (i = 0; i < vm->def->nchannels; i++) {
@@ -5046,7 +5045,6 @@ qemuProcessPrepareDomain(virConnectPtr conn,
  cleanup:
     VIR_FREE(nodeset);
     virObjectUnref(caps);
-    virObjectUnref(cfg);
     return ret;
 }
 
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
new file mode 100644
index 0000000..5859c74
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
@@ -0,0 +1,38 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/home/test \
+USER=test \
+LOGNAME=test \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu \
+-name QEMUGuest1 \
+-S \
+-object secret,id=masterKey0,format=raw,\
+file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
+-M pc \
+-m 214 \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-nographic \
+-nodefconfig \
+-nodefaults \
+-chardev socket,id=charmonitor,path=/tmp/lib/domain--1-QEMUGuest1/monitor.sock,\
+server,nowait \
+-mon chardev=charmonitor,id=monitor,mode=readline \
+-no-acpi \
+-boot c \
+-usb \
+-drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-ide0-0-0 \
+-device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \
+-chardev udp,id=charserial0,host=127.0.0.1,port=2222,localaddr=127.0.0.1,\
+localport=1111 \
+-device isa-serial,chardev=charserial0,id=serial0 \
+-object secret,id=serial1-secret0,\
+data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+-object tls-creds-x509,id=objserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+endpoint=client,verify-peer=yes,passwordid=serial1-secret0 \
+-chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+tls-creds=objserial1_tls0 \
+-device isa-serial,chardev=charserial1,id=serial1 \
+-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.xml b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.xml
new file mode 100644
index 0000000..832e2a2
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.xml
@@ -0,0 +1,50 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219136</memory>
+  <currentMemory unit='KiB'>219136</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='i686' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu</emulator>
+    <disk type='block' device='disk'>
+      <source dev='/dev/HostVG/QEMUGuest1'/>
+      <target dev='hda' bus='ide'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='usb' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
+    </controller>
+    <controller type='ide' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
+    </controller>
+    <controller type='pci' index='0' model='pci-root'/>
+    <serial type='udp'>
+      <source mode='bind' host='127.0.0.1' service='1111'/>
+      <source mode='connect' host='127.0.0.1' service='2222'/>
+      <target port='0'/>
+    </serial>
+    <serial type='tcp'>
+      <source mode='connect' host='127.0.0.1' service='5555'/>
+      <protocol type='raw'/>
+      <target port='0'/>
+    </serial>
+    <console type='udp'>
+      <source mode='bind' host='127.0.0.1' service='1111'/>
+      <source mode='connect' host='127.0.0.1' service='2222'/>
+      <target type='serial' port='0'/>
+    </console>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <memballoon model='virtio'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+    </memballoon>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index ca48056..fa190e9 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -1122,6 +1122,25 @@ mymain(void)
     DO_TEST("serial-tcp-tlsx509-chardev-disableTLS",
             QEMU_CAPS_CHARDEV, QEMU_CAPS_NODEFCONFIG,
             QEMU_CAPS_OBJECT_TLS_CREDS_X509);
+    VIR_FREE(driver.config->chardevTLSx509certdir);
+    if (VIR_STRDUP_QUIET(driver.config->chardevTLSx509certdir, "/etc/pki/libvirt-chardev") < 0)
+        return EXIT_FAILURE;
+    driver.config->chardevTLSx509verify = 1;
+    if (VIR_STRDUP_QUIET(driver.config->chardevTLSx509secretUUID,
+                         "6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea") < 0)
+        return EXIT_FAILURE;
+    driver.config->chardevTLSx509haveUUID = true;
+# ifdef HAVE_GNUTLS_CIPHER_ENCRYPT
+    DO_TEST("serial-tcp-tlsx509-secret-chardev",
+            QEMU_CAPS_CHARDEV, QEMU_CAPS_NODEFCONFIG,
+            QEMU_CAPS_OBJECT_SECRET,
+            QEMU_CAPS_OBJECT_TLS_CREDS_X509);
+# else
+    DO_TEST_FAILURE("serial-tcp-tlsx509-secret-chardev",
+                    QEMU_CAPS_CHARDEV, QEMU_CAPS_NODEFCONFIG,
+                    QEMU_CAPS_OBJECT_SECRET,
+                    QEMU_CAPS_OBJECT_TLS_CREDS_X509);
+# endif
     driver.config->chardevTLS = 0;
     VIR_FREE(driver.config->chardevTLSx509certdir);
     DO_TEST("serial-many-chardev",
-- 
2.7.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]