Re: [PATCHv2 8/8] qemu: error out when vnc vncTLSx509secretUUID is unsupported

John Ferlan <jferlan@xxxxxxxxxx> · Mon, 21 Jan 2019 18:15:02 -0500

On 1/21/19 7:59 AM, Ján Tomko wrote:
> Add a capability check to qemuDomainDefValidate and refuse to start
> a domain with VNC graphics if the TLS secret was set in qemu.conf
> and it's not supported.
> 
> Note that qemuDomainSecretGraphicsPrepare does not generate any
> secret data if the capability is not present and qemuBuildTLSx509BackendProps
> is not called at all.
> 
> Signed-off-by: Ján Tomko <jtomko@xxxxxxxxxx>
> ---
>  src/qemu/qemu_domain.c | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
> 

Some day I see a patch to create a qemuDomainDefValidateGraphics being
created ;-)

Whether you add the NB below or not,

Reviewed-by: John Ferlan <jferlan@xxxxxxxxxx>

John

> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
> index 22d93d56f9..32a43f2064 100644
> --- a/src/qemu/qemu_domain.c
> +++ b/src/qemu/qemu_domain.c
> @@ -4112,8 +4112,10 @@ qemuDomainDefValidate(const virDomainDef *def,
>                        void *opaque)
>  {
>      virQEMUDriverPtr driver = opaque;
> +    virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
>      virQEMUCapsPtr qemuCaps = NULL;
>      int ret = -1;
> +    size_t i;
>  
>      if (!(qemuCaps = virQEMUCapsCacheLookup(driver->qemuCapsCache,
>                                              def->emulator)))
> @@ -4234,10 +4236,23 @@ qemuDomainDefValidate(const virDomainDef *def,
>      if (qemuDomainDefValidateMemory(def, qemuCaps) < 0)
>          goto cleanup;
>  

   /* NB: It is possible that vncTLS is set and we're using old style
    *     certificate processing without an X.509 object */

> +    if (cfg->vncTLS && cfg->vncTLSx509secretUUID &&
> +        !virQEMUCapsGet(qemuCaps, QEMU_CAPS_OBJECT_TLS_CREDS_X509)) {
> +        for (i = 0; i < def->ngraphics; i++) {
> +            if (def->graphics[i]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC) {
> +                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> +                               _("encrypted VNC TLS keys are not supported with "
> +                                 "this QEMU binary"));
> +                goto cleanup;
> +            }
> +        }
> +    }
> +
>      ret = 0;
>  
>   cleanup:
>      virObjectUnref(qemuCaps);
> +    virObjectUnref(cfg);
>      return ret;
>  }
>  
> 

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list