Add infrastructure for hot- and cold-plug of the secret object holding decryption key for the TLS key.

Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
---
 src/qemu/qemu_block.c | 12 ++++++++++++
 src/qemu/qemu_block.h | 2 ++
 src/qemu/qemu_command.c | 11 ++++++++++-
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index b00694c96f..36fc6784de 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -1542,7 +1542,9 @@ qemuBlockStorageSourceAttachDataFree(qemuBlockStorageSourceAttachDataPtr data)
 virJSONValueFree(data->httpcookiesecretProps);
 virJSONValueFree(data->encryptsecretProps);
 virJSONValueFree(data->tlsProps);
+ virJSONValueFree(data->tlsKeySecretProps);
 VIR_FREE(data->tlsAlias);
+ VIR_FREE(data->tlsKeySecretAlias);
 VIR_FREE(data->authsecretAlias);
 VIR_FREE(data->encryptsecretAlias);
 VIR_FREE(data->httpcookiesecretAlias);
@@ -1617,6 +1619,11 @@ qemuBlockStorageSourceAttachApplyStorageDeps(qemuMonitorPtr mon,
 &data->httpcookiesecretAlias) < 0)
 return -1;

+ if (data->tlsKeySecretProps &&
+ qemuMonitorAddObject(mon, &data->tlsKeySecretProps,
+ &data->tlsKeySecretAlias) < 0)
+ return -1;
+
 if (data->tlsProps &&
 qemuMonitorAddObject(mon, &data->tlsProps, &data->tlsAlias) < 0)
 return -1;
@@ -1766,6 +1773,8 @@ qemuBlockStorageSourceAttachRollback(qemuMonitorPtr mon,

 if (data->tlsAlias)
 ignore_value(qemuMonitorDelObject(mon, data->tlsAlias, false));
+ if (data->tlsKeySecretAlias)
+ ignore_value(qemuMonitorDelObject(mon, data->tlsKeySecretAlias, false));

 virErrorRestore(&orig_err);
 }
@@ -1821,6 +1830,9 @@ qemuBlockStorageSourceDetachPrepare(virStorageSourcePtr src,

 if (srcpriv->httpcookie)
 data->httpcookiesecretAlias = g_strdup(srcpriv->httpcookie->s.aes.alias);
+
+ if (srcpriv->tlsKeySecret)
+ data->tlsKeySecretAlias = g_strdup(srcpriv->tlsKeySecret->s.aes.alias);
 }

 return g_steal_pointer(&data);
diff --git a/src/qemu/qemu_block.h b/src/qemu/qemu_block.h
index 24b87e79db..b1bdb39613 100644
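Review bot: The new qemuMonitorAddObject call for tlsKeySecretProps has to stay ahead of the existing one for tlsProps, because the alias it produces is what qemuBuildStorageSourceAttachPrepareCommon hands to qemuBuildTLSx509BackendProps when building tlsProps (see the qemu_command.c part of this patch), yet nothing at the call site records that dependency and a later reordering would fail at hot-plug time rather than at build time. I would put `/* the tls-creds object in tlsProps refers to this secret by alias; add it first */` above the new condition. qemuBlockStorageSourceAttachApplyStorageDeps continues past both ends of the hunk.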
--- a/src/qemu/qemu_block.h
+++ b/src/qemu/qemu_block.h
@@ -105,6 +105,8 @@ struct qemuBlockStorageSourceAttachData {

 virJSONValuePtr tlsProps;
 char *tlsAlias;
+ virJSONValuePtr tlsKeySecretProps;
+ char *tlsKeySecretAlias;
 };


diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 6e7fd59561..0c4c77cf8c 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -2047,6 +2047,7 @@ qemuBuildBlockStorageSourceAttachDataCommandline(virCommandPtr cmd,
 qemuBuildObjectCommandline(cmd, data->authsecretProps) < 0 ||
 qemuBuildObjectCommandline(cmd, data->encryptsecretProps) < 0 ||
 qemuBuildObjectCommandline(cmd, data->httpcookiesecretProps) < 0 ||
+ qemuBuildObjectCommandline(cmd, data->tlsKeySecretProps) < 0 ||
 qemuBuildObjectCommandline(cmd, data->tlsProps) < 0)
 return -1;

@@ -10161,6 +10162,7 @@ qemuBuildStorageSourceAttachPrepareCommon(virStorageSourcePtr src,
 virQEMUCapsPtr qemuCaps)
 {
 qemuDomainStorageSourcePrivatePtr srcpriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(src);
+ const char *tlsKeySecretAlias = NULL;

 if (src->pr &&
 !virStoragePRDefIsManaged(src->pr) &&
@@ -10180,11 +10182,18 @@ qemuBuildStorageSourceAttachPrepareCommon(virStorageSourcePtr src,
 if (srcpriv->httpcookie &&
 qemuBuildSecretInfoProps(srcpriv->httpcookie, &data->httpcookiesecretProps) < 0)
 return -1;
+
+ if (srcpriv->tlsKeySecret) {
+ if (qemuBuildSecretInfoProps(srcpriv->tlsKeySecret, &data->tlsKeySecretProps) < 0)
+ return -1;
+
+ tlsKeySecretAlias = srcpriv->tlsKeySecret->s.aes.alias;
+ }
 }

 if (src->haveTLS == VIR_TRISTATE_BOOL_YES &&
 qemuBuildTLSx509BackendProps(src->tlsCertdir, false, true, src->tlsAlias,
- NULL, qemuCaps, &data->tlsProps) < 0)
+ tlsKeySecretAlias, qemuCaps, &data->tlsProps) < 0)
 return -1;

 return 0;
-- 
2.26.2
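Review bot: The two members added to struct qemuBlockStorageSourceAttachData carry no comment, and their tie to the neighbouring tlsProps/tlsAlias pair is not recoverable from the names alone, even though the rest of this patch shows the alias is fed into the tls-creds props and that the secret is created before and deleted after that object. I would annotate them, e.g. `virJSONValuePtr tlsKeySecretProps; /* secret holding the decryption key for the TLS private key; must exist before tlsProps */` and `char *tlsKeySecretAlias; /* alias of that secret, as referenced from tlsProps */`. The struct's opening line is visible only in the hunk header and its other members are outside the hunk.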
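Review bot: The secret object is built whenever srcpriv->tlsKeySecret is set, while the tls-creds object meant to consume it is only built under the separate `src->haveTLS == VIR_TRISTATE_BOOL_YES` test a few lines below, so the two conditions can drift apart: if whatever populates tlsKeySecret (outside this patch) does not itself require haveTLS, QEMU is handed a secret carrying the TLS key's decryption key that no object references, both on the command line and via hot-plug. If the population code already guarantees the coupling, a comment at the new block such as `/* only set together with haveTLS == YES; consumed by the tls-creds object built below */` saves the next reader the cross-check; if it does not, gate the secret on haveTLS here and in qemuBlockStorageSourceDetachPrepare alike so attach and detach stay symmetric. The `}` after the new block closes an enclosing block that starts outside the hunk, so I cannot see whether an outer condition already narrows this.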