On Tue, Nov 02, 2021 at 10:26:24AM +0100, Peter Krempa wrote:
> On Tue, Nov 02, 2021 at 12:28:29 +0800, longguang.yue wrote:
>
> Firstly I'd like to ask you to follow mailing list posting netiquette
> and don't drop the mailing list on replies from the CC list. My reply
> would then not end up in the archives and the community would not be
> able to refer to it later.
>
> > i use kata on kubernetes. kata manages qemu via qmp directly.
>
> So this makes this out of scope for libvirt. A better forum to ask
> qemu-only related questions is the qemu mailing list.
>
> You can also make this a case for the Kata community to adopt usage of
> libvirt, as libvirt gives you a stable, secure and tested way to manage
> a qemu process. I think the Kata project would benefit from libvirt
> usage and could focus their efforts on adding features rather than
> reinventing what libvirt has for a long time already.
>
> > suppose secret object does not have keyid and iv, can i store base64-coded ceph-auth-ring into data?
> > could you tell me a complete command to add rbd disk ? no encrypt
>
> Note that would be insecure as anybody with access to the host could
> read the commandline and know your secret.
>
> Let's rephrase your question to: "How does libvirt securely pass
> passwords to qemu on the commandline?"
>
> Libvirt uses two kinds of secrets, which both are secure when used
> properly:
>
> (Note that libvirt nowadays uses direct JSON with -object as it's
> possible starting with qemu-6.0, thus my examples will use the new
> format)
>
> 1) Secret stored in a file:
>
> -object '{"qom-type":"secret","id":"masterKey0","format":"raw","file":"/tmp/lib/domain--1-QEMUGuest1/master-key.aes"}'
>
> libvirt uses this format to pass the master key, which is used to
> encrypt other secrets, but any other secret can be passed this way. It's
> a bit tedious, and that's the reason why libvirt passes only the master
> key using the file.
>
> When the access permissions are set properly this way is secure.
>
> 2) Inline (base64) encrypted secrets
>
> -object '{"qom-type":"secret","id":"libvirt-5-storage-auth-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwU6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}'
>
> This secret is encrypted using the master key (as you can see above).
> When inspecting the commandline an attacker can't tell the original
> value.
>
> Theoretically when using the monitor (QMP) it's also secure to pass a
> plaintext secret, but that's tricky if the monitor traffic is logged, so
> libvirt opted to use encrypted secrets also in that case.
Yep, there is a rich history of log files compromising secret data
resulting in CVEs, so absolutely don't pass secrets in clear text
over QMP at any time for production environments.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
