On Wed, Mar 23, 2016 at 08:36:30AM -0400, John Ferlan wrote:
> On 03/22/2016 10:08 AM, Daniel P. Berrange wrote:
> On Mon, Mar 21, 2016 at 02:29:00PM -0400, John Ferlan wrote:
>> Add a masterKey to _qemuDomainObjPrivate to store a base64 encoded domain
>> master key in order to support the ability to encrypt/decrypt sensitive
>> data shared between libvirt and qemu. The base64 encoded value will be
>> written to the domain XML file for consistency between domain restarts.
>
> Ohh, no, we don't want the master key to ever appear in any XML file,
> because that in turn leads to compromise of user data when reporting
> bugs. For example if the user provides the CLI args + runtime XML
> then you can decrypt their passwords from the CLI args. The master
> key must only ever be in its own file, which minimises the chance of
> the user ever uploading the master key for their VM with bug reports.
>
> OK - well that simplifies certain things; however, I would think that
> means on libvirtd restart we would then have to read the master key file
> in order to repopulate the priv->masterKey, right?
Yes, that's correct.
>> diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
>> index 9f9fae3..507ae9e 100644
>> --- a/src/qemu/qemu_domain.c
>> +++ b/src/qemu/qemu_domain.c
>> @@ -23,6 +23,7 @@
>>
>> #include <config.h>
>>
>> +#include <assert.h>
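Review bot: the `+#include <assert.h>` at the end of this hunk brings in assert() for a runtime check, but assert() compiles to nothing when NDEBUG is defined, so whatever condition it guards would silently disappear from release builds and the failure would never be reported; since the project convention stated in the reply is that every failure propagates through a virErrorPtr, drop the include and report the guarded condition as an error instead.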
>
> We have a general rule that libvirt should never assert() in its
> code, so don't add this. Errors should always propagate back
> to a virErrorPtr.
>
>
> OK - although it is used today in virsh/vsh and remote_driver...
Using it in virsh is ok as that's a client app. We shouldn't use it
in the remote_driver though - I'd not noticed that actually.
Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|