[libvirt] [RFC 0/3] Master secret key support

Posted as RFC primarily to make sure there's buyin for something that will become the basis for more patches to add support for using the master secret to encrypt sensitive data using objects. This work is related to the QEMU 2.6 commit 'ac1d8878' (not a libvirt commit, rather a qemu.git commit id). Hopefully I've properly read the qemu checkin notes as they relate to key generation. One thing of note that differs from other descriptions for a master secret. Most bz's where it's described indicate using /var/lib/libvirt/qemu/ $GUEST-master.key; whereas, these patches chose a slightly different tact using the generated libDir (/var/lib/libvirt/qemu/domain-#-$GUEST/ master.key). This file will be generated in qemu process launch regardless of whether the emulator supports it or not (because we have the domain private object to access the masterKey, but not in qemuBuildCommandLine). The only odd part for me was the realizing that libDir is created after successfully completing qemuBuildCommandLine - so checking if the file exists before adding it to the command line wasn't possible, but it seems that's no different to other libDir usages. Internally, the I chose to store the secret to be used as a base64 value since 1. it's going to be saved in the domain objects XML output (for libvirtd restart) and 2. it's easy enough to decode if we do need to later on. Not sure it's appropriate to store the non encoded secret in the domain object XML file. One extra area I need help on is the capabilitiesdata setup... That is how to generate the tests/qemucapabilitiesdata/caps_2.6.0-1.replies so that the 'secret' object exists and so that if I add "<flag name='secret'>" to the .caps file I won't get a test failure since the existing one doesn't list the secrets object. I've done a bit of testing locally... Starting with running domains (both persistent and transient) then restarting libvirtd and with starting the same domains with the code running. I didn't update my qemu locally to see the -object on the command line, but the test added does show the -object added (although I it took a double take and some thinking whether /tmp/lib/domain--1-$NAME/ should be used - note the /tmp and the domain--# prefix). John Ferlan (3): qemu: Create domain master key qemu: Add capability bit for qemu secret object qemu: Introduce qemuBuildMasterKeyCommandLine src/qemu/qemu_capabilities.c | 2 + src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_command.c | 67 ++++++++ src/qemu/qemu_domain.c | 175 +++++++++++++++++++++ src/qemu/qemu_domain.h | 11 ++ src/qemu/qemu_process.c | 13 ++ .../qemuxml2argvdata/qemuxml2argv-master-key.args | 23 +++ tests/qemuxml2argvdata/qemuxml2argv-master-key.xml | 30 ++++ tests/qemuxml2argvtest.c | 2 + 9 files changed, 324 insertions(+) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-master-key.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-master-key.xml -- 2.5.0