From: Daniel P. Berrangé <berrange(a)redhat.com>
QEMU will either use the GNUTLS default priority string of "NORMAL",
or on Fedora/RHEL related distros, "@QEMU,SYSTEM", which resolves to
a configuration in /etc/crypto-policies/back-ends/gnutls.config.
The latter gives the sysadmin the ability to change the priority
string used for GNUTLS at deployment time, either system side, or
exclusively for QEMU, avoiding the hardcoded GNUTLS defaults.
There are still some limitations to this:
* Priorities cannot be set for different areas of QEMU
functionality (migration, vnc, nbd, etc)
* Priorities are fixed at the time when QEMU first
triggers GNUTLS to load its config file, often
immediately at startup.
We recently uncovered a QEMU bug that causes crashes in live
migration with TLS-1.3, where the easiest workaround is to
change the TLS priorities. We can't change this on the running
QEMU, but fortunately it is possible to change it on the target
QEMU and the TLS handshake will make it take effect on both
src and dst.
The problem is, while fixing the immediate incoming and outgoing
live migration problems, the workaround will apply to everything
else that QEMU does for the rest of the time that process exists.
We want to make it possible to set the TLS priorities only for
the current migrations, such that if the target QEMU has a fixed
GNUTLS, it will not have its TLS priorities hobbled for the next
live migration.
To achieve this we need libvirt to be able to (optionally) set
the TLS priority string with QEMU. While live migration is the
most pressing need, the new qemu.conf parameters are wired up
for every subsystem for greater selectivity in future.
With this we can activate the GNUTLS workaround for running
QEMU processes by editing qemu.conf and restarting virtqemud,
and later undo this the same way.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/conf/storage_source_conf.c | 2 +
src/conf/storage_source_conf.h | 1 +
src/qemu/libvirtd_qemu.aug | 6 +++
src/qemu/qemu.conf.in | 37 +++++++++++++++++++
src/qemu/qemu_backup.c | 5 ++-
src/qemu/qemu_blockjob.c | 1 +
src/qemu/qemu_command.c | 15 ++++++--
src/qemu/qemu_command.h | 1 +
src/qemu/qemu_conf.c | 22 +++++++++++
src/qemu/qemu_conf.h | 6 +++
src/qemu/qemu_domain.c | 3 ++
src/qemu/qemu_domain.h | 1 +
src/qemu/qemu_hotplug.c | 4 +-
src/qemu/qemu_hotplug.h | 1 +
src/qemu/qemu_migration_params.c | 1 +
src/qemu/test_libvirtd_qemu.aug.in | 6 +++
...rk-tlsx509-nbd-hostname.x86_64-latest.args | 2 +-
...graphics-vnc-tls-secret.x86_64-latest.args | 2 +-
...-tlsx509-secret-chardev.x86_64-latest.args | 2 +-
tests/qemuxmlconftest.c | 6 +++
20 files changed, 114 insertions(+), 10 deletions(-)
diff --git a/src/conf/storage_source_conf.c b/src/conf/storage_source_conf.c
index 8a063be244..8bab116d89 100644
--- a/src/conf/storage_source_conf.c
+++ b/src/conf/storage_source_conf.c
@@ -832,6 +832,7 @@ virStorageSourceCopy(const virStorageSource *src,
def->compat = g_strdup(src->compat);
def->tlsAlias = g_strdup(src->tlsAlias);
def->tlsCertdir = g_strdup(src->tlsCertdir);
+ def->tlsPriority = g_strdup(src->tlsPriority);
def->tlsHostname = g_strdup(src->tlsHostname);
def->query = g_strdup(src->query);
def->vdpadev = g_strdup(src->vdpadev);
@@ -1185,6 +1186,7 @@ virStorageSourceClear(virStorageSource *def)
VIR_FREE(def->tlsAlias);
VIR_FREE(def->tlsCertdir);
+ VIR_FREE(def->tlsPriority);
VIR_FREE(def->tlsHostname);
VIR_FREE(def->ssh_user);
diff --git a/src/conf/storage_source_conf.h b/src/conf/storage_source_conf.h
index ebddf28cd6..a0d5acdb09 100644
--- a/src/conf/storage_source_conf.h
+++ b/src/conf/storage_source_conf.h
@@ -396,6 +396,7 @@ struct _virStorageSource {
* certificate directory with listen and verify bools. */
char *tlsAlias;
char *tlsCertdir;
+ char *tlsPriority;
/* TLS hostname override */
char *tlsHostname;
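Review bot: The new `tlsPriority` field is the only TLS member of _virStorageSource without a comment, while the sibling `tlsHostname` below it and the `tlsAlias`/`tlsCertdir` pair above it are described; the matching field added to _qemuDomainChrSourcePrivate in qemu_domain.h does carry one. Suggest `char *tlsPriority; /* optional GNUTLS priority string override; NULL keeps QEMU's default */`, which also records that the value is passed through unvalidated as the optional `priority` property of the tls-creds object. The struct definition begins before this hunk.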
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index d36baed6fc..772d4dcabe 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -30,6 +30,7 @@ module Libvirtd_qemu =
let default_tls_entry = str_entry "default_tls_x509_cert_dir"
| bool_entry "default_tls_x509_verify"
| str_entry "default_tls_x509_secret_uuid"
+ | str_entry "default_tls_priority"
let vnc_entry = str_entry "vnc_listen"
| bool_entry "vnc_auto_unix_socket"
@@ -37,6 +38,7 @@ module Libvirtd_qemu =
| str_entry "vnc_tls_x509_cert_dir"
| bool_entry "vnc_tls_x509_verify"
| str_entry "vnc_tls_x509_secret_uuid"
+ | str_entry "vnc_tls_priority"
| str_entry "vnc_password"
| bool_entry "vnc_sasl"
| str_entry "vnc_sasl_dir"
@@ -59,15 +61,18 @@ module Libvirtd_qemu =
| str_entry "chardev_tls_x509_cert_dir"
| bool_entry "chardev_tls_x509_verify"
| str_entry "chardev_tls_x509_secret_uuid"
+ | str_entry "chardev_tls_priority"
let migrate_entry = str_entry "migrate_tls_x509_cert_dir"
| bool_entry "migrate_tls_x509_verify"
| str_entry "migrate_tls_x509_secret_uuid"
+ | str_entry "migrate_tls_priority"
| bool_entry "migrate_tls_force"
let backup_entry = str_entry "backup_tls_x509_cert_dir"
| bool_entry "backup_tls_x509_verify"
| str_entry "backup_tls_x509_secret_uuid"
+ | str_entry "backup_tls_priority"
(* support for vxhs was removed from qemu and the examples were dopped from *)
(* qemu.conf but these need to stay *)
@@ -78,6 +83,7 @@ module Libvirtd_qemu =
let nbd_entry = bool_entry "nbd_tls"
| str_entry "nbd_tls_x509_cert_dir"
| str_entry "nbd_tls_x509_secret_uuid"
+ | str_entry "nbd_tls_priority"
let nogfx_entry = bool_entry "nographics_allow_host_audio"
diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
index eee190cf0b..7602e777ae 100644
--- a/src/qemu/qemu.conf.in
+++ b/src/qemu/qemu.conf.in
@@ -63,6 +63,18 @@
#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Libvirt allows QEMU to use its built-in TLS priority by default,
+# however, this allows overriding it at runtime. This is especially
+# useful if TLS priority needs to be changed for an operation run
+# against an existing running QEMU.
+#
+# This must be a valid GNUTLS priority string:
+#
+#
https://gnutls.org/manual/html_node/Priority-Strings.html
+#
+#default_tls_priority = "@SYSTEM"
+
+
# VNC is configured to listen on 127.0.0.1 by default.
# To make it listen on all public interfaces, uncomment
# this next option.
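Review bot: The `default_tls_priority` description does not state how it interacts with the per-subsystem `vnc_tls_priority`, `chardev_tls_priority`, `migrate_tls_priority`, `backup_tls_priority` and `nbd_tls_priority` keys added later in this file, even though qemu_conf.c's SET_TLS_PRIORITY_DEFAULT only copies the default into a subsystem slot that is unset. Suggest adding after the existing text: `# A subsystem specific *_tls_priority setting, when present, takes` / `# precedence over this value. If neither is set, QEMU's built-in` / `# default priority is used.` It would also be worth saying that libvirt does not validate the string itself, so a malformed priority presumably only surfaces when QEMU creates the tls-creds object.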
@@ -128,6 +140,11 @@
#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Override QEMU default GNUTLS priority string for VNC
+#
+#vnc_tls_priority = "@SYSTEM"
+
+
# The default VNC password. Only 8 bytes are significant for
# VNC passwords. This parameter is only used if the per-domain
# XML config does not already provide a password. To allow
@@ -307,6 +324,11 @@
#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Override QEMU default GNUTLS priority string for character devices
+#
+#chardev_tls_priority = "@SYSTEM"
+
+
# The support for VxHS network block protocol was removed in qemu-5.2 and
# thus also dropped from libvirt's qemu driver. The following options which
# were used to configure the TLS certificates for VxHS are thus ignored.
@@ -359,6 +381,11 @@
#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Override QEMU default GNUTLS priority string for NBD
+#
+#nbd_tls_priority = "@SYSTEM"
+
+
# In order to override the default TLS certificate location for migration
# certificates, supply a valid path to the certificate directory. If the
# provided path does not exist, libvirtd will fail to start. If the path is
@@ -398,6 +425,11 @@
#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Override QEMU default GNUTLS priority string for live migration
+#
+#migrate_tls_priority = "@SYSTEM"
+
+
# By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not requested
# automatically. Setting 'migate_tls_force' to "1" will prevent any
migration
# which is not using VIR_MIGRATE_TLS to ensure higher level of security in
@@ -443,6 +475,11 @@
#backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+# Override QEMU default GNUTLS priority string for NBD backups
+#
+#backup_tls_priority = "@SYSTEM"
+
+
# By default, if no graphical front end is configured, libvirt will disable
# QEMU audio output since directly talking to alsa/pulseaudio may not work
# with various security settings. If you know what you're doing, enable
diff --git a/src/qemu/qemu_backup.c b/src/qemu/qemu_backup.c
index fb3558d280..1f43479b5e 100644
--- a/src/qemu/qemu_backup.c
+++ b/src/qemu/qemu_backup.c
@@ -728,8 +728,9 @@ qemuBackupBeginPrepareTLS(virDomainObj *vm,
}
if (qemuBuildTLSx509BackendProps(cfg->backupTLSx509certdir, true,
- cfg->backupTLSx509verify, tlsObjAlias,
- tlsKeySecretAlias,
+ cfg->backupTLSx509verify,
+ cfg->backupTLSpriority,
+ tlsObjAlias, tlsKeySecretAlias,
tlsProps) < 0)
return -1;
diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c
index c7462e2838..315b742053 100644
--- a/src/qemu/qemu_blockjob.c
+++ b/src/qemu/qemu_blockjob.c
@@ -624,6 +624,7 @@ qemuBlockJobCleanStorageSourceRuntime(virStorageSource *src)
VIR_FREE(src->nodenameformat);
VIR_FREE(src->tlsAlias);
VIR_FREE(src->tlsCertdir);
+ VIR_FREE(src->tlsPriority);
}
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 7658cc4d39..a0a04ae1fc 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -1263,6 +1263,7 @@ qemuBuildObjectSecretCommandLine(virCommand *cmd,
* @tlspath: path to the TLS credentials
* @listen: boolean listen for client or server setting
* @verifypeer: boolean to enable peer verification (form of authorization)
+ * @priority: GNUTLS priority string override (optional)
* @alias: alias for the TLS credentials object
* @secalias: if one exists, the alias of the security object for passwordid
* @propsret: json properties to return
@@ -1275,6 +1276,7 @@ int
qemuBuildTLSx509BackendProps(const char *tlspath,
bool isListen,
bool verifypeer,
+ const char *priority,
const char *alias,
const char *secalias,
virJSONValue **propsret)
@@ -1283,6 +1285,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
"s:dir", tlspath,
"s:endpoint", (isListen ?
"server": "client"),
"b:verify-peer", (isListen ? verifypeer :
true),
+ "S:priority", priority,
"S:passwordid", secalias,
NULL) < 0)
return -1;
@@ -1296,6 +1299,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
* @tlspath: path to the TLS credentials
* @listen: boolean listen for client or server setting
* @verifypeer: boolean to enable peer verification (form of authorization)
+ * @priority: GNUTLS priority string override (optional)
* @certEncSecretAlias: alias of a 'secret' object for decrypting TLS private
key
* (optional)
* @alias: TLS object alias
@@ -1309,13 +1313,14 @@ qemuBuildTLSx509CommandLine(virCommand *cmd,
const char *tlspath,
bool isListen,
bool verifypeer,
+ const char *priority,
const char *certEncSecretAlias,
const char *alias)
{
g_autoptr(virJSONValue) props = NULL;
- if (qemuBuildTLSx509BackendProps(tlspath, isListen, verifypeer, alias,
- certEncSecretAlias, &props) < 0)
+ if (qemuBuildTLSx509BackendProps(tlspath, isListen, verifypeer, priority,
+ alias, certEncSecretAlias, &props) < 0)
return -1;
if (qemuBuildObjectCommandlineFromJSON(cmd, props) < 0)
@@ -1357,6 +1362,7 @@ qemuBuildChardevCommand(virCommand *cmd,
if (qemuBuildTLSx509CommandLine(cmd, chrSourcePriv->tlsCertPath,
dev->data.tcp.listen,
chrSourcePriv->tlsVerify,
+ chrSourcePriv->tlsPriority,
tlsCertEncSecAlias,
objalias) < 0) {
return -1;
@@ -8348,6 +8354,7 @@ qemuBuildGraphicsVNCCommandLine(virQEMUDriverConfig *cfg,
cfg->vncTLSx509certdir,
true,
cfg->vncTLSx509verify,
+ cfg->vncTLSpriority,
secretAlias,
gfxPriv->tlsAlias) < 0)
return -1;
@@ -11189,8 +11196,8 @@ qemuBuildStorageSourceAttachPrepareCommon(virStorageSource *src,
}
if (src->haveTLS == VIR_TRISTATE_BOOL_YES &&
- qemuBuildTLSx509BackendProps(src->tlsCertdir, false, true, src->tlsAlias,
- tlsKeySecretAlias, &data->tlsProps) < 0)
+ qemuBuildTLSx509BackendProps(src->tlsCertdir, false, true,
src->tlsPriority,
+ src->tlsAlias, tlsKeySecretAlias,
&data->tlsProps) < 0)
return -1;
return 0;
diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h
index 574dffdc96..ad068f1f16 100644
--- a/src/qemu/qemu_command.h
+++ b/src/qemu/qemu_command.h
@@ -67,6 +67,7 @@ int
qemuBuildTLSx509BackendProps(const char *tlspath,
bool isListen,
bool verifypeer,
+ const char *priority,
const char *alias,
const char *secalias,
virJSONValue **propsret);
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 482e19b502..088904eb12 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -454,6 +454,9 @@ virQEMUDriverConfigLoadDefaultTLSEntry(virQEMUDriverConfig *cfg,
if (virConfGetValueString(conf, "default_tls_x509_secret_uuid",
&cfg->defaultTLSx509secretUUID) < 0)
return -1;
+ if (virConfGetValueString(conf, "default_tls_priority",
+ &cfg->defaultTLSpriority) < 0)
+ return -1;
return 0;
}
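Review bot: The new `defaultTLSpriority` string allocated here, and the five `*TLSpriority` strings filled by virConfGetValueString and SET_TLS_PRIORITY_DEFAULT further down this file, are not released in any hunk of this patch; the diffstat lists 22 insertions for qemu_conf.c and the three hunks shown account for all of them, so unless virQEMUDriverConfigDispose already frees these fields they leak on every config object disposal. Suggest adding `g_free(cfg->defaultTLSpriority);` next to the disposal of the other TLS config strings in virQEMUDriverConfigDispose, and the same for the `vnc`, `chardev`, `migrate`, `backup` and `nbd` variants, mirroring the frees this patch does add for virStorageSource and qemuDomainChrSourcePrivate. virQEMUDriverConfigLoadDefaultTLSEntry's body begins before this hunk.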
@@ -566,6 +569,9 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfig *cfg,
#val "_tls_x509_secret_uuid", \
&cfg->val## TLSx509secretUUID) < 0) \
return -1; \
+ if ((rv = virConfGetValueString(conf, #val "_tls_priority", \
+ &cfg->val## TLSpriority)) < 0) \
+ return -1; \
} while (0)
#define GET_CONFIG_TLS_CERTINFO_SERVER(val) \
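Review bot: The added `_tls_priority` lookup assigns the return value to `rv` but nothing in this macro reads it afterwards, whereas the neighbouring `_tls_x509_secret_uuid` call directly above tests the result inline; the `rv =` looks carried over from GET_CONFIG_TLS_CERTINFO_SERVER, where the value is presumably needed to set the `*TLSx509verifyPresent` flag. For consistency within GET_CONFIG_TLS_CERTINFO_COMMON drop the assignment: `if (virConfGetValueString(conf, #val "_tls_priority", \` / `                          &cfg->val## TLSpriority) < 0) \` / `    return -1; \`. The macro definition begins before this hunk.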
@@ -1441,6 +1447,22 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfig *cfg)
#undef SET_TLS_SECRET_UUID_DEFAULT
+#define SET_TLS_PRIORITY_DEFAULT(val) \
+ do { \
+ if (!cfg->val## TLSpriority && \
+ cfg->defaultTLSpriority) { \
+ cfg->val## TLSpriority = g_strdup(cfg->defaultTLSpriority); \
+ } \
+ } while (0)
+
+ SET_TLS_PRIORITY_DEFAULT(vnc);
+ SET_TLS_PRIORITY_DEFAULT(chardev);
+ SET_TLS_PRIORITY_DEFAULT(migrate);
+ SET_TLS_PRIORITY_DEFAULT(backup);
+ SET_TLS_PRIORITY_DEFAULT(nbd);
+
+#undef SET_TLS_PRIORITY_DEFAULT
+
/*
* If a "SYSCONFDIR" + "pki/libvirt-<val>" exists, then
assume someone
* has created a val specific area to place service specific certificates.
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index ff376aed4d..192ddd0cbd 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -117,6 +117,7 @@ struct _virQEMUDriverConfig {
bool defaultTLSx509verify;
bool defaultTLSx509verifyPresent;
char *defaultTLSx509secretUUID;
+ char *defaultTLSpriority;
bool vncAutoUnixSocket;
bool vncTLS;
@@ -125,6 +126,7 @@ struct _virQEMUDriverConfig {
bool vncSASL;
char *vncTLSx509certdir;
char *vncTLSx509secretUUID;
+ char *vncTLSpriority;
char *vncListen;
char *vncPassword;
char *vncSASLdir;
@@ -147,21 +149,25 @@ struct _virQEMUDriverConfig {
bool chardevTLSx509verify;
bool chardevTLSx509verifyPresent;
char *chardevTLSx509secretUUID;
+ char *chardevTLSpriority;
char *migrateTLSx509certdir;
bool migrateTLSx509verify;
bool migrateTLSx509verifyPresent;
char *migrateTLSx509secretUUID;
+ char *migrateTLSpriority;
bool migrateTLSForce;
char *backupTLSx509certdir;
bool backupTLSx509verify;
bool backupTLSx509verifyPresent;
char *backupTLSx509secretUUID;
+ char *backupTLSpriority;
bool nbdTLS;
char *nbdTLSx509certdir;
char *nbdTLSx509secretUUID;
+ char *nbdTLSpriority;
unsigned int remotePortMin;
unsigned int remotePortMax;
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 4420940745..b4327f9a32 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -955,6 +955,7 @@ qemuDomainChrSourcePrivateDispose(void *obj)
qemuDomainChrSourcePrivateClearFDPass(priv);
g_free(priv->tlsCertPath);
+ g_free(priv->tlsPriority);
g_free(priv->tlsCredsAlias);
@@ -8793,6 +8794,7 @@ qemuDomainPrepareChardevSourceOne(virDomainDeviceDef *dev,
if (charsrc->data.tcp.haveTLS == VIR_TRISTATE_BOOL_YES) {
charpriv->tlsCertPath =
g_strdup(data->cfg->chardevTLSx509certdir);
+ charpriv->tlsPriority =
g_strdup(data->cfg->chardevTLSpriority);
charpriv->tlsVerify = data->cfg->chardevTLSx509verify;
}
}
@@ -8858,6 +8860,7 @@ qemuProcessPrepareStorageSourceTLSNBD(virStorageSource *src,
src->tlsAlias = qemuAliasTLSObjFromSrcAlias(parentAlias);
src->tlsCertdir = g_strdup(cfg->nbdTLSx509certdir);
+ src->tlsPriority = g_strdup(cfg->nbdTLSpriority);
if (cfg->nbdTLSx509secretUUID) {
qemuDomainStorageSourcePrivate *srcpriv =
qemuDomainStorageSourcePrivateFetch(src);
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 49f83613e3..b53ebcb478 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -384,6 +384,7 @@ struct _qemuDomainChrSourcePrivate {
char *tlsCertPath; /* path to certificates if TLS is requested */
bool tlsVerify; /* whether server should verify client certificates */
+ char *tlsPriority; /* optional GNUTLS priority string */
char *tlsCredsAlias; /* alias of the x509 tls credentials object */
};
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index 073bd97d3a..e9568af125 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1749,6 +1749,7 @@ qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo,
const char *tlsCertdir,
bool tlsListen,
bool tlsVerify,
+ const char *tlsPriority,
const char *alias,
virJSONValue **tlsProps,
virJSONValue **secProps)
@@ -1762,7 +1763,7 @@ qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo,
secAlias = secinfo->alias;
}
- if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify,
+ if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify, tlsPriority,
alias, secAlias, tlsProps) < 0)
return -1;
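Review bot: The rewritten call to qemuBuildTLSx509BackendProps puts `tlsPriority,` on the first line, pushing it past the width every other call site in this patch (qemu_backup.c, qemu_command.c) respects by wrapping the new argument onto its own continuation line. Suggest `if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify,` / `                                 tlsPriority, alias, secAlias,` / `                                 tlsProps) < 0)`. qemuDomainGetTLSObjects's body begins before this hunk.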
@@ -1806,6 +1807,7 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *driver,
cfg->chardevTLSx509certdir,
dev->data.tcp.listen,
cfg->chardevTLSx509verify,
+ cfg->chardevTLSpriority,
*tlsAlias, &tlsProps, &secProps) < 0)
return -1;
diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h
index de75bf9225..fb0b5b6cd7 100644
--- a/src/qemu/qemu_hotplug.h
+++ b/src/qemu/qemu_hotplug.h
@@ -41,6 +41,7 @@ qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo,
const char *tlsCertdir,
bool tlsListen,
bool tlsVerify,
+ const char *tlsPriority,
const char *alias,
virJSONValue **tlsProps,
virJSONValue **secProps);
diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c
index 17d08f4aa5..b79bbad5c2 100644
--- a/src/qemu/qemu_migration_params.c
+++ b/src/qemu/qemu_migration_params.c
@@ -1208,6 +1208,7 @@ qemuMigrationParamsEnableTLS(virQEMUDriver *driver,
if (qemuDomainGetTLSObjects(priv->migSecinfo,
cfg->migrateTLSx509certdir, tlsListen,
cfg->migrateTLSx509verify,
+ cfg->migrateTLSpriority,
*tlsAlias, &tlsProps, &secProps) < 0)
return -1;
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index e461fcc9df..1fa0e2206e 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -5,12 +5,14 @@ module Test_libvirtd_qemu =
{ "default_tls_x509_cert_dir" = "/etc/pki/qemu" }
{ "default_tls_x509_verify" = "1" }
{ "default_tls_x509_secret_uuid" =
"00000000-0000-0000-0000-000000000000" }
+{ "default_tls_priority" = "@SYSTEM" }
{ "vnc_listen" = "0.0.0.0" }
{ "vnc_auto_unix_socket" = "1" }
{ "vnc_tls" = "1" }
{ "vnc_tls_x509_cert_dir" = "/etc/pki/libvirt-vnc" }
{ "vnc_tls_x509_verify" = "1" }
{ "vnc_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000"
}
+{ "vnc_tls_priority" = "@SYSTEM" }
{ "vnc_password" = "XYZ12345" }
{ "vnc_sasl" = "1" }
{ "vnc_sasl_dir" = "/some/directory/sasl2" }
@@ -30,19 +32,23 @@ module Test_libvirtd_qemu =
{ "chardev_tls_x509_cert_dir" = "/etc/pki/libvirt-chardev" }
{ "chardev_tls_x509_verify" = "1" }
{ "chardev_tls_x509_secret_uuid" =
"00000000-0000-0000-0000-000000000000" }
+{ "chardev_tls_priority" = "@SYSTEM" }
{ "vxhs_tls" = "1" }
{ "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" }
{ "vxhs_tls_x509_secret_uuid" =
"00000000-0000-0000-0000-000000000000" }
{ "nbd_tls" = "1" }
{ "nbd_tls_x509_cert_dir" = "/etc/pki/libvirt-nbd" }
{ "nbd_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000"
}
+{ "nbd_tls_priority" = "@SYSTEM" }
{ "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" }
{ "migrate_tls_x509_verify" = "1" }
{ "migrate_tls_x509_secret_uuid" =
"00000000-0000-0000-0000-000000000000" }
+{ "migrate_tls_priority" = "@SYSTEM" }
{ "migrate_tls_force" = "0" }
{ "backup_tls_x509_cert_dir" = "/etc/pki/libvirt-backup" }
{ "backup_tls_x509_verify" = "1" }
{ "backup_tls_x509_secret_uuid" =
"00000000-0000-0000-0000-000000000000" }
+{ "backup_tls_priority" = "@SYSTEM" }
{ "nographics_allow_host_audio" = "1" }
{ "remote_display_port_min" = "5900" }
{ "remote_display_port_max" = "65535" }
diff --git a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args
b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args
index 4ee9a0631b..77d38c3020 100644
--- a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args
+++ b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args
@@ -28,7 +28,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
-boot strict=on \
-device
'{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}'
\
-object
'{"qom-type":"secret","id":"objlibvirt-1-storage_tls0-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}'
\
--object
'{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"passwordid":"objlibvirt-1-storage_tls0-secret0"}'
\
+-object
'{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"objlibvirt-1-storage_tls0-secret0"}'
\
-blockdev
'{"driver":"nbd","server":{"type":"inet","host":"example.com","port":"1234"},"tls-creds":"objlibvirt-1-storage_tls0","tls-hostname":"test-hostname","node-name":"libvirt-1-storage","read-only":false,"cache":{"direct":true,"no-flush":false}}'
\
-device
'{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x7","drive":"libvirt-1-storage","id":"virtio-disk3","bootindex":1,"write-cache":"on"}'
\
-audiodev
'{"id":"audio1","driver":"none"}' \
diff --git a/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args
b/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args
index 50cc8532d1..32d7be1d3b 100644
--- a/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args
+++ b/tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args
@@ -29,7 +29,7 @@ SASL_CONF_PATH=/etc/sasl2 \
-device
'{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}'
\
-audiodev
'{"id":"audio1","driver":"none"}' \
-object
'{"qom-type":"secret","id":"vnc-tls-creds0-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}'
\
--object
'{"qom-type":"tls-creds-x509","id":"vnc-tls-creds0","dir":"/etc/pki/libvirt-vnc","endpoint":"server","verify-peer":true,"passwordid":"vnc-tls-creds0-secret0"}'
\
+-object
'{"qom-type":"tls-creds-x509","id":"vnc-tls-creds0","dir":"/etc/pki/libvirt-vnc","endpoint":"server","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"vnc-tls-creds0-secret0"}'
\
-vnc 127.0.0.1:3,tls-creds=vnc-tls-creds0,sasl=on,audiodev=audio1 \
-device
'{"driver":"cirrus-vga","id":"video0","bus":"pci.0","addr":"0x2"}'
\
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args
b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args
index c227a04112..492d1be626 100644
--- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args
+++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args
@@ -32,7 +32,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
-chardev udp,id=charserial0,host=127.0.0.1,port=2222,localaddr=127.0.0.1,localport=1111
\
-device
'{"driver":"isa-serial","chardev":"charserial0","id":"serial0","index":0}'
\
-object
'{"qom-type":"secret","id":"charserial1-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}'
\
--object
'{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"passwordid":"charserial1-secret0"}'
\
+-object
'{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"charserial1-secret0"}'
\
-chardev socket,id=charserial1,host=127.0.0.1,port=5555,tls-creds=objcharserial1_tls0 \
-device
'{"driver":"isa-serial","chardev":"charserial1","id":"serial1","index":1}'
\
-audiodev
'{"id":"audio1","driver":"none"}' \
diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c
index 9fba984290..1b73e823ae 100644
--- a/tests/qemuxmlconftest.c
+++ b/tests/qemuxmlconftest.c
@@ -1596,7 +1596,9 @@ mymain(void)
driver.config->nbdTLSx509secretUUID =
g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea");
DO_TEST_CAPS_LATEST("disk-network-tlsx509-nbd");
DO_TEST_CAPS_VER_PARSE_ERROR("disk-network-tlsx509-nbd-hostname",
"6.2.0");
+ driver.config->nbdTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3");
DO_TEST_CAPS_LATEST("disk-network-tlsx509-nbd-hostname");
+ driver.config->nbdTLSpriority = NULL;
DO_TEST_CAPS_LATEST("disk-network-http");
VIR_FREE(driver.config->nbdTLSx509secretUUID);
DO_TEST_CAPS_LATEST("disk-network-ssh");
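Review bot: After the `disk-network-tlsx509-nbd-hostname` test, `driver.config->nbdTLSpriority` is reset with a bare `= NULL`, leaking the string from the preceding `g_strdup`, while the VNC and chardev hunks later in this file release their priority strings with `VIR_FREE(...)`. Use `VIR_FREE(driver.config->nbdTLSpriority);` here for the same reason and for consistency with the `nbdTLSx509secretUUID` cleanup two lines below. mymain continues outside this hunk.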
@@ -1729,8 +1731,10 @@ mymain(void)
driver.config->vncTLS = 1;
driver.config->vncTLSx509verify = 1;
DO_TEST_CAPS_LATEST("graphics-vnc-tls");
+ driver.config->vncTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3");
driver.config->vncTLSx509secretUUID =
g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea");
DO_TEST_CAPS_LATEST("graphics-vnc-tls-secret");
+ VIR_FREE(driver.config->vncTLSpriority);
VIR_FREE(driver.config->vncTLSx509secretUUID);
driver.config->vncSASL = driver.config->vncTLSx509verify =
driver.config->vncTLS = 0;
DO_TEST_CAPS_LATEST("graphics-vnc-egl-headless");
@@ -1880,7 +1884,9 @@ mymain(void)
driver.config->chardevTLSx509verify = 0;
DO_TEST_CAPS_LATEST("serial-tcp-tlsx509-chardev-notls");
driver.config->chardevTLSx509secretUUID =
g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea");
+ driver.config->chardevTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3");
DO_TEST_CAPS_LATEST("serial-tcp-tlsx509-secret-chardev");
+ VIR_FREE(driver.config->chardevTLSpriority);
VIR_FREE(driver.config->chardevTLSx509secretUUID);
driver.config->chardevTLS = 0;
DO_TEST_CAPS_LATEST("serial-many-chardev");
--
2.50.1