[PATCH v1 0/7] Add TLS-PSK support for migration
QEMU provides the ability to encrypt the migration data stream using two transport layer security (TLS) authentication schemes: X.509 certificates and pre-shared keys (PSK). Currently, Libvirt only supports the X.509-based TLS authentication scheme. In TLS X.509 certificates, a set of live migrations utilize a fixed set of static certificates for encrypted migration. In this authentication scheme, users are required to deploy a certificate authority and monitor the certificate expiration window. In case certificates are compromised, all future live migrations are vulnerable. To resolve this, the patch series introduces the alternative pre-shared key-based authentication scheme. This mechanism relies on symmetric pre-shared keys (a secret key that is known to both sender and receiver prior to secure communication) for providing secure transfer of data. During a migration, the parties negotiate which unique key to utilize for encrypting the migration data. To improve the security further, we utilize different key files for each migration session. 
Abhisek Panda (7): conf: Add configuration params for TLS-PSK include: define VIR_MIGRATE_TLS_PSK flag qemu: Add support to build the tls-creds-psk object qemu: rename tls-creds-x509 obj related functions qemu: Manage tls-creds-psk object lifecycle qemu: Set up the migrate TLS-PSK objects include: define VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY include/libvirt/libvirt-domain.h | 31 ++- src/qemu/libvirtd_qemu.aug | 2 + src/qemu/qemu.conf.in | 27 ++- src/qemu/qemu_alias.c | 19 +- src/qemu/qemu_alias.h | 5 +- src/qemu/qemu_backup.c | 2 +- src/qemu/qemu_command.c | 31 ++- src/qemu/qemu_command.h | 8 + src/qemu/qemu_conf.c | 55 ++++- src/qemu/qemu_conf.h | 3 + src/qemu/qemu_domain.c | 2 +- src/qemu/qemu_driver.c | 24 ++- src/qemu/qemu_hotplug.c | 125 +++++++---- src/qemu/qemu_hotplug.h | 43 ++-- src/qemu/qemu_migration.c | 194 ++++++++++++------ src/qemu/qemu_migration.h | 3 + src/qemu/qemu_migration_params.c | 138 ++++++++++--- src/qemu/qemu_migration_params.h | 28 ++- src/qemu/qemu_postparse.c | 2 +- src/qemu/test_libvirtd_qemu.aug.in | 2 + tests/qemumigparamsdata/tls-enabled.json | 2 +- tests/qemumigparamsdata/tls-enabled.reply | 2 +- tests/qemumigparamsdata/tls-enabled.xml | 2 +- tests/qemumigparamsdata/tls-hostname.json | 2 +- tests/qemumigparamsdata/tls-hostname.reply | 2 +- tests/qemumigparamsdata/tls-hostname.xml | 2 +- tests/qemumonitorjsontest.c | 4 +- tests/qemustatusxml2xmldata/upgrade-out.xml | 2 +- .../chardev-backends-json.x86_64-9.1.0.args | 8 +- .../chardev-backends-json.x86_64-latest.args | 8 +- .../chardev-backends.x86_64-9.1.0.args | 8 +- .../chardev-backends.x86_64-latest.args | 8 +- ...rk-tlsx509-nbd-hostname.x86_64-latest.args | 6 +- ...isk-network-tlsx509-nbd.x86_64-latest.args | 6 +- ...-tlsx509-chardev-verify.x86_64-latest.args | 4 +- ...ial-tcp-tlsx509-chardev.x86_64-latest.args | 4 +- ...-tlsx509-secret-chardev.x86_64-latest.args | 4 +- tests/testutilsqemu.c | 2 + tools/virsh-domain.c | 12 ++ 39 files changed, 623 insertions(+), 209 deletions(-) 
-- 2.39.3
For encrypted migration of VMs, QEMU provides the TLS-PSK authentication apart from TLS certificates. This mechanism relies on pre-shared keys (a secret key that is known to both sender and receiver prior to secure communication) for providing secure transfer of data. We store these keys in a pre-shared key file, where each line contains a pair of identifier and its corresponding key. During an encrypted migration, the parties negotiate which unique identifier to utilize, then parse the key file to extract the key matching the identifier. Add the "migrate_tls_psk_dir" parameter to qemu.conf to allow users to define the path containing the pre-shared keys. In case the user does not define this parameter and attempts to utilize TLS-PSK for migration, we fallback to the configurable "default_tls_psk_dir" parameter whose value is set to /etc/pki/qemu-psk by default. In addition, we get the client identity by parsing the migration URI, defaulting to 'qemu' if username is undefined. Example entry format in a PSK file: qemu:61aa7b2c93d4e8f10c25b6a782e3f4051a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d Suggested-by: Tejus GK <tejus.gk@nutanix.com> Signed-off-by: Abhisek Panda <abhisek.panda1@nutanix.com> --- src/qemu/libvirtd_qemu.aug | 2 ++ src/qemu/qemu.conf.in | 19 +++++++++++ src/qemu/qemu_conf.c | 55 +++++++++++++++++++++++++++++- src/qemu/qemu_conf.h | 3 ++ src/qemu/qemu_migration.c | 2 ++ src/qemu/test_libvirtd_qemu.aug.in | 2 ++ tests/testutilsqemu.c | 2 ++ 7 files changed, 84 insertions(+), 1 deletion(-) diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index eb790d48be..75639919fa 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug 
@@ -29,6 +29,7 @@ module Libvirtd_qemu = (* Config entry grouped by function - same order as example config *) let default_tls_entry = str_entry "default_tls_x509_cert_dir" | bool_entry "default_tls_x509_verify" + | str_entry "default_tls_psk_dir" | str_entry "default_tls_x509_secret_uuid" | str_entry "default_tls_priority" @@ -68,6 +69,7 @@ module Libvirtd_qemu = | str_entry "migrate_tls_x509_secret_uuid" | str_entry "migrate_tls_priority" | bool_entry "migrate_tls_force" + | str_entry "migrate_tls_psk_dir" let backup_entry = str_entry "backup_tls_x509_cert_dir" | bool_entry "backup_tls_x509_verify" diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in index 5eacd70022..5dfd3229e5 100644 --- a/src/qemu/qemu.conf.in +++ b/src/qemu/qemu.conf.in @@ -49,6 +49,17 @@ #default_tls_x509_verify = 1 +# Use of TLS-PSK requires the pre-shared key files to be present. +# The default is to keep them in /etc/pki/qemu-psk. This directory must contain +# keys.psk - PSK key information +# +# If the directory does not exist, libvirtd will fail to start. If the +# directory doesn't contain the necessary files, VM migration will fail +# during TLS handshake if they are configured to use TLS-PSK. +# +#default_tls_psk_dir = "/etc/pki/qemu-psk" + + # Libvirt assumes the server-key.pem file is unencrypted by default. # To use an encrypted server-key.pem file, the password to decrypt # the PEM file is required. This can be provided by creating a secret 
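Review bot: The new default_tls_psk_dir comment says what the directory must contain but not how keys.psk has to be protected, and since the qemu_conf.c validation in this patch only checks that the directory exists (virFileExists), the conf text is the only place an operator learns that this file holds the symmetric secret shared with every migration peer. Suggest adding after the `keys.psk - PSK key information` line: `# keys.psk holds the shared symmetric secrets, one 'identity:hexkey' pair per line; it` `# must be readable only by the account QEMU runs as (e.g. mode 0600). libvirtd only` `# checks that the directory exists, not the file's ownership or permissions.` The same wording is needed in the migrate_tls_psk_dir comment in the next hunk of this file.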
@@ -437,6 +448,14 @@ #migrate_tls_force = 0 +# In order to override the default TLS pre-shared key files location for migration, +# supply a valid path to the key files. If the provided path does not exist, libvirtd +# will fail to start. If the path is not provided, but TLS-PSK-based migration is +# requested, then the default_tls_psk_dir path will be used. +# +#migrate_tls_psk_dir = "/etc/pki/libvirt-migrate-psk" + + # In order to override the default TLS certificate location for backup NBD # server certificates, supply a valid path to the certificate directory. If the # provided path does not exist, libvirtd will fail to start. If the path is diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 9c32310096..f52c8d78dd 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -245,14 +245,16 @@ virQEMUDriverConfig *virQEMUDriverConfigNew(bool privileged, cfg->passtStateDir = g_strdup_printf("%s/passt", cfg->stateDir); cfg->dbusStateDir = g_strdup_printf("%s/dbus", cfg->stateDir); - /* Set the default directory to find TLS X.509 certificates. + /* Set the default directory to find TLS X.509 certificates and pre-shared key files. * This will then be used as a fallback if the service specific * directory doesn't exist (although we don't check if this exists). */ if (root == NULL) { cfg->defaultTLSx509certdir = g_strdup(SYSCONFDIR "/pki/qemu"); + cfg->defaultTLSPSKdir = g_strdup(SYSCONFDIR "/pki/qemu-psk"); } else { cfg->defaultTLSx509certdir = g_strdup_printf("%s/etc/pki/qemu", root); + cfg->defaultTLSPSKdir = g_strdup_printf("%s/etc/pki/qemu-psk", root); } cfg->vncListen = g_strdup(VIR_LOOPBACK_IPV4_ADDR); @@ -380,6 +382,7 @@ static void virQEMUDriverConfigDispose(void *obj) g_free(cfg->defaultTLSx509certdir); g_free(cfg->defaultTLSx509secretUUID); + g_free(cfg->defaultTLSPSKdir); g_free(cfg->vncTLSx509certdir); g_free(cfg->vncTLSx509secretUUID); 
@@ -406,6 +409,8 @@ static void virQEMUDriverConfigDispose(void *obj) g_free(cfg->migrateTLSx509certdir); g_free(cfg->migrateTLSx509secretUUID); + g_free(cfg->migrateTLSPSKdir); + g_free(cfg->backupTLSx509certdir); g_free(cfg->backupTLSx509secretUUID); @@ -472,6 +477,9 @@ virQEMUDriverConfigLoadDefaultTLSEntry(virQEMUDriverConfig *cfg, if (virConfGetValueString(conf, "default_tls_priority", &cfg->defaultTLSpriority) < 0) return -1; + if ((rv = virConfGetValueString(conf, "default_tls_psk_dir", &cfg->defaultTLSPSKdir)) < 0) + return -1; + cfg->defaultTLSPSKdirPresent = (rv == 1); return 0; } @@ -611,6 +619,11 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfig *cfg, #undef GET_CONFIG_TLS_CERTINFO_COMMON #undef GET_CONFIG_TLS_CERTINFO_SERVER + + if (virConfGetValueString(conf, "migrate_tls_psk_dir", + &cfg->migrateTLSPSKdir) < 0) + return -1; + return 0; } @@ -1445,6 +1458,15 @@ virQEMUDriverConfigValidate(virQEMUDriverConfig *cfg) } } + if (cfg->defaultTLSPSKdirPresent) { + if (!virFileExists(cfg->defaultTLSPSKdir)) { + virReportError(VIR_ERR_CONF_SYNTAX, + _("default_tls_psk_dir directory '%1$s' does not exist"), + cfg->defaultTLSPSKdir); + return -1; + } + } + if (cfg->vncTLSx509certdir && !virFileExists(cfg->vncTLSx509certdir)) { virReportError(VIR_ERR_CONF_SYNTAX, @@ -1485,6 +1507,14 @@ virQEMUDriverConfigValidate(virQEMUDriverConfig *cfg) return -1; } + if (cfg->migrateTLSPSKdir && + !virFileExists(cfg->migrateTLSPSKdir)) { + virReportError(VIR_ERR_CONF_SYNTAX, + _("migrate_tls_psk_dir directory '%1$s' does not exist"), + cfg->migrateTLSPSKdir); + return -1; + } + if (cfg->backupTLSx509certdir && !virFileExists(cfg->backupTLSx509certdir)) { virReportError(VIR_ERR_CONF_SYNTAX, 
@@ -1586,6 +1616,29 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfig *cfg) #undef SET_TLS_VERIFY_DEFAULT + + /* + * If a "SYSCONFDIR" + "pki/libvirt-<val>-psk" exists, then assume someone + * has created a val specific area to place service specific key files. + * + * If the service specific directory doesn't exist, 'assume' that the + * user has created and populated the "SYSCONFDIR" + "pki/libvirt-default-psk". + */ +#define SET_TLS_PSK_DEFAULT(val) \ + do { \ + if (cfg->val ## TLSPSKdir) \ + break; \ + if (virFileExists(SYSCONFDIR "/pki/libvirt-"#val"-psk")) { \ + cfg->val ## TLSPSKdir = g_strdup(SYSCONFDIR "/pki/libvirt-"#val"-psk"); \ + } else { \ + cfg->val ## TLSPSKdir = g_strdup(cfg->defaultTLSPSKdir); \ + } \ + } while (0) + + SET_TLS_PSK_DEFAULT(migrate); + + #undef SET_TLS_PSK_DEFAULT + return 0; } diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index 511ab77f71..ba7364dc89 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -130,6 +130,8 @@ struct _virQEMUDriverConfig { bool defaultTLSx509verifyPresent; char *defaultTLSx509secretUUID; char *defaultTLSpriority; + char *defaultTLSPSKdir; + bool defaultTLSPSKdirPresent; bool vncAutoUnixSocket; bool vncTLS; @@ -169,6 +171,7 @@ struct _virQEMUDriverConfig { char *migrateTLSx509secretUUID; char *migrateTLSpriority; bool migrateTLSForce; + char *migrateTLSPSKdir; char *backupTLSx509certdir; bool backupTLSx509verify; diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 4a43ab83b0..af981fb992 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -4355,6 +4355,7 @@ struct _qemuMigrationSpec { const char *protocol; const char *name; int port; + const char *username; } host; struct { 
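Review bot: The comment above SET_TLS_PSK_DEFAULT names "pki/libvirt-default-psk" as the fallback, but the macro's else branch copies cfg->defaultTLSPSKdir, which virQEMUDriverConfigNew initialises to SYSCONFDIR "/pki/qemu-psk" (or to the default_tls_psk_dir value from qemu.conf). Suggest rewording the second paragraph to `* If the service specific directory doesn't exist, fall back to` `* cfg->defaultTLSPSKdir (default_tls_psk_dir, SYSCONFDIR "/pki/qemu-psk" unless overridden).` It is also worth stating in that comment that only the service-specific directory is existence-checked here and that the fallback is validated by virQEMUDriverConfigValidate only when default_tls_psk_dir was set explicitly, so a missing fallback directory shows up as a TLS handshake failure at migration time rather than at daemon start, matching the documented x509 behaviour.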
@@ -5460,6 +5461,7 @@ qemuMigrationSrcPerformNative(virQEMUDriver *driver, spec.dest.host.protocol = uribits->scheme; spec.dest.host.name = uribits->server; spec.dest.host.port = uribits->port; + spec.dest.host.username = uribits->user; } spec.fwdType = MIGRATION_FWD_DIRECT; diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in index 2582c6a09c..9782e45b59 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in @@ -4,6 +4,7 @@ module Test_libvirtd_qemu = test Libvirtd_qemu.lns get conf = { "default_tls_x509_cert_dir" = "/etc/pki/qemu" } { "default_tls_x509_verify" = "1" } +{ "default_tls_psk_dir" = "/etc/pki/qemu-psk" } { "default_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } { "default_tls_priority" = "@SYSTEM" } { "vnc_listen" = "0.0.0.0" } @@ -45,6 +46,7 @@ module Test_libvirtd_qemu = { "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } { "migrate_tls_priority" = "@SYSTEM" } { "migrate_tls_force" = "0" } +{ "migrate_tls_psk_dir" = "/etc/pki/libvirt-migrate-psk" } { "backup_tls_x509_cert_dir" = "/etc/pki/libvirt-backup" } { "backup_tls_x509_verify" = "1" } { "backup_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } diff --git a/tests/testutilsqemu.c b/tests/testutilsqemu.c index e7a61d0c6f..6c71272e80 100644 --- a/tests/testutilsqemu.c +++ b/tests/testutilsqemu.c @@ -401,6 +401,8 @@ int qemuTestDriverInit(virQEMUDriver *driver) cfg->nbdTLSx509certdir = g_strdup("/etc/pki/libvirt-nbd"); VIR_FREE(cfg->migrateTLSx509certdir); cfg->migrateTLSx509certdir = g_strdup("/etc/pki/libvirt-migrate"); + VIR_FREE(cfg->migrateTLSPSKdir); + cfg->migrateTLSPSKdir = g_strdup("/etc/pki/libvirt-migrate-psk"); VIR_FREE(cfg->backupTLSx509certdir); cfg->backupTLSx509certdir = g_strdup("/etc/pki/libvirt-backup"); -- 2.39.3
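Review bot: `spec.dest.host.username = uribits->user` takes the TLS-PSK identity straight from the userinfo of the caller-supplied migration URI, and nothing in this series validates it before it is handed to the tls-creds-psk object. The key file format is one `identity:hexkey` pair per line (commit message), so an identity containing ':', whitespace or control characters can never match, and depending on what virURIParse stores in `user` a `user:password@host` URI may pass the whole userinfo, password included, to QEMU as the identity — please confirm. Suggest rejecting identities that are empty or contain ':' or non-printable characters with VIR_ERR_INVALID_ARG before the assignment, e.g. `if (uribits->user && (*uribits->user == '\0' || strchr(uribits->user, ':'))) { virReportError(VIR_ERR_INVALID_ARG, "%s", _("invalid TLS-PSK identity in migration URI")); goto cleanup; }` with the label adjusted to the function's cleanup path. qemuMigrationSrcPerformNative's body starts and ends outside the hunk.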
Introduce a new migration flag VIR_MIGRATE_TLS_PSK, that enables the use of the TLS-PSK-based authentication mechanism for encrypted migration. Suggested-by: Tejus GK <tejus.gk@nutanix.com> Signed-off-by: Abhisek Panda <abhisek.panda1@nutanix.com> --- include/libvirt/libvirt-domain.h | 17 ++++++++++++++--- src/qemu/qemu_migration.h | 1 + tools/virsh-domain.c | 5 +++++ 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-domain.h index 1066a0b3f1..88eb3e55aa 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h @@ -1089,9 +1089,9 @@ typedef enum { VIR_MIGRATE_POSTCOPY = (1 << 15), /* Setting the VIR_MIGRATE_TLS flag will cause the migration to attempt - * to use the TLS environment configured by the hypervisor in order to - * perform the migration. If incorrectly configured on either source or - * destination, the migration will fail. + * to use the X.509-based TLS authentication configured by the hypervisor. + * If incorrectly configured on either source or destination, the migration + * will fail. * * Since: 3.2.0 */ @@ -1131,6 +1131,17 @@ typedef enum { * Since: 8.5.0 */ VIR_MIGRATE_ZEROCOPY = (1 << 20), + + /* Setting the VIR_MIGRATE_TLS_PSK flag will cause the migration to attempt + * to use the pre-shared key-based TLS authentication configured + * by the hypervisor. Setting both VIR_MIGRATE_TLS_PSK and VIR_MIGRATE_TLS flags + * simultaneously will result in migration failure because both the flags represent + * different types of TLS authentication schemes. If incorrectly configured on either + * source or destination, the migration will fail. + * + * Since: 12.4.0 + */ + VIR_MIGRATE_TLS_PSK = (1 << 21), } virDomainMigrateFlags; diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index 7e9410e1f7..7fbf959ee6 100644 --- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h 
@@ -62,6 +62,7 @@ VIR_MIGRATE_NON_SHARED_SYNCHRONOUS_WRITES | \ VIR_MIGRATE_POSTCOPY_RESUME | \ VIR_MIGRATE_ZEROCOPY | \ + VIR_MIGRATE_TLS_PSK | \ 0) /* All supported migration parameters and their types. */ diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index 76369e8694..286abd2f1c 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c @@ -11327,6 +11327,10 @@ static const vshCmdOptDef opts_migrate[] = { .type = VSH_OT_INT, .help = N_("bandwidth (in MiB/s) available for the final phase of migration") }, + {.name = "tls-psk", + .type = VSH_OT_BOOL, + .help = N_("use tls-psk for migration") + }, {.name = NULL} }; @@ -11376,6 +11380,7 @@ doMigrate(void *opaque) { "tls", VIR_MIGRATE_TLS }, { "parallel", VIR_MIGRATE_PARALLEL }, { "suspend", VIR_MIGRATE_PAUSED }, + { "tls-psk", VIR_MIGRATE_TLS_PSK }, }; #ifndef WIN32 -- 2.39.3
Enable TLS-PSK based secure migration at the source and destination, if and only if the VIR_MIGRATE_TLS_PSK flag is set. To prevent configuration conflicts, report an error in case a user attempts to enable both TLS-PSK and TLS x509 certificate authentication methods simultaneously. Suggested-by: Tejus GK <tejus.gk@nutanix.com> Signed-off-by: Abhisek Panda <abhisek.panda1@nutanix.com> --- src/qemu/qemu.conf.in | 8 +-- src/qemu/qemu_migration.c | 110 +++++++++++++++++++++++++++----------- 2 files changed, 82 insertions(+), 36 deletions(-) diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in index 5dfd3229e5..fa4f711592 100644 --- a/src/qemu/qemu.conf.in +++ b/src/qemu/qemu.conf.in @@ -440,10 +440,10 @@ #migrate_tls_priority = "@SYSTEM" -# By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not requested -# automatically. Setting 'migate_tls_force' to "1" will prevent any migration -# which is not using VIR_MIGRATE_TLS to ensure higher level of security in -# deployments with TLS. +# By default TLS is requested using either VIR_MIGRATE_TLS or VIR_MIGRATE_TLS_PSK +# flags, thus not requested automatically. Setting 'migate_tls_force' to "1" will +# prevent any migration which is not using either VIR_MIGRATE_TLS or VIR_MIGRATE_TLS_PSK +# to ensure higher level of security in deployments with TLS. # #migrate_tls_force = 0 diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 15e3571c99..239d547bb0 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3078,9 +3078,9 @@ qemuMigrationSrcBegin(virConnectPtr conn, if (cfg->migrateTLSForce && !(flags & VIR_MIGRATE_TUNNELLED) && - !(flags & VIR_MIGRATE_TLS)) { + !(flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK))) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("this libvirtd instance allows migration only with VIR_MIGRATE_TLS flag")); + _("this libvirtd instance allows migration only with VIR_MIGRATE_TLS or VIR_MIGRATE_TLS_PSK flags")); goto cleanup; } 
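Review bot: The rewritten migrate_tls_force comment carries forward the pre-existing typo `migate_tls_force` on its second line; since the hunk already rewrites that line, it should read `# flags, thus not requested automatically. Setting 'migrate_tls_force' to "1" will`. The wording "TLS is requested using either ... flags" also reads better as "TLS is only used when the VIR_MIGRATE_TLS or VIR_MIGRATE_TLS_PSK flag is given, i.e. it is not enabled automatically".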
@@ -3327,6 +3327,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, qemuDomainJobPrivate *jobPriv = vm->job->privateData; qemuProcessIncomingDef *incoming = NULL; g_autofree char *tlsx509Alias = NULL; + g_autofree char *tlsPSKAlias = NULL; virObjectEvent *event = NULL; virErrorPtr origErr = NULL; int dataFD[2] = { -1, -1 }; @@ -3335,6 +3336,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, bool relabel = false; bool tunnel = !!st; int ret = -1; + int tls_creds_type = 0; int rv; if (STREQ_NULLABLE(protocol, "rdma") && @@ -3409,17 +3411,36 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, /* Save original migration parameters */ qemuDomainSaveStatus(vm); - /* Migrations using TLS need to add the "tls-creds-x509" object and - * set the migration TLS parameters */ - if (flags & VIR_MIGRATE_TLS) { - if (qemuMigrationParamsEnableTLSx509(driver, vm, true, - VIR_ASYNC_JOB_MIGRATION_IN, - &tlsx509Alias, NULL, - migParams) < 0) - goto error; - } else { - if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) + /* Migrations using TLS can support two types of credential + * objects: "tls-creds-x509" and "tls-creds-psk". Set the migration + * TLS parameters based on the chosen credential type. + */ + tls_creds_type = flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK); + switch (tls_creds_type) { + case 0: + if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) + goto error; + break; + case VIR_MIGRATE_TLS: + if (qemuMigrationParamsEnableTLSx509(driver, vm, true, + VIR_ASYNC_JOB_MIGRATION_IN, + &tlsx509Alias, NULL, + migParams) < 0) + goto error; + break; + case VIR_MIGRATE_TLS_PSK: + if (qemuMigrationParamsEnableTLSPSK(driver, vm, true, + VIR_ASYNC_JOB_MIGRATION_IN, + &tlsPSKAlias, NULL, + migParams) < 0) + goto error; + break; + case VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK: + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("Both TLS x509 and TLS PSK are enabled simultaneously")); goto error; + default: + break; } if (mig->nbd && 
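Review bot: The `VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK` conflict is detected only inside the switch, after "Save original migration parameters" and, as far as the surrounding code suggests, after the incoming QEMU process has been set up, so an invalid flag combination costs a full prepare/teardown cycle; the switch in qemuMigrationSrcRun has the same shape. The check belongs next to the migrateTLSForce test in qemuMigrationDstPrepareAny and qemuMigrationSrcBegin (the hunks that already touch `!(flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK))`), e.g. `if ((flags & VIR_MIGRATE_TLS) && (flags & VIR_MIGRATE_TLS_PSK)) { virReportError(VIR_ERR_INVALID_ARG, "%s", _("VIR_MIGRATE_TLS and VIR_MIGRATE_TLS_PSK are mutually exclusive")); return -1; }` (goto cleanup in Begin), and ideally also in the public entry points in libvirt-domain.c via VIR_EXCLUSIVE_FLAGS_RET so every driver rejects it before a job starts. The two copies also use different messages ("Both TLS x509 and TLS PSK are enabled simultaneously" here, "Both TLS and TLS-PSK are enabled simultaneously" in SrcRun); pick one. `int tls_creds_type` receives a masked `unsigned int flags`; declaring it `unsigned int` avoids the sign conversion. qemuMigrationDstPrepareActive's body continues outside the hunk.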
@@ -3825,9 +3846,9 @@ qemuMigrationDstPrepareAny(virQEMUDriver *driver, if (cfg->migrateTLSForce && !(flags & VIR_MIGRATE_TUNNELLED) && - !(flags & VIR_MIGRATE_TLS)) { + !(flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK))) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("this libvirtd instance allows migration only with VIR_MIGRATE_TLS flag")); + _("this libvirtd instance allows migration only with VIR_MIGRATE_TLS or VIR_MIGRATE_TLS_PSK flags")); return -1; } @@ -4978,6 +4999,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, qemuDomainObjPrivate *priv = vm->privateData; g_autoptr(qemuMigrationCookie) mig = NULL; g_autofree char *tlsx509Alias = NULL; + g_autofree char *tlsPSKAlias = NULL; qemuMigrationIOThread *iothread = NULL; VIR_AUTOCLOSE fd = -1; unsigned long restore_max_bandwidth = priv->migMaxBandwidth; @@ -4988,6 +5010,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, bool cancel = false; unsigned int waitFlags; g_autoptr(virDomainDef) persistDef = NULL; + int tls_creds_type = 0; int rc; if (bandwidth > 0) 
@@ -5061,23 +5084,46 @@ qemuMigrationSrcRun(virQEMUDriver *driver, /* Save original migration parameters */ qemuDomainSaveStatus(vm); - if (flags & VIR_MIGRATE_TLS) { - const char *hostname = NULL; - - /* We need to add tls-hostname whenever QEMU itself does not - * connect directly to the destination. */ - if (spec->destType == MIGRATION_DEST_CONNECT_HOST || - spec->destType == MIGRATION_DEST_FD) - hostname = spec->dest.host.name; - - if (qemuMigrationParamsEnableTLSx509(driver, vm, false, - VIR_ASYNC_JOB_MIGRATION_OUT, - &tlsx509Alias, hostname, - migParams) < 0) - goto error; - } else { - if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) + /* Migrations using TLS can support two types of credential + * objects: "tls-creds-x509" and "tls-creds-psk". Set the migration + * TLS parameters based on the chosen credential type. + */ + tls_creds_type = flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK); + switch (tls_creds_type) { + case 0: + if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) + goto error; + break; + case VIR_MIGRATE_TLS:{ + const char *hostname = NULL; + + /* We need to add tls-hostname whenever QEMU itself does not + * connect directly to the destination. */ + if (spec->destType == MIGRATION_DEST_CONNECT_HOST || + spec->destType == MIGRATION_DEST_FD) + hostname = spec->dest.host.name; + + if (qemuMigrationParamsEnableTLSx509(driver, vm, false, + VIR_ASYNC_JOB_MIGRATION_OUT, + &tlsx509Alias, hostname, + migParams) < 0) + goto error; + break; + } + case VIR_MIGRATE_TLS_PSK: { + if (qemuMigrationParamsEnableTLSPSK(driver, vm, false, + VIR_ASYNC_JOB_MIGRATION_OUT, + &tlsPSKAlias, spec->dest.host.username, + migParams) < 0) + goto error; + break; + } + case VIR_MIGRATE_TLS|VIR_MIGRATE_TLS_PSK: + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", + _("Both TLS and TLS-PSK are enabled simultaneously")); goto error; + default: + break; } if (qemuMigrationParamsSetULL(migParams, QEMU_MIGRATION_PARAM_MAX_BANDWIDTH, 
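Review bot: The PSK branch passes `spec->dest.host.username` unconditionally, whereas the x509 branch just above reads `spec->dest.host.name` only when destType is MIGRATION_DEST_CONNECT_HOST or MIGRATION_DEST_FD; if `dest` is a union with the `fd` alternative (the struct hunk in patch 1 shows `} host; struct {`), a tunnelled migration with VIR_MIGRATE_TLS_PSK reaches this read while the fd members are live, so the guard should be mirrored: `const char *username = NULL;` `if (spec->destType == MIGRATION_DEST_CONNECT_HOST || spec->destType == MIGRATION_DEST_FD)` `username = spec->dest.host.username;` and `username` passed instead. Style: `case VIR_MIGRATE_TLS:{` and `case VIR_MIGRATE_TLS|VIR_MIGRATE_TLS_PSK:` need spaces (`case VIR_MIGRATE_TLS: {`, `VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK`), and the braces around the single-statement PSK case are not needed. The `default:` branch is unreachable because the mask admits only the four listed values; a one-line comment saying so would help the reader. qemuMigrationSrcRun's body continues outside the hunk.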
@@ -6553,9 +6599,9 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, if (cfg->migrateTLSForce && !(flags & VIR_MIGRATE_TUNNELLED) && - !(flags & VIR_MIGRATE_TLS)) { + !(flags & (VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK))) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("this libvirtd instance allows migration only with VIR_MIGRATE_TLS flag")); + _("this libvirtd instance allows migration only with VIR_MIGRATE_TLS or VIR_MIGRATE_TLS_PSK flags")); return -1; } -- 2.39.3
During an encrypted migration, the parties negotiate a unique identifier, then QEMU parses the key file and extracts the matching key. By default, the key file’s location is defined in either "migrate_tls_psk_dir" or "default_tls_psk_dir" in qemu.conf. To use a different key file for a particular migration session, a user can provide custom directory path of the key file using the "VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY" migration parameter. If this parameter is set, the defined path supersedes the "migrate_tls_psk_dir" or "default_tls_psk_dir" configurations provided in qemu.conf. Suggested-by: Tejus GK <tejus.gk@nutanix.com> Signed-off-by: Abhisek Panda <abhisek.panda1@nutanix.com> --- include/libvirt/libvirt-domain.h | 14 ++++++ src/qemu/qemu_driver.c | 24 ++++++---- src/qemu/qemu_migration.c | 78 ++++++++++++++++++++------------ src/qemu/qemu_migration.h | 2 + src/qemu/qemu_migration_params.c | 41 +++++++++++++---- src/qemu/qemu_migration_params.h | 5 ++ tools/virsh-domain.c | 7 +++ 7 files changed, 127 insertions(+), 44 deletions(-) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-domain.h index 88eb3e55aa..f600771c08 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h 
@@ -1479,6 +1479,20 @@ typedef enum { */ # define VIR_MIGRATE_PARAM_TLS_DESTINATION "tls.destination" +/** + * VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY: + * + * virDomainMigrate* params field: override the path of the directory containing + * the pre-shared key files. + * + * Normally the pre-shared key files on a host is stored at a specific path specified + * in the configuration file. When a user wants to use a unique or custom pre-shared key + * for migration, this parameter can be used to override the pre-shared key files' path. + * + * Since: 12.4.0 + */ +# define VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY "tls.psk_directory" + /* Domain migration. */ virDomainPtr virDomainMigrate (virDomainPtr domain, virConnectPtr dconn, unsigned long flags, const char *dname, diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index eda1f42054..8e4d415874 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -11004,7 +11004,7 @@ qemuDomainMigratePrepare2(virConnectPtr dconn, return qemuMigrationDstPrepareDirect(driver, dconn, NULL, 0, NULL, NULL, /* No cookies */ uri_in, uri_out, - &def, origname, NULL, NULL, 0, NULL, + &def, origname, NULL, NULL, 0, NULL, NULL, migParams, flags); } @@ -11055,7 +11055,7 @@ qemuDomainMigratePerform(virDomainPtr dom, */ ret = qemuMigrationSrcPerform(driver, dom->conn, vm, NULL, NULL, dconnuri, uri, NULL, NULL, NULL, NULL, NULL, 0, - NULL, + NULL, NULL, migParams, cookie, cookielen, NULL, NULL, /* No output cookies in v2 */ flags, dname, bandwidth, false); @@ -11230,7 +11230,7 @@ qemuDomainMigratePrepare3(virConnectPtr dconn, cookieout, cookieoutlen, uri_in, uri_out, &def, origname, NULL, NULL, 0, - NULL, migParams, flags); + NULL, NULL, migParams, flags); } static int 
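Review bot: The VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY doc does not say on which host the path is interpreted, yet the value is read by both qemuDomainMigratePrepare3Params (destination) and qemuDomainMigratePerform3Params (source) and is forwarded to the peer in qemuMigrationSrcPerformPeer2Peer3, so the same directory must exist on both hosts. Suggest adding: `* The value is an absolute path interpreted on the host where each side of the` `* migration runs; the directory must exist and contain keys.psk on both the` `* source and the destination host.` Also `the pre-shared key files on a host is stored` should read `are stored`, and the typed-parameter type (VIR_TYPED_PARAM_STRING) should be named as the neighbouring VIR_MIGRATE_PARAM_* docs do.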
@@ -11256,6 +11256,7 @@ qemuDomainMigratePrepare3Params(virConnectPtr dconn, g_autofree char *origname = NULL; g_autoptr(qemuMigrationParams) migParams = NULL; const char *nbdURI = NULL; + const char *tls_psk_directory = NULL; virCheckFlags(QEMU_MIGRATION_FLAGS, -1); if (virTypedParamsValidateTemplate(params, nparams, qemuMigrationParametersValidation) < 0) @@ -11278,7 +11279,10 @@ qemuDomainMigratePrepare3Params(virConnectPtr dconn, &nbdURI) < 0 || virTypedParamsGetInt(params, nparams, VIR_MIGRATE_PARAM_DISKS_PORT, - &nbdPort) < 0) + &nbdPort) < 0 || + virTypedParamsGetString(params, nparams, + VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY, + &tls_psk_directory) < 0) return -1; virTypedParamsGetStringList(params, nparams, VIR_MIGRATE_PARAM_MIGRATE_DISKS, @@ -11333,7 +11337,7 @@ qemuDomainMigratePrepare3Params(virConnectPtr dconn, uri_in, uri_out, &def, origname, listenAddress, migrate_disks, nbdPort, - nbdURI, migParams, flags); + nbdURI, tls_psk_directory, migParams, flags); } @@ -11461,7 +11465,7 @@ qemuDomainMigratePerform3(virDomainPtr dom, ret = qemuMigrationSrcPerform(driver, dom->conn, vm, xmlin, NULL, dconnuri, uri, NULL, NULL, NULL, NULL, NULL, 0, - NULL, migParams, + NULL, NULL, migParams, cookiein, cookieinlen, cookieout, cookieoutlen, flags, dname, bandwidth, true); @@ -11489,6 +11493,7 @@ qemuDomainMigratePerform3Params(virDomainPtr dom, const char *dname = NULL; const char *uri = NULL; const char *graphicsuri = NULL; + const char *tls_psk_directory = NULL; const char *listenAddress = NULL; g_autofree const char **migrate_disks = NULL; g_autofree const char **migrate_disks_detect_zeroes = NULL; @@ -11529,7 +11534,10 @@ qemuDomainMigratePerform3Params(virDomainPtr dom, &nbdURI) < 0 || virTypedParamsGetString(params, nparams, VIR_MIGRATE_PARAM_PERSIST_XML, - &persist_xml) < 0) + &persist_xml) < 0 || + virTypedParamsGetString(params, nparams, + VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY, + &tls_psk_directory) < 0) goto cleanup; 
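Review bot: The tls_psk_directory string obtained in qemuDomainMigratePrepare3Params (and again in qemuDomainMigratePerform3Params) is passed down unvalidated, and on the destination it arrives from the remote peer, so a relative or non-existent path is only discovered when QEMU's TLS handshake fails with an unrelated-looking error. The qemu.conf directories get an existence check in virQEMUDriverConfigValidate; the per-migration override should get the equivalent where it is consumed, e.g. `if (tls_psk_directory && (!g_path_is_absolute(tls_psk_directory) || !virFileIsDir(tls_psk_directory))) { virReportError(VIR_ERR_INVALID_ARG, _("tls.psk_directory '%1$s' is not an absolute path to an existing directory"), tls_psk_directory); return -1; }` before the qemuMigrationDstPrepareDirect call (goto cleanup in Perform3Params). Both functions start and end outside the hunk.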
@@ -11580,7 +11588,7 @@ qemuDomainMigratePerform3Params(virDomainPtr dom, migrate_disks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - nbdPort, nbdURI, migParams, + nbdPort, nbdURI, tls_psk_directory, migParams, cookiein, cookieinlen, cookieout, cookieoutlen, flags, dname, bandwidth, true); cleanup: diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 239d547bb0..79d11732a7 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3320,6 +3320,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, const char **migrate_disks, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags) { @@ -3432,7 +3433,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, if (qemuMigrationParamsEnableTLSPSK(driver, vm, true, VIR_ASYNC_JOB_MIGRATION_IN, &tlsPSKAlias, NULL, - migParams) < 0) + tls_psk_directory, migParams) < 0) goto error; break; case VIR_MIGRATE_TLS | VIR_MIGRATE_TLS_PSK: @@ -3533,6 +3534,7 @@ qemuMigrationDstPrepareFresh(virQEMUDriver *driver, const char **migrate_disks, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags) { @@ -3546,9 +3548,10 @@ qemuMigrationDstPrepareFresh(virQEMUDriver *driver, bool taint_hook = false; VIR_DEBUG("name=%s, origname=%s, protocol=%s, port=%hu, " - "listenAddress=%s, nbdPort=%d, nbdURI=%s, flags=0x%x", + "listenAddress=%s, nbdPort=%d, nbdURI=%s," + "tls_psk_directory=%s, flags=0x%x", (*def)->name, NULLSTR(origname), protocol, port, - listenAddress, nbdPort, NULLSTR(nbdURI), flags); + listenAddress, nbdPort, NULLSTR(nbdURI), NULLSTR(tls_psk_directory), flags); if (!(flags & VIR_MIGRATE_OFFLINE)) { cookieFlags = QEMU_MIGRATION_COOKIE_GRAPHICS | @@ -3641,6 +3644,7 @@ qemuMigrationDstPrepareFresh(virQEMUDriver *driver, protocol, port, listenAddress, migrate_disks, nbdPort, nbdURI, + tls_psk_directory, migParams, flags) < 0) { goto stopjob; } 
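Review bot: The VIR_DEBUG format in qemuMigrationDstPrepareFresh is split as `"... nbdURI=%s,"` followed by `"tls_psk_directory=%s, flags=0x%x"`, so the joined string lacks the separating space and logs as `nbdURI=...,tls_psk_directory=...`; change the first fragment to `"listenAddress=%s, nbdPort=%d, nbdURI=%s, "`. The sibling VIR_DEBUG updates in qemuMigrationDstPrepareDirect and qemuMigrationSrcPerformPeer2Peer3 keep the space, so this one is the odd one out.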
@@ -3806,6 +3810,7 @@ qemuMigrationDstPrepareAny(virQEMUDriver *driver, const char **migrate_disks, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags) { @@ -3867,6 +3872,7 @@ qemuMigrationDstPrepareAny(virQEMUDriver *driver, port, autoPort, listenAddress, migrate_disks, nbdPort, nbdURI, + tls_psk_directory, migParams, flags); } @@ -3903,7 +3909,7 @@ qemuMigrationDstPrepareTunnel(virQEMUDriver *driver, return qemuMigrationDstPrepareAny(driver, dconn, cookiein, cookieinlen, cookieout, cookieoutlen, def, origname, st, NULL, 0, false, NULL, NULL, 0, - NULL, migParams, flags); + NULL, NULL, migParams, flags); } @@ -3944,6 +3950,7 @@ qemuMigrationDstPrepareDirect(virQEMUDriver *driver, const char **migrate_disks, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags) { @@ -3959,12 +3966,12 @@ qemuMigrationDstPrepareDirect(virQEMUDriver *driver, "cookieout=%p, cookieoutlen=%p, uri_in=%s, uri_out=%p, " "def=%p, origname=%s, listenAddress=%s, " "migrate_disks=%p, nbdPort=%d, " - "nbdURI=%s, flags=0x%x", + "nbdURI=%s, tls_psk_directory=%s, flags=0x%x", driver, dconn, NULLSTR(cookiein), cookieinlen, cookieout, cookieoutlen, NULLSTR(uri_in), uri_out, *def, origname, NULLSTR(listenAddress), migrate_disks, nbdPort, NULLSTR(nbdURI), - flags); + NULLSTR(tls_psk_directory), flags); *uri_out = NULL; @@ -4072,7 +4079,7 @@ qemuMigrationDstPrepareDirect(virQEMUDriver *driver, NULL, uri ? uri->scheme : "tcp", port, autoPort, listenAddress, migrate_disks, nbdPort, - nbdURI, migParams, flags); + nbdURI, tls_psk_directory, migParams, flags); cleanup: if (ret != 0) { VIR_FREE(*uri_out); 
@@ -4993,7 +5000,8 @@ qemuMigrationSrcRun(virQEMUDriver *driver, const char **migrate_disks_detect_zeroes, const char **migrate_disks_target_zero, qemuMigrationParams *migParams, - const char *nbdURI) + const char *nbdURI, + const char *tls_psk_directory) { int ret = -1; qemuDomainObjPrivate *priv = vm->privateData; @@ -5114,7 +5122,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, if (qemuMigrationParamsEnableTLSPSK(driver, vm, false, VIR_ASYNC_JOB_MIGRATION_OUT, &tlsPSKAlias, spec->dest.host.username, - migParams) < 0) + tls_psk_directory, migParams) < 0) goto error; break; } @@ -5444,7 +5452,8 @@ qemuMigrationSrcPerformNative(virQEMUDriver *driver, const char **migrate_disks_detect_zeroes, const char **migrate_disks_target_zero, qemuMigrationParams *migParams, - const char *nbdURI) + const char *nbdURI, + const char *tls_psk_directory) { g_autoptr(virURI) uribits = NULL; int ret = -1; @@ -5521,7 +5530,7 @@ qemuMigrationSrcPerformNative(virQEMUDriver *driver, &spec, dconn, graphicsuri, migrate_disks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - migParams, nbdURI); + migParams, nbdURI, tls_psk_directory); } if (spec.destType == MIGRATION_DEST_FD) @@ -5584,7 +5593,7 @@ qemuMigrationSrcPerformTunnel(virQEMUDriver *driver, ret = qemuMigrationSrcRun(driver, vm, persist_xml, cookiein, cookieinlen, cookieout, cookieoutlen, flags, bandwidth, &spec, dconn, graphicsuri, NULL, NULL, NULL, - migParams, NULL); + migParams, NULL, NULL); cleanup: VIR_FORCE_CLOSE(spec.dest.fd.qemu); @@ -5623,7 +5632,7 @@ qemuMigrationSrcPerformResume(virQEMUDriver *driver, ret = qemuMigrationSrcPerformNative(driver, vm, NULL, uri, cookiein, cookieinlen, cookieout, cookieoutlen, flags, - 0, NULL, NULL, NULL, NULL, NULL, migParams, NULL); + 0, NULL, NULL, NULL, NULL, NULL, migParams, NULL, NULL); virCloseCallbacksDomainAdd(vm, conn, qemuMigrationAnyConnectionClosed); 
@@ -5731,7 +5740,7 @@ qemuMigrationSrcPerformPeer2Peer2(virQEMUDriver *driver, cookie, cookielen, NULL, NULL, /* No out cookie with v2 migration */ flags, bandwidth, dconn, NULL, NULL, NULL, - NULL, migParams, NULL); + NULL, migParams, NULL, NULL); /* Perform failed. Make sure Finish doesn't overwrite the error */ if (ret < 0) @@ -5798,6 +5807,7 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriver *driver, const char **migrate_disks_target_zero, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned long long bandwidth, bool useParams, @@ -5824,12 +5834,12 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriver *driver, "dname=%s, uri=%s, graphicsuri=%s, listenAddress=%s, " "migrate_disks=%p, migrate_disks_detect_zeroes=%p, " "migrate_disks_target_zero=%p, nbdPort=%d, nbdURI=%s, " - "bandwidth=%llu, useParams=%d, flags=0x%x", + "tls_psk_directory=%s, bandwidth=%llu, useParams=%d, flags=0x%x", driver, sconn, dconn, NULLSTR(dconnuri), vm, NULLSTR(xmlin), NULLSTR(dname), NULLSTR(uri), NULLSTR(graphicsuri), NULLSTR(listenAddress), migrate_disks, migrate_disks_detect_zeroes, migrate_disks_target_zero, nbdPort, - NULLSTR(nbdURI), bandwidth, useParams, flags); + NULLSTR(nbdURI), NULLSTR(tls_psk_directory), bandwidth, useParams, flags); /* Unlike the virDomainMigrateVersion3 counterpart, we don't need * to worry about auto-setting the VIR_MIGRATE_CHANGE_PROTECTION @@ -5919,6 +5929,12 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriver *driver, nbdURI) < 0) goto cleanup; + if (tls_psk_directory && + virTypedParamsAddString(¶ms, &nparams, &maxparams, + VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY, + tls_psk_directory) < 0) + goto cleanup; + if (qemuMigrationParamsDump(migParams, ¶ms, &nparams, &maxparams, &flags) < 0) goto cleanup; 
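Review bot: The new VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY parameter is forwarded to the destination whenever `tls_psk_directory` is non-NULL, independent of whether VIR_MIGRATE_TLS_PSK is in `flags`, so a caller that supplies the directory without requesting PSK sends a parameter the destination will not act on and that a destination predating this series will presumably reject as unknown. Either gate it here, `if (tls_psk_directory && (flags & VIR_MIGRATE_TLS_PSK) && virTypedParamsAddString(...) < 0)`, or reject the directory-without-flag combination with VIR_ERR_INVALID_ARG in the API entry point where the other flag-dependent parameters are validated (not visible in this hunk). Worth stating in the parameter's documentation as well: the value crosses to the peer and is interpreted as a path on the destination host, not on the caller's machine. qemuMigrationSrcPerformPeer2Peer3's body continues outside the hunk.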
@@ -6022,7 +6038,7 @@ qemuMigrationSrcPerformPeer2Peer3(virQEMUDriver *driver, flags, bandwidth, dconn, graphicsuri, migrate_disks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - migParams, nbdURI); + migParams, nbdURI, tls_psk_directory); } if (ret == 0) @@ -6199,6 +6215,7 @@ qemuMigrationSrcPerformPeer2Peer(virQEMUDriver *driver, const char **migrate_disks_target_zero, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags, const char *dname, @@ -6217,11 +6234,12 @@ qemuMigrationSrcPerformPeer2Peer(virQEMUDriver *driver, VIR_DEBUG("driver=%p, sconn=%p, vm=%p, xmlin=%s, dconnuri=%s, uri=%s, " "graphicsuri=%s, listenAddress=%s, " - "migrate_disks=%p, nbdPort=%d, nbdURI=%s, flags=0x%x, " - "dname=%s, bandwidth=%lu", + "migrate_disks=%p, nbdPort=%d, nbdURI=%s, tls_psk_directory=%s, " + "flags=0x%x, dname=%s, bandwidth=%lu", driver, sconn, vm, NULLSTR(xmlin), NULLSTR(dconnuri), NULLSTR(uri), NULLSTR(graphicsuri), NULLSTR(listenAddress), migrate_disks, nbdPort, NULLSTR(nbdURI), + NULLSTR(tls_psk_directory), flags, NULLSTR(dname), bandwidth); if (flags & VIR_MIGRATE_TUNNELLED && uri) { @@ -6323,7 +6341,7 @@ qemuMigrationSrcPerformPeer2Peer(virQEMUDriver *driver, persist_xml, dname, uri, graphicsuri, listenAddress, migrate_disks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - nbdPort, nbdURI, migParams, bandwidth, + nbdPort, nbdURI, tls_psk_directory, migParams, bandwidth, !!useParams, flags); } else { ret = qemuMigrationSrcPerformPeer2Peer2(driver, sconn, dconn, vm, @@ -6363,6 +6381,7 @@ qemuMigrationSrcPerformJob(virQEMUDriver *driver, const char **migrate_disks_target_zero, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, const char *cookiein, int cookieinlen, 
@@ -6412,7 +6431,7 @@ qemuMigrationSrcPerformJob(virQEMUDriver *driver, dconnuri, uri, graphicsuri, listenAddress, migrate_disks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - nbdPort, nbdURI, + nbdPort, nbdURI, tls_psk_directory, migParams, flags, dname, bandwidth, &v3proto); } else { @@ -6422,7 +6441,7 @@ qemuMigrationSrcPerformJob(virQEMUDriver *driver, ret = qemuMigrationSrcPerformNative(driver, vm, persist_xml, uri, cookiein, cookieinlen, cookieout, cookieoutlen, flags, bandwidth, NULL, NULL, NULL, NULL, NULL, - migParams, nbdURI); + migParams, nbdURI, tls_psk_directory); } if (ret < 0) goto endjob; @@ -6497,7 +6516,8 @@ qemuMigrationSrcPerformPhase(virQEMUDriver *driver, int *cookieoutlen, unsigned int flags, unsigned long bandwidth, - const char *nbdURI) + const char *nbdURI, + const char *tls_psk_directory) { qemuDomainObjPrivate *priv = vm->privateData; qemuDomainJobPrivate *jobPriv = vm->job->privateData; @@ -6527,7 +6547,7 @@ qemuMigrationSrcPerformPhase(virQEMUDriver *driver, flags, bandwidth, NULL, graphicsuri, migrate_disks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - migParams, nbdURI) < 0) + migParams, nbdURI, tls_psk_directory) < 0) goto cleanup; virCloseCallbacksDomainAdd(vm, conn, qemuMigrationAnyConnectionClosed); @@ -6573,6 +6593,7 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, const char **migrate_disks_target_zero, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, const char *cookiein, int cookieinlen, 
@@ -6588,12 +6609,13 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, VIR_DEBUG("driver=%p, conn=%p, vm=%p, xmlin=%s, dconnuri=%s, " "uri=%s, graphicsuri=%s, listenAddress=%s, " "migrate_disks=%p, nbdPort=%d, " - "nbdURI=%s, " + "nbdURI=%s, tls_psk_directory=%s, " "cookiein=%s, cookieinlen=%d, cookieout=%p, cookieoutlen=%p, " "flags=0x%x, dname=%s, bandwidth=%lu, v3proto=%d", driver, conn, vm, NULLSTR(xmlin), NULLSTR(dconnuri), NULLSTR(uri), NULLSTR(graphicsuri), NULLSTR(listenAddress), migrate_disks, nbdPort, NULLSTR(nbdURI), + NULLSTR(tls_psk_directory), NULLSTR(cookiein), cookieinlen, cookieout, cookieoutlen, flags, NULLSTR(dname), bandwidth, v3proto); @@ -6616,7 +6638,7 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, graphicsuri, listenAddress, migrate_disks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - nbdPort, nbdURI, migParams, + nbdPort, nbdURI, tls_psk_directory, migParams, cookiein, cookieinlen, cookieout, cookieoutlen, flags, dname, bandwidth, v3proto); @@ -6636,14 +6658,14 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, migParams, cookiein, cookieinlen, cookieout, cookieoutlen, - flags, bandwidth, nbdURI); + flags, bandwidth, nbdURI, tls_psk_directory); } return qemuMigrationSrcPerformJob(driver, conn, vm, xmlin, persist_xml, NULL, uri, graphicsuri, listenAddress, migrate_disks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - nbdPort, nbdURI, migParams, + nbdPort, nbdURI, tls_psk_directory, migParams, cookiein, cookieinlen, cookieout, cookieoutlen, flags, dname, bandwidth, v3proto); diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index 7fbf959ee6..6154037c0d 100644 --- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h @@ -140,6 +140,7 @@ qemuMigrationDstPrepareDirect(virQEMUDriver *driver, const char **migrate_disks, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, unsigned int flags); 
@@ -158,6 +159,7 @@ qemuMigrationSrcPerform(virQEMUDriver *driver, const char **migrate_disks_target_zero, int nbdPort, const char *nbdURI, + const char *tls_psk_directory, qemuMigrationParams *migParams, const char *cookiein, int cookieinlen, diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c index 1c6ab6fc8a..d6099894c5 100644 --- a/src/qemu/qemu_migration_params.c +++ b/src/qemu/qemu_migration_params.c @@ -1258,17 +1258,13 @@ qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver, int asyncJob, char **tlsPSKAlias, const char *username, + const char *tls_psk_directory, qemuMigrationParams *migParams) { qemuDomainJobPrivate *jobPriv = vm->job->privateData; g_autoptr(virJSONValue) tlsPSKProps = NULL; g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver); - - if (!cfg->migrateTLSPSKdir) { - virReportError(VIR_ERR_OPERATION_INVALID, "%s", - _("host migration TLS-PSK directory not configured")); - return -1; - } + const char *pskDirectory = qemuMigrationParamsGetTLSPSKDirectory(driver, tls_psk_directory); if (!jobPriv->migParams->params[QEMU_MIGRATION_PARAM_TLS_CREDS].set) { virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s", @@ -1279,8 +1275,8 @@ qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver, if (!(*tlsPSKAlias = qemuAliasTLSPSKObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE))) return -1; - if (qemuDomainGetTLSPSKObjects(cfg->migrateTLSPSKdir, tlsListen, - username, *tlsPSKAlias, &tlsPSKProps) < 0) + if (qemuDomainGetTLSPSKObjects(pskDirectory, tlsListen, + username, *tlsPSKAlias, &tlsPSKProps) < 0) return -1; /* Ensure the domain doesn't already have the TLS-PSK objects defined... 
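Review bot: `qemuMigrationParamsGetTLSPSKDirectory` reports an error and returns NULL when neither an override nor `cfg->migrateTLSPSKdir` is set, but the new code in qemuMigrationParamsEnableTLSPSK never checks `pskDirectory` and hands it straight to qemuDomainGetTLSPSKObjects; the `return -1` that this hunk removes was the only thing stopping that path. Add `if (!pskDirectory) return -1;` right after the assignment so the error already reported is propagated instead of continuing with a NULL directory. `cfg` is now only used by the helper and could be dropped from this function if nothing else in the body (which continues outside the hunk) reads it.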
@@ -1847,3 +1843,32 @@ qemuMigrationParamsGetTLSHostname(qemuMigrationParams *migParams) return hostname; } + + +/** + * qemuMigrationParamsGetTLSPSKDirectory: + * @migParams: Migration params object + * @tls_psk_directory: path containing the TLS-PSK key file provided by the client + * + * Identifies the correct value of the directory that stores the pre-shared keys + * required for the TLS-based authentication based on the precedence. + */ +const char * +qemuMigrationParamsGetTLSPSKDirectory(virQEMUDriver *driver, + const char *tls_psk_directory) +{ + const char *pskDirectory = NULL; + g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver); + + if (tls_psk_directory) { + pskDirectory = tls_psk_directory; + } else { + if (!cfg->migrateTLSPSKdir) { + virReportError(VIR_ERR_OPERATION_INVALID, "%s", + _("host migration TLS-PSK directory not configured")); + return NULL; + } + pskDirectory = cfg->migrateTLSPSKdir; + } + return pskDirectory; +} diff --git a/src/qemu/qemu_migration_params.h b/src/qemu/qemu_migration_params.h index 07f5812065..eec08f3c69 100644 --- a/src/qemu/qemu_migration_params.h +++ b/src/qemu/qemu_migration_params.h @@ -130,6 +130,7 @@ qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver, int asyncJob, char **tlsPSKAlias, const char *username, + const char *tls_psk_directory, qemuMigrationParams *migParams); int @@ -199,3 +200,7 @@ qemuMigrationCapsGet(virDomainObj *vm, const char * qemuMigrationParamsGetTLSHostname(qemuMigrationParams *migParams); + +const char * +qemuMigrationParamsGetTLSPSKDirectory(virQEMUDriver *driver, + const char *tls_psk_directory); diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index 286abd2f1c..c939274881 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c 
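Review bot: `qemuMigrationParamsGetTLSPSKDirectory` returns `cfg->migrateTLSPSKdir` after its `g_autoptr` reference to `cfg` is released on return, so the pointer stays valid only while some other reference (the driver's own, or the caller's separately obtained `cfg`) keeps that config object alive; returning a `g_strdup` copy, or taking the caller's `cfg` instead of `driver`, would remove that dependency. The override path is also accepted as-is, although it arrives from the client or the migration peer (it is added to the peer-to-peer typed params in qemu_migration.c) and becomes the `dir` QEMU opens the PSK file from, so a relative path would be resolved against QEMU's working directory; a `g_path_is_absolute` check as below closes that. The doc comment lists `@migParams`, which is not a parameter, and omits both `@driver: pointer to qemu driver` and `Returns the directory to use, or NULL with an error reported.`

```c
const char *
qemuMigrationParamsGetTLSPSKDirectory(virQEMUDriver *driver,
                                      const char *tls_psk_directory)
{
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);

    if (tls_psk_directory) {
        /* Caller-supplied override: QEMU opens the key file under this path,
         * so refuse anything it could resolve against its own cwd. */
        if (!g_path_is_absolute(tls_psk_directory)) {
            virReportError(VIR_ERR_INVALID_ARG, "%s",
                           _("TLS-PSK directory must be an absolute path"));
            return NULL;
        }
        return tls_psk_directory;
    }

    if (!cfg->migrateTLSPSKdir) {
        virReportError(VIR_ERR_OPERATION_INVALID, "%s",
                       _("host migration TLS-PSK directory not configured"));
        return NULL;
    }
    /* Valid only while another reference to this config object is held. */
    return cfg->migrateTLSPSKdir;
}
```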
@@ -11667,6 +11667,13 @@ doMigrate(void *opaque) VIR_MIGRATE_PARAM_TLS_DESTINATION, opt) < 0) goto save_error; + if (vshCommandOptString(ctl, cmd, "tls-psk-directory", &opt) < 0) + goto out; + if (opt && + virTypedParamsAddString(¶ms, &nparams, &maxparams, + VIR_MIGRATE_PARAM_TLS_PSK_DIRECTORY, opt) < 0) + goto save_error; + if ((rv = vshCommandOptULongLong(ctl, cmd, "available-switchover-bandwidth", &ullOpt)) < 0) { goto out; } else if (rv > 0) { -- 2.39.3
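Review bot: The `--tls-psk-directory` value is passed to the daemon verbatim, so it names a directory on the hypervisor hosts rather than on the machine running virsh, and nothing in this hunk ties it to the PSK migration flag, so a user can pass it without requesting PSK and get an ignored or rejected parameter. The option's help text (outside this hunk) should say both things; something like `directory on the source and destination hosts containing the TLS-PSK key file (only used with PSK-authenticated TLS migration)`. doMigrate's body continues outside the hunk.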
Append 'x509' to the function identifiers managing the tls-creds-x509 objects. This defines the functions' scope and prevents naming conflicts with the introduction of functions related to tls-creds-psk in subsequent commits. Additionally, update the TLS x509 object alias from "obj%s_tls0" to "obj%s_tlsx5090" along with relevant testcase changes. Suggested-by: Tejus GK <tejus.gk@nutanix.com> Signed-off-by: Abhisek Panda <abhisek.panda1@nutanix.com> --- src/qemu/qemu_alias.c | 8 +- src/qemu/qemu_alias.h | 2 +- src/qemu/qemu_backup.c | 2 +- src/qemu/qemu_command.c | 2 +- src/qemu/qemu_domain.c | 2 +- src/qemu/qemu_hotplug.c | 76 +++++++++---------- src/qemu/qemu_hotplug.h | 26 +++---- src/qemu/qemu_migration.c | 24 +++--- src/qemu/qemu_migration_params.c | 44 +++++------ src/qemu/qemu_migration_params.h | 14 ++-- src/qemu/qemu_postparse.c | 2 +- tests/qemumigparamsdata/tls-enabled.json | 2 +- tests/qemumigparamsdata/tls-enabled.reply | 2 +- tests/qemumigparamsdata/tls-enabled.xml | 2 +- tests/qemumigparamsdata/tls-hostname.json | 2 +- tests/qemumigparamsdata/tls-hostname.reply | 2 +- tests/qemumigparamsdata/tls-hostname.xml | 2 +- tests/qemumonitorjsontest.c | 4 +- tests/qemustatusxml2xmldata/upgrade-out.xml | 2 +- .../chardev-backends-json.x86_64-9.1.0.args | 8 +- .../chardev-backends-json.x86_64-latest.args | 8 +- .../chardev-backends.x86_64-9.1.0.args | 8 +- .../chardev-backends.x86_64-latest.args | 8 +- ...rk-tlsx509-nbd-hostname.x86_64-latest.args | 6 +- ...isk-network-tlsx509-nbd.x86_64-latest.args | 6 +- ...-tlsx509-chardev-verify.x86_64-latest.args | 4 +- ...ial-tcp-tlsx509-chardev.x86_64-latest.args | 4 +- ...-tlsx509-secret-chardev.x86_64-latest.args | 4 +- 28 files changed, 138 insertions(+), 138 deletions(-) diff --git a/src/qemu/qemu_alias.c b/src/qemu/qemu_alias.c index 400ce73283..9133389df1 100644 --- a/src/qemu/qemu_alias.c +++ b/src/qemu/qemu_alias.c 
@@ -872,15 +872,15 @@ qemuAliasForSecret(const char *parentalias, return g_strdup_printf("%s-secret%zu", parentalias, secret_idx); } -/* qemuAliasTLSObjFromSrcAlias +/* qemuAliasTLSx509ObjFromSrcAlias * @srcAlias: Pointer to a source alias string * - * Generate and return a string to be used as the TLS object alias + * Generate and return a string to be used as the TLS X509 object alias */ char * -qemuAliasTLSObjFromSrcAlias(const char *srcAlias) +qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias) { - return g_strdup_printf("obj%s_tls0", srcAlias); + return g_strdup_printf("obj%s_tlsx5090", srcAlias); } diff --git a/src/qemu/qemu_alias.h b/src/qemu/qemu_alias.h index eae08020dc..dd7bfdcc0f 100644 --- a/src/qemu/qemu_alias.h +++ b/src/qemu/qemu_alias.h @@ -89,7 +89,7 @@ char *qemuAliasForSecret(const char *parentalias, const char *obj, size_t secret_idx); -char *qemuAliasTLSObjFromSrcAlias(const char *srcAlias) +char *qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias) ATTRIBUTE_NONNULL(1); char *qemuAliasChardevFromDevAlias(const char *devAlias) diff --git a/src/qemu/qemu_backup.c b/src/qemu/qemu_backup.c index a0544c83dc..9c496ee0c8 100644 --- a/src/qemu/qemu_backup.c +++ b/src/qemu/qemu_backup.c @@ -745,7 +745,7 @@ qemuBackupBeginPrepareTLS(virDomainObj *vm, virJSONValue **tlsSecretProps) { qemuDomainObjPrivate *priv = vm->privateData; - g_autofree char *tlsObjAlias = qemuAliasTLSObjFromSrcAlias(QEMU_BACKUP_TLS_ALIAS_BASE); + g_autofree char *tlsObjAlias = qemuAliasTLSx509ObjFromSrcAlias(QEMU_BACKUP_TLS_ALIAS_BASE); g_autoptr(qemuDomainSecretInfo) secinfo = NULL; const char *tlsKeySecretAlias = NULL; diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 69324a523f..efa1d10a57 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c 
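Review bot: Changing the generated alias from `obj%s_tls0` to `obj%s_tlsx5090` alters the name libvirt uses to address objects inside an already-running QEMU, and callers in this patch recompute it rather than read a stored one: qemuDomainDelChardevTLSObjects rebuilds it from `inAlias`, and qemuMigrationParamsResetTLS from QEMU_MIGRATION_TLS_ALIAS_BASE. After a daemon upgrade, unplugging a TLS chardev that the old daemon hot-plugged, or cleaning up a migration it began, will therefore try to delete `…_tlsx5090` while QEMU still holds `…_tls0`, leaving the tls-creds object behind (the secret alias is unaffected, since qemuAliasForSecret is not renamed). Disks are covered because qemu_postparse.c only generates the alias when the status XML carries none, but as far as these hunks show chardevs and the migration object have no persisted alias. Renaming the C identifiers does not require changing the alias string; keep `"obj%s_tls0"` unless the alias is persisted and the old form handled for existing domains.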
@@ -1387,7 +1387,7 @@ qemuBuildChardevCommand(virCommand *cmd, tlsCertEncSecAlias = chrSourcePriv->secinfo->alias; } - if (!(objalias = qemuAliasTLSObjFromSrcAlias(charAlias))) + if (!(objalias = qemuAliasTLSx509ObjFromSrcAlias(charAlias))) return -1; if (qemuBuildTLSx509CommandLine(cmd, chrSourcePriv->tlsCertPath, diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index dde257bb70..99660e684f 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -9030,7 +9030,7 @@ qemuProcessPrepareStorageSourceTLSNBD(virStorageSource *src, return -1; } - src->tlsAlias = qemuAliasTLSObjFromSrcAlias(parentAlias); + src->tlsAlias = qemuAliasTLSx509ObjFromSrcAlias(parentAlias); src->tlsCertdir = g_strdup(cfg->nbdTLSx509certdir); src->tlsPriority = g_strdup(cfg->nbdTLSpriority); diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 8d45a6db9d..9e7055f5da 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -1702,12 +1702,12 @@ void qemuDomainDelTLSObjects(virDomainObj *vm, virDomainAsyncJob asyncJob, const char *secAlias, - const char *tlsAlias) + const char *tlsx509Alias) { qemuDomainObjPrivate *priv = vm->privateData; virErrorPtr orig_err; - if (!tlsAlias && !secAlias) + if (!tlsx509Alias && !secAlias) return; virErrorPreserveLast(&orig_err); @@ -1715,8 +1715,8 @@ qemuDomainDelTLSObjects(virDomainObj *vm, if (qemuDomainObjEnterMonitorAsync(vm, asyncJob) < 0) goto cleanup; - if (tlsAlias) - ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias, false)); + if (tlsx509Alias) + ignore_value(qemuMonitorDelObject(priv->mon, tlsx509Alias, false)); if (secAlias) ignore_value(qemuMonitorDelObject(priv->mon, secAlias, false)); 
@@ -1729,10 +1729,10 @@ qemuDomainDelTLSObjects(virDomainObj *vm, int -qemuDomainAddTLSObjects(virDomainObj *vm, - virDomainAsyncJob asyncJob, - virJSONValue **secProps, - virJSONValue **tlsProps) +qemuDomainAddTLSx509Objects(virDomainObj *vm, + virDomainAsyncJob asyncJob, + virJSONValue **secProps, + virJSONValue **tlsProps) { qemuDomainObjPrivate *priv = vm->privateData; virErrorPtr orig_err; @@ -1766,14 +1766,14 @@ qemuDomainAddTLSObjects(virDomainObj *vm, int -qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo, - const char *tlsCertdir, - bool tlsListen, - bool tlsVerify, - const char *tlsPriority, - const char *alias, - virJSONValue **tlsProps, - virJSONValue **secProps) +qemuDomainGetTLSx509Objects(qemuDomainSecretInfo *secinfo, + const char *tlsCertdir, + bool tlsListen, + bool tlsVerify, + const char *tlsPriority, + const char *alias, + virJSONValue **tlsProps, + virJSONValue **secProps) { const char *secAlias = NULL; @@ -1798,7 +1798,7 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *driver, virDomainChrSourceDef *dev, char *devAlias, char *charAlias, - char **tlsAlias, + char **tlsx509Alias, const char **secAlias) { g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver); 
@@ -1821,21 +1821,21 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *driver, if (secinfo) *secAlias = secinfo->alias; - if (!(*tlsAlias = qemuAliasTLSObjFromSrcAlias(charAlias))) + if (!(*tlsx509Alias = qemuAliasTLSx509ObjFromSrcAlias(charAlias))) return -1; - if (qemuDomainGetTLSObjects(secinfo, - cfg->chardevTLSx509certdir, - dev->data.tcp.listen, - cfg->chardevTLSx509verify, - cfg->chardevTLSpriority, - *tlsAlias, &tlsProps, &secProps) < 0) + if (qemuDomainGetTLSx509Objects(secinfo, + cfg->chardevTLSx509certdir, + dev->data.tcp.listen, + cfg->chardevTLSx509verify, + cfg->chardevTLSpriority, + *tlsx509Alias, &tlsProps, &secProps) < 0) return -1; dev->data.tcp.tlscreds = true; - if (qemuDomainAddTLSObjects(vm, VIR_ASYNC_JOB_NONE, - &secProps, &tlsProps) < 0) + if (qemuDomainAddTLSx509Objects(vm, VIR_ASYNC_JOB_NONE, + &secProps, &tlsProps) < 0) return -1; return 0; @@ -1850,7 +1850,7 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver, { g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver); qemuDomainObjPrivate *priv = vm->privateData; - g_autofree char *tlsAlias = NULL; + g_autofree char *tlsx509Alias = NULL; g_autofree char *secAlias = NULL; if (dev->type != VIR_DOMAIN_CHR_TYPE_TCP || @@ -1858,7 +1858,7 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver, return 0; } - if (!(tlsAlias = qemuAliasTLSObjFromSrcAlias(inAlias))) + if (!(tlsx509Alias = qemuAliasTLSx509ObjFromSrcAlias(inAlias))) return -1; /* Best shot at this as the secinfo is destroyed after process launch @@ -1871,7 +1871,7 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver, qemuDomainObjEnterMonitor(vm); - ignore_value(qemuMonitorDelObject(priv->mon, tlsAlias, false)); + ignore_value(qemuMonitorDelObject(priv->mon, tlsx509Alias, false)); if (secAlias) ignore_value(qemuMonitorDelObject(priv->mon, secAlias, false)); 
@@ -1892,7 +1892,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, g_autofree char *charAlias = NULL; g_autoptr(virJSONValue) devprops = NULL; bool chardevAdded = false; - g_autofree char *tlsAlias = NULL; + g_autofree char *tlsx509Alias = NULL; const char *secAlias = NULL; virErrorPtr orig_err; @@ -1911,7 +1911,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, if (qemuDomainAddChardevTLSObjects(driver, vm, redirdev->source, redirdev->info.alias, charAlias, - &tlsAlias, &secAlias) < 0) + &tlsx509Alias, &secAlias) < 0) goto audit; qemuDomainObjEnterMonitor(vm); @@ -1941,7 +1941,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver, ignore_value(qemuMonitorDetachCharDev(priv->mon, charAlias)); qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias); goto audit; } @@ -2127,7 +2127,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver, bool teardowncgroup = false; bool teardowndevice = false; bool teardownlabel = false; - g_autofree char *tlsAlias = NULL; + g_autofree char *tlsx509Alias = NULL; const char *secAlias = NULL; bool need_release = false; bool guestfwd = false; @@ -2181,7 +2181,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver, if (qemuDomainAddChardevTLSObjects(driver, vm, chr->source, chr->info.alias, charAlias, - &tlsAlias, &secAlias) < 0) + &tlsx509Alias, &secAlias) < 0) goto audit; qemuDomainObjEnterMonitor(vm); @@ -2240,7 +2240,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver, qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias); goto audit; } 
@@ -2256,7 +2256,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver, g_autoptr(virJSONValue) devprops = NULL; g_autofree char *charAlias = NULL; g_autofree char *objAlias = NULL; - g_autofree char *tlsAlias = NULL; + g_autofree char *tlsx509Alias = NULL; const char *secAlias = NULL; bool releaseaddr = false; bool teardowncgroup = false; @@ -2294,7 +2294,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver, if (qemuDomainAddChardevTLSObjects(driver, vm, rng->source.chardev, rng->info.alias, charAlias, - &tlsAlias, &secAlias) < 0) + &tlsx509Alias, &secAlias) < 0) goto audit; } @@ -2345,7 +2345,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver, qemuDomainObjExitMonitor(vm); virErrorRestore(&orig_err); - qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias); goto audit; } diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h index 60ed0e174c..2d9b10204c 100644 --- a/src/qemu/qemu_hotplug.h +++ b/src/qemu/qemu_hotplug.h @@ -28,23 +28,23 @@ void qemuDomainDelTLSObjects(virDomainObj *vm, virDomainAsyncJob asyncJob, const char *secAlias, - const char *tlsAlias); + const char *tlsx509Alias); int -qemuDomainAddTLSObjects(virDomainObj *vm, - virDomainAsyncJob asyncJob, - virJSONValue **secProps, - virJSONValue **tlsProps); +qemuDomainAddTLSx509Objects(virDomainObj *vm, + virDomainAsyncJob asyncJob, + virJSONValue **secProps, + virJSONValue **tlsProps); int -qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo, - const char *tlsCertdir, - bool tlsListen, - bool tlsVerify, - const char *tlsPriority, - const char *alias, - virJSONValue **tlsProps, - virJSONValue **secProps); +qemuDomainGetTLSx509Objects(qemuDomainSecretInfo *secinfo, + const char *tlsCertdir, + bool tlsListen, + bool tlsVerify, + const char *tlsPriority, + const char *alias, + virJSONValue **tlsProps, + virJSONValue **secProps); int qemuDomainAttachDiskGeneric(virDomainObj *vm, 
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index af981fb992..15e3571c99 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -3326,7 +3326,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, qemuDomainObjPrivate *priv = vm->privateData; qemuDomainJobPrivate *jobPriv = vm->job->privateData; qemuProcessIncomingDef *incoming = NULL; - g_autofree char *tlsAlias = NULL; + g_autofree char *tlsx509Alias = NULL; virObjectEvent *event = NULL; virErrorPtr origErr = NULL; int dataFD[2] = { -1, -1 }; @@ -3412,10 +3412,10 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, /* Migrations using TLS need to add the "tls-creds-x509" object and * set the migration TLS parameters */ if (flags & VIR_MIGRATE_TLS) { - if (qemuMigrationParamsEnableTLS(driver, vm, true, - VIR_ASYNC_JOB_MIGRATION_IN, - &tlsAlias, NULL, - migParams) < 0) + if (qemuMigrationParamsEnableTLSx509(driver, vm, true, + VIR_ASYNC_JOB_MIGRATION_IN, + &tlsx509Alias, NULL, + migParams) < 0) goto error; } else { if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) @@ -3433,7 +3433,7 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, goto error; } - nbdTLSAlias = tlsAlias; + nbdTLSAlias = tlsx509Alias; } if (qemuMigrationDstStartNBDServer(driver, vm, incoming->address, @@ -4977,7 +4977,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, int ret = -1; qemuDomainObjPrivate *priv = vm->privateData; g_autoptr(qemuMigrationCookie) mig = NULL; - g_autofree char *tlsAlias = NULL; + g_autofree char *tlsx509Alias = NULL; qemuMigrationIOThread *iothread = NULL; VIR_AUTOCLOSE fd = -1; unsigned long restore_max_bandwidth = priv->migMaxBandwidth; 
@@ -5070,10 +5070,10 @@ qemuMigrationSrcRun(virQEMUDriver *driver, spec->destType == MIGRATION_DEST_FD) hostname = spec->dest.host.name; - if (qemuMigrationParamsEnableTLS(driver, vm, false, - VIR_ASYNC_JOB_MIGRATION_OUT, - &tlsAlias, hostname, - migParams) < 0) + if (qemuMigrationParamsEnableTLSx509(driver, vm, false, + VIR_ASYNC_JOB_MIGRATION_OUT, + &tlsx509Alias, hostname, + migParams) < 0) goto error; } else { if (qemuMigrationParamsDisableTLS(vm, migParams) < 0) @@ -5128,7 +5128,7 @@ qemuMigrationSrcRun(virQEMUDriver *driver, migrate_disks, migrate_disks_detect_zeroes, migrate_disks_target_zero, - dconn, tlsAlias, tlsHostname, + dconn, tlsx509Alias, tlsHostname, nbdURI, flags) < 0) { goto error; } diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c index dd47516742..c91ae89c9b 100644 --- a/src/qemu/qemu_migration_params.c +++ b/src/qemu/qemu_migration_params.c @@ -1150,12 +1150,12 @@ qemuMigrationParamsSetString(qemuMigrationParams *migParams, } -/* qemuMigrationParamsEnableTLS +/* qemuMigrationParamsEnableTLSx509 * @driver: pointer to qemu driver * @vm: domain object * @tlsListen: server or client * @asyncJob: Migration job to join - * @tlsAlias: alias to be generated for TLS object + * @tlsx509Alias: alias to be generated for TLS X.509 object * @hostname: hostname of the migration destination * @migParams: migration parameters to set * 
@@ -1166,17 +1166,17 @@ qemuMigrationParamsSetString(qemuMigrationParams *migParams, * Returns 0 on success, -1 on failure */ int -qemuMigrationParamsEnableTLS(virQEMUDriver *driver, - virDomainObj *vm, - bool tlsListen, - int asyncJob, - char **tlsAlias, - const char *hostname, - qemuMigrationParams *migParams) +qemuMigrationParamsEnableTLSx509(virQEMUDriver *driver, + virDomainObj *vm, + bool tlsListen, + int asyncJob, + char **tlsx509Alias, + const char *hostname, + qemuMigrationParams *migParams) { qemuDomainObjPrivate *priv = vm->privateData; qemuDomainJobPrivate *jobPriv = vm->job->privateData; - g_autoptr(virJSONValue) tlsProps = NULL; + g_autoptr(virJSONValue) tlsx509Props = NULL; g_autoptr(virJSONValue) secProps = NULL; g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver); const char *secAlias = NULL; 
@@ -1202,28 +1202,28 @@ qemuMigrationParamsEnableTLS(virQEMUDriver *driver, secAlias = priv->migSecinfo->alias; } - if (!(*tlsAlias = qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE))) + if (!(*tlsx509Alias = qemuAliasTLSx509ObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE))) return -1; - if (qemuDomainGetTLSObjects(priv->migSecinfo, - cfg->migrateTLSx509certdir, tlsListen, - cfg->migrateTLSx509verify, - cfg->migrateTLSpriority, - *tlsAlias, &tlsProps, &secProps) < 0) + if (qemuDomainGetTLSx509Objects(priv->migSecinfo, + cfg->migrateTLSx509certdir, tlsListen, + cfg->migrateTLSx509verify, + cfg->migrateTLSpriority, + *tlsx509Alias, &tlsx509Props, &secProps) < 0) return -1; /* Ensure the domain doesn't already have the TLS objects defined... * This should prevent any issues just in case some cleanup wasn't * properly completed (both src and dst use the same alias) or * some other error path between now and perform . */ - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsAlias); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsx509Alias); - if (qemuDomainAddTLSObjects(vm, asyncJob, &secProps, &tlsProps) < 0) + if (qemuDomainAddTLSx509Objects(vm, asyncJob, &secProps, &tlsx509Props) < 0) return -1; if (qemuMigrationParamsSetString(migParams, QEMU_MIGRATION_PARAM_TLS_CREDS, - *tlsAlias) < 0) + *tlsx509Alias) < 0) return -1; /* QEMU interprets an empty string for hostname as if it is not populated */ @@ -1290,7 +1290,7 @@ qemuMigrationParamsResetTLS(virDomainObj *vm, qemuMigrationParams *origParams, unsigned int apiFlags) { - g_autofree char *tlsAlias = NULL; + g_autofree char *tlsx509Alias = NULL; g_autofree char *secAlias = NULL; /* There's nothing to do if QEMU does not support TLS migration or we were 
@@ -1299,10 +1299,10 @@ qemuMigrationParamsResetTLS(virDomainObj *vm, !(apiFlags & VIR_MIGRATE_TLS)) return; - tlsAlias = qemuAliasTLSObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE); + tlsx509Alias = qemuAliasTLSx509ObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE); secAlias = qemuAliasForSecret(QEMU_MIGRATION_TLS_ALIAS_BASE, NULL, 0); - qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsAlias); + qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsx509Alias); g_clear_pointer(&QEMU_DOMAIN_PRIVATE(vm)->migSecinfo, qemuDomainSecretInfoFree); } diff --git a/src/qemu/qemu_migration_params.h b/src/qemu/qemu_migration_params.h index b7a829b85a..b578cf5091 100644 --- a/src/qemu/qemu_migration_params.h +++ b/src/qemu/qemu_migration_params.h @@ -115,13 +115,13 @@ qemuMigrationParamsApply(virDomainObj *vm, unsigned int apiFlags); int -qemuMigrationParamsEnableTLS(virQEMUDriver *driver, - virDomainObj *vm, - bool tlsListen, - int asyncJob, - char **tlsAlias, - const char *hostname, - qemuMigrationParams *migParams); +qemuMigrationParamsEnableTLSx509(virQEMUDriver *driver, + virDomainObj *vm, + bool tlsListen, + int asyncJob, + char **tlsx509Alias, + const char *hostname, + qemuMigrationParams *migParams); int qemuMigrationParamsDisableTLS(virDomainObj *vm, diff --git a/src/qemu/qemu_postparse.c b/src/qemu/qemu_postparse.c index 79e02e34ac..7e3e714fae 100644 --- a/src/qemu/qemu_postparse.c +++ b/src/qemu/qemu_postparse.c @@ -278,7 +278,7 @@ qemuDomainDeviceDiskDefPostParse(virDomainDiskDef *disk, if (parseFlags & VIR_DOMAIN_DEF_PARSE_STATUS && disk->src->haveTLS == VIR_TRISTATE_BOOL_YES && !disk->src->tlsAlias && - !(disk->src->tlsAlias = qemuAliasTLSObjFromSrcAlias(disk->info.alias))) + !(disk->src->tlsAlias = qemuAliasTLSx509ObjFromSrcAlias(disk->info.alias))) return -1; return 0; diff --git a/tests/qemumigparamsdata/tls-enabled.json b/tests/qemumigparamsdata/tls-enabled.json index 098d3ae148..c16d24684f 100644 --- a/tests/qemumigparamsdata/tls-enabled.json 
+++ b/tests/qemumigparamsdata/tls-enabled.json @@ -1,7 +1,7 @@ { "cpu-throttle-initial": 20, "cpu-throttle-increment": 10, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx5090", "tls-hostname": "", "max-bandwidth": 33554432, "downtime-limit": 300 diff --git a/tests/qemumigparamsdata/tls-enabled.reply b/tests/qemumigparamsdata/tls-enabled.reply index e3ce8e7778..679df2d638 100644 --- a/tests/qemumigparamsdata/tls-enabled.reply +++ b/tests/qemumigparamsdata/tls-enabled.reply @@ -4,7 +4,7 @@ "cpu-throttle-increment": 10, "tls-hostname": "", "cpu-throttle-initial": 20, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx5090", "max-bandwidth": 33554432, "downtime-limit": 300 } diff --git a/tests/qemumigparamsdata/tls-enabled.xml b/tests/qemumigparamsdata/tls-enabled.xml index 554b6855d4..e786896165 100644 --- a/tests/qemumigparamsdata/tls-enabled.xml +++ b/tests/qemumigparamsdata/tls-enabled.xml @@ -2,7 +2,7 @@ <migParams> <param name='cpu-throttle-initial' value='20'/> <param name='cpu-throttle-increment' value='10'/> - <param name='tls-creds' value='objlibvirt_migrate_tls0'/> + <param name='tls-creds' value='objlibvirt_migrate_tlsx5090'/> <param name='tls-hostname' value=''/> <param name='max-bandwidth' value='33554432'/> <param name='downtime-limit' value='300'/> diff --git a/tests/qemumigparamsdata/tls-hostname.json b/tests/qemumigparamsdata/tls-hostname.json index 2943df769b..4fb1f011fe 100644 --- a/tests/qemumigparamsdata/tls-hostname.json +++ b/tests/qemumigparamsdata/tls-hostname.json @@ -1,7 +1,7 @@ { "cpu-throttle-initial": 20, "cpu-throttle-increment": 10, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx5090", "tls-hostname": "f27-1.virt", "max-bandwidth": 33554432, "downtime-limit": 300 diff --git a/tests/qemumigparamsdata/tls-hostname.reply b/tests/qemumigparamsdata/tls-hostname.reply index f7e7a96bc5..07fa788135 100644 
--- a/tests/qemumigparamsdata/tls-hostname.reply +++ b/tests/qemumigparamsdata/tls-hostname.reply @@ -4,7 +4,7 @@ "cpu-throttle-increment": 10, "tls-hostname": "f27-1.virt", "cpu-throttle-initial": 20, - "tls-creds": "objlibvirt_migrate_tls0", + "tls-creds": "objlibvirt_migrate_tlsx5090", "max-bandwidth": 33554432, "downtime-limit": 300 } diff --git a/tests/qemumigparamsdata/tls-hostname.xml b/tests/qemumigparamsdata/tls-hostname.xml index addb5e68a4..099e28b5fc 100644 --- a/tests/qemumigparamsdata/tls-hostname.xml +++ b/tests/qemumigparamsdata/tls-hostname.xml @@ -2,7 +2,7 @@ <migParams> <param name='cpu-throttle-initial' value='20'/> <param name='cpu-throttle-increment' value='10'/> - <param name='tls-creds' value='objlibvirt_migrate_tls0'/> + <param name='tls-creds' value='objlibvirt_migrate_tlsx5090'/> <param name='tls-hostname' value='f27-1.virt'/> <param name='max-bandwidth' value='33554432'/> <param name='downtime-limit' value='300'/> diff --git a/tests/qemumonitorjsontest.c b/tests/qemumonitorjsontest.c index e34dbad7cd..67586bd84b 100644 --- a/tests/qemumonitorjsontest.c +++ b/tests/qemumonitorjsontest.c @@ -665,7 +665,7 @@ qemuMonitorJSONTestAttachChardev(virDomainXMLOption *xmlopt, "'server':false}}}"); chr->data.tcp.tlscreds = true; - chrSourcePriv->tlsCredsAlias = qemuAliasTLSObjFromSrcAlias("alias"); + chrSourcePriv->tlsCredsAlias = qemuAliasTLSx509ObjFromSrcAlias("alias"); chr->logfile = g_strdup("/test/log"); CHECK("tcp", false, "{'id':'alias'," @@ -675,7 +675,7 @@ qemuMonitorJSONTestAttachChardev(virDomainXMLOption *xmlopt, "'port':'1234'}}," "'telnet':false," "'server':false," - "'tls-creds':'objalias_tls0'," + "'tls-creds':'objalias_tlsx5090'," "'logfile':'/test/log'}}}"); } diff --git a/tests/qemustatusxml2xmldata/upgrade-out.xml b/tests/qemustatusxml2xmldata/upgrade-out.xml index c7bc7128df..bd2323862d 100644 --- a/tests/qemustatusxml2xmldata/upgrade-out.xml +++ b/tests/qemustatusxml2xmldata/upgrade-out.xml 
@@ -414,7 +414,7 @@ <host name='example.org' port='9999'/> <privateData> <objects> - <TLSx509 alias='objvirtio-disk6_tls0'/> + <TLSx509 alias='objvirtio-disk6_tlsx5090'/> </objects> </privateData> </source> diff --git a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args index dce4a582d2..c0fc1ea722 100644 --- a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args +++ b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-9.1.0.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"chardev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev '{"id":"charchannel10","backend":{"type":"socket","data":{"addr":{"type":"inet","data":{"host":"1.2.3.4","port":"5679"}},"telnet":true,"server":true,"wait":false}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"chardev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":{"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"server":false,"reconnect":2,"tls-creds":"objcharchannel11_tls0"}}}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx5090","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":{"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"server":false,"reconnect":2,"tls-creds":"objcharchannel11_tlsx5090"}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"chardev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel12","backend":{"type":"socket","data":{"addr":{"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":true,"server":false,"reconnect":2,"tls-creds":"objcharchannel12_tls0"}}}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx5090","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev 
'{"id":"charchannel12","backend":{"type":"socket","data":{"addr":{"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":true,"server":false,"reconnect":2,"tls-creds":"objcharchannel12_tlsx5090"}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"chardev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}' \ -chardev '{"id":"charchannel13","backend":{"type":"udp","data":{"remote":{"type":"inet","data":{"host":"127.0.0.1","port":"2222"}}}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"chardev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args index 2b7e614e8b..925d2f25e3 100644 --- a/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args +++ b/tests/qemuxmlconfdata/chardev-backends-json.x86_64-latest.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"chardev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev '{"id":"charchannel10","backend":{"type":"socket","data":{"addr":{"type":"inet","data":{"host":"1.2.3.4","port":"5679"}},"telnet":true,"server":true,"wait":false}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"chardev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":{"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"server":false,"reconnect-ms":2000,"tls-creds":"objcharchannel11_tls0"}}}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx5090","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev '{"id":"charchannel11","backend":{"type":"socket","data":{"addr":{"type":"inet","data":{"host":"1.2.3.4","port":"5678"}},"telnet":false,"server":false,"reconnect-ms":2000,"tls-creds":"objcharchannel11_tlsx5090"}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"chardev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev '{"id":"charchannel12","backend":{"type":"socket","data":{"addr":{"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":true,"server":false,"reconnect-ms":2000,"tls-creds":"objcharchannel12_tls0"}}}' \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx5090","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev 
'{"id":"charchannel12","backend":{"type":"socket","data":{"addr":{"type":"inet","data":{"host":"hostname.global.","port":"5679"}},"telnet":true,"server":false,"reconnect-ms":2000,"tls-creds":"objcharchannel12_tlsx5090"}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"chardev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}' \ -chardev '{"id":"charchannel13","backend":{"type":"udp","data":{"remote":{"type":"inet","data":{"host":"127.0.0.1","port":"2222"}}}}}' \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"chardev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args b/tests/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args index 81773dcacd..c5924d44c5 100644 --- a/tests/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args +++ b/tests/qemuxmlconfdata/chardev-backends.x86_64-9.1.0.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"chardev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev socket,id=charchannel10,host=1.2.3.4,port=5679,telnet=on,server=on,wait=off \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"chardev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=charchannel11,host=1.2.3.4,port=5678,reconnect=2,tls-creds=objcharchannel11_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx5090","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=charchannel11,host=1.2.3.4,port=5678,reconnect=2,tls-creds=objcharchannel11_tlsx5090 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"chardev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=charchannel12,host=hostname.global.,port=5679,telnet=on,reconnect=2,tls-creds=objcharchannel12_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx5090","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=charchannel12,host=hostname.global.,port=5679,telnet=on,reconnect=2,tls-creds=objcharchannel12_tlsx5090 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"chardev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}' \ -chardev udp,id=charchannel13,host=127.0.0.1,port=2222,localaddr=,localport=0 \ -device 
'{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"chardev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/chardev-backends.x86_64-latest.args b/tests/qemuxmlconfdata/chardev-backends.x86_64-latest.args index 9708b18735..092f5f7921 100644 --- a/tests/qemuxmlconfdata/chardev-backends.x86_64-latest.args +++ b/tests/qemuxmlconfdata/chardev-backends.x86_64-latest.args 
@@ -54,11 +54,11 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":10,"chardev":"charchannel9","id":"channel9","name":"chardev-tcp-listen-raw"}' \ -chardev socket,id=charchannel10,host=1.2.3.4,port=5679,telnet=on,server=on,wait=off \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":11,"chardev":"charchannel10","id":"channel10","name":"chardev-tcp-listen-telnet"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=charchannel11,host=1.2.3.4,port=5678,reconnect-ms=2000,tls-creds=objcharchannel11_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel11_tlsx5090","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=charchannel11,host=1.2.3.4,port=5678,reconnect-ms=2000,tls-creds=objcharchannel11_tlsx5090 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":12,"chardev":"charchannel11","id":"channel11","name":"chardev-tcp-connect-raw"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=charchannel12,host=hostname.global.,port=5679,telnet=on,reconnect-ms=2000,tls-creds=objcharchannel12_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharchannel12_tlsx5090","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=charchannel12,host=hostname.global.,port=5679,telnet=on,reconnect-ms=2000,tls-creds=objcharchannel12_tlsx5090 \ -device '{"driver":"virtserialport","bus":"virtio-serial0.0","nr":13,"chardev":"charchannel12","id":"channel12","name":"chardev-tcp-connect-telnet"}' \ -chardev udp,id=charchannel13,host=127.0.0.1,port=2222,localaddr=,localport=0 \ -device 
'{"driver":"virtserialport","bus":"virtio-serial0.0","nr":14,"chardev":"charchannel13","id":"channel13","name":"chardev-udp-nobind"}' \ diff --git a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args index 77d38c3020..0e758834fc 100644 --- a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args +++ b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args 
@@ -27,9 +27,9 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -no-shutdown \ -boot strict=on \ -device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \ --object '{"qom-type":"secret","id":"objlibvirt-1-storage_tls0-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ --object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"objlibvirt-1-storage_tls0-secret0"}' \ --blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","port":"1234"},"tls-creds":"objlibvirt-1-storage_tls0","tls-hostname":"test-hostname","node-name":"libvirt-1-storage","read-only":false,"cache":{"direct":true,"no-flush":false}}' \ +-object '{"qom-type":"secret","id":"objlibvirt-1-storage_tlsx5090-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ +-object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tlsx5090","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"objlibvirt-1-storage_tlsx5090-secret0"}' \ +-blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","port":"1234"},"tls-creds":"objlibvirt-1-storage_tlsx5090","tls-hostname":"test-hostname","node-name":"libvirt-1-storage","read-only":false,"cache":{"direct":true,"no-flush":false}}' \ -device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x7","drive":"libvirt-1-storage","id":"virtio-disk3","bootindex":1,"write-cache":"on"}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ 
diff --git a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.args b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.args index fb68ac54fb..675e266400 100644 --- a/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.args +++ b/tests/qemuxmlconfdata/disk-network-tlsx509-nbd.x86_64-latest.args 
@@ -27,9 +27,9 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -no-shutdown \ -boot strict=on \ -device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \ --object '{"qom-type":"secret","id":"objlibvirt-1-storage_tls0-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ --object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"passwordid":"objlibvirt-1-storage_tls0-secret0"}' \ --blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","port":"1234"},"tls-creds":"objlibvirt-1-storage_tls0","node-name":"libvirt-1-storage","read-only":false,"cache":{"direct":true,"no-flush":false}}' \ +-object '{"qom-type":"secret","id":"objlibvirt-1-storage_tlsx5090-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ +-object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tlsx5090","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"passwordid":"objlibvirt-1-storage_tlsx5090-secret0"}' \ +-blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","port":"1234"},"tls-creds":"objlibvirt-1-storage_tlsx5090","node-name":"libvirt-1-storage","read-only":false,"cache":{"direct":true,"no-flush":false}}' \ -device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x7","drive":"libvirt-1-storage","id":"virtio-disk3","bootindex":1,"write-cache":"on"}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \ diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_64-latest.args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_64-latest.args index f8f1bb8502..787ecbb5ec 100644 
--- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_64-latest.args +++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev-verify.x86_64-latest.args @@ -31,8 +31,8 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-storage","id":"ide0-0-0","bootindex":1}' \ -chardev udp,id=charserial0,host=127.0.0.1,port=2222,localaddr=127.0.0.1,localport=1111 \ -device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","index":0}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=charserial1,host=127.0.0.1,port=5555,tls-creds=objcharserial1_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tlsx5090","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=charserial1,host=127.0.0.1,port=5555,tls-creds=objcharserial1_tlsx5090 \ -device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","index":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","addr":"0x2"}' \ diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest.args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest.args index f8f1bb8502..787ecbb5ec 100644 --- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest.args +++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-chardev.x86_64-latest.args 
@@ -31,8 +31,8 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -device '{"driver":"ide-hd","bus":"ide.0","unit":0,"drive":"libvirt-1-storage","id":"ide0-0-0","bootindex":1}' \ -chardev udp,id=charserial0,host=127.0.0.1,port=2222,localaddr=127.0.0.1,localport=1111 \ -device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","index":0}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ --chardev socket,id=charserial1,host=127.0.0.1,port=5555,tls-creds=objcharserial1_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tlsx5090","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true}' \ +-chardev socket,id=charserial1,host=127.0.0.1,port=5555,tls-creds=objcharserial1_tlsx5090 \ -device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","index":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","addr":"0x2"}' \ diff --git a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args index 492d1be626..59f7b7be83 100644 --- a/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args +++ b/tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args 
@@ -32,8 +32,8 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \ -chardev udp,id=charserial0,host=127.0.0.1,port=2222,localaddr=127.0.0.1,localport=1111 \ -device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","index":0}' \ -object '{"qom-type":"secret","id":"charserial1-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \ --object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"charserial1-secret0"}' \ --chardev socket,id=charserial1,host=127.0.0.1,port=5555,tls-creds=objcharserial1_tls0 \ +-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tlsx5090","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"charserial1-secret0"}' \ +-chardev socket,id=charserial1,host=127.0.0.1,port=5555,tls-creds=objcharserial1_tlsx5090 \ -device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","index":1}' \ -audiodev '{"id":"audio1","driver":"none"}' \ -device '{"driver":"virtio-balloon-pci","id":"balloon0","bus":"pci.0","addr":"0x3"}' \ -- 2.39.3
Build the tls-creds-psk object with the following params: id, dir, endpoint, and username. Note: username is an optional parameter; if not provided, it defaults to the value "qemu". Suggested-by: Tejus GK <tejus.gk@nutanix.com> Signed-off-by: Abhisek Panda <abhisek.panda1@nutanix.com> --- src/qemu/qemu_command.c | 29 +++++++++++++++++++++++++++++ src/qemu/qemu_command.h | 8 ++++++++ 2 files changed, 37 insertions(+)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index a4445ef17a..69324a523f 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -1332,6 +1332,35 @@ qemuBuildTLSx509CommandLine(virCommand *cmd,
 }
+/* qemuBuildTLSPSKBackendProps:
+ * @tlsPSKpath: path to the TLS-PSK credentials file
+ * @listen: boolean listen for client or server setting
+ * @username: identifier to find the secret key of a client at the server
+ * @alias: alias for the TLS-PSK object
+ * @propsret: json properties to return
+ *
+ * Create a backend string for the tls-creds-psk object.
+ *
+ * Returns 0 on success, -1 on failure with error set.
+ */
+int
+qemuBuildTLSPSKBackendProps(const char *tlsPSKpath,
+ bool isListen,
+ const char *username,
+ const char *alias,
+ virJSONValue **propsret)
+{
+ if (qemuMonitorCreateObjectProps(propsret, "tls-creds-psk", alias,
+ "s:dir", tlsPSKpath,
+ "s:endpoint", (isListen ? "server": "client"),
+ "S:username", (isListen ? NULL: username),
+ NULL) < 0)
+ return -1;
+
+ return 0;
+}
+
+
 static int
 qemuBuildChardevCommand(virCommand *cmd,
 const virDomainChrSourceDef *dev,
diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h
index 028d002ef9..b6c6403e07 100644
--- a/src/qemu/qemu_command.h
+++ b/src/qemu/qemu_command.h
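Review bot: The doc comment on qemuBuildTLSPSKBackendProps describes a parameter `@listen` that does not exist (the signature uses `isListen`), and it calls `@tlsPSKpath` a "credentials file" even though the value becomes the object's `dir` property and the consumer added later in this series names it `tlsPSKdir`; suggest `* @tlsPSKpath: directory holding the TLS-PSK credentials` and `* @isListen: true when building the server (listening) side credentials`, plus a sentence noting that `username` is deliberately omitted on the server side. Unlike the x509 migration path, which feeds cfg->migrateTLSpriority into the x509 object, no `priority` is set here; if tls-creds-psk honours the base tls-creds `priority` property (I believe it does, please confirm), the configured priority string will silently not apply to PSK handshakes, which is worth either fixing or documenting. Minor style: `"server": "client"` and `NULL: username` should be spaced as `"server" : "client"` and `NULL : username` to match the surrounding code.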
@@ -72,6 +72,14 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
 const char *secalias,
 virJSONValue **propsret);
+/* Generate the object properties for a tls-creds-psk */
+int
+qemuBuildTLSPSKBackendProps(const char *tlsPSKpath,
+ bool isListen,
+ const char *username,
+ const char *alias,
+ virJSONValue **propsret);
+
 /* Open a UNIX socket for chardev FD passing */
 int
 qemuOpenChrChardevUNIXSocket(const virDomainChrSourceDef *dev)
-- 2.39.3
To enable TLS-PSK-based authentication scheme, add support for instantiating the tls-creds-psk object through QEMU monitor. In order to remove the TLS-related objects from a QEMU instance, augment the qemuDomainDelTLSObjects handler to also consider the TLS-PSK object. Suggested-by: Tejus GK <tejus.gk@nutanix.com> Signed-off-by: Abhisek Panda <abhisek.panda1@nutanix.com> --- src/qemu/qemu_alias.c | 11 +++++ src/qemu/qemu_alias.h | 3 ++ src/qemu/qemu_hotplug.c | 59 +++++++++++++++++++++++--- src/qemu/qemu_hotplug.h | 15 ++++++- src/qemu/qemu_migration_params.c | 73 ++++++++++++++++++++++++++++++-- src/qemu/qemu_migration_params.h | 9 ++++ 6 files changed, 159 insertions(+), 11 deletions(-)
diff --git a/src/qemu/qemu_alias.c b/src/qemu/qemu_alias.c
index 9133389df1..4d61d7d2fe 100644
--- a/src/qemu/qemu_alias.c
+++ b/src/qemu/qemu_alias.c
@@ -883,6 +883,17 @@ qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias)
 return g_strdup_printf("obj%s_tlsx5090", srcAlias);
 }
+/* qemuAliasTLSPSKObjFromSrcAlias
+ * @srcAlias: Pointer to a source alias string
+ *
+ * Generate and return a string to be used as the TLS PSK object alias
+ */
+char *
+qemuAliasTLSPSKObjFromSrcAlias(const char *srcAlias)
+{
+ return g_strdup_printf("obj%s_tlspsk0", srcAlias);
+}
+
 /* qemuAliasChardevFromDevAlias:
 * @devAlias: pointer do device alias
diff --git a/src/qemu/qemu_alias.h b/src/qemu/qemu_alias.h
index dd7bfdcc0f..2a0c7ca7c3 100644
--- a/src/qemu/qemu_alias.h
+++ b/src/qemu/qemu_alias.h
@@ -92,6 +92,9 @@ char *qemuAliasForSecret(const char *parentalias,
 char *qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias)
 ATTRIBUTE_NONNULL(1);
+char *qemuAliasTLSPSKObjFromSrcAlias(const char *srcAlias)
+ ATTRIBUTE_NONNULL(1);
+
 char *qemuAliasChardevFromDevAlias(const char *devAlias)
 ATTRIBUTE_NONNULL(1);
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index 9e7055f5da..296da1f195 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1702,12 +1702,13 @@ void
 qemuDomainDelTLSObjects(virDomainObj *vm,
 virDomainAsyncJob asyncJob,
 const char *secAlias,
- const char *tlsx509Alias)
+ const char *tlsx509Alias,
+ const char *tlsPSKAlias)
 {
 qemuDomainObjPrivate *priv = vm->privateData;
 virErrorPtr orig_err;
- if (!tlsx509Alias && !secAlias)
+ if (!tlsx509Alias && !secAlias && !tlsPSKAlias)
 return;
 virErrorPreserveLast(&orig_err);
@@ -1721,6 +1722,9 @@ qemuDomainDelTLSObjects(virDomainObj *vm,
 if (secAlias)
 ignore_value(qemuMonitorDelObject(priv->mon, secAlias, false));
+ if (tlsPSKAlias)
+ ignore_value(qemuMonitorDelObject(priv->mon, tlsPSKAlias, false));
+
 qemuDomainObjExitMonitor(vm);
 cleanup:
@@ -1759,7 +1763,7 @@ qemuDomainAddTLSx509Objects(virDomainObj *vm,
 virErrorPreserveLast(&orig_err);
 qemuDomainObjExitMonitor(vm);
 virErrorRestore(&orig_err);
- qemuDomainDelTLSObjects(vm, asyncJob, secAlias, NULL);
+ qemuDomainDelTLSObjects(vm, asyncJob, secAlias, NULL, NULL);
 return -1;
 }
@@ -1881,6 +1885,49 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver,
 }
+int
+qemuDomainAddTLSPSKObjects(virDomainObj *vm,
+ virDomainAsyncJob asyncJob,
+ virJSONValue **tlsPSKProps)
+{
+ qemuDomainObjPrivate *priv = vm->privateData;
+ virErrorPtr orig_err;
+
+ if (!tlsPSKProps)
+ return 0;
+
+ if (qemuDomainObjEnterMonitorAsync(vm, asyncJob) < 0)
+ return -1;
+
+ if (tlsPSKProps && *tlsPSKProps &&
+ qemuMonitorAddObject(priv->mon, tlsPSKProps, NULL) < 0)
+ goto error;
+
+ qemuDomainObjExitMonitor(vm);
+ return 0;
+
+ error:
+ virErrorPreserveLast(&orig_err);
+ qemuDomainObjExitMonitor(vm);
+ virErrorRestore(&orig_err);
+ return -1;
+}
+
+
+int
+qemuDomainGetTLSPSKObjects(const char *tlsPSKdir,
+ bool tlsListen,
+ const char *username,
+ const char *alias,
+ virJSONValue **tlsPSKProps)
+{
+ if (qemuBuildTLSPSKBackendProps(tlsPSKdir, tlsListen, username, alias, tlsPSKProps) < 0)
+ return -1;
+
+ return 0;
+}
+
+
 static int
 qemuDomainAttachRedirdevDevice(virQEMUDriver *driver,
 virDomainObj *vm,
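Review bot: qemuDomainAddTLSPSKObjects (the `@@ -1881` hunk) enters the monitor before looking at `*tlsPSKProps`, so a caller whose props pointer holds NULL pays a monitor enter/exit for nothing, and the `tlsPSKProps &&` in the add condition is redundant after the early `if (!tlsPSKProps) return 0;`. Suggest `if (!tlsPSKProps || !*tlsPSKProps) return 0;` as the single guard, with the add condition reduced to `if (qemuMonitorAddObject(priv->mon, tlsPSKProps, NULL) < 0) goto error;`. Neither new function carries a doc comment; qemuDomainGetTLSPSKObjects in particular should state that it only builds props and creates no secret object (unlike its x509 counterpart, which takes secinfo and returns secProps) and that `tlsPSKdir` and `username` are forwarded to QEMU unchanged. The `@@ -1702` hunk adds @tlsPSKAlias to qemuDomainDelTLSObjects; its doc comment starts outside the hunk and presumably needs the new parameter described as well.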
@@ -1941,7 +1988,7 @@ qemuDomainAttachRedirdevDevice(virQEMUDriver *driver,
 ignore_value(qemuMonitorDetachCharDev(priv->mon, charAlias));
 qemuDomainObjExitMonitor(vm);
 virErrorRestore(&orig_err);
- qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias);
+ qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias, NULL);
 goto audit;
 }
@@ -2240,7 +2287,7 @@ qemuDomainAttachChrDevice(virQEMUDriver *driver,
 qemuDomainObjExitMonitor(vm);
 virErrorRestore(&orig_err);
- qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias);
+ qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias, NULL);
 goto audit;
 }
@@ -2345,7 +2392,7 @@ qemuDomainAttachRNGDevice(virQEMUDriver *driver,
 qemuDomainObjExitMonitor(vm);
 virErrorRestore(&orig_err);
- qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias);
+ qemuDomainDelTLSObjects(vm, VIR_ASYNC_JOB_NONE, secAlias, tlsx509Alias, NULL);
 goto audit;
 }
diff --git a/src/qemu/qemu_hotplug.h b/src/qemu/qemu_hotplug.h
index 2d9b10204c..835f57ded1 100644
--- a/src/qemu/qemu_hotplug.h
+++ b/src/qemu/qemu_hotplug.h
@@ -28,7 +28,8 @@ void
 qemuDomainDelTLSObjects(virDomainObj *vm,
 virDomainAsyncJob asyncJob,
 const char *secAlias,
- const char *tlsx509Alias);
+ const char *tlsx509Alias,
+ const char *tlsPSKAlias);
 int
 qemuDomainAddTLSx509Objects(virDomainObj *vm,
@@ -46,6 +47,18 @@ qemuDomainGetTLSx509Objects(qemuDomainSecretInfo *secinfo,
 virJSONValue **tlsProps,
 virJSONValue **secProps);
+int
+qemuDomainAddTLSPSKObjects(virDomainObj *vm,
+ virDomainAsyncJob asyncJob,
+ virJSONValue **tlsPSKProps);
+
+int
+qemuDomainGetTLSPSKObjects(const char *tlsPSKdir,
+ bool tlsListen,
+ const char *username,
+ const char *alias,
+ virJSONValue **tlsPSKProps);
+
 int
 qemuDomainAttachDiskGeneric(virDomainObj *vm,
 virDomainDiskDef *disk,
diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c
index c91ae89c9b..1c6ab6fc8a 100644
--- a/src/qemu/qemu_migration_params.c
+++ b/src/qemu/qemu_migration_params.c
@@ -1216,7 +1216,7 @@ qemuMigrationParamsEnableTLSx509(virQEMUDriver *driver,
 * This should prevent any issues just in case some cleanup wasn't
 * properly completed (both src and dst use the same alias) or
 * some other error path between now and perform . */
- qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsx509Alias);
+ qemuDomainDelTLSObjects(vm, asyncJob, secAlias, *tlsx509Alias, NULL);
 if (qemuDomainAddTLSx509Objects(vm, asyncJob, &secProps, &tlsx509Props) < 0)
 return -1;
@@ -1237,6 +1237,69 @@ qemuMigrationParamsEnableTLSx509(virQEMUDriver *driver,
 }
+/* qemuMigrationParamsEnableTLSPSK
+ * @driver: pointer to qemu driver
+ * @vm: domain object
+ * @tlsListen: server or client
+ * @asyncJob: Migration job to join
+ * @tlsPSKAlias: alias to be generated for TLS-PSK object
+ * @username: hostname of the migration destination
+ * @tls_psk_directory: directory containing the TLS-PSK key file
+ * @migParams: migration parameters to set
+ *
+ * Create the TLS PSK objects for the migration and set the migParams value.
+ *
+ * Returns 0 on success, -1 on failure
+ */
+int
+qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver,
+ virDomainObj *vm,
+ bool tlsListen,
+ int asyncJob,
+ char **tlsPSKAlias,
+ const char *username,
+ qemuMigrationParams *migParams)
+{
+ qemuDomainJobPrivate *jobPriv = vm->job->privateData;
+ g_autoptr(virJSONValue) tlsPSKProps = NULL;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
+
+ if (!cfg->migrateTLSPSKdir) {
+ virReportError(VIR_ERR_OPERATION_INVALID, "%s",
+ _("host migration TLS-PSK directory not configured"));
+ return -1;
+ }
+
+ if (!jobPriv->migParams->params[QEMU_MIGRATION_PARAM_TLS_CREDS].set) {
+ virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+ _("TLS migration is not supported with this QEMU binary"));
+ return -1;
+ }
+
+ if (!(*tlsPSKAlias = qemuAliasTLSPSKObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE)))
+ return -1;
+
+ if (qemuDomainGetTLSPSKObjects(cfg->migrateTLSPSKdir, tlsListen,
+ username, *tlsPSKAlias, &tlsPSKProps) < 0)
+ return -1;
+
+ /* Ensure the domain doesn't already have the TLS-PSK objects defined...
+ * This should prevent any issues just in case some cleanup wasn't
+ * properly completed (both src and dst use the same alias) or
+ * some other error path between now and perform . 
*/
+ qemuDomainDelTLSObjects(vm, asyncJob, NULL, NULL, *tlsPSKAlias);
+
+ if (qemuDomainAddTLSPSKObjects(vm, asyncJob, &tlsPSKProps) < 0)
+ return -1;
+
+ if (qemuMigrationParamsSetString(migParams, QEMU_MIGRATION_PARAM_TLS_CREDS,
+ *tlsPSKAlias) < 0)
+ return -1;
+
+ return 0;
+}
+
+
 /* qemuMigrationParamsDisableTLS
 * @vm: domain object
 * @migParams: Pointer to a migration parameters block
@@ -1281,8 +1344,8 @@ qemuMigrationParamsTLSHostnameIsSet(qemuMigrationParams *migParams)
 * @asyncJob: migration job to join
 * @apiFlags: API flags used to start the migration
 *
- * Deconstruct all the setup possibly done for TLS - delete the TLS and
- * security objects and free the secinfo
+ * Deconstruct all the setup possibly done for TLS - delete the TLS X.509, TLS-PSK
+ * and security objects and free the secinfo
 */
 static void
 qemuMigrationParamsResetTLS(virDomainObj *vm,
@@ -1292,6 +1355,7 @@ qemuMigrationParamsResetTLS(virDomainObj *vm,
 {
 g_autofree char *tlsx509Alias = NULL;
 g_autofree char *secAlias = NULL;
+ g_autofree char *tlsPSKAlias = NULL;
 /* There's nothing to do if QEMU does not support TLS migration or we were
 * not asked to enable it. */
@@ -1301,8 +1365,9 @@ qemuMigrationParamsResetTLS(virDomainObj *vm,
 tlsx509Alias = qemuAliasTLSx509ObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE);
 secAlias = qemuAliasForSecret(QEMU_MIGRATION_TLS_ALIAS_BASE, NULL, 0);
+ tlsPSKAlias = qemuAliasTLSPSKObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE);
- qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsx509Alias);
+ qemuDomainDelTLSObjects(vm, asyncJob, secAlias, tlsx509Alias, tlsPSKAlias);
 g_clear_pointer(&QEMU_DOMAIN_PRIVATE(vm)->migSecinfo, qemuDomainSecretInfoFree);
 }
diff --git a/src/qemu/qemu_migration_params.h b/src/qemu/qemu_migration_params.h
index b578cf5091..07f5812065 100644
--- a/src/qemu/qemu_migration_params.h
+++ b/src/qemu/qemu_migration_params.h
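Review bot: The header comment on qemuMigrationParamsEnableTLSPSK does not match its signature: it documents a `@tls_psk_directory` parameter that does not exist (the directory is read from `cfg->migrateTLSPSKdir`), describes `@username` as the destination hostname although the X.509 variant takes a distinct `hostname` parameter (see the qemu_migration_params.h hunk below), and does not say that `@tlsPSKAlias` is an output the caller must g_free(). Suggest `@tlsPSKAlias: filled with the newly allocated alias of the TLS-PSK object`, `@username: identity handed to qemuBuildTLSPSKBackendProps (confirm against that helper)`, and dropping the `@tls_psk_directory` line. `asyncJob` is declared `int` here while qemuDomainAddTLSPSKObjects and qemuDomainDelTLSObjects take `virDomainAsyncJob`; unless qemuMigrationParamsEnableTLSx509 also uses `int`, declare it `virDomainAsyncJob asyncJob` to avoid the implicit conversion. The NULL test on the alias returned by qemuAliasTLSPSKObjFromSrcAlias is dead code, since g_strdup_printf never returns NULL, but it is harmless.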
@@ -123,6 +123,15 @@ qemuMigrationParamsEnableTLSx509(virQEMUDriver *driver,
 const char *hostname,
 qemuMigrationParams *migParams);
+int
+qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver,
+ virDomainObj *vm,
+ bool tlsListen,
+ int asyncJob,
+ char **tlsPSKAlias,
+ const char *username,
+ qemuMigrationParams *migParams);
+
 int
 qemuMigrationParamsDisableTLS(virDomainObj *vm,
 qemuMigrationParams *migParams);
-- 2.39.3