qemu: add ability to set TLS priority string with QEMU
authorDaniel P. Berrangé <berrange@redhat.com>
Wed, 16 Jul 2025 15:40:01 +0000 (16:40 +0100)
committerDaniel P. Berrangé <berrange@redhat.com>
Tue, 22 Jul 2025 10:06:50 +0000 (11:06 +0100)
QEMU will either use the GNUTLS default priority string of "NORMAL",
or on Fedora/RHEL related distros, "@QEMU,SYSTEM", which resolves to
a configuration in /etc/crypto-policies/back-ends/gnutls.config.

The latter gives the sysadmin the ability to change the priority
string used for GNUTLS at deployment time, either system side, or
exclusively for QEMU, avoiding the hardcoded GNUTLS defaults.

There are still some limitations to this:

 * Priorities cannot be set for different areas of QEMU
   functionality (migration, vnc, nbd, etc)

 * Priorities are fixed at the time when QEMU first
   triggers GNUTLS to load its config file, often
   immediately at startup.

We recently uncovered a QEMU bug that causes crashes in live
migration with TLS-1.3, where the easiest workaround is to
change the TLS priorities. We can't change this on the running
QEMU, but fortunately it is possible to change it on the target
QEMU and the TLS handshake will make it take effect on both
src and dst.

The problem is, while fixing the immediate incoming and outgoing
live migration problems, the workaround will apply to everything
else that QEMU does for the rest of the time that process exists.

We want to make it possible to set the TLS priorities only for
the current migrations, such that if the target QEMU has a fixed
GNUTLS, it will not have its TLS priorities hobbled for the next
live migration.

To achieve this we need libvirt to be able to (optionally) set
the TLS priority string with QEMU. While live migration is the
most pressing need, the new qemu.conf parameters are wired up
for every subsystem for greater selectivity in future.

With this we can activate the GNUTLS workaround for running
QEMU processes by editing qemu.conf and restarting virtqemud,
and later undo this the same way.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
20 files changed:
src/conf/storage_source_conf.c
src/conf/storage_source_conf.h
src/qemu/libvirtd_qemu.aug
src/qemu/qemu.conf.in
src/qemu/qemu_backup.c
src/qemu/qemu_blockjob.c
src/qemu/qemu_command.c
src/qemu/qemu_command.h
src/qemu/qemu_conf.c
src/qemu/qemu_conf.h
src/qemu/qemu_domain.c
src/qemu/qemu_domain.h
src/qemu/qemu_hotplug.c
src/qemu/qemu_hotplug.h
src/qemu/qemu_migration_params.c
src/qemu/test_libvirtd_qemu.aug.in
tests/qemuxmlconfdata/disk-network-tlsx509-nbd-hostname.x86_64-latest.args
tests/qemuxmlconfdata/graphics-vnc-tls-secret.x86_64-latest.args
tests/qemuxmlconfdata/serial-tcp-tlsx509-secret-chardev.x86_64-latest.args
tests/qemuxmlconftest.c

index 8a063be244c266aafe542e3761e47595618b0dac..8bab116d89a72142f8699283b7e15a036e52111c 100644 (file)
@@ -832,6 +832,7 @@ virStorageSourceCopy(const virStorageSource *src,
     def->compat = g_strdup(src->compat);
     def->tlsAlias = g_strdup(src->tlsAlias);
     def->tlsCertdir = g_strdup(src->tlsCertdir);
+    def->tlsPriority = g_strdup(src->tlsPriority);
     def->tlsHostname = g_strdup(src->tlsHostname);
     def->query = g_strdup(src->query);
     def->vdpadev = g_strdup(src->vdpadev);
@@ -1185,6 +1186,7 @@ virStorageSourceClear(virStorageSource *def)
 
     VIR_FREE(def->tlsAlias);
     VIR_FREE(def->tlsCertdir);
+    VIR_FREE(def->tlsPriority);
     VIR_FREE(def->tlsHostname);
 
     VIR_FREE(def->ssh_user);
index ebddf28cd693702b3957914f54bf82d0774faaaa..a0d5acdb09fc9711b4fce2e49cd9ca1dd2ce0d30 100644 (file)
@@ -396,6 +396,7 @@ struct _virStorageSource {
      * certificate directory with listen and verify bools. */
     char *tlsAlias;
     char *tlsCertdir;
+    char *tlsPriority;
 
     /* TLS hostname override */
     char *tlsHostname;
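Review bot: The new `tlsPriority` field is the only one in this group without a comment, and the block comment above it describes only the alias and certificate directory, so a reader cannot tell whether NULL is a valid state. The sibling field added to `_qemuDomainChrSourcePrivate` in qemu_domain.h does carry one; suggest the same here, `char *tlsPriority; /* optional GNUTLS priority string; NULL leaves QEMU's default in place */`. The NULL semantics follow from the `"S:priority"` property in qemuBuildTLSx509BackendProps, which (as far as I know the `S:` modifier) omits the key when the value is NULL.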
index d36baed6fc4375ae9810b1b78010bf3b7eb7aea7..772d4dcabe6e02c7da1c300602439116a786cff6 100644 (file)
@@ -30,6 +30,7 @@ module Libvirtd_qemu =
    let default_tls_entry = str_entry "default_tls_x509_cert_dir"
                  | bool_entry "default_tls_x509_verify"
                  | str_entry "default_tls_x509_secret_uuid"
+                 | str_entry "default_tls_priority"
 
    let vnc_entry = str_entry "vnc_listen"
                  | bool_entry "vnc_auto_unix_socket"
@@ -37,6 +38,7 @@ module Libvirtd_qemu =
                  | str_entry "vnc_tls_x509_cert_dir"
                  | bool_entry "vnc_tls_x509_verify"
                  | str_entry "vnc_tls_x509_secret_uuid"
+                 | str_entry "vnc_tls_priority"
                  | str_entry "vnc_password"
                  | bool_entry "vnc_sasl"
                  | str_entry "vnc_sasl_dir"
@@ -59,15 +61,18 @@ module Libvirtd_qemu =
                  | str_entry "chardev_tls_x509_cert_dir"
                  | bool_entry "chardev_tls_x509_verify"
                  | str_entry "chardev_tls_x509_secret_uuid"
+                 | str_entry "chardev_tls_priority"
 
    let migrate_entry = str_entry "migrate_tls_x509_cert_dir"
                  | bool_entry "migrate_tls_x509_verify"
                  | str_entry "migrate_tls_x509_secret_uuid"
+                 | str_entry "migrate_tls_priority"
                  | bool_entry "migrate_tls_force"
 
    let backup_entry = str_entry "backup_tls_x509_cert_dir"
                  | bool_entry "backup_tls_x509_verify"
                  | str_entry "backup_tls_x509_secret_uuid"
+                 | str_entry "backup_tls_priority"
 
    (* support for vxhs was removed from qemu and the examples were dopped from *)
    (* qemu.conf but these need to stay *)
@@ -78,6 +83,7 @@ module Libvirtd_qemu =
    let nbd_entry = bool_entry "nbd_tls"
                  | str_entry "nbd_tls_x509_cert_dir"
                  | str_entry "nbd_tls_x509_secret_uuid"
+                 | str_entry "nbd_tls_priority"
 
    let nogfx_entry = bool_entry "nographics_allow_host_audio"
 
index 76cbe1a72dced54c2e6e68d42305b55c11272848..b0fb30d74fe3db8c17edc92e84eca858d4522800 100644 (file)
 #default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
 
 
+# Libvirt allows QEMU to use its built-in TLS priority by default,
+# however, this allows overriding it at runtime. This is especially
+# useful if TLS priority needs to be changed for an operation run
+# against an existing running QEMU.
+#
+# This must be a valid GNUTLS priority string:
+#
+#   https://gnutls.org/manual/html_node/Priority-Strings.html
+#
+#default_tls_priority = "@SYSTEM"
+
+
 # VNC is configured to listen on 127.0.0.1 by default.
 # To make it listen on all public interfaces, uncomment
 # this next option.
 #vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
 
 
+# Override QEMU default GNUTLS priority string for VNC
+#
+#vnc_tls_priority = "@SYSTEM"
+
+
 # The default VNC password. Only 8 bytes are significant for
 # VNC passwords. This parameter is only used if the per-domain
 # XML config does not already provide a password. To allow
 #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
 
 
+# Override QEMU default GNUTLS priority string for character devices
+#
+#chardev_tls_priority = "@SYSTEM"
+
+
 # The support for VxHS network block protocol was removed in qemu-5.2 and
 # thus also dropped from libvirt's qemu driver. The following options which
 # were used to configure the TLS certificates for VxHS are thus ignored.
 #nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
 
 
+# Override QEMU default GNUTLS priority string for NBD
+#
+#nbd_tls_priority = "@SYSTEM"
+
+
 # In order to override the default TLS certificate location for migration
 # certificates, supply a valid path to the certificate directory. If the
 # provided path does not exist, libvirtd will fail to start. If the path is
 #migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
 
 
+# Override QEMU default GNUTLS priority string for live migration
+#
+#migrate_tls_priority = "@SYSTEM"
+
+
 # By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not requested
 # automatically. Setting 'migate_tls_force' to "1" will prevent any migration
 # which is not using VIR_MIGRATE_TLS to ensure higher level of security in
 #backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
 
 
+# Override QEMU default GNUTLS priority string for NBD backups
+#
+#backup_tls_priority = "@SYSTEM"
+
+
 # By default, if no graphical front end is configured, libvirt will disable
 # QEMU audio output since directly talking to alsa/pulseaudio may not work
 # with various security settings. If you know what you're doing, enable
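Review bot: The `default_tls_priority` comment says the priority can be overridden "at runtime", but the commit description itself notes that a running QEMU's priorities cannot be changed; the value only reaches QEMU when libvirt creates a new tls-creds object (domain start for VNC, or the point at which a migration, backup, NBD disk or hotplugged chardev gets its object), and only after virtqemud has re-read qemu.conf. Suggest replacing the second sentence with `# This does not alter a QEMU that is already running; it applies to TLS credential objects created after virtqemud has (re)loaded this file.` The `@SYSTEM` example presumably resolves only where a crypto-policies GNUTLS config exists (the description names /etc/crypto-policies/back-ends/gnutls.config); elsewhere QEMU would reject it, and since libvirt does not validate the string that failure appears at the affected operation rather than at daemon start, which is worth one line here. The same wording applies to the five per-subsystem entries in the later hunks of this file.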
index fb3558d280ac3b5a3fdc60f1abeffea48dbfc494..1f43479b5e2b2d96933a654f32cbfc643e41e58d 100644 (file)
@@ -728,8 +728,9 @@ qemuBackupBeginPrepareTLS(virDomainObj *vm,
     }
 
     if (qemuBuildTLSx509BackendProps(cfg->backupTLSx509certdir, true,
-                                     cfg->backupTLSx509verify, tlsObjAlias,
-                                     tlsKeySecretAlias,
+                                     cfg->backupTLSx509verify,
+                                     cfg->backupTLSpriority,
+                                     tlsObjAlias, tlsKeySecretAlias,
                                      tlsProps) < 0)
         return -1;
 
index c7462e28385c2a2ac88b8e4af6997c6b67b7a7dd..315b742053c107e25f6c7174643723eaecffbad7 100644 (file)
@@ -624,6 +624,7 @@ qemuBlockJobCleanStorageSourceRuntime(virStorageSource *src)
     VIR_FREE(src->nodenameformat);
     VIR_FREE(src->tlsAlias);
     VIR_FREE(src->tlsCertdir);
+    VIR_FREE(src->tlsPriority);
 }
 
 
index fc6ce4dd914310d1a8d1dc417b50f23658ee8fe9..4b1e36a4c1d0cf9d4ed69928b1dfa7ca33236aca 100644 (file)
@@ -1263,6 +1263,7 @@ qemuBuildObjectSecretCommandLine(virCommand *cmd,
  * @tlspath: path to the TLS credentials
  * @listen: boolean listen for client or server setting
  * @verifypeer: boolean to enable peer verification (form of authorization)
+ * @priority: GNUTLS priority string override (optional)
  * @alias: alias for the TLS credentials object
  * @secalias: if one exists, the alias of the security object for passwordid
  * @propsret: json properties to return
@@ -1275,6 +1276,7 @@ int
 qemuBuildTLSx509BackendProps(const char *tlspath,
                              bool isListen,
                              bool verifypeer,
+                             const char *priority,
                              const char *alias,
                              const char *secalias,
                              virJSONValue **propsret)
@@ -1283,6 +1285,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
                                      "s:dir", tlspath,
                                      "s:endpoint", (isListen ? "server": "client"),
                                      "b:verify-peer", (isListen ? verifypeer : true),
+                                     "S:priority", priority,
                                      "S:passwordid", secalias,
                                      NULL) < 0)
         return -1;
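Review bot: `priority` is forwarded to QEMU unchecked at the `"S:priority"` line, so a malformed or unsupported priority string taken from qemu.conf is only detected when QEMU instantiates the tls-creds object — at domain start for VNC, or in the middle of a migration, backup or hotplug for the other users. The `@priority` doc line in the preceding hunk should make both the NULL case and the lack of validation explicit, e.g. `@priority: GNUTLS priority string override, or NULL to keep QEMU's built-in default; not validated by libvirt, an invalid string makes QEMU fail to create the object`. The body of qemuBuildTLSx509BackendProps continues outside this hunk.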
@@ -1296,6 +1299,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
  * @tlspath: path to the TLS credentials
  * @listen: boolean listen for client or server setting
  * @verifypeer: boolean to enable peer verification (form of authorization)
+ * @priority: GNUTLS priority string override (optional)
  * @certEncSecretAlias: alias of a 'secret' object for decrypting TLS private key
  *                      (optional)
  * @alias: TLS object alias
@@ -1309,13 +1313,14 @@ qemuBuildTLSx509CommandLine(virCommand *cmd,
                             const char *tlspath,
                             bool isListen,
                             bool verifypeer,
+                            const char *priority,
                             const char *certEncSecretAlias,
                             const char *alias)
 {
     g_autoptr(virJSONValue) props = NULL;
 
-    if (qemuBuildTLSx509BackendProps(tlspath, isListen, verifypeer, alias,
-                                     certEncSecretAlias, &props) < 0)
+    if (qemuBuildTLSx509BackendProps(tlspath, isListen, verifypeer, priority,
+                                     alias, certEncSecretAlias, &props) < 0)
         return -1;
 
     if (qemuBuildObjectCommandlineFromJSON(cmd, props) < 0)
@@ -1357,6 +1362,7 @@ qemuBuildChardevCommand(virCommand *cmd,
             if (qemuBuildTLSx509CommandLine(cmd, chrSourcePriv->tlsCertPath,
                                             dev->data.tcp.listen,
                                             chrSourcePriv->tlsVerify,
+                                            chrSourcePriv->tlsPriority,
                                             tlsCertEncSecAlias,
                                             objalias) < 0) {
                 return -1;
@@ -8353,6 +8359,7 @@ qemuBuildGraphicsVNCCommandLine(virQEMUDriverConfig *cfg,
                                         cfg->vncTLSx509certdir,
                                         true,
                                         cfg->vncTLSx509verify,
+                                        cfg->vncTLSpriority,
                                         secretAlias,
                                         gfxPriv->tlsAlias) < 0)
             return -1;
@@ -11194,8 +11201,8 @@ qemuBuildStorageSourceAttachPrepareCommon(virStorageSource *src,
     }
 
     if (src->haveTLS == VIR_TRISTATE_BOOL_YES &&
-        qemuBuildTLSx509BackendProps(src->tlsCertdir, false, true, src->tlsAlias,
-                                     tlsKeySecretAlias, &data->tlsProps) < 0)
+        qemuBuildTLSx509BackendProps(src->tlsCertdir, false, true, src->tlsPriority,
+                                     src->tlsAlias, tlsKeySecretAlias, &data->tlsProps) < 0)
         return -1;
 
     return 0;
index 574dffdc962829a6222a0690035e3317a592a0f3..ad068f1f1689480f32295497d72f0564439e75db 100644 (file)
@@ -67,6 +67,7 @@ int
 qemuBuildTLSx509BackendProps(const char *tlspath,
                              bool isListen,
                              bool verifypeer,
+                             const char *priority,
                              const char *alias,
                              const char *secalias,
                              virJSONValue **propsret);
index 482e19b502001030cc4794eefa05d5fe60fef5d1..088904eb12698c3e362689a27aec7d06d101dfbd 100644 (file)
@@ -454,6 +454,9 @@ virQEMUDriverConfigLoadDefaultTLSEntry(virQEMUDriverConfig *cfg,
     if (virConfGetValueString(conf, "default_tls_x509_secret_uuid",
                               &cfg->defaultTLSx509secretUUID) < 0)
         return -1;
+    if (virConfGetValueString(conf, "default_tls_priority",
+                              &cfg->defaultTLSpriority) < 0)
+        return -1;
 
     return 0;
 }
@@ -566,6 +569,9 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfig *cfg,
                                   #val "_tls_x509_secret_uuid", \
                                   &cfg->val## TLSx509secretUUID) < 0) \
             return -1; \
+        if ((rv = virConfGetValueString(conf, #val "_tls_priority", \
+                                        &cfg->val## TLSpriority)) < 0) \
+            return -1; \
     } while (0)
 
 #define GET_CONFIG_TLS_CERTINFO_SERVER(val) \
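Review bot: The added `if ((rv = virConfGetValueString(conf, #val "_tls_priority", ...)) < 0)` stores the result in `rv` but nothing after it in the macro reads the value, while the `_tls_x509_secret_uuid` lookup two lines above compares the return directly; `if (virConfGetValueString(conf, #val "_tls_priority", &cfg->val## TLSpriority) < 0) return -1;` would match the neighbouring style. The `#define` line of the macro is above the hunk, so if `rv` is consulted somewhere I cannot see this is moot.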
@@ -1441,6 +1447,22 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfig *cfg)
 
 #undef SET_TLS_SECRET_UUID_DEFAULT
 
+#define SET_TLS_PRIORITY_DEFAULT(val) \
+    do { \
+        if (!cfg->val## TLSpriority && \
+            cfg->defaultTLSpriority) { \
+            cfg->val## TLSpriority = g_strdup(cfg->defaultTLSpriority); \
+        } \
+    } while (0)
+
+    SET_TLS_PRIORITY_DEFAULT(vnc);
+    SET_TLS_PRIORITY_DEFAULT(chardev);
+    SET_TLS_PRIORITY_DEFAULT(migrate);
+    SET_TLS_PRIORITY_DEFAULT(backup);
+    SET_TLS_PRIORITY_DEFAULT(nbd);
+
+#undef SET_TLS_PRIORITY_DEFAULT
+
     /*
      * If a "SYSCONFDIR" + "pki/libvirt-<val>" exists, then assume someone
      * has created a val specific area to place service specific certificates.
index ff376aed4d3f458a983aa279ec10e41a40657dd9..192ddd0cbddb2298ef3eea61df57a2cb3f075a6c 100644 (file)
@@ -117,6 +117,7 @@ struct _virQEMUDriverConfig {
     bool defaultTLSx509verify;
     bool defaultTLSx509verifyPresent;
     char *defaultTLSx509secretUUID;
+    char *defaultTLSpriority;
 
     bool vncAutoUnixSocket;
     bool vncTLS;
@@ -125,6 +126,7 @@ struct _virQEMUDriverConfig {
     bool vncSASL;
     char *vncTLSx509certdir;
     char *vncTLSx509secretUUID;
+    char *vncTLSpriority;
     char *vncListen;
     char *vncPassword;
     char *vncSASLdir;
@@ -147,21 +149,25 @@ struct _virQEMUDriverConfig {
     bool chardevTLSx509verify;
     bool chardevTLSx509verifyPresent;
     char *chardevTLSx509secretUUID;
+    char *chardevTLSpriority;
 
     char *migrateTLSx509certdir;
     bool migrateTLSx509verify;
     bool migrateTLSx509verifyPresent;
     char *migrateTLSx509secretUUID;
+    char *migrateTLSpriority;
     bool migrateTLSForce;
 
     char *backupTLSx509certdir;
     bool backupTLSx509verify;
     bool backupTLSx509verifyPresent;
     char *backupTLSx509secretUUID;
+    char *backupTLSpriority;
 
     bool nbdTLS;
     char *nbdTLSx509certdir;
     char *nbdTLSx509secretUUID;
+    char *nbdTLSpriority;
 
     unsigned int remotePortMin;
     unsigned int remotePortMax;
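Review bot: Six new heap-allocated strings are added to `_virQEMUDriverConfig` (`defaultTLSpriority`, `vncTLSpriority`, `chardevTLSpriority`, `migrateTLSpriority`, `backupTLSpriority`, `nbdTLSpriority`), but none of the qemu_conf.c hunks in this commit touch `virQEMUDriverConfigDispose`, where the sibling `*TLSx509certdir` and `*TLSx509secretUUID` strings are presumably released. Unless that function was changed in a hunk not shown on this page, each new string leaks when the config object is disposed and needs a `g_free(cfg->...TLSpriority);` beside its siblings. A short comment on the fields, as qemu_domain.h does with `/* optional GNUTLS priority string */`, would also help.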
index 963dbd3973e8fa251347c8b59446a30872544212..54eda9e12fd47c5469123d7e72816ca3e274645e 100644 (file)
@@ -955,6 +955,7 @@ qemuDomainChrSourcePrivateDispose(void *obj)
     qemuDomainChrSourcePrivateClearFDPass(priv);
 
     g_free(priv->tlsCertPath);
+    g_free(priv->tlsPriority);
 
     g_free(priv->tlsCredsAlias);
 
@@ -8793,6 +8794,7 @@ qemuDomainPrepareChardevSourceOne(virDomainDeviceDef *dev,
 
             if (charsrc->data.tcp.haveTLS == VIR_TRISTATE_BOOL_YES) {
                 charpriv->tlsCertPath = g_strdup(data->cfg->chardevTLSx509certdir);
+                charpriv->tlsPriority = g_strdup(data->cfg->chardevTLSpriority);
                 charpriv->tlsVerify = data->cfg->chardevTLSx509verify;
             }
         }
@@ -8858,6 +8860,7 @@ qemuProcessPrepareStorageSourceTLSNBD(virStorageSource *src,
 
         src->tlsAlias = qemuAliasTLSObjFromSrcAlias(parentAlias);
         src->tlsCertdir = g_strdup(cfg->nbdTLSx509certdir);
+        src->tlsPriority = g_strdup(cfg->nbdTLSpriority);
 
         if (cfg->nbdTLSx509secretUUID) {
             qemuDomainStorageSourcePrivate *srcpriv = qemuDomainStorageSourcePrivateFetch(src);
index 49f83613e31766604243333737a0711deae15c4b..b53ebcb47898e7a524b91caaa1daaa35e7336035 100644 (file)
@@ -384,6 +384,7 @@ struct _qemuDomainChrSourcePrivate {
 
     char *tlsCertPath; /* path to certificates if TLS is requested */
     bool tlsVerify; /* whether server should verify client certificates */
+    char *tlsPriority; /* optional GNUTLS priority string */
 
     char *tlsCredsAlias; /* alias of the x509 tls credentials object */
 };
index 073bd97d3af6fb9a665693d5956a520ef699b3f7..e9568af12593b058c4242d5e69addd4d2bc5df62 100644 (file)
@@ -1749,6 +1749,7 @@ qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo,
                         const char *tlsCertdir,
                         bool tlsListen,
                         bool tlsVerify,
+                        const char *tlsPriority,
                         const char *alias,
                         virJSONValue **tlsProps,
                         virJSONValue **secProps)
@@ -1762,7 +1763,7 @@ qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo,
         secAlias = secinfo->alias;
     }
 
-    if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify,
+    if (qemuBuildTLSx509BackendProps(tlsCertdir, tlsListen, tlsVerify, tlsPriority,
                                      alias, secAlias, tlsProps) < 0)
         return -1;
 
@@ -1806,6 +1807,7 @@ qemuDomainAddChardevTLSObjects(virQEMUDriver *driver,
                                 cfg->chardevTLSx509certdir,
                                 dev->data.tcp.listen,
                                 cfg->chardevTLSx509verify,
+                                cfg->chardevTLSpriority,
                                 *tlsAlias, &tlsProps, &secProps) < 0)
         return -1;
 
index de75bf9225bdd92e2aad6c3fd4fa4e220125a4a3..fb0b5b6cd7fe53c9779666035154a79038bd457c 100644 (file)
@@ -41,6 +41,7 @@ qemuDomainGetTLSObjects(qemuDomainSecretInfo *secinfo,
                         const char *tlsCertdir,
                         bool tlsListen,
                         bool tlsVerify,
+                        const char *tlsPriority,
                         const char *alias,
                         virJSONValue **tlsProps,
                         virJSONValue **secProps);
index 17d08f4aa54eaf5a5dce1e40cfb61ee0b206af85..b79bbad5c2b087eae9f4fae92fabd2aac97cbdf3 100644 (file)
@@ -1208,6 +1208,7 @@ qemuMigrationParamsEnableTLS(virQEMUDriver *driver,
     if (qemuDomainGetTLSObjects(priv->migSecinfo,
                                 cfg->migrateTLSx509certdir, tlsListen,
                                 cfg->migrateTLSx509verify,
+                                cfg->migrateTLSpriority,
                                 *tlsAlias, &tlsProps, &secProps) < 0)
         return -1;
 
index e461fcc9dfc394e9c41730f94c78fc7846613548..1fa0e2206e8dc15e3fcf3bb8704c3108459fac5a 100644 (file)
@@ -5,12 +5,14 @@ module Test_libvirtd_qemu =
 { "default_tls_x509_cert_dir" = "/etc/pki/qemu" }
 { "default_tls_x509_verify" = "1" }
 { "default_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "default_tls_priority" = "@SYSTEM" }
 { "vnc_listen" = "0.0.0.0" }
 { "vnc_auto_unix_socket" = "1" }
 { "vnc_tls" = "1" }
 { "vnc_tls_x509_cert_dir" = "/etc/pki/libvirt-vnc" }
 { "vnc_tls_x509_verify" = "1" }
 { "vnc_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "vnc_tls_priority" = "@SYSTEM" }
 { "vnc_password" = "XYZ12345" }
 { "vnc_sasl" = "1" }
 { "vnc_sasl_dir" = "/some/directory/sasl2" }
@@ -30,19 +32,23 @@ module Test_libvirtd_qemu =
 { "chardev_tls_x509_cert_dir" = "/etc/pki/libvirt-chardev" }
 { "chardev_tls_x509_verify" = "1" }
 { "chardev_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "chardev_tls_priority" = "@SYSTEM" }
 { "vxhs_tls" = "1" }
 { "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" }
 { "vxhs_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
 { "nbd_tls" = "1" }
 { "nbd_tls_x509_cert_dir" = "/etc/pki/libvirt-nbd" }
 { "nbd_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "nbd_tls_priority" = "@SYSTEM" }
 { "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" }
 { "migrate_tls_x509_verify" = "1" }
 { "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "migrate_tls_priority" = "@SYSTEM" }
 { "migrate_tls_force" = "0" }
 { "backup_tls_x509_cert_dir" = "/etc/pki/libvirt-backup" }
 { "backup_tls_x509_verify" = "1" }
 { "backup_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
+{ "backup_tls_priority" = "@SYSTEM" }
 { "nographics_allow_host_audio" = "1" }
 { "remote_display_port_min" = "5900" }
 { "remote_display_port_max" = "65535" }
index 4ee9a0631ba91d03e3b7ed23fcc5b0a7e8c891bb..77d38c3020cd1245da0fd44d0c4dd52ddf3a666f 100644 (file)
@@ -28,7 +28,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
 -boot strict=on \
 -device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \
 -object '{"qom-type":"secret","id":"objlibvirt-1-storage_tls0-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
--object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"passwordid":"objlibvirt-1-storage_tls0-secret0"}' \
+-object '{"qom-type":"tls-creds-x509","id":"objlibvirt-1-storage_tls0","dir":"/etc/pki/libvirt-nbd","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"objlibvirt-1-storage_tls0-secret0"}' \
 -blockdev '{"driver":"nbd","server":{"type":"inet","host":"example.com","port":"1234"},"tls-creds":"objlibvirt-1-storage_tls0","tls-hostname":"test-hostname","node-name":"libvirt-1-storage","read-only":false,"cache":{"direct":true,"no-flush":false}}' \
 -device '{"driver":"virtio-blk-pci","bus":"pci.0","addr":"0x7","drive":"libvirt-1-storage","id":"virtio-disk3","bootindex":1,"write-cache":"on"}' \
 -audiodev '{"id":"audio1","driver":"none"}' \
index 50cc8532d1e923801ad6704ddae2da755147bb76..32d7be1d3b6cf2ed248cb5c770c6ea1a78f7925b 100644 (file)
@@ -29,7 +29,7 @@ SASL_CONF_PATH=/etc/sasl2 \
 -device '{"driver":"piix3-usb-uhci","id":"usb","bus":"pci.0","addr":"0x1.0x2"}' \
 -audiodev '{"id":"audio1","driver":"none"}' \
 -object '{"qom-type":"secret","id":"vnc-tls-creds0-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
--object '{"qom-type":"tls-creds-x509","id":"vnc-tls-creds0","dir":"/etc/pki/libvirt-vnc","endpoint":"server","verify-peer":true,"passwordid":"vnc-tls-creds0-secret0"}' \
+-object '{"qom-type":"tls-creds-x509","id":"vnc-tls-creds0","dir":"/etc/pki/libvirt-vnc","endpoint":"server","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"vnc-tls-creds0-secret0"}' \
 -vnc 127.0.0.1:3,tls-creds=vnc-tls-creds0,sasl=on,audiodev=audio1 \
 -device '{"driver":"cirrus-vga","id":"video0","bus":"pci.0","addr":"0x2"}' \
 -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
index c227a04112020e6b45e934582e27d6c71ab40eb4..492d1be626f24fd078ae0d4f5cddde714666f817 100644 (file)
@@ -32,7 +32,7 @@ XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain--1-QEMUGuest1/.config \
 -chardev udp,id=charserial0,host=127.0.0.1,port=2222,localaddr=127.0.0.1,localport=1111 \
 -device '{"driver":"isa-serial","chardev":"charserial0","id":"serial0","index":0}' \
 -object '{"qom-type":"secret","id":"charserial1-secret0","data":"9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1","keyid":"masterKey0","iv":"AAECAwQFBgcICQoLDA0ODw==","format":"base64"}' \
--object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"passwordid":"charserial1-secret0"}' \
+-object '{"qom-type":"tls-creds-x509","id":"objcharserial1_tls0","dir":"/etc/pki/libvirt-chardev","endpoint":"client","verify-peer":true,"priority":"@SYSTEM:-VERS-TLS1.3","passwordid":"charserial1-secret0"}' \
 -chardev socket,id=charserial1,host=127.0.0.1,port=5555,tls-creds=objcharserial1_tls0 \
 -device '{"driver":"isa-serial","chardev":"charserial1","id":"serial1","index":1}' \
 -audiodev '{"id":"audio1","driver":"none"}' \
index ae8efd58f8ac201f12be863d88b14fcb8397af59..aeca353437a3c1f4a4189c95481b90ebb168cc79 100644 (file)
@@ -1596,7 +1596,9 @@ mymain(void)
     driver.config->nbdTLSx509secretUUID = g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea");
     DO_TEST_CAPS_LATEST("disk-network-tlsx509-nbd");
     DO_TEST_CAPS_VER_PARSE_ERROR("disk-network-tlsx509-nbd-hostname", "6.2.0");
+    driver.config->nbdTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3");
     DO_TEST_CAPS_LATEST("disk-network-tlsx509-nbd-hostname");
+    VIR_FREE(driver.config->nbdTLSpriority);
     DO_TEST_CAPS_LATEST("disk-network-http");
     VIR_FREE(driver.config->nbdTLSx509secretUUID);
     DO_TEST_CAPS_LATEST("disk-network-ssh");
@@ -1730,8 +1732,10 @@ mymain(void)
     driver.config->vncTLS = 1;
     driver.config->vncTLSx509verify = 1;
     DO_TEST_CAPS_LATEST("graphics-vnc-tls");
+    driver.config->vncTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3");
     driver.config->vncTLSx509secretUUID = g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea");
     DO_TEST_CAPS_LATEST("graphics-vnc-tls-secret");
+    VIR_FREE(driver.config->vncTLSpriority);
     VIR_FREE(driver.config->vncTLSx509secretUUID);
     driver.config->vncSASL = driver.config->vncTLSx509verify = driver.config->vncTLS = 0;
     DO_TEST_CAPS_LATEST("graphics-vnc-egl-headless");
@@ -1881,7 +1885,9 @@ mymain(void)
     driver.config->chardevTLSx509verify = 0;
     DO_TEST_CAPS_LATEST("serial-tcp-tlsx509-chardev-notls");
     driver.config->chardevTLSx509secretUUID = g_strdup("6fd3f62d-9fe7-4a4e-a869-7acd6376d8ea");
+    driver.config->chardevTLSpriority = g_strdup("@SYSTEM:-VERS-TLS1.3");
     DO_TEST_CAPS_LATEST("serial-tcp-tlsx509-secret-chardev");
+    VIR_FREE(driver.config->chardevTLSpriority);
     VIR_FREE(driver.config->chardevTLSx509secretUUID);
     driver.config->chardevTLS = 0;
     DO_TEST_CAPS_LATEST("serial-many-chardev");
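Review bot: The three hunks set the per-subsystem `*TLSpriority` fields on `driver.config` directly, so the `default_tls_priority` fallback added by `SET_TLS_PRIORITY_DEFAULT` in `virQEMUDriverConfigSetDefaults` is not exercised by any test in this commit (test_libvirtd_qemu.aug.in only checks that the lens parses the key). If the test's config setup reaches `virQEMUDriverConfigSetDefaults`, a case that sets only `defaultTLSpriority` and expects the `priority` key in the VNC or NBD args would cover it; I cannot tell from this page whether that path is taken here. `mymain` continues outside the hunk.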