From: Peter Krempa
Date: Mon, 29 Jun 2020 15:12:03 +0000 (+0200)
Subject: qemu: conf: Add configuration of TLS key encryption for 'vxhs' and 'nbd' disks
X-Git-Tag: v6.6.0-rc1~281
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=470d322e0cc3d45eccf54c6e4fa13bf1bd40428f;p=thirdparty%2Flibvirt.git

qemu: conf: Add configuration of TLS key encryption for 'vxhs' and 'nbd' disks

Until now libvirt didn't allow using encrypted TLS key for disk clients. Add fields for configuring the secret and propagate defaults.

Signed-off-by: Peter Krempa
Reviewed-by: Eric Blake
---
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index 7a6a33c77c..c19a086c38 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -61,9 +61,11 @@ module Libvirtd_qemu =
 let vxhs_entry = bool_entry "vxhs_tls"
 | str_entry "vxhs_tls_x509_cert_dir"
+ | str_entry "vxhs_tls_x509_secret_uuid"
 let nbd_entry = bool_entry "nbd_tls"
 | str_entry "nbd_tls_x509_cert_dir"
+ | str_entry "nbd_tls_x509_secret_uuid"
 let nogfx_entry = bool_entry "nographics_allow_host_audio"
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 9b04c8534b..ab403c21ac 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -303,6 +303,15 @@
 #vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
 # Enable use of TLS encryption for all NBD disk devices that don't
 # specifically disable it.
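Review bot: The comment block added above `#vxhs_tls_x509_secret_uuid` tells the administrator how to override the UUID but never says what the secret is for, so it is not clear when the option needs setting at all; per the commit message it holds the passphrase of an encrypted TLS private key. Suggest opening the block with `# UUID of the secret holding the passphrase of the TLS private key found in vxhs_tls_x509_cert_dir; only needed when that key is encrypted.` The phrase `# output from the UUID for the TLS secret from a 'virsh secret-list'` is also hard to parse and could read `# UUID that 'virsh secret-list' shows for the TLS secret`. The identical block is repeated for `#nbd_tls_x509_secret_uuid` in the next hunk and would take the same two changes.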
@@ -337,6 +346,16 @@
 #nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
 # In order to override the default TLS certificate location for migration
 # certificates, supply a valid path to the certificate directory. If the
 # provided path does not exist, libvirtd will fail to start. If the path is
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index b9b90e853f..6e673e8f62 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -339,7 +339,10 @@ static void virQEMUDriverConfigDispose(void *obj)
 VIR_FREE(cfg->chardevTLSx509secretUUID);
 VIR_FREE(cfg->vxhsTLSx509certdir);
+ VIR_FREE(cfg->vxhsTLSx509secretUUID);
+
 VIR_FREE(cfg->nbdTLSx509certdir);
+ VIR_FREE(cfg->nbdTLSx509secretUUID);
 VIR_FREE(cfg->migrateTLSx509certdir);
 VIR_FREE(cfg->migrateTLSx509secretUUID);
@@ -477,12 +480,8 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfigPtr cfg,
 if (virConfGetValueBool(conf, "vxhs_tls", &cfg->vxhsTLS) < 0)
 return -1;
- if (virConfGetValueString(conf, "vxhs_tls_x509_cert_dir", &cfg->vxhsTLSx509certdir) < 0)
- return -1;
 if (virConfGetValueBool(conf, "nbd_tls", &cfg->nbdTLS) < 0)
 return -1;
- if (virConfGetValueString(conf, "nbd_tls_x509_cert_dir", &cfg->nbdTLSx509certdir) < 0)
- return -1;
 if (virConfGetValueBool(conf, "chardev_tls", &cfg->chardevTLS) < 0)
 return -1;
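Review bot: Removing the explicit `virConfGetValueString` reads of `vxhs_tls_x509_cert_dir` and `nbd_tls_x509_cert_dir` in the -477 hunk is only correct if `GET_CONFIG_TLS_CERTINFO_COMMON`, which the -512 hunk now invokes for vxhs and nbd, reads the `_tls_x509_cert_dir` key in addition to the new `_tls_x509_secret_uuid` one; the macro body is outside this hunk, so that cannot be confirmed here, although the existing `migrate` usage (whose cert dir is not read explicitly either) suggests it does. The updated lens test only proves the keys parse, so a config-loading test that sets a non-default `vxhs_tls_x509_cert_dir` and checks `cfg->vxhsTLSx509certdir` would pin that an overridden directory keeps being honoured after the move. `virQEMUDriverConfigLoadSpecificTLSEntry` begins before this hunk.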
@@ -512,6 +511,10 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfigPtr cfg,
 GET_CONFIG_TLS_CERTINFO_COMMON(migrate);
 GET_CONFIG_TLS_CERTINFO_SERVER(migrate);
+ GET_CONFIG_TLS_CERTINFO_COMMON(vxhs);
+
+ GET_CONFIG_TLS_CERTINFO_COMMON(nbd);
+
 #undef GET_CONFIG_TLS_CERTINFO_COMMON
 #undef GET_CONFIG_TLS_CERTINFO_SERVER
 return 0;
@@ -1186,6 +1189,8 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
 SET_TLS_SECRET_UUID_DEFAULT(vnc);
 SET_TLS_SECRET_UUID_DEFAULT(chardev);
 SET_TLS_SECRET_UUID_DEFAULT(migrate);
+ SET_TLS_SECRET_UUID_DEFAULT(vxhs);
+ SET_TLS_SECRET_UUID_DEFAULT(nbd);
 #undef SET_TLS_SECRET_UUID_DEFAULT
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index 4f54c136db..6193a7111c 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -146,9 +146,11 @@ struct _virQEMUDriverConfig {
 bool vxhsTLS;
 char *vxhsTLSx509certdir;
+ char *vxhsTLSx509secretUUID;
 bool nbdTLS;
 char *nbdTLSx509certdir;
+ char *nbdTLSx509secretUUID;
 unsigned int remotePortMin;
 unsigned int remotePortMax;
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index e533b9f551..db125bf352 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -28,8 +28,10 @@ module Test_libvirtd_qemu =
 { "chardev_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
 { "vxhs_tls" = "1" }
 { "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" }
+{ "vxhs_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
 { "nbd_tls" = "1" }
 { "nbd_tls_x509_cert_dir" = "/etc/pki/libvirt-nbd" }
+{ "nbd_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
 { "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" }
 { "migrate_tls_x509_verify" = "1" }
 { "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
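Review bot: `SET_TLS_SECRET_UUID_DEFAULT(vxhs)` and `SET_TLS_SECRET_UUID_DEFAULT(nbd)` in the -1186 hunk presumably copy the `default_tls_x509_secret_uuid` value into the new fields when the per-type key is unset (the macro body is outside the hunk), and that is a behaviour change for existing hosts rather than a pure addition: before this commit no secret at all was associated with the vxhs and nbd TLS configuration, so a deployment that set the default secret for its default key but points `vxhs_tls_x509_cert_dir` or `nbd_tls_x509_cert_dir` at a directory holding an unencrypted key will now have that secret applied to those objects too. Whether the consumer tolerates a passphrase secret for a key that is not encrypted is not visible here; if it does not, administrators would need to set the per-type UUID explicitly, which deserves a sentence in the commit message or in the new qemu.conf comment blocks. `virQEMUDriverConfigSetDefaults` starts before this hunk.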
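Review bot: The two new `char *` members in `struct _virQEMUDriverConfig` are added without a comment, and nothing in the header says which of the surrounding cert-dir fields each secret belongs to or that an unset value is filled from the default in `virQEMUDriverConfigSetDefaults`. A one-line comment per field would do, e.g. `char *vxhsTLSx509secretUUID; /* secret for the passphrase of the key in vxhsTLSx509certdir; see vxhs_tls_x509_secret_uuid in qemu.conf */` and the equivalent for `nbdTLSx509secretUUID`. The struct definition continues on both sides of this hunk.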