qemu: conf: Add configuration of TLS key encryption for 'vxhs' and 'nbd' disks

Until now libvirt didn't allow using encrypted TLS key for disk clients. Add fields for configuring the secret and propagate defaults. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com>
2025-01-11 09:17:52 +03:00 · 2020-06-29 17:12:03 +02:00 · 2020-06-29 17:12:03 +02:00 · 470d322e0c
commit 470d322e0c
parent 7fa772bfd7
5 changed files with 34 additions and 4 deletions
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@ -61,9 +61,11 @@ module Libvirtd_qemu =

   let vxhs_entry = bool_entry "vxhs_tls"
                 | str_entry "vxhs_tls_x509_cert_dir"
+                 | str_entry "vxhs_tls_x509_secret_uuid"

   let nbd_entry = bool_entry "nbd_tls"
                 | str_entry "nbd_tls_x509_cert_dir"
+                 | str_entry "nbd_tls_x509_secret_uuid"

   let nogfx_entry = bool_entry "nographics_allow_host_audio"

--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@ -303,6 +303,15 @@
 #vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"


+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+

 # Enable use of TLS encryption for all NBD disk devices that don't
 # specifically disable it.
@ -337,6 +346,16 @@
 #nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"


+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
 # In order to override the default TLS certificate location for migration
 # certificates, supply a valid path to the certificate directory. If the
 # provided path does not exist, libvirtd will fail to start. If the path is
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@ -339,7 +339,10 @@ static void virQEMUDriverConfigDispose(void *obj)
    VIR_FREE(cfg->chardevTLSx509secretUUID);

    VIR_FREE(cfg->vxhsTLSx509certdir);
+    VIR_FREE(cfg->vxhsTLSx509secretUUID);
+
    VIR_FREE(cfg->nbdTLSx509certdir);
+    VIR_FREE(cfg->nbdTLSx509secretUUID);

    VIR_FREE(cfg->migrateTLSx509certdir);
    VIR_FREE(cfg->migrateTLSx509secretUUID);
@ -477,12 +480,8 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfigPtr cfg,

    if (virConfGetValueBool(conf, "vxhs_tls", &cfg->vxhsTLS) < 0)
        return -1;
-    if (virConfGetValueString(conf, "vxhs_tls_x509_cert_dir", &cfg->vxhsTLSx509certdir) < 0)
-        return -1;
    if (virConfGetValueBool(conf, "nbd_tls", &cfg->nbdTLS) < 0)
        return -1;
-    if (virConfGetValueString(conf, "nbd_tls_x509_cert_dir", &cfg->nbdTLSx509certdir) < 0)
-        return -1;
    if (virConfGetValueBool(conf, "chardev_tls", &cfg->chardevTLS) < 0)
        return -1;

@ -512,6 +511,10 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfigPtr cfg,
    GET_CONFIG_TLS_CERTINFO_COMMON(migrate);
    GET_CONFIG_TLS_CERTINFO_SERVER(migrate);

+    GET_CONFIG_TLS_CERTINFO_COMMON(vxhs);
+
+    GET_CONFIG_TLS_CERTINFO_COMMON(nbd);
+
 #undef GET_CONFIG_TLS_CERTINFO_COMMON
 #undef GET_CONFIG_TLS_CERTINFO_SERVER
    return 0;
@ -1186,6 +1189,8 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfigPtr cfg)
    SET_TLS_SECRET_UUID_DEFAULT(vnc);
    SET_TLS_SECRET_UUID_DEFAULT(chardev);
    SET_TLS_SECRET_UUID_DEFAULT(migrate);
+    SET_TLS_SECRET_UUID_DEFAULT(vxhs);
+    SET_TLS_SECRET_UUID_DEFAULT(nbd);

 #undef SET_TLS_SECRET_UUID_DEFAULT

--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@ -146,9 +146,11 @@ struct _virQEMUDriverConfig {

    bool vxhsTLS;
    char *vxhsTLSx509certdir;
+    char *vxhsTLSx509secretUUID;

    bool nbdTLS;
    char *nbdTLSx509certdir;
+    char *nbdTLSx509secretUUID;

    unsigned int remotePortMin;
    unsigned int remotePortMax;
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@ -28,8 +28,10 @@ module Test_libvirtd_qemu =
 { "chardev_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
 { "vxhs_tls" = "1" }
 { "vxhs_tls_x509_cert_dir" = "/etc/pki/libvirt-vxhs" }
+{ "vxhs_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
 { "nbd_tls" = "1" }
 { "nbd_tls_x509_cert_dir" = "/etc/pki/libvirt-nbd" }
+{ "nbd_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }
 { "migrate_tls_x509_cert_dir" = "/etc/pki/libvirt-migrate" }
 { "migrate_tls_x509_verify" = "1" }
 { "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" }