1. Patchew
  2. Libvirt
  3. [libvirt] [PATCH 00/38] qemu: Refactor secret/TLS setup and add TLS for nbd
  4. View patch

[libvirt] [PATCH 05/38] qemu: domain: Add new function to set up encrypted secrets only

Peter Krempa posted 38 patches 6 years, 11 months ago
[libvirt] [PATCH 05/38] qemu: domain: Add new function to set up encrypted secrets only
Posted by Peter Krempa 6 years, 11 months ago 
Some code paths can't use the unencrypted secret. Add a helper which
checks and sets up an encrypted secret only and reuse it when setting up
the secret to decrypt the TLS private key in qemuDomainSecretInfoTLSNew.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/qemu/qemu_domain.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 46 insertions(+), 3 deletions(-)

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index cda3d00f75..67bf2f6718 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1399,6 +1399,49 @@ qemuDomainSecretInfoNewPlain(qemuDomainObjPrivatePtr priv,
 }


+/* qemuDomainSecretInfoNew:
+ * @priv: pointer to domain private object
+ * @srcAlias: Alias base to use for TLS object
+ * @usageType: Secret usage type
+ * @username: username for plain secrets (only)
+ * @looupdef: lookup def describing secret
+ * @isLuks: boolean for luks lookup
+ *
+ * Helper function to create a secinfo to be used for secinfo consumers. This
+ * possibly sets a encrypted secret object.
+ *
+ * Returns @secinfo on success, NULL on failure. Caller is responsible
+ * to eventually free @secinfo.
+ */
+static qemuDomainSecretInfoPtr
+qemuDomainSecretInfoNew(qemuDomainObjPrivatePtr priv,
+                        const char *srcAlias,
+                        virSecretUsageType usageType,
+                        const char *username,
+                        virSecretLookupTypeDefPtr lookupDef,
+                        bool isLuks)
+{
+    qemuDomainSecretInfoPtr secinfo = NULL;
+
+    if (!qemuDomainSupportsEncryptedSecret(priv)) {
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                       _("encrypted secrets are not supported"));
+        return NULL;
+    }
+
+    if (VIR_ALLOC(secinfo) < 0)
+        return NULL;
+
+    if (qemuDomainSecretAESSetup(priv, secinfo, srcAlias, usageType, username,
+                                 lookupDef, isLuks) < 0) {
+        qemuDomainSecretInfoFree(&secinfo);
+        return NULL;
+    }
+
+    return secinfo;
+}
+
+
 /**
  * qemuDomainSecretInfoTLSNew:
  * @priv: pointer to domain private object
@@ -1425,9 +1468,9 @@ qemuDomainSecretInfoTLSNew(qemuDomainObjPrivatePtr priv,
     }
     seclookupdef.type = VIR_SECRET_LOOKUP_TYPE_UUID;

-    return qemuDomainSecretInfoNewPlain(priv, srcAlias,
-                                        VIR_SECRET_USAGE_TYPE_TLS, NULL,
-                                        &seclookupdef, false);
+    return qemuDomainSecretInfoNew(priv, srcAlias,
+                                   VIR_SECRET_USAGE_TYPE_TLS, NULL,
+                                   &seclookupdef, false);
 }


-- 
2.16.2

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 05/38] qemu: domain: Add new function to set up encrypted secrets only
Posted by Ján Tomko 6 years, 11 months ago 
On Wed, May 30, 2018 at 02:41:01PM +0200, Peter Krempa wrote:
>Some code paths can't use the unencrypted secret. Add a helper which
>checks and sets up an encrypted secret only and reuse it when setting up
>the secret to decrypt the TLS private key in qemuDomainSecretInfoTLSNew.
>
>Signed-off-by: Peter Krempa <pkrempa@redhat.com>
>---
> src/qemu/qemu_domain.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++---
> 1 file changed, 46 insertions(+), 3 deletions(-)
>
>diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
>index cda3d00f75..67bf2f6718 100644
>--- a/src/qemu/qemu_domain.c
>+++ b/src/qemu/qemu_domain.c
>@@ -1399,6 +1399,49 @@ qemuDomainSecretInfoNewPlain(qemuDomainObjPrivatePtr priv,
> }
>
>
>+/* qemuDomainSecretInfoNew:
>+ * @priv: pointer to domain private object
>+ * @srcAlias: Alias base to use for TLS object
>+ * @usageType: Secret usage type
>+ * @username: username for plain secrets (only)

AFAIK we have been using username with AES secrets since:
commit a1344f70a128921e7fe7213da7c1afbc962fba9c
    qemu: Utilize qemu secret objects for RBD auth/secret

Just drop the plain secret reference and resort to tautological documentation.

>+ * @looupdef: lookup def describing secret
>+ * @isLuks: boolean for luks lookup
>+ *
>+ * Helper function to create a secinfo to be used for secinfo consumers. This
>+ * possibly sets a encrypted secret object.

sets up

>+ *
>+ * Returns @secinfo on success, NULL on failure. Caller is responsible
>+ * to eventually free @secinfo.
>+ */

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 05/38] qemu: domain: Add new function to set up encrypted secrets only
Posted by Ján Tomko 6 years, 11 months ago 
On Wed, May 30, 2018 at 05:25:27PM +0200, Ján Tomko wrote:
>On Wed, May 30, 2018 at 02:41:01PM +0200, Peter Krempa wrote:
>>Some code paths can't use the unencrypted secret. Add a helper which
>>checks and sets up an encrypted secret only and reuse it when setting up
>>the secret to decrypt the TLS private key in qemuDomainSecretInfoTLSNew.
>>
>>Signed-off-by: Peter Krempa <pkrempa@redhat.com>
>>---
>> src/qemu/qemu_domain.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++---
>> 1 file changed, 46 insertions(+), 3 deletions(-)
>>
>>diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
>>index cda3d00f75..67bf2f6718 100644
>>--- a/src/qemu/qemu_domain.c
>>+++ b/src/qemu/qemu_domain.c
>>@@ -1399,6 +1399,49 @@ qemuDomainSecretInfoNewPlain(qemuDomainObjPrivatePtr priv,
>> }
>>
>>
>>+/* qemuDomainSecretInfoNew:
>>+ * @priv: pointer to domain private object
>>+ * @srcAlias: Alias base to use for TLS object
>>+ * @usageType: Secret usage type
>>+ * @username: username for plain secrets (only)
>
>AFAIK we have been using username with AES secrets since:
>commit a1344f70a128921e7fe7213da7c1afbc962fba9c
>    qemu: Utilize qemu secret objects for RBD auth/secret
>
>Just drop the plain secret reference and resort to tautological documentation.
>
>>+ * @looupdef: lookup def describing secret

Also, the parameter is named lookupDef

Jano
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Patchew 2.1-devel-8c64711

© 2016 - 2025 Red Hat, Inc.