[libvirt] [PATCH 01/38] qemu: domain: Add helper to check if encrypted secrets can be used with a VM

Peter Krempa posted 38 patches 6 years, 11 months ago
Posted by Peter Krempa 6 years, 11 months ago
This helper checks that the vm has the master key set up and libvirt
supports the given encryption algorithm.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/qemu/qemu_domain.c | 19 +++++++++++++++++--
 src/qemu/qemu_domain.h |  2 ++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 2c51e4c0d8..708d562e82 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -1292,6 +1292,22 @@ qemuDomainSecretAESSetup(qemuDomainObjPrivatePtr priv,
 }


+/**
+ * qemuDomainSupportsEncryptedSecret:
+ * @priv: qemu domain private data
+ *
+ * Returns true if libvirt can use encrypted 'secret' objects with VM which
+ * @priv belongs to.
+ */
+bool
+qemuDomainSupportsEncryptedSecret(qemuDomainObjPrivatePtr priv)
+{
+    return virCryptoHaveCipher(VIR_CRYPTO_CIPHER_AES256CBC) &&
+           virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_OBJECT_SECRET) &&
+           priv->masterKey;
+}
+
+
 /* qemuDomainSecretSetup:
  * @priv: pointer to domain private object
  * @secinfo: Pointer to secret info
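Review bot: the doc comment on qemuDomainSupportsEncryptedSecret only says libvirt "can use" encrypted secrets and does not name the three conditions the body tests (AES256CBC cipher available, QEMU_CAPS_OBJECT_SECRET present, priv->masterKey set); listing them would let callers know what a false return means. The last operand, priv->masterKey, also relies on an implicit pointer-to-bool conversion in a function returning bool; writing it as priv->masterKey != NULL makes the intent explicit.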
@@ -1320,8 +1336,7 @@ qemuDomainSecretSetup(qemuDomainObjPrivatePtr priv,
     bool iscsiHasPS = virQEMUCapsGet(priv->qemuCaps,
                                      QEMU_CAPS_ISCSI_PASSWORD_SECRET);

-    if (virCryptoHaveCipher(VIR_CRYPTO_CIPHER_AES256CBC) &&
-        virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_OBJECT_SECRET) &&
+    if (qemuDomainSupportsEncryptedSecret(priv) &&
         (usageType == VIR_SECRET_USAGE_TYPE_CEPH ||
          (usageType == VIR_SECRET_USAGE_TYPE_ISCSI && iscsiHasPS) ||
          usageType == VIR_SECRET_USAGE_TYPE_VOLUME ||
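Review bot: replacing the two removed checks with qemuDomainSupportsEncryptedSecret(priv) is not a pure refactor, because the helper also requires priv->masterKey, which the old condition here did not test. A domain without a master key now skips this branch instead of entering it, so the commit message should state that the behaviour of qemuDomainSecretSetup changes, and the code outside this hunk that handles the other case should be checked to confirm it is an acceptable path for these usage types.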
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index 2e0f4df0fb..f7405e0c6c 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -831,6 +831,8 @@ int qemuDomainMasterKeyCreate(virDomainObjPtr vm);

 void qemuDomainMasterKeyRemove(qemuDomainObjPrivatePtr priv);

+bool qemuDomainSupportsEncryptedSecret(qemuDomainObjPrivatePtr priv);
+
 void qemuDomainSecretInfoFree(qemuDomainSecretInfoPtr *secinfo)
     ATTRIBUTE_NONNULL(1);

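Review bot: the new prototype for qemuDomainSupportsEncryptedSecret carries no ATTRIBUTE_NONNULL(1), although the function dereferences priv unconditionally (priv->qemuCaps, priv->masterKey) and the neighbouring qemuDomainSecretInfoFree declaration is annotated. Consider adding ATTRIBUTE_NONNULL(1) here so that a NULL priv can be flagged by the compiler or static analysis.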
-- 
2.16.2

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH 01/38] qemu: domain: Add helper to check if encrypted secrets can be used with a VM
Posted by Ján Tomko 6 years, 11 months ago
On Wed, May 30, 2018 at 02:40:57PM +0200, Peter Krempa wrote:
>This helper checks that the vm has the master key set up and libvirt
>supports the given encryption algorithm.
>
>Signed-off-by: Peter Krempa <pkrempa@redhat.com>
>---
> src/qemu/qemu_domain.c | 19 +++++++++++++++++--
> src/qemu/qemu_domain.h |  2 ++
> 2 files changed, 19 insertions(+), 2 deletions(-)
>

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano