From: Eric Blake
Subject: Re: [Qemu-devel] [PATCH v1 RFC 34/34] char: introduce support for TLS encrypted TCP chardev backend
Date: Fri, 17 Apr 2015 12:27:06 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
On 04/17/2015 08:22 AM, Daniel P. Berrange wrote:
> This integrates support for QIOChannelTLS object in the TCP
> chardev backend. If the 'tls-cred=NAME' option is passed with
> the '-chardev tcp' argument, then it will set up the chardev
> such that the client is required to establish a TLS handshake
> when connecting. The 'acl' option will further enable the
> creation of a 'char.$ID.tlspeername' ACL which will be used
> to validate the client x509 certificate, if provided.
>
> A complete invokation to run QEMU as the server for a TLS
s/invokation/invocation/
> encrypted serial dev might be
>
> $ qemu-system-x86_64 \
> -nodefconfig -nodefaults -device sga -display none \
> -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0,server \
> -device isa-serial,chardev=s0 \
> -object qcrypto-tls-cred,id=tls0,credtype=x509,\
> endpoint=server,dir=/home/berrange/security/qemutls,verify-peer=off
>
> To test with the gnutls-cli tool as the client:
>
> $ gnutls-cli --priority=NORMAL -p 9000 \
> --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
> 127.0.0.1
>
> If QEMU was told to use 'anon' credential type, then use the
> priority string 'NOMAL:+ANON-DH' with gnutls-cli
s/NOMAL/NORMAL/
>
> Alternatively, if setting up a chardev to operate as a client,
> then the TLS credentials registered must be for the client
> endpoint. First a TLS server must be set up, which can be done
> with the gnutls-serv tool
>
> $ gnutls-serv --priority=NORMAL -p 9000 \
> --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
> --x509certfile=/home/berrange/security/qemutls/server-cert.pem \
> --x509keyfile=/home/berrange/security/qemutls/server-key.pem
>
> Then QEMU can connect with
>
> $ qemu-system-x86_64 \
> -nodefconfig -nodefaults -device sga -display none \
> -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0 \
> -device isa-serial,chardev=s0 \
> -object qcrypto-tls-cred,id=tls0,credtype=x509,\
> endpoint=client,dir=/home/berrange/security/qemutls
>
> Signed-off-by: Daniel P. Berrange <address@hidden>
> ---
> qapi-schema.json | 2 +
> qemu-char.c | 182 ++++++++++++++++++++++++++++++++++++++++++++++---------
> qemu-options.hx | 9 ++-
> 3 files changed, 161 insertions(+), 32 deletions(-)
>
> diff --git a/qapi-schema.json b/qapi-schema.json
> index ac9594d..062a455 100644
> --- a/qapi-schema.json
> +++ b/qapi-schema.json
> @@ -2782,6 +2782,8 @@
> # Since: 1.4
> ##
> { 'type': 'ChardevSocket', 'data': { 'addr' : 'SocketAddress',
> + '*tls-cred' : 'str',
> + '*acl' : 'str',
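Review bot: the new 'acl' member is typed 'str' here, but the -chardev help text later in this patch lists the same option as a bare `[,acl]` switch, and the commit message describes it as enabling creation of a 'char.$ID.tlspeername' ACL rather than naming one. If it is a toggle, declare it as `'*acl' : 'bool'` so the QAPI type and the command-line syntax agree; if it takes a value, the help text should show `acl=...` and the doc comment should say what the string selects. Either way both new members need a description in the doc comment above the struct.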
Need to document these two fields, along with '(since 2.4)' designators.
> +++ b/qemu-options.hx
> @@ -2009,7 +2009,7 @@ ETEXI
> DEF("chardev", HAS_ARG, QEMU_OPTION_chardev,
> "-chardev null,id=id[,mux=on|off]\n"
> "-chardev
> socket,id=id[,host=host],port=port[,to=to][,ipv4][,ipv6][,nodelay][,reconnect=seconds]\n"
> - " [,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off]
> (tcp)\n"
> + "
> [,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off][,tls-cred=ID][,acl]
> (tcp)\n"
> "-chardev
> socket,id=id,path=path[,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off]
> (unix)\n"
> "-chardev udp,id=id[,host=host],port=port[,localaddr=localaddr]\n"
> " [,localport=localport][,ipv4][,ipv6][,mux=on|off]\n"
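Review bot: the tcp synopsis gains `[,tls-cred=ID][,acl]`, but nothing in the help text says what ID must be or that acl depends on tls-cred. Per the commit message, ID is the id of a `-object qcrypto-tls-cred` and the ACL validates the connecting client's certificate, so suggest stating that tls-cred=ID names a qcrypto-tls-cred object and that acl is only meaningful together with it when the chardev runs as a server. While this line is being touched, note that `[,reconnect=seconds]` already appears on the preceding line of the same synopsis, so its second mention on the edited line could be dropped.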
> @@ -2082,7 +2082,7 @@ Options to each backend are described below.
> A void device. This device will not emit any data, and will drop any data it
> receives. The null backend does not take any options.
>
> address@hidden -chardev socket ,address@hidden address@hidden options} or
> @var{unix options}] [,server] [,nowait] [,telnet] [,address@hidden
> address@hidden -chardev socket ,address@hidden address@hidden options} or
> @var{unix options}] [,server] [,nowait] [,telnet]
> [,address@hidden,address@hidden
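Review bot: in the quoted lines only the @item synopsis for the socket backend changes; there is no matching addition to the backend's description paragraph explaining tls-cred and acl (which object the id must refer to, server versus client endpoint credentials, and what the ACL checks). Suggest adding those sentences to the description so the options are documented beyond the one-line usage, mirroring the explanation given in the commit message.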
Everyone else in this line had space before [
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
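The commit message quoted above pairs a `-chardev socket,...,tls-cred=ID[,server]` with a `-object qcrypto-tls-cred,id=ID,endpoint=server|client` object and notes that a client chardev needs client-endpoint credentials while `acl` only matters once TLS is in play. The following is an added example (not part of this patch or of QEMU) that lints a command line for exactly those pairings; the argument lists and the `/tmp/qemutls` directory are constructed placeholders.

```python
# Constructed QEMU argument lists mirroring the invocations in the commit
# message. Paths are placeholders; nothing here touches the filesystem.
SERVER_ARGS = [
    "-chardev", "socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0,server",
    "-device", "isa-serial,chardev=s0",
    "-object", "qcrypto-tls-cred,id=tls0,credtype=x509,endpoint=server,"
               "dir=/tmp/qemutls,verify-peer=off",
]
# A client-mode chardev (no 'server') wired to server-endpoint credentials.
MISMATCHED_ARGS = [
    "-chardev", "socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0,acl",
    "-object", "qcrypto-tls-cred,id=tls0,credtype=x509,endpoint=server,"
               "dir=/tmp/qemutls",
]

def parse_opts(spec):
    """Split 'type,k=v,flag,...' into (type, {k: v}); bare words become True."""
    parts = spec.split(",")
    opts = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        opts[key] = value if value else True
    return parts[0], opts

def check_tls_chardevs(argv):
    """Return a list of pairing problems between socket chardevs and TLS creds."""
    chardevs, creds = {}, {}
    for flag, spec in zip(argv, argv[1:]):
        kind, opts = parse_opts(spec)
        if flag == "-chardev" and kind == "socket":
            chardevs[opts["id"]] = opts
        elif flag == "-object" and kind == "qcrypto-tls-cred":
            creds[opts["id"]] = opts
    problems = []
    for cid, c in chardevs.items():
        cred = c.get("tls-cred")
        if c.get("acl") and not cred:
            problems.append(f"{cid}: 'acl' has no effect without tls-cred")
        if not cred:
            continue
        obj = creds.get(cred)
        if obj is None:
            problems.append(f"{cid}: tls-cred={cred} names no qcrypto-tls-cred object")
            continue
        # A chardev with 'server' listens, so it must carry server-endpoint creds;
        # a connecting chardev must use client-endpoint creds (per the commit message).
        want = "server" if c.get("server") else "client"
        if obj.get("endpoint") != want:
            problems.append(f"{cid}: chardev is a TLS {want} but {cred} has endpoint={obj.get('endpoint')}")
    return problems
```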