qemu-devel
From: Eric Blake
Subject: Re: [Qemu-devel] [PATCH v1 RFC 34/34] char: introduce support for TLS encrypted TCP chardev backend
Date: Fri, 17 Apr 2015 12:27:06 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0

On 04/17/2015 08:22 AM, Daniel P. Berrange wrote:
> This integrates support for QIOChannelTLS object in the TCP
> chardev backend. If the 'tls-cred=NAME' option is passed with
> the '-chardev tcp' argument, then it will setup the chardev
> such that the client is required to establish a TLS handshake
> when connecting. The 'acl' option will further enable the
> creation of a 'char.$ID.tlspeername' ACL which will be used
> to validate the client x509 certificate, if provided.
> 
> A complete invokation to run QEMU as the server for a TLS

s/invokation/invocation/

> encrypted serial dev might be
> 
>   $ qemu-system-x86_64 \
>       -nodefconfig -nodefaults -device sga -display none \
>       -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0,server \
>       -device isa-serial,chardev=s0 \
>       -object qcrypto-tls-cred,id=tls0,credtype=x509,\
>         endpoint=server,dir=/home/berrange/security/qemutls,verify-peer=off
> 
> To test with the gnutls-cli tool as the client:
> 
>   $ gnutls-cli --priority=NORMAL -p 9000 \
>        --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
>        127.0.0.1
> 
> If QEMU was told to use 'anon' credential type, then use the
> priority string 'NOMAL:+ANON-DH' with gnutls-cli

s/NOMAL/NORMAL/

> 
> Alternatively, if setting up a chardev to operate as a client,
> then the TLS credentials registered must be for the client
> endpoint. First a TLS server must be setup, which can be done
> with the gnutls-serv tool
> 
>   $ gnutls-serv --priority=NORMAL -p 9000 \
>        --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
>        --x509certfile=/home/berrange/security/qemutls/server-cert.pem \
>        --x509keyfile=/home/berrange/security/qemutls/server-key.pem
> 
> Then QEMU can connect with
> 
>   $ qemu-system-x86_64 \
>       -nodefconfig -nodefaults -device sga -display none \
>       -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0 \
>       -device isa-serial,chardev=s0 \
>       -object qcrypto-tls-cred,id=tls0,credtype=x509,\
>         endpoint=client,dir=/home/berrange/security/qemutls
> 
> Signed-off-by: Daniel P. Berrange <address@hidden>
> ---
>  qapi-schema.json |   2 +
>  qemu-char.c      | 182 
> ++++++++++++++++++++++++++++++++++++++++++++++---------
>  qemu-options.hx  |   9 ++-
>  3 files changed, 161 insertions(+), 32 deletions(-)
> 
> diff --git a/qapi-schema.json b/qapi-schema.json
> index ac9594d..062a455 100644
> --- a/qapi-schema.json
> +++ b/qapi-schema.json
> @@ -2782,6 +2782,8 @@
>  # Since: 1.4
>  ##
>  { 'type': 'ChardevSocket', 'data': { 'addr'       : 'SocketAddress',
> +                                     '*tls-cred'  : 'str',
> +                                     '*acl'       : 'str',
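Review bot: the new '*acl' member is typed 'str' here, but the qemu-options.hx hunk in this same patch lists it as a bare flag ('[,tls-cred=ID][,acl]', no value) and the commit message describes it as a switch that enables creation of the 'char.$ID.tlspeername' ACL. If it is a switch, 'bool' is the type that matches the command line; if it is meant to take an ACL name, the help text should read 'acl=NAME'. The two should agree before this goes in.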

Need to document these two fields, along with '(since 2.4)' designators.

> +++ b/qemu-options.hx
> @@ -2009,7 +2009,7 @@ ETEXI
>  DEF("chardev", HAS_ARG, QEMU_OPTION_chardev,
>      "-chardev null,id=id[,mux=on|off]\n"
>      "-chardev 
> socket,id=id[,host=host],port=port[,to=to][,ipv4][,ipv6][,nodelay][,reconnect=seconds]\n"
> -    "         [,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off] 
> (tcp)\n"
> +    "         
> [,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off][,tls-cred=ID][,acl]
>  (tcp)\n"
>      "-chardev 
> socket,id=id,path=path[,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off]
>  (unix)\n"
>      "-chardev udp,id=id[,host=host],port=port[,localaddr=localaddr]\n"
>      "         [,localport=localport][,ipv4][,ipv6][,mux=on|off]\n"
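Review bot: the rewritten (tcp) line still carries '[,reconnect=seconds]', which already appears on the preceding 'socket,id=id[,host=host],port=port[,to=to]...' line; since this line is being replaced anyway, drop the duplicate so the added '[,tls-cred=ID][,acl]' fits without widening it further. Note also that only the tcp form gains the two new options while the (unix) line below is untouched, so the description text should state that tls-cred and acl apply to TCP sockets only.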
> @@ -2082,7 +2082,7 @@ Options to each backend are described below.
>  A void device. This device will not emit any data, and will drop any data it
>  receives. The null backend does not take any options.
>  
> address@hidden -chardev socket ,address@hidden address@hidden options} or 
> @var{unix options}] [,server] [,nowait] [,telnet] [,address@hidden
> address@hidden -chardev socket ,address@hidden address@hidden options} or 
> @var{unix options}] [,server] [,nowait] [,telnet] 
> [,address@hidden,address@hidden
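Review bot: this synopsis is shared by the TCP and unix socket forms ('@var{tcp options} or @var{unix options}'), yet the usage line in the previous hunk adds tls-cred and acl only to the (tcp) variant; either mark them here as TCP-only or extend the unix usage line to match, so the texinfo does not promise TLS on unix sockets that the patch does not provide.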

Everyone else in this line had a space before [

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
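Added example, not code from the patch or from QEMU: a small Python checker for the wiring the commit message describes, namely that a socket chardev's tls-cred names a qcrypto-tls-cred object whose endpoint matches the chardev's role (server when the chardev carries the server flag, client otherwise). It also flags, as an assumption of my own drawn from the ACL checking a client x509 certificate, an acl flag paired with non-x509 credentials. The sample argv is constructed from the server invocation quoted above.

```python
def parse_qemu_opts(optstr):
    """'socket,id=s0,port=9000,tls-cred=tls0,server' -> dict; bare words become True."""
    head, *rest = optstr.split(",")
    opts = {"type": head}
    for part in rest:
        key, sep, val = part.partition("=")
        opts[key] = val if sep else True
    return opts

def collect(argv):
    """Gather every -chardev dict and every -object dict (keyed by id)."""
    chardevs, objects = [], {}
    for flag, val in zip(argv, argv[1:]):
        if flag == "-chardev":
            chardevs.append(parse_qemu_opts(val))
        elif flag == "-object":
            obj = parse_qemu_opts(val)
            objects[obj.get("id")] = obj
    return chardevs, objects

def check_tls_chardevs(argv):
    """List wiring problems between socket chardevs using tls-cred and the objects they name."""
    problems = []
    chardevs, objects = collect(argv)
    for cd in chardevs:
        cred = cd.get("tls-cred")
        if cd["type"] != "socket" or cred is None:
            continue
        cid, obj = cd.get("id", "?"), objects.get(cred)
        if obj is None or obj["type"] != "qcrypto-tls-cred":
            problems.append(f"{cid}: tls-cred={cred} names no qcrypto-tls-cred object")
            continue
        # A listening (server) chardev needs endpoint=server credentials, a connecting one endpoint=client.
        want = "server" if cd.get("server") else "client"
        if obj.get("endpoint") != want:
            problems.append(f"{cid}: chardev is the TLS {want} but {cred} has endpoint={obj.get('endpoint')}")
        # Assumption: the ACL validates the peer's x509 certificate, so anon credentials give it nothing to check.
        if cd.get("acl") and obj.get("credtype") != "x509":
            problems.append(f"{cid}: acl set but {cred} is credtype={obj.get('credtype')}, not x509")
    return problems

# Constructed from the server invocation quoted in the commit message.
SERVER_ARGV = [
    "qemu-system-x86_64", "-nodefconfig", "-nodefaults", "-device", "sga", "-display", "none",
    "-chardev", "socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0,server",
    "-device", "isa-serial,chardev=s0",
    "-object", "qcrypto-tls-cred,id=tls0,credtype=x509,endpoint=server,"
               "dir=/home/berrange/security/qemutls,verify-peer=off",
]
```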
