[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v1 4/4] char: introduce support for TLS encrypte
From: |
Eric Blake |
Subject: |
Re: [Qemu-devel] [PATCH v1 4/4] char: introduce support for TLS encrypted TCP chardev backend |
Date: |
Wed, 18 Nov 2015 13:00:25 -0700 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 |
On 11/18/2015 11:48 AM, Daniel P. Berrange wrote:
> This integrates support for QIOChannelTLS object in the TCP
> chardev backend. If the 'tls-creds=NAME' option is passed with
> the '-chardev tcp' argument, then it will setup the chardev
> such that the client is required to establish a TLS handshake
> when connecting. There is no support for checking the client
> certificate against ACLs in this initial patch. This is pending
> work to QOM-ify the ACL object code.
>
> A complete invocation to run QEMU as the server for a TLS
> encrypted serial dev might be
>
> $ qemu-system-x86_64 \
> -nodefconfig -nodefaults -device sga -display none \
> -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-creds=tls0,server \
> -device isa-serial,chardev=s0 \
> -object tls-creds-x509,id=tls0,endpoint=server,verify-peer=off,\
> dir=/home/berrange/security/qemutls
>
> To test with the gnutls-cli tool as the client:
>
> $ gnutls-cli --priority=NORMAL -p 9000 \
> --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
> 127.0.0.1
>
> If QEMU was told to use 'anon' credential type, then use the
> priority string 'NORMAL:+ANON-DH' with gnutls-cli
>
> Alternatively, if setting up a chardev to operate as a client,
> then the TLS credentials registered must be for the client
> endpoint. First a TLS server must be setup, which can be done
> with the gnutls-serv tool
>
> $ gnutls-serv --priority=NORMAL -p 9000 --echo \
> --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
> --x509certfile=/home/berrange/security/qemutls/server-cert.pem \
> --x509keyfile=/home/berrange/security/qemutls/server-key.pem
>
> Then QEMU can connect with
>
> $ qemu-system-x86_64 \
> -nodefconfig -nodefaults -device sga -display none \
> -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-creds=tls0 \
> -device isa-serial,chardev=s0 \
> -object tls-creds-x509,id=tls0,endpoint=client,\
> dir=/home/berrange/security/qemutls
>
> Signed-off-by: Daniel P. Berrange <address@hidden>
> ---
> qapi-schema.json | 2 +
> qemu-char.c | 138
> ++++++++++++++++++++++++++++++++++++++++++++++++++-----
> qemu-options.hx | 9 +++-
> 3 files changed, 135 insertions(+), 14 deletions(-)
>
> diff --git a/qapi-schema.json b/qapi-schema.json
> index 8b1a423..be6636c 100644
> --- a/qapi-schema.json
> +++ b/qapi-schema.json
> @@ -3046,6 +3046,7 @@
> #
> # @addr: socket address to listen on (server=true)
> # or connect to (server=false)
> +# @tls-creds: #optional the ID of the TLS credentials object (since 2.4)
2.6, now :)
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature