qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] RFC: Universal encryption on QEMU I/O channels


From: Dr. David Alan Gilbert
Subject: Re: [Qemu-devel] RFC: Universal encryption on QEMU I/O channels
Date: Thu, 5 Feb 2015 09:11:26 +0000
User-agent: Mutt/1.5.23 (2014-03-12)

* Eric Blake (address@hidden) wrote:
> On 02/04/2015 07:02 AM, Daniel P. Berrange wrote:
> 
> >>
> >> I think fixing this for migration might simplify stuff for users a lot as 
> >> well;
> >> the choice of whether libvirt does tunneling or not and what it means
> >> for how block migration happens etc can get very confusing.
> > 
> > Yes, and not helped by the fact that no single current impl offers all
> > desired features - they are all partially overlapping sets :-(
> 
> >> Some things to keep in mind:
> >>   1) The current patch from Liang Li doing multi threaded compression
> >>      It just strikes me as an exmaple of another type of filter in the 
> >> migration
> >>      stream.
> > 
> > Yes, that does make sense in that way,
> > 
> >>   2) Postcopy and fault tolerance need a bidirectional channel; and that 
> >> back
> >>      channel tends to be small messages.
> > 
> > TLS will require bidirectional channels too in order to perform the
> > handshake. SASL will require bidirectional channels too. So this
> > seems rather inevitable.
> > 
> >>   3) I'd considered making a separate socket/fd for passing page data
> >>      in the hope of maybe making that page take data via splice; but am not
> >>      sure yet.
> 
> Another thing to think about - should migration to file be something
> that can be encrypted?  There, you don't have the luxury of a
> bidirectional channel, but securing the machine state so that only an
> authenticated user can decrypt to reload the state later sounds like
> another benefit that might be possible.

That's something that's pretty easy to do via exec-migration; so I'm
not sure it's worth doing anything particularly special for it.

Dave

> 
> -- 
> Eric Blake   eblake redhat com    +1-919-301-3266
> Libvirt virtualization library http://libvirt.org
> 


--
Dr. David Alan Gilbert / address@hidden / Manchester, UK



reply via email to

[Prev in Thread] Current Thread [Next in Thread]