From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Alexey Krasikov <alex-krasikov@yandex-team.ru>
Subject: Re: [PULL 3/5] crypto/linux_keyring: add 'secret_keyring' secret object.
Date: Fri, 5 Jun 2020 12:06:41 +0100 [thread overview]
Message-ID: <20200605110641.GC3289519@redhat.com> (raw)
In-Reply-To: <20200529103555.2759928-4-berrange@redhat.com>
On Fri, May 29, 2020 at 11:35:53AM +0100, Daniel P. Berrangé wrote:
> From: Alexey Krasikov <alex-krasikov@yandex-team.ru>
>
> Add the ability for the secret object to obtain secret data from the
> Linux in-kernel key managment and retention facility, as an extra option
> to the existing ones: reading from a file or passing directly as a
> string.
>
> The secret is identified by the key serial number. The upper layers
> need to instantiate the key and make sure the QEMU process has access
> permissions to read it.
>
> Signed-off-by: Alexey Krasikov <alex-krasikov@yandex-team.ru>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> configure | 38 ++++++++
> crypto/Makefile.objs | 1 +
> crypto/secret_keyring.c | 148 ++++++++++++++++++++++++++++++++
> include/crypto/secret_keyring.h | 52 +++++++++++
> 4 files changed, 239 insertions(+)
> create mode 100644 crypto/secret_keyring.c
> create mode 100644 include/crypto/secret_keyring.h
>
> diff --git a/configure b/configure
> index 2ffe365e2c..d95ff4e0b3 100755
> --- a/configure
> +++ b/configure
> @@ -510,6 +510,7 @@ default_devices="yes"
> plugins="no"
> fuzzing="no"
> rng_none="no"
> +secret_keyring="yes"
>
> supported_cpu="no"
> supported_os="no"
> @@ -1606,6 +1607,10 @@ for opt do
> ;;
> --disable-rng-none) rng_none=no
> ;;
> + --enable-keyring) secret_keyring="yes"
> + ;;
> + --disable-keyring) secret_keyring="no"
> + ;;
> *)
> echo "ERROR: unknown option $opt"
> echo "Try '$0 --help' for more information"
> @@ -6272,6 +6277,34 @@ case "$slirp" in
> ;;
> esac
>
> +##########################################
> +# check for usable __NR_keyctl syscall
> +
> +if test "$linux" = "yes" ; then
> +
> + have_keyring=no
> + cat > $TMPC << EOF
> +#include <errno.h>
> +#include <asm/unistd.h>
> +#include <linux/keyctl.h>
> +#include <unistd.h>
> +int main(void) {
> + return syscall(__NR_keyctl, KEYCTL_READ, 0, NULL, NULL, 0);
> +}
> +EOF
> + if compile_prog "" "" ; then
> + have_keyring=yes
> + fi
> +fi
> +if test "$secret_keyring" = "yes"
> +then
> + if test "$have_keyring" != "yes"
> + then
> + error_exit "syscall __NR_keyctl requested, \
> +but not implemented on your system"
> + fi
> +fi
This logic doesn't correctly disable keyring on Non-Linux native
builds by default. eg mingw as reported by patchew
I'm going to repost with the following squashed in
diff --git a/configure b/configure
index f2ff722f7e..f17c2fd72e 100755
--- a/configure
+++ b/configure
@@ -510,7 +510,7 @@ default_devices="yes"
plugins="no"
fuzzing="no"
rng_none="no"
-secret_keyring="yes"
+secret_keyring=""
supported_cpu="no"
supported_os="no"
@@ -6296,12 +6296,19 @@ EOF
have_keyring=yes
fi
fi
-if test "$secret_keyring" = "yes"
+if test "$secret_keyring" != "no"
then
- if test "$have_keyring" != "yes"
+ if test "$have_keyring" == "yes"
then
- error_exit "syscall __NR_keyctl requested, \
+ secret_keyring=yes
+ else
+ if test "$secret_keyring" = "yes"
+ then
+ error_exit "syscall __NR_keyctl requested, \
but not implemented on your system"
+ else
+ secret_keyring=no
+ fi
fi
fi
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2020-06-05 11:07 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-29 10:35 [PULL 0/5] Qcrypto next patches Daniel P. Berrangé
2020-05-29 10:35 ` [PULL 1/5] crypto: add "none" random provider Daniel P. Berrangé
2020-05-29 10:35 ` [PULL 2/5] crypto/secret: move main logic from 'secret' to 'secret_common' Daniel P. Berrangé
2020-05-29 10:35 ` [PULL 3/5] crypto/linux_keyring: add 'secret_keyring' secret object Daniel P. Berrangé
2020-06-05 11:06 ` Daniel P. Berrangé [this message]
2020-05-29 10:35 ` [PULL 4/5] test-crypto-secret: add 'secret_keyring' object tests Daniel P. Berrangé
2020-05-29 10:35 ` [PULL 5/5] crypto: Remove use of GCRYPT_VERSION macro Daniel P. Berrangé
2020-05-29 17:04 ` [PULL 0/5] Qcrypto next patches no-reply
2020-05-29 17:08 ` Daniel P. Berrangé
-- strict thread matches above, loose matches on Subject: below --
2020-06-15 10:36 [PULL v2 " Daniel P. Berrangé
2020-06-15 10:36 ` [PULL 3/5] crypto/linux_keyring: add 'secret_keyring' secret object Daniel P. Berrangé
2020-06-16 16:49 ` David Edmondson
2020-06-16 16:51 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200605110641.GC3289519@redhat.com \
--to=berrange@redhat.com \
--cc=alex-krasikov@yandex-team.ru \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.