Re: [Qemu-devel] [PATCH v1 4/4] char: introduce support for TLS encrypted TCP chardev backend

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Eric Blake <eblake@redhat.com>
To: "Daniel P. Berrange" <berrange@redhat.com>, qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v1 4/4] char: introduce support for TLS encrypted TCP chardev backend
Date: Wed, 18 Nov 2015 13:00:25 -0700	[thread overview]
Message-ID: <564CD8D9.2090104@redhat.com> (raw)
In-Reply-To: <1447872538-1713-5-git-send-email-berrange@redhat.com>

[-- Attachment #1: Type: text/plain, Size: 2819 bytes --]

On 11/18/2015 11:48 AM, Daniel P. Berrange wrote:
> This integrates support for QIOChannelTLS object in the TCP
> chardev backend. If the 'tls-creds=NAME' option is passed with
> the '-chardev tcp' argument, then it will setup the chardev
> such that the client is required to establish a TLS handshake
> when connecting. There is no support for checking the client
> certificate against ACLs in this initial patch. This is pending
> work to QOM-ify the ACL object code.
> 
> A complete invocation to run QEMU as the server for a TLS
> encrypted serial dev might be
> 
>   $ qemu-system-x86_64 \
>       -nodefconfig -nodefaults -device sga -display none \
>       -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-creds=tls0,server \
>       -device isa-serial,chardev=s0 \
>       -object tls-creds-x509,id=tls0,endpoint=server,verify-peer=off,\
>          dir=/home/berrange/security/qemutls
> 
> To test with the gnutls-cli tool as the client:
> 
>   $ gnutls-cli --priority=NORMAL -p 9000 \
>        --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
>        127.0.0.1
> 
> If QEMU was told to use 'anon' credential type, then use the
> priority string 'NORMAL:+ANON-DH' with gnutls-cli
> 
> Alternatively, if setting up a chardev to operate as a client,
> then the TLS credentials registered must be for the client
> endpoint. First a TLS server must be setup, which can be done
> with the gnutls-serv tool
> 
>   $ gnutls-serv --priority=NORMAL -p 9000 --echo \
>        --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
>        --x509certfile=/home/berrange/security/qemutls/server-cert.pem \
>        --x509keyfile=/home/berrange/security/qemutls/server-key.pem
> 
> Then QEMU can connect with
> 
>   $ qemu-system-x86_64 \
>       -nodefconfig -nodefaults -device sga -display none \
>       -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-creds=tls0 \
>       -device isa-serial,chardev=s0 \
>       -object tls-creds-x509,id=tls0,endpoint=client,\
>         dir=/home/berrange/security/qemutls
> 
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
>  qapi-schema.json |   2 +
>  qemu-char.c      | 138 ++++++++++++++++++++++++++++++++++++++++++++++++++-----
>  qemu-options.hx  |   9 +++-
>  3 files changed, 135 insertions(+), 14 deletions(-)
> 
> diff --git a/qapi-schema.json b/qapi-schema.json
> index 8b1a423..be6636c 100644
> --- a/qapi-schema.json
> +++ b/qapi-schema.json
> @@ -3046,6 +3046,7 @@
>  #
>  # @addr: socket address to listen on (server=true)
>  #        or connect to (server=false)
> +# @tls-creds: #optional the ID of the TLS credentials object (since 2.4)

2.6, now :)


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 604 bytes --]

     prev parent reply	other threads:[~2015-11-18 20:00 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-18 18:48 [Qemu-devel] [PATCH v1 0/4] Convert chardevs to QIOChannel & add TLS support Daniel P. Berrange
2015-11-18 18:48 ` [Qemu-devel] [PATCH v1 1/4] char: remove fixed length filename allocation Daniel P. Berrange
2015-11-18 18:48 ` [Qemu-devel] [PATCH v1 2/4] char: convert from GIOChannel to QIOChannel Daniel P. Berrange
2015-11-18 18:48 ` [Qemu-devel] [PATCH v1 3/4] char: don't assume telnet initialization will not block Daniel P. Berrange
2015-11-18 18:48 ` [Qemu-devel] [PATCH v1 4/4] char: introduce support for TLS encrypted TCP chardev backend Daniel P. Berrange
2015-11-18 20:00   ` Eric Blake [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=564CD8D9.2090104@redhat.com \
    --to=eblake@redhat.com \
    --cc=berrange@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.