Date: Thu, 23 Apr 2015 13:32:28 +0100
From: "Daniel P. Berrange"
To: Eric Blake
Cc: Paolo Bonzini, qemu-devel@nongnu.org, Stefan Hajnoczi, Gerd Hoffmann
Subject: Re: [Qemu-devel] [PATCH v1 RFC 34/34] char: introduce support for TLS encrypted TCP chardev backend
Message-ID: <20150423123228.GG5845@redhat.com>
In-Reply-To: <5531507A.6000401@redhat.com>
References: <1429280557-8887-1-git-send-email-berrange@redhat.com> <1429280557-8887-35-git-send-email-berrange@redhat.com> <5531507A.6000401@redhat.com>

On Fri, Apr 17, 2015 at 12:27:06PM -0600, Eric Blake wrote:
> On 04/17/2015 08:22 AM, Daniel P. Berrange wrote:
> > This integrates support for QIOChannelTLS object in the TCP
> > chardev backend. If the 'tls-cred=NAME' option is passed with
> > the '-chardev tcp' argument, then it will setup the chardev
> > such that the client is required to establish a TLS handshake
> > when connecting. The 'acl' option will further enable the
> > creation of a 'char.$ID.tlspeername' ACL which will be used
> > to validate the client x509 certificate, if provided.
> >
> > A complete invokation to run QEMU as the server for a TLS
>
> s/invokation/invocation/
>
> > encrypted serial dev might be
> >
> >   $ qemu-system-x86_64 \
> >       -nodefconfig -nodefaults -device sga -display none \
> >       -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0,server \
> >       -device isa-serial,chardev=s0 \
> >       -object qcrypto-tls-cred,id=tls0,credtype=x509,\
> >               endpoint=server,dir=/home/berrange/security/qemutls,verify-peer=off
> >
> > To test with the gnutls-cli tool as the client:
> >
> >   $ gnutls-cli --priority=NORMAL -p 9000 \
> >       --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
> >       127.0.0.1
> >
> > If QEMU was told to use 'anon' credential type, then use the
> > priority string 'NOMAL:+ANON-DH' with gnutls-cli
>
> s/NOMAL/NORMAL/
>
> >
> > Alternatively, if setting up a chardev to operate as a client,
> > then the TLS credentials registered must be for the client
> > endpoint. First a TLS server must be setup, which can be done
> > with the gnutls-serv tool
> >
> >   $ gnutls-serv --priority=NORMAL -p 9000 \
> >       --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
> >       --x509certfile=/home/berrange/security/qemutls/server-cert.pem \
> >       --x509keyfile=/home/berrange/security/qemutls/server-key.pem
> >
> > Then QEMU can connect with
> >
> >   $ qemu-system-x86_64 \
> >       -nodefconfig -nodefaults -device sga -display none \
> >       -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0 \
> >       -device isa-serial,chardev=s0 \
> >       -object qcrypto-tls-cred,id=tls0,credtype=x509,\
> >               endpoint=client,dir=/home/berrange/security/qemutls
> >
> > Signed-off-by: Daniel P. Berrange
> > ---
> >  qapi-schema.json |   2 +
> >  qemu-char.c      | 182 ++++++++++++++++++++++++++++++++++++++++++++++---------
> >  qemu-options.hx  |   9 ++-
> >  3 files changed, 161 insertions(+), 32 deletions(-)
> >
> > diff --git a/qapi-schema.json b/qapi-schema.json
> > index ac9594d..062a455 100644
> > --- a/qapi-schema.json
> > +++ b/qapi-schema.json
> > @@ -2782,6 +2782,8 @@ > > # Since: 1.4 > > ## > > { 'type': 'ChardevSocket', 'data': { 'addr' : 'SocketAddress', > > + '*tls-cred' : 'str', > > + '*acl' : 'str', > > Need to document these two fields, along with '(since 2.4)' designators. Ah, ok forgot about that. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
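Review bot: the two new optional members of ChardevSocket, `'*tls-cred' : 'str'` and `'*acl' : 'str'`, are added without any matching `# @tls-cred:` / `# @acl:` lines in the doc comment that ends with `# Since: 1.4`, so the generated QAPI documentation will not say what either string names (the commit message says tls-cred is the id of a qcrypto-tls-cred object and acl names the 'char.$ID.tlspeername' ACL); add both entries with the '(since 2.4)' designator the review asks for. The same doc comment is the right place to state the dependency the commit message only implies: 'acl' is meaningful only when 'tls-cred' is also given, and since the server example in the commit message uses `verify-peer=off`, the text should say whether an ACL has anything to check when peer verification is disabled, so that an operator does not configure an ACL and assume client certificates are being validated.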