From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:41986) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aScsT-00089m-N2 for qemu-devel@nongnu.org; Sun, 07 Feb 2016 22:52:42 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aScsS-00032B-Ji for qemu-devel@nongnu.org; Sun, 07 Feb 2016 22:52:41 -0500 Date: Sun, 7 Feb 2016 22:52:33 -0500 From: Jeff Cody Message-ID: <20160208035233.GA26620@localhost.localdomain> References: <1453385961-10718-1-git-send-email-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1453385961-10718-1-git-send-email-berrange@redhat.com> Subject: Re: [Qemu-devel] [Qemu-block] [PATCH v4 0/3] Use QCryptoSecret for block device passwords List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: "Daniel P. Berrange" Cc: Paolo Bonzini , qemu-devel@nongnu.org, qemu-block@nongnu.org, Markus Armbruster On Thu, Jan 21, 2016 at 02:19:18PM +0000, Daniel P. Berrange wrote: > This series was previously posted: > > v1: https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg04365.html > v2: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03809.html > v3: https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03461.html > > The RBD, Curl and iSCSI block device drivers all need the ability > to accept a password to authenticate with the remote network storage > server. Currently RBD and iSCSI both just take the password in clear > text as part of the block parameters which is insecure (passwords are > visible in the process listing), while Curl doesn't support auth at > all. > > This series updates all three drivers so that they use the recently > merged QCryptoSecret API for getting passwords. Each driver gains > a 'passwordid' property that can be set to provide the ID of a > QCryptoSecret object instance, which in turn provides the actual > password data. > > This series is required in order to fix a long standing CVE security > flaw in libvirt, whereby passwords are exposed in the command line > arguments and so visible in process listing > > This series would benefit from the --object additions to qemu-img, > qemu-io and qemu-nbd, but this is not a pre-requisite for its merge > as it us still useful in the system emulator without that support: > > https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03381.html > > Changed in v4: > > - Rename 'password-id' to 'password-secret', 'proxy-password-id' > to 'proxy-password-secret' (Paolo) > > Changed in v3: > > - Rename 'passwordid' to 'password-id', 'proxypasswordid' > to 'proxy-password-id' and 'proxyusername' to 'proxy-username' > (Markus) > > Daniel P. Berrange (3): > rbd: add support for getting password from QCryptoSecret object > curl: add support for HTTP authentication parameters > iscsi: add support for getting CHAP password via QCryptoSecret API > > block/curl.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > block/iscsi.c | 24 +++++++++++++++++++++- > block/rbd.c | 47 ++++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 136 insertions(+), 1 deletion(-) > > -- > 2.5.0 > > Thanks, applied to my git branch: git://github.com/codyprime/qemu-kvm-jtc.git block -Jeff