From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: Alexey Krasikov <alex-krasikov@yandex-team.ru>
Subject: Re: [PULL 3/5] crypto/linux_keyring: add 'secret_keyring' secret object.
Date: Fri, 5 Jun 2020 12:06:41 +0100
Message-ID: <20200605110641.GC3289519@redhat.com>
In-Reply-To: <20200529103555.2759928-4-berrange@redhat.com>
On Fri, May 29, 2020 at 11:35:53AM +0100, Daniel P. Berrangé wrote:
> From: Alexey Krasikov <alex-krasikov@yandex-team.ru>
>
> Add the ability for the secret object to obtain secret data from the
> Linux in-kernel key management and retention facility, as an extra option
> to the existing ones: reading from a file or passing directly as a
> string.
>
> The secret is identified by the key serial number. The upper layers
> need to instantiate the key and make sure the QEMU process has access
> permissions to read it.
>
> Signed-off-by: Alexey Krasikov <alex-krasikov@yandex-team.ru>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> configure | 38 ++++++++
> crypto/Makefile.objs | 1 +
> crypto/secret_keyring.c | 148 ++++++++++++++++++++++++++++++++
> include/crypto/secret_keyring.h | 52 +++++++++++
> 4 files changed, 239 insertions(+)
> create mode 100644 crypto/secret_keyring.c
> create mode 100644 include/crypto/secret_keyring.h
>
> diff --git a/configure b/configure
> index 2ffe365e2c..d95ff4e0b3 100755
> --- a/configure
> +++ b/configure
> @@ -510,6 +510,7 @@ default_devices="yes"
> plugins="no"
> fuzzing="no"
> rng_none="no"
> +secret_keyring="yes"
>
> supported_cpu="no"
> supported_os="no"
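Review bot: the new default `secret_keyring="yes"` in this hunk turns a Linux-only facility on for every host, including the mingw build, while the probe that sets `have_keyring` later in this patch runs only under `test "$linux" = "yes"`. configure's convention for auto-detected features is an empty default (`secret_keyring=""`) so the probe decides, and `error_exit` is reserved for the case where the user explicitly passed `--enable-keyring`.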
> @@ -1606,6 +1607,10 @@ for opt do
> ;;
> --disable-rng-none) rng_none=no
> ;;
> + --enable-keyring) secret_keyring="yes"
> + ;;
> + --disable-keyring) secret_keyring="no"
> + ;;
> *)
> echo "ERROR: unknown option $opt"
> echo "Try '$0 --help' for more information"
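Review bot: the option names `--enable-keyring` / `--disable-keyring` do not match the variable `secret_keyring` they set, nor the 'secret_keyring' object name in the subject; the neighbouring `--disable-rng-none) rng_none=no` pairs option and variable name one to one. Consider `--enable-secret-keyring` / `--disable-secret-keyring` so users can map the option to the feature without reading configure.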
> @@ -6272,6 +6277,34 @@ case "$slirp" in
> ;;
> esac
>
> +##########################################
> +# check for usable __NR_keyctl syscall
> +
> +if test "$linux" = "yes" ; then
> +
> + have_keyring=no
> + cat > $TMPC << EOF
> +#include <errno.h>
> +#include <asm/unistd.h>
> +#include <linux/keyctl.h>
> +#include <unistd.h>
> +int main(void) {
> + return syscall(__NR_keyctl, KEYCTL_READ, 0, NULL, NULL, 0);
> +}
> +EOF
> + if compile_prog "" "" ; then
> + have_keyring=yes
> + fi
> +fi
> +if test "$secret_keyring" = "yes"
> +then
> + if test "$have_keyring" != "yes"
> + then
> + error_exit "syscall __NR_keyctl requested, \
> +but not implemented on your system"
> + fi
> +fi
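Review bot: the probe is gated on `test "$linux" = "yes"`, so on any other host `have_keyring` is never assigned, `test "$have_keyring" != "yes"` succeeds, and `error_exit "syscall __NR_keyctl requested, but not implemented on your system"` fires even though the user requested nothing. Initialise `have_keyring=no` before the `if test "$linux"` block and treat an empty `secret_keyring` as auto, so the abort happens only for an explicit `--enable-keyring`. Two smaller points in the same hunk: `#include <errno.h>` in the test program is unused and can go, and the check only confirms that `__NR_keyctl` and `KEYCTL_READ` are defined by the build headers, not that the running kernel has keyring support, which is acceptable for configure but deserves a comment above the probe.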
This logic doesn't correctly disable keyring on non-Linux native
builds by default, e.g. mingw, as reported by patchew.
I'm going to repost with the following squashed in:
diff --git a/configure b/configure
index f2ff722f7e..f17c2fd72e 100755
--- a/configure
+++ b/configure
@@ -510,7 +510,7 @@ default_devices="yes"
plugins="no"
fuzzing="no"
rng_none="no"
-secret_keyring="yes"
+secret_keyring=""
supported_cpu="no"
supported_os="no"
@@ -6296,12 +6296,19 @@ EOF
have_keyring=yes
fi
fi
-if test "$secret_keyring" = "yes"
+if test "$secret_keyring" != "no"
then
- if test "$have_keyring" != "yes"
+ if test "$have_keyring" == "yes"
then
- error_exit "syscall __NR_keyctl requested, \
+ secret_keyring=yes
+ else
+ if test "$secret_keyring" = "yes"
+ then
+ error_exit "syscall __NR_keyctl requested, \
but not implemented on your system"
+ else
+ secret_keyring=no
+ fi
fi
fi
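Review bot: `if test "$have_keyring" == "yes"` uses `==`, which POSIX `test` does not define; configure is run under /bin/sh, and on hosts where that is dash this line fails with an "unexpected operator" error rather than taking the branch. Every other comparison in the hunk uses `=`, so change it to `if test "$have_keyring" = "yes"`. The restructured block otherwise does what the message says: an empty (auto) value resolves to yes or no from the probe, and only an explicit `yes` without the syscall aborts.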
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|