Message-ID: <5531507A.6000401@redhat.com>
Date: Fri, 17 Apr 2015 12:27:06 -0600
From: Eric Blake
To: "Daniel P. Berrange", qemu-devel@nongnu.org
Cc: Paolo Bonzini, Gerd Hoffmann, Stefan Hajnoczi
References: <1429280557-8887-1-git-send-email-berrange@redhat.com> <1429280557-8887-35-git-send-email-berrange@redhat.com>
In-Reply-To: <1429280557-8887-35-git-send-email-berrange@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v1 RFC 34/34] char: introduce support for TLS encrypted TCP chardev backend

On 04/17/2015 08:22 AM, Daniel P. Berrange wrote:
> This integrates support for QIOChannelTLS object in the TCP
> chardev backend. If the 'tls-cred=NAME' option is passed with
> the '-chardev tcp' argument, then it will setup the chardev
> such that the client is required to establish a TLS handshake
> when connecting. The 'acl' option will further enable the
> creation of a 'char.$ID.tlspeername' ACL which will be used
> to validate the client x509 certificate, if provided.
>
> A complete invokation to run QEMU as the server for a TLS

s/invokation/invocation/

> encrypted serial dev might be
>
> $ qemu-system-x86_64 \
>     -nodefconfig -nodefaults -device sga -display none \
>     -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0,server \
>     -device isa-serial,chardev=s0 \
>     -object qcrypto-tls-cred,id=tls0,credtype=x509,\
>             endpoint=server,dir=/home/berrange/security/qemutls,verify-peer=off
>
> To test with the gnutls-cli tool as the client:
>
> $ gnutls-cli --priority=NORMAL -p 9000 \
>     --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
>     127.0.0.1
>
> If QEMU was told to use 'anon' credential type, then use the
> priority string 'NOMAL:+ANON-DH' with gnutls-cli

s/NOMAL/NORMAL/

>
> Alternatively, if setting up a chardev to operate as a client,
> then the TLS credentials registered must be for the client
> endpoint. First a TLS server must be setup, which can be done
> with the gnutls-serv tool
>
> $ gnutls-serv --priority=NORMAL -p 9000 \
>     --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
>     --x509certfile=/home/berrange/security/qemutls/server-cert.pem \
>     --x509keyfile=/home/berrange/security/qemutls/server-key.pem
>
> Then QEMU can connect with
>
> $ qemu-system-x86_64 \
>     -nodefconfig -nodefaults -device sga -display none \
>     -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0 \
>     -device isa-serial,chardev=s0 \
>     -object qcrypto-tls-cred,id=tls0,credtype=x509,\
>             endpoint=client,dir=/home/berrange/security/qemutls
>
> Signed-off-by: Daniel P. Berrange
> ---
>  qapi-schema.json |   2 +
>  qemu-char.c      | 182 ++++++++++++++++++++++++++++++++++++++++++++++----------
>  qemu-options.hx  |   9 ++-
>  3 files changed, 161 insertions(+), 32 deletions(-)
>
> diff --git a/qapi-schema.json b/qapi-schema.json
> index ac9594d..062a455 100644
> --- a/qapi-schema.json
> +++ b/qapi-schema.json
> @@ -2782,6 +2782,8 @@
>  # Since: 1.4
>  ##
>  { 'type': 'ChardevSocket', 'data': { 'addr' : 'SocketAddress',
> +                                       '*tls-cred' : 'str',
> +                                       '*acl' : 'str',

Need to document these two fields, along with '(since 2.4)' designators.

> +++ b/qemu-options.hx
> @@ -2009,7 +2009,7 @@ ETEXI
>  DEF("chardev", HAS_ARG, QEMU_OPTION_chardev,
>      "-chardev null,id=id[,mux=on|off]\n"
>      "-chardev socket,id=id[,host=host],port=port[,to=to][,ipv4][,ipv6][,nodelay][,reconnect=seconds]\n"
> -    "         [,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off] (tcp)\n"
> +    "         [,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off][,tls-cred=ID][,acl] (tcp)\n"
>      "-chardev socket,id=id,path=path[,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off] (unix)\n"
>      "-chardev udp,id=id[,host=host],port=port[,localaddr=localaddr]\n"
>      "         [,localport=localport][,ipv4][,ipv6][,mux=on|off]\n"
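Review bot: the `+` line of this help-text hunk advertises `[,acl]` as a value-less switch, while the qapi-schema.json hunk above declares it as `'*acl' : 'str'`, so the two halves of the patch disagree about whether the user supplies a value. Settle on one representation: a `bool` in the schema if, as the commit message says, `acl` merely enables the char.$ID.tlspeername ACL check of the client certificate, or `acl=ID` in the help string if it is meant to name an ACL. Either way, the help output should also say in one line what `tls-cred=ID` refers to (the id of a qcrypto-tls-cred object), since nothing in this hunk explains it.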
> @@ -2082,7 +2082,7 @@ Options to each backend are described below.
>  A void device. This device will not emit any data, and will drop any data it
>  receives. The null backend does not take any options.
>  
> -@item -chardev socket ,id=@var{id} [@var{TCP options} or @var{unix options}] [,server] [,nowait] [,telnet] [,reconnect=@var{seconds}]
> +@item -chardev socket ,id=@var{id} [@var{TCP options} or @var{unix options}] [,server] [,nowait] [,telnet] [,reconnect=@var{seconds}][,tls-cred=@var{id}]

Everyone else in this line had space before [

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
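Review bot: the qapi-schema.json hunk adds `'*tls-cred'` and `'*acl'` to ChardevSocket without touching the doc comment block above the type (the `# Since: 1.4` / `##` context lines are its tail), which is where generated documentation is taken from. Add `@tls-cred:` and `@acl:` entries there, each with a `(since 2.4)` marker, stating that tls-cred is the id of a qcrypto-tls-cred object whose credentials the chardev uses and that acl enables the char.$ID.tlspeername ACL used to validate the client's x509 certificate; also state that both fields only make sense for an inet `addr`, since the qemu-options.hx help string lists them on the `(tcp)` line and not the `(unix)` one.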
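Review bot: in addition to the missing space before `[,tls-cred=@var{id}]` noted above, this texinfo `@item` is shared by the TCP and unix flavours of `-chardev socket`, so the description that follows it should say that tls-cred applies only to TCP sockets (the help string hunk lists it under `(tcp)` only), and `[,acl]` is missing here although the help string adds it. Describing both options in this one place keeps the `-chardev help` output and the manual from drifting apart.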