From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:54901) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aRMGq-0006j7-Ia for qemu-devel@nongnu.org; Thu, 04 Feb 2016 10:56:37 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aRMGp-0007sf-Dt for qemu-devel@nongnu.org; Thu, 04 Feb 2016 10:56:36 -0500 Sender: Paolo Bonzini References: <1453385961-10718-1-git-send-email-berrange@redhat.com> From: Paolo Bonzini Message-ID: <56B374AB.5030008@redhat.com> Date: Thu, 4 Feb 2016 16:56:27 +0100 MIME-Version: 1.0 In-Reply-To: <1453385961-10718-1-git-send-email-berrange@redhat.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH v4 0/3] Use QCryptoSecret for block device passwords List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: "Daniel P. Berrange" , qemu-devel@nongnu.org Cc: Jeff Cody , Markus Armbruster , qemu-block@nongnu.org On 21/01/2016 15:19, Daniel P. Berrange wrote: > This series was previously posted: > > v1: https://lists.gnu.org/archive/html/qemu-devel/2015-10/msg04365.html > v2: https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg03809.html > v3: https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03461.html > > The RBD, Curl and iSCSI block device drivers all need the ability > to accept a password to authenticate with the remote network storage > server. Currently RBD and iSCSI both just take the password in clear > text as part of the block parameters which is insecure (passwords are > visible in the process listing), while Curl doesn't support auth at > all. > > This series updates all three drivers so that they use the recently > merged QCryptoSecret API for getting passwords. Each driver gains > a 'passwordid' property that can be set to provide the ID of a > QCryptoSecret object instance, which in turn provides the actual > password data. > > This series is required in order to fix a long standing CVE security > flaw in libvirt, whereby passwords are exposed in the command line > arguments and so visible in process listing > > This series would benefit from the --object additions to qemu-img, > qemu-io and qemu-nbd, but this is not a pre-requisite for its merge > as it us still useful in the system emulator without that support: > > https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg03381.html > > Changed in v4: > > - Rename 'password-id' to 'password-secret', 'proxy-password-id' > to 'proxy-password-secret' (Paolo) > > Changed in v3: > > - Rename 'passwordid' to 'password-id', 'proxypasswordid' > to 'proxy-password-id' and 'proxyusername' to 'proxy-username' > (Markus) > > Daniel P. Berrange (3): > rbd: add support for getting password from QCryptoSecret object > curl: add support for HTTP authentication parameters > iscsi: add support for getting CHAP password via QCryptoSecret API > > block/curl.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > block/iscsi.c | 24 +++++++++++++++++++++- > block/rbd.c | 47 ++++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 136 insertions(+), 1 deletion(-) > Ping? Jeff, these three are all network-based block device drivers so I think you can apply the whole series. Thanks!