From: "Alex Bennée" <alex.bennee@linaro.org>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>, Josh Durgin <jdurgin@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
qemu-block@nongnu.org, qemu-devel@nongnu.org,
Markus Armbruster <armbru@redhat.com>,
Ronnie Sahlberg <ronniesahlberg@gmail.com>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 00/17] Framework for securely passing secrets to QEMU
Date: Mon, 19 Oct 2015 17:05:58 +0100 [thread overview]
Message-ID: <87r3kqetcp.fsf@linaro.org> (raw)
In-Reply-To: <1445267389-21846-1-git-send-email-berrange@redhat.com>
Daniel P. Berrange <berrange@redhat.com> writes:
> There are a variety of places where QEMU needs to have access
> to passwords, encryption keys or similar kinds of secrets.
>
<snip>
>
> Example usage for creating secrets...
>
> Direct password, insecure, for ad-hoc developer testing only
>
> $QEMU -object secret,id=sec0,data=letmein
>
> Indirect password via a file, good for production
>
> echo -n "letmein" > mypasswd.txt
> $QEMU -object secret,id=sec0,file=mypasswd.txt
>
> The file based approach supports file descriptor passing,
> so mgmt apps can use that to dynamically add passwords to
> running QEMU.
>
> There is a better way though, which is to use an encrypted
> secret. The intent here is that a mgmt app (like libvirt)
> will generate a random AES-256 key for each virtual machine
> it starts (saved in eg /var/run/libvirt/qemu/$GUEST.key)
> It can then use the direct password passing, but encrypt
> the data.
>
> $QEMU \
> -object secret,id=secmaster0,file=/var/run/libvirt/qemu/$GUEST.key,format=base64 \
> -object secret,id=sec0,data=[base64 ciphertext],\
> keyid=secmaster0,iv=[base64 initialization vector]
>
> This means that the mgmt app does not need to worry about
> file descriptor passing at all. It can just use regular
> object properties, safe in the knowledge that the data is
> protected by a secret AES key shared only between QEMU
> and the mgmt app.
>
> Use of encrypted secrets is not restricted to directly
> provided inline data. If the secret is stored in an
> external file, that can be encrypted too
>
> $QEMU \
> -object secret,id=secmaster0,file=/var/run/libvirt/qemu/$GUEST.key,format=base64 \
> -object secret,id=sec0,file=/some/secret/file.aes,\
> keyid=secmaster0,iv=[base64 initialization vector]
>
>
>
> Example usage for referencing secrets...
>
> CURL:
>
> $QEMU -object secret,id=sec0... \
> -drive driver=http,url=http://example.com/someimg.qcow2,\
> user=dan,passwordid=sec0
>
> $QEMU -object secret,id=sec0... -object secret,id=sec1 \
> -drive driver=http,url=http://example.com/someimg.qcow2,\
> user=dan,passwordid=sec0,proxyuser=dan,passwordid=sec1
>
> iSCSI:
>
> $QEMU -object secret,id=sec0... \
> -drive driver=iscsi,url=iscsi://example.com/target-foo/lun1,\
> user=dan,passwordid=sec0
>
> RBD:
>
> $QEMU -object secret,id=sec0... \
> -drive driver=rbd,file=rbd:pool/image:id=myname,\
> auth-supported-cephx,authsecret=sec0
>
> QCow/Qcow2 encryption
>
> $QEMU -object secret,id=sec0... \
> -drive file=someimage.qcow2,keyid=sec0
So one use case which I don't see here but do on other programs that
need to access secrets is calling an external program and reading its
stdout. This is simpler than having to mess around with passing FDs
although there may be security concerns having QEMU create new tasks on
the system.
--
Alex Bennée
next prev parent reply other threads:[~2015-10-19 16:06 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-19 15:09 [Qemu-devel] [PATCH 00/17] Framework for securely passing secrets to QEMU Daniel P. Berrange
2015-10-19 15:09 ` [Qemu-devel] [PATCH 01/17] crypto: add QCryptoSecret object class for password/key handling Daniel P. Berrange
2015-10-19 15:18 ` Paolo Bonzini
2015-10-19 15:24 ` Daniel P. Berrange
2015-10-19 15:40 ` Paolo Bonzini
2015-10-19 15:46 ` Daniel P. Berrange
2015-10-19 16:12 ` Paolo Bonzini
2015-10-19 16:24 ` Daniel P. Berrange
2015-10-19 16:28 ` Paolo Bonzini
2015-10-19 16:30 ` Daniel P. Berrange
2015-10-19 15:09 ` [Qemu-devel] [PATCH 02/17] crypto: add support for loading encrypted x509 keys Daniel P. Berrange
2015-10-19 15:09 ` [Qemu-devel] [PATCH 03/17] rbd: add support for getting password from QCryptoSecret object Daniel P. Berrange
2015-10-19 22:57 ` Josh Durgin
2015-10-20 8:35 ` Daniel P. Berrange
2015-10-19 15:09 ` [Qemu-devel] [PATCH 04/17] curl: add support for HTTP authentication parameters Daniel P. Berrange
2015-10-19 15:09 ` [Qemu-devel] [PATCH 05/17] iscsi: add support for getting CHAP password via QCryptoSecret API Daniel P. Berrange
2015-10-19 15:09 ` [Qemu-devel] [PATCH 06/17] qcow: add a 'keyid' parameter to qcow options Daniel P. Berrange
2015-10-28 13:56 ` Eric Blake
2015-10-19 15:09 ` [Qemu-devel] [PATCH 07/17] qcow2: add a 'keyid' parameter to qcow2 options Daniel P. Berrange
2015-10-19 23:29 ` Eric Blake
2015-10-28 13:58 ` Eric Blake
2015-10-19 15:09 ` [Qemu-devel] [PATCH 08/17] qom: add user_creatable_add & user_creatable_del methods Daniel P. Berrange
2015-10-19 15:09 ` [Qemu-devel] [PATCH 09/17] qemu-img: add support for --object command line arg Daniel P. Berrange
2015-10-19 15:09 ` [Qemu-devel] [PATCH 10/17] qemu-nbd: " Daniel P. Berrange
2015-10-19 15:09 ` [Qemu-devel] [PATCH 11/17] qemu-io: " Daniel P. Berrange
2015-10-19 15:09 ` [Qemu-devel] [PATCH 12/17] qemu-io: allow specifying image as a set of options args Daniel P. Berrange
2015-10-19 15:09 ` [Qemu-devel] [PATCH 13/17] qemu-nbd: " Daniel P. Berrange
2015-10-19 15:09 ` [Qemu-devel] [PATCH 14/17] qemu-img: " Daniel P. Berrange
2015-10-19 15:09 ` [Qemu-devel] [PATCH 15/17] block: rip out all traces of password prompting Daniel P. Berrange
2015-10-19 15:09 ` [Qemu-devel] [PATCH 16/17] block: remove all encryption handling APIs Daniel P. Berrange
2015-10-19 15:09 ` [Qemu-devel] [PATCH 17/17] block: remove support for writing to qcow/qcow2 encrypted images Daniel P. Berrange
2015-10-19 16:05 ` Alex Bennée [this message]
2015-10-19 16:14 ` [Qemu-devel] [PATCH 00/17] Framework for securely passing secrets to QEMU Daniel P. Berrange
2015-10-19 17:13 ` Dr. David Alan Gilbert
2015-10-19 17:46 ` Daniel P. Berrange
2015-10-23 15:31 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r3kqetcp.fsf@linaro.org \
--to=alex.bennee@linaro.org \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=jdurgin@redhat.com \
--cc=kwolf@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=ronniesahlberg@gmail.com \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).