On Tue, Jun 23, 2026 at 06:26:03 +0000, Abhisek Panda wrote:
> To enable TLS-PSK-based authentication scheme, add support for
> instantiating the tls-creds-psk object through QEMU monitor. In order
> to remove the TLS-related objects from a QEMU instance, augment the
> qemuDomainDelTLSObjects handler to also consider the TLS-PSK object.
>
> Suggested-by: Tejus GK <[email protected]>
> Signed-off-by: Abhisek Panda <[email protected]>
> ---
> src/qemu/qemu_alias.c | 11 +++++
> src/qemu/qemu_alias.h | 3 ++
> src/qemu/qemu_hotplug.c | 58 ++++++++++++++++++++++++---
> src/qemu/qemu_hotplug.h | 14 ++++++-
> src/qemu/qemu_migration_params.c | 69 ++++++++++++++++++++++++++++++--
> src/qemu/qemu_migration_params.h | 8 ++++
> 6 files changed, 152 insertions(+), 11 deletions(-)
>
> diff --git a/src/qemu/qemu_alias.c b/src/qemu/qemu_alias.c
> index b41794a5fa..a4894a681f 100644
> --- a/src/qemu/qemu_alias.c
> +++ b/src/qemu/qemu_alias.c
> @@ -883,6 +883,17 @@ qemuAliasTLSx509ObjFromSrcAlias(const char *srcAlias)
> return g_strdup_printf("obj%s_tlsx509_0", srcAlias);
> }
>
> +/* qemuAliasTLSPSKObjFromSrcAlias
> + * @srcAlias: Pointer to a source alias string
> + *
> + * Generate and return a string to be used as the TLS PSK object alias
> + */
> +char *
> +qemuAliasTLSPSKObjFromSrcAlias(const char *srcAlias)
> +{
> + return g_strdup_printf("obj%s_tlspsk_0", srcAlias);
> +}
> +
As noted in previous patch, there's just one TLS backend object possible
here so there isn't really need to encode what type is used in the alias
name.
It'll simplify much of the rest of the patch.
> @@ -1881,6 +1885,48 @@ qemuDomainDelChardevTLSObjects(virQEMUDriver *driver,
> }
>
>
> +int
> +qemuDomainAddTLSPSKObjects(virDomainObj *vm,
> + virDomainAsyncJob asyncJob,
> + virJSONValue **tlsPSKProps)
> +{
> + qemuDomainObjPrivate *priv = vm->privateData;
> + virErrorPtr orig_err;
> +
> + if (!tlsPSKProps)
> + return 0;
> +
> + if (qemuDomainObjEnterMonitorAsync(vm, asyncJob) < 0)
> + return -1;
> +
> + if (tlsPSKProps && *tlsPSKProps &&
> + qemuMonitorAddObject(priv->mon, tlsPSKProps, NULL) < 0)
> + goto error;
> +
> + qemuDomainObjExitMonitor(vm);
> + return 0;
> +
> + error:
> + virErrorPreserveLast(&orig_err);
> + qemuDomainObjExitMonitor(vm);
> + virErrorRestore(&orig_err);
> + return -1;
> +}
> +
> +
> +int
> +qemuDomainGetTLSPSKObjects(const char *tlsPSKdir,
> + bool tlsListen,
> + const char *alias,
> + virJSONValue **tlsPSKProps)
> +{
> + if (qemuBuildTLSPSKBackendProps(tlsPSKdir, tlsListen, alias,
> tlsPSKProps) < 0)
> + return -1;
> +
> + return 0;
> +}
Both of the above wrappers seem rather minimal and used from just one
place. I'd suggest you just move the code into
qemuMigrationParamsEnableTLSPSK instead.
> +
> +
> static int
> qemuDomainAttachRedirdevDevice(virQEMUDriver *driver,
> virDomainObj *vm,
[...]
> diff --git a/src/qemu/qemu_migration_params.c
> b/src/qemu/qemu_migration_params.c
> index c91ae89c9b..846d97b4d1 100644
> --- a/src/qemu/qemu_migration_params.c
> +++ b/src/qemu/qemu_migration_params.c
[...]
> @@ -1237,6 +1237,65 @@ qemuMigrationParamsEnableTLSx509(virQEMUDriver *driver,
> }
>
>
> +/* qemuMigrationParamsEnableTLSPSK
> + * @driver: pointer to qemu driver
> + * @vm: domain object
> + * @tlsListen: server or client
> + * @asyncJob: Migration job to join
> + * @tlsPSKAlias: alias to be generated for TLS-PSK object
> + * @migParams: migration parameters to set
> + *
> + * Create the TLS PSK objects for the migration and set the migParams value.
> + *
> + * Returns 0 on success, -1 on failure
> + */
> +int
> +qemuMigrationParamsEnableTLSPSK(virQEMUDriver *driver,
> + virDomainObj *vm,
> + bool tlsListen,
> + int asyncJob,
> + char **tlsPSKAlias,
> + qemuMigrationParams *migParams)
> +{
> + qemuDomainJobPrivate *jobPriv = vm->job->privateData;
> + g_autoptr(virJSONValue) tlsPSKProps = NULL;
> + g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
> + char uuidstr[VIR_UUID_STRING_BUFLEN];
> + g_autofree char *dir_path = NULL;
> +
> + virUUIDFormat(vm->def->uuid, uuidstr);
> + dir_path = g_strdup_printf("%s/%s", cfg->stateDir, uuidstr);
> +
> + if (!jobPriv->migParams->params[QEMU_MIGRATION_PARAM_TLS_CREDS].set) {
> + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
> + _("TLS migration is not supported with this QEMU
> binary"));
At the point where qemu supports TLS PSK it surely supports TLS as whole
so this check is pointless.
What you need instead is a capability check that the PSK backend object
is supported instead.
> + return -1;
> + }
> +
> + if (!(*tlsPSKAlias =
> qemuAliasTLSPSKObjFromSrcAlias(QEMU_MIGRATION_TLS_ALIAS_BASE)))
> + return -1;
> +
> + if (qemuDomainGetTLSPSKObjects(dir_path, tlsListen,
> + *tlsPSKAlias, &tlsPSKProps) < 0)
> + return -1;
> +
> + /* Ensure the domain doesn't already have the TLS-PSK objects defined.
> + * This should prevent any issues just in case some cleanup wasn't
> + * properly completed (both src and dst use the same alias) or
> + * some other error path. */
> + qemuDomainDelTLSObjects(vm, asyncJob, NULL, NULL, *tlsPSKAlias);
> +
> + if (qemuDomainAddTLSPSKObjects(vm, asyncJob, &tlsPSKProps) < 0)
> + return -1;
> +
> + if (qemuMigrationParamsSetString(migParams,
> QEMU_MIGRATION_PARAM_TLS_CREDS,
> + *tlsPSKAlias) < 0)
> + return -1;
> +
> + return 0;
> +}
> +
> +
> /* qemuMigrationParamsDisableTLS
> * @vm: domain object
> * @migParams: Pointer to a migration parameters block
> @@ -1281,8 +1340,8 @@ qemuMigrationParamsTLSHostnameIsSet(qemuMigrationParams
> *migParams)