On 04/17/2015 08:22 AM, Daniel P. Berrange wrote:
> This integrates support for QIOChannelTLS object in the TCP
> chardev backend. If the 'tls-cred=NAME' option is passed with
> the '-chardev tcp' argument, then it will setup the chardev
> such that the client is required to establish a TLS handshake
> when connecting. The 'acl' option will further enable the
> creation of a 'char.$ID.tlspeername' ACL which will be used
> to validate the client x509 certificate, if provided.
>
> A complete invokation to run QEMU as the server for a TLS

s/invokation/invocation/

> encrypted serial dev might be
>
>   $ qemu-system-x86_64 \
>       -nodefconfig -nodefaults -device sga -display none \
>       -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0,server \
>       -device isa-serial,chardev=s0 \
>       -object qcrypto-tls-cred,id=tls0,credtype=x509,\
>               endpoint=server,dir=/home/berrange/security/qemutls,verify-peer=off
>
> To test with the gnutls-cli tool as the client:
>
>   $ gnutls-cli --priority=NORMAL -p 9000 \
>       --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
>       127.0.0.1
>
> If QEMU was told to use 'anon' credential type, then use the
> priority string 'NOMAL:+ANON-DH' with gnutls-cli

s/NOMAL/NORMAL/

> Alternatively, if setting up a chardev to operate as a client,
> then the TLS credentials registered must be for the client
> endpoint. First a TLS server must be setup, which can be done
> with the gnutls-serv tool
>
>   $ gnutls-serv --priority=NORMAL -p 9000 \
>       --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
>       --x509certfile=/home/berrange/security/qemutls/server-cert.pem \
>       --x509keyfile=/home/berrange/security/qemutls/server-key.pem
>
> Then QEMU can connect with
>
>   $ qemu-system-x86_64 \
>       -nodefconfig -nodefaults -device sga -display none \
>       -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0 \
>       -device isa-serial,chardev=s0 \
>       -object qcrypto-tls-cred,id=tls0,credtype=x509,\
>               endpoint=client,dir=/home/berrange/security/qemutls
>
> Signed-off-by: Daniel P. Berrange <berra...@redhat.com>
> ---
>  qapi-schema.json |   2 +
>  qemu-char.c      | 182 ++++++++++++++++++++++++++++++++++++++++++++++---------
>  qemu-options.hx  |   9 ++-
>  3 files changed, 161 insertions(+), 32 deletions(-)
>
> diff --git a/qapi-schema.json b/qapi-schema.json
> index ac9594d..062a455 100644
> --- a/qapi-schema.json
> +++ b/qapi-schema.json
> @@ -2782,6 +2782,8 @@
>  # Since: 1.4
>  ##
>  { 'type': 'ChardevSocket', 'data': { 'addr'      : 'SocketAddress',
> +                                     '*tls-cred' : 'str',
> +                                     '*acl'      : 'str',

Need to document these two fields, along with '(since 2.4)' designators.

> +++ b/qemu-options.hx
> @@ -2009,7 +2009,7 @@ ETEXI
>  DEF("chardev", HAS_ARG, QEMU_OPTION_chardev,
>      "-chardev null,id=id[,mux=on|off]\n"
>      "-chardev socket,id=id[,host=host],port=port[,to=to][,ipv4][,ipv6][,nodelay][,reconnect=seconds]\n"
> -    "         [,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off] (tcp)\n"
> +    "         [,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off][,tls-cred=ID][,acl] (tcp)\n"
>      "-chardev socket,id=id,path=path[,server][,nowait][,telnet][,reconnect=seconds][,mux=on|off] (unix)\n"
>      "-chardev udp,id=id[,host=host],port=port[,localaddr=localaddr]\n"
>      "         [,localport=localport][,ipv4][,ipv6][,mux=on|off]\n"
> @@ -2082,7 +2082,7 @@ Options to each backend are described below.
>  A void device. This device will not emit any data, and will drop any data it
>  receives. The null backend does not take any options.
>
> -@item -chardev socket ,id=@var{id} [@var{TCP options} or @var{unix options}] [,server] [,nowait] [,telnet] [,reconnect=@var{seconds}]
> +@item -chardev socket ,id=@var{id} [@var{TCP options} or @var{unix options}] [,server] [,nowait] [,telnet] [,reconnect=@var{seconds}][,tls-cred=@var{id}]

Everyone else in this line had space before [

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
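Review bot: in the qapi-schema.json hunk (@@ -2782) the new '*acl' member is typed 'str', but the usage string added in the -2009 hunk presents it as a bare flag ('[,acl]') with no value, and the commit message describes it as a switch that enables creation of the 'char.$ID.tlspeername' ACL. Either the schema type should be 'bool' or the help text should show what string the option takes; as posted, the schema and the synopsis disagree on the option's shape.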
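Review bot: the -2009 hunk of qemu-options.hx adds '[,tls-cred=ID][,acl]' to the tcp synopsis without saying that 'acl' only has meaning together with 'tls-cred' on a server-side chardev (the commit message ties it to validating the client's x509 certificate). Consider stating that dependency in the help text and, unless the unquoted qemu-char.c part of the patch already does so, rejecting 'acl' without 'tls-cred' at option-parse time rather than accepting a silent no-op. Minor: the line being edited still repeats '[,reconnect=seconds]', which already appears on the preceding line of the same synopsis; since the line is touched anyway, the duplicate could be dropped.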
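Review bot: the -2082 hunk adds '[,tls-cred=@var{id}]' to the texinfo @item line but not '[,acl]', so the documented synopsis no longer matches the usage string introduced in the -2009 hunk; add '[,acl]' here as well. The quoted part of the hunk also carries no description for tls-cred; it should say that the id names a 'qcrypto-tls-cred' object whose 'endpoint' must match the chardev's role (server when ',server' is given, client otherwise), which is the constraint the commit message spells out.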