On Fri, Apr 17, 2015 at 12:27:06PM -0600, Eric Blake wrote:
> On 04/17/2015 08:22 AM, Daniel P. Berrange wrote:
> > This integrates support for QIOChannelTLS object in the TCP
> > chardev backend. If the 'tls-cred=NAME' option is passed with
> > the '-chardev tcp' argument, then it will setup the chardev
> > such that the client is required to establish a TLS handshake
> > when connecting. The 'acl' option will further enable the
> > creation of a 'char.$ID.tlspeername' ACL which will be used
> > to validate the client x509 certificate, if provided.
> >
> > A complete invokation to run QEMU as the server for a TLS
>
> s/invokation/invocation/
>
> > encrypted serial dev might be
> >
> >   $ qemu-system-x86_64 \
> >       -nodefconfig -nodefaults -device sga -display none \
> >       -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0,server \
> >       -device isa-serial,chardev=s0 \
> >       -object qcrypto-tls-cred,id=tls0,credtype=x509,\
> >               endpoint=server,dir=/home/berrange/security/qemutls,verify-peer=off
> >
> > To test with the gnutls-cli tool as the client:
> >
> >   $ gnutls-cli --priority=NORMAL -p 9000 \
> >       --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
> >       127.0.0.1
> >
> > If QEMU was told to use 'anon' credential type, then use the
> > priority string 'NOMAL:+ANON-DH' with gnutls-cli
>
> s/NOMAL/NORMAL/
>
> >
> > Alternatively, if setting up a chardev to operate as a client,
> > then the TLS credentials registered must be for the client
> > endpoint. First a TLS server must be setup, which can be done
> > with the gnutls-serv tool
> >
> >   $ gnutls-serv --priority=NORMAL -p 9000 \
> >       --x509cafile=/home/berrange/security/qemutls/ca-cert.pem \
> >       --x509certfile=/home/berrange/security/qemutls/server-cert.pem \
> >       --x509keyfile=/home/berrange/security/qemutls/server-key.pem
> >
> > Then QEMU can connect with
> >
> >   $ qemu-system-x86_64 \
> >       -nodefconfig -nodefaults -device sga -display none \
> >       -chardev socket,id=s0,host=127.0.0.1,port=9000,tls-cred=tls0 \
> >       -device isa-serial,chardev=s0 \
> >       -object qcrypto-tls-cred,id=tls0,credtype=x509,\
> >               endpoint=client,dir=/home/berrange/security/qemutls
> >
> > Signed-off-by: Daniel P. Berrange <berra...@redhat.com>
> > ---
> >  qapi-schema.json |   2 +
> >  qemu-char.c      | 182
> > ++++++++++++++++++++++++++++++++++++++++++++++---------
> >  qemu-options.hx  |   9 ++-
> >  3 files changed, 161 insertions(+), 32 deletions(-)
> >
> > diff --git a/qapi-schema.json b/qapi-schema.json
> > index ac9594d..062a455 100644
> > --- a/qapi-schema.json
> > +++ b/qapi-schema.json
> > @@ -2782,6 +2782,8 @@
> >  # Since: 1.4
> >  ##
> >  { 'type': 'ChardevSocket', 'data': { 'addr'      : 'SocketAddress',
> > +                                     '*tls-cred' : 'str',
> > +                                     '*acl'      : 'str',
>
> Need to document these two fields, along with '(since 2.4)' designators.
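Review bot: the `##` terminator directly after `# Since: 1.4` closes the ChardevSocket doc block without any entry for the two new optional members, so the generated QAPI documentation will say nothing about them; add `# @tls-cred: ... (since 2.4)` and `# @acl: ... (since 2.4)` lines above the `##`, stating that both are optional (the `*` prefix), that a chardev without `tls-cred` keeps plain TCP behaviour, and, per the commit message, that the `acl` check only runs against a client certificate when one is actually presented (the server example above runs with `verify-peer=off`), so a reader of the schema does not assume `acl` by itself forces client authentication.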
Ah, ok forgot about that.

Regards,
Daniel
-- 
|: http://berrange.com      -o-      http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|