On Tue, Jun 23, 2026 at 06:25:59 +0000, Abhisek Panda wrote: > For encrypted migration of VMs, QEMU provides the TLS-PSK > authentication apart from TLS certificates. This mechanism relies on > pre-shared keys (a secret key that is known to both sender and receiver > prior to secure communication) for providing secure transfer of data. > Libvirt handles the lifecycle of pre-shared keys, managing their > generation, persistent storage, and cleanup. > > Add the "migrate_tls_psk_length" configuration attribute to qemu.conf > to allow users to define the size of the pre-shared key. > > Signed-off-by: Abhisek Panda <[email protected]> > --- > src/qemu/libvirtd_qemu.aug | 1 + > src/qemu/qemu.conf.in | 8 ++++++++ > src/qemu/qemu_conf.c | 10 ++++++++++ > src/qemu/qemu_conf.h | 1 + > src/qemu/test_libvirtd_qemu.aug.in | 1 + > 5 files changed, 21 insertions(+) > > diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug > index 311992e441..d58f995282 100644 > --- a/src/qemu/libvirtd_qemu.aug > +++ b/src/qemu/libvirtd_qemu.aug > @@ -68,6 +68,7 @@ module Libvirtd_qemu = > | str_entry "migrate_tls_x509_secret_uuid" > | str_entry "migrate_tls_priority" > | bool_entry "migrate_tls_force" > + | int_entry "migrate_tls_psk_length" > > let backup_entry = str_entry "backup_tls_x509_cert_dir" > | bool_entry "backup_tls_x509_verify" > diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in > index 97b0141cf6..7f36bd1a68 100644 > --- a/src/qemu/qemu.conf.in > +++ b/src/qemu/qemu.conf.in > @@ -437,6 +437,14 @@ > #migrate_tls_force = 0 > > > +# The TLS-PSK authentication relies on pre-shared keys for providing secure > transfer of data. > +# When TLS-PSK is enabled for the migration operation, Libvirt manages the > lifecycle of the > +# pre-shared key files. For the key generation process, users can specify > the pre-shared > +# key size in bytes. The default value is set to 32 bytes. > +# > +#migrate_tls_psk_length = 32
'psktool' from the gnutls project specifies a maximum key size of 512 bytes. I didn't find a reasonable explanation why though. We might need to limit this if there is a technical limit.
