On Tue, Feb 28, 2017 at 02:51:39PM -0800, ashish mittal wrote: > On Mon, Feb 27, 2017 at 1:22 AM, Daniel P. Berrange <berra...@redhat.com> > wrote:
> >> + ret = -EINVAL; > >> + goto out; > >> + } > >> + > >> + secretid = qemu_opt_get(opts, VXHS_OPT_SECRETID); > >> + if (!secretid) { > >> + error_setg(&local_err, "please specify the ID of the secret to be > >> " > >> + "used for authenticating to target"); > >> + qdict_del(backing_options, str); > >> + ret = -EINVAL; > >> + goto out; > >> + } > >> + > >> + /* check if we got password via the --object argument */ > >> + password = qcrypto_secret_lookup_as_utf8(secretid, &local_err); > >> + if (local_err != NULL) { > >> + trace_vxhs_get_creds(user, secretid, password); > >> + qdict_del(backing_options, str); > >> + ret = -EINVAL; > >> + goto out; > >> + } > >> + trace_vxhs_get_creds(user, secretid, password); > >> + > >> s->vdisk_hostinfo.host = g_strdup(server_host_opt); > >> > >> s->vdisk_hostinfo.port = g_ascii_strtoll(qemu_opt_get(tcp_opts, > > The next thing we need consensus on, is to decide exactly what > additional information to pass. > > (1) Current security implementation in VxHS uses the SSL key and > certificate files. Do you think we can achieve all the intended > security goals if we pass these two files paths (and names?) from the > command line? Yes, that's how other parts of QEMU deal with SSL NB, QEMU needs to pass 3 paths to libqnoio - the client cert, the client key, and the certificate authority certlist > (2) If we are OK to continue with the present security scheme (using > key and cert), then the only additional change needed might be to > accept these files on the command line. Yep, I think that's the minimum required change to make this mergable. > (3) If we decide to rely on file permissions and SELinux policy to > protect these key/cert files, then we don't need to pass the file > names as a secret, instead, passing them as regular qemu_opt_get() > options might be enough. That's correct - you can assume file permissions protect the cert files. I would expect the syntax to work as follows $QEMU -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu/vxhs,endpoint=client \ -drive driver=vxhs,...other..opts...,tls-creds=tls0 When you see the 'tls-creds' flag, you can lookup the corresponding QCryptoTLSCredsX509 object and extract the 'dir' property from it. The include/crypto/tlscredsx509.h file has constants defined for the standard filenames - eg you would concatenate the directory with the constants QCRYPTO_TLS_CREDS_X509_CLIENT_KEY. This gives the filenames you can then pass to libqnio Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|