Re: [PATCH 08/24] qemu block: Add internals for handling 'secret' corresponding to TLS key

2020-07-02 Thread Eric Blake

On 7/2/20 9:39 AM, Peter Krempa wrote:

Add infrastructure for hot- and cold-plug of the secret object holding
decryption key for the TLS key.

Signed-off-by: Peter Krempa 
---
  src/qemu/qemu_block.c   | 12 
  src/qemu/qemu_block.h   |  2 ++
  src/qemu/qemu_command.c | 11 ++-
  3 files changed, 24 insertions(+), 1 deletion(-)



Reviewed-by: Eric Blake 

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org



[PATCH 08/24] qemu block: Add internals for handling 'secret' corresponding to TLS key

2020-07-02 Thread Peter Krempa
Add infrastructure for hot- and cold-plug of the secret object that holds
the decryption key for the TLS private key.

Signed-off-by: Peter Krempa 
---
 src/qemu/qemu_block.c   | 12 
 src/qemu/qemu_block.h   |  2 ++
 src/qemu/qemu_command.c | 11 ++-
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c
index b00694c96f..36fc6784de 100644
--- a/src/qemu/qemu_block.c
+++ b/src/qemu/qemu_block.c
@@ -1542,7 +1542,9 @@ 
qemuBlockStorageSourceAttachDataFree(qemuBlockStorageSourceAttachDataPtr data)
 virJSONValueFree(data->httpcookiesecretProps);
 virJSONValueFree(data->encryptsecretProps);
 virJSONValueFree(data->tlsProps);
+virJSONValueFree(data->tlsKeySecretProps);
 VIR_FREE(data->tlsAlias);
+VIR_FREE(data->tlsKeySecretAlias);
 VIR_FREE(data->authsecretAlias);
 VIR_FREE(data->encryptsecretAlias);
 VIR_FREE(data->httpcookiesecretAlias);
@@ -1617,6 +1619,11 @@ 
qemuBlockStorageSourceAttachApplyStorageDeps(qemuMonitorPtr mon,
  >httpcookiesecretAlias) < 0)
 return -1;

+if (data->tlsKeySecretProps &&
+qemuMonitorAddObject(mon, >tlsKeySecretProps,
+ >tlsKeySecretAlias) < 0)
+return -1;
+
 if (data->tlsProps &&
 qemuMonitorAddObject(mon, >tlsProps, >tlsAlias) < 0)
 return -1;
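Review bot: The new tlsKeySecretProps object is deliberately added before tlsProps, and that order is load-bearing: the qemu_command.c hunk in this patch hands tlsKeySecretAlias to qemuBuildTLSx509BackendProps, so the tls-creds object refers to the secret by alias and QEMU must already know the secret when the creds object is created. Nothing in the hunk says so, and a later reorder would fail only at runtime; suggest a comment above the new block: `/* the TLS creds object (tlsProps) references this secret by alias, so it must be created first */`. The enclosing qemuBlockStorageSourceAttachApplyStorageDeps starts before the hunk and continues past it.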
@@ -1766,6 +1773,8 @@ qemuBlockStorageSourceAttachRollback(qemuMonitorPtr mon,
 if (data->tlsAlias)
 ignore_value(qemuMonitorDelObject(mon, data->tlsAlias, false));

+if (data->tlsKeySecretAlias)
+ignore_value(qemuMonitorDelObject(mon, data->tlsKeySecretAlias, 
false));

 virErrorRestore(_err);
 }
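Review bot: The rollback deletes tlsKeySecretAlias after tlsAlias, which is the reverse of the creation order and is correct because the tls-creds object references the secret, but the hunk leaves the reason implicit. A one-line comment on the new branch, `/* deleted after tlsAlias: the tls-creds object references this secret */`, would keep the order from being "tidied" later. The enclosing qemuBlockStorageSourceAttachRollback starts before the hunk.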
@@ -1821,6 +1830,9 @@ qemuBlockStorageSourceDetachPrepare(virStorageSourcePtr 
src,

 if (srcpriv->httpcookie)
 data->httpcookiesecretAlias = 
g_strdup(srcpriv->httpcookie->s.aes.alias);
+
+if (srcpriv->tlsKeySecret)
+data->tlsKeySecretAlias = 
g_strdup(srcpriv->tlsKeySecret->s.aes.alias);
 }

 return g_steal_pointer();
diff --git a/src/qemu/qemu_block.h b/src/qemu/qemu_block.h
index 24b87e79db..b1bdb39613 100644
--- a/src/qemu/qemu_block.h
+++ b/src/qemu/qemu_block.h
@@ -105,6 +105,8 @@ struct qemuBlockStorageSourceAttachData {

 virJSONValuePtr tlsProps;
 char *tlsAlias;
+virJSONValuePtr tlsKeySecretProps;
+char *tlsKeySecretAlias;
 };


diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 6e7fd59561..0c4c77cf8c 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -2047,6 +2047,7 @@ 
qemuBuildBlockStorageSourceAttachDataCommandline(virCommandPtr cmd,
 qemuBuildObjectCommandline(cmd, data->authsecretProps) < 0 ||
 qemuBuildObjectCommandline(cmd, data->encryptsecretProps) < 0 ||
 qemuBuildObjectCommandline(cmd, data->httpcookiesecretProps) < 0 ||
+qemuBuildObjectCommandline(cmd, data->tlsKeySecretProps) < 0 ||
 qemuBuildObjectCommandline(cmd, data->tlsProps) < 0)
 return -1;

@@ -10161,6 +10162,7 @@ 
qemuBuildStorageSourceAttachPrepareCommon(virStorageSourcePtr src,
   virQEMUCapsPtr qemuCaps)
 {
 qemuDomainStorageSourcePrivatePtr srcpriv = 
QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(src);
+const char *tlsKeySecretAlias = NULL;

 if (src->pr &&
 !virStoragePRDefIsManaged(src->pr) &&
@@ -10180,11 +10182,18 @@ 
qemuBuildStorageSourceAttachPrepareCommon(virStorageSourcePtr src,
 if (srcpriv->httpcookie &&
 qemuBuildSecretInfoProps(srcpriv->httpcookie, 
>httpcookiesecretProps) < 0)
 return -1;
+
+if (srcpriv->tlsKeySecret) {
+if (qemuBuildSecretInfoProps(srcpriv->tlsKeySecret, 
>tlsKeySecretProps) < 0)
+return -1;
+
+tlsKeySecretAlias = srcpriv->tlsKeySecret->s.aes.alias;
+}
 }

 if (src->haveTLS == VIR_TRISTATE_BOOL_YES &&
 qemuBuildTLSx509BackendProps(src->tlsCertdir, false, true, 
src->tlsAlias,
- NULL, qemuCaps, >tlsProps) < 0)
+ tlsKeySecretAlias, qemuCaps, 
>tlsProps) < 0)
 return -1;

 return 0;
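Review bot: tlsKeySecretProps is built whenever srcpriv->tlsKeySecret is set, but the only consumer of tlsKeySecretAlias is the qemuBuildTLSx509BackendProps call, which runs only when src->haveTLS == VIR_TRISTATE_BOOL_YES; if the two can ever disagree, an unreferenced secret object is created in QEMU for the lifetime of the guest. If the code that populates srcpriv->tlsKeySecret (outside this hunk) guarantees haveTLS is YES, say so next to the new block, `/* tlsKeySecret is only populated when haveTLS is YES, so the secret always has a consumer */`; otherwise gate the secret on the same haveTLS condition. The local tlsKeySecretAlias borrows srcpriv->tlsKeySecret->s.aes.alias and is used only within this function, so no ownership issue there. The enclosing qemuBuildStorageSourceAttachPrepareCommon starts before the hunk.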
-- 
2.26.2