qemu block: Add internals for handling 'secret' corresponding to TLS key
authorPeter Krempa <pkrempa@redhat.com>
Mon, 29 Jun 2020 13:11:00 +0000 (15:11 +0200)
committerPeter Krempa <pkrempa@redhat.com>
Tue, 7 Jul 2020 10:58:19 +0000 (12:58 +0200)
Add infrastructure for hot- and cold-plug of the secret object holding the
decryption key for the TLS key.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
src/qemu/qemu_block.c
src/qemu/qemu_block.h
src/qemu/qemu_command.c

index b00694c96ff4edc3760b79e3b7a683c72a954a45..36fc6784de71b41c3a1019bad8418f0df7ab8fb2 100644 (file)
@@ -1542,7 +1542,9 @@ qemuBlockStorageSourceAttachDataFree(qemuBlockStorageSourceAttachDataPtr data)
     virJSONValueFree(data->httpcookiesecretProps);
     virJSONValueFree(data->encryptsecretProps);
     virJSONValueFree(data->tlsProps);
+    virJSONValueFree(data->tlsKeySecretProps);
     VIR_FREE(data->tlsAlias);
+    VIR_FREE(data->tlsKeySecretAlias);
     VIR_FREE(data->authsecretAlias);
     VIR_FREE(data->encryptsecretAlias);
     VIR_FREE(data->httpcookiesecretAlias);
@@ -1617,6 +1619,11 @@ qemuBlockStorageSourceAttachApplyStorageDeps(qemuMonitorPtr mon,
                              &data->httpcookiesecretAlias) < 0)
         return -1;
 
+    if (data->tlsKeySecretProps &&
+        qemuMonitorAddObject(mon, &data->tlsKeySecretProps,
+                             &data->tlsKeySecretAlias) < 0)
+        return -1;
+
     if (data->tlsProps &&
         qemuMonitorAddObject(mon, &data->tlsProps, &data->tlsAlias) < 0)
         return -1;
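Review bot: The new qemuMonitorAddObject call for tlsKeySecretProps is placed ahead of the existing one for tlsProps, and that order is load-bearing — the secret's alias is handed to qemuBuildTLSx509BackendProps in qemu_command.c, so the TLS object presumably references the secret and the secret must exist in QEMU first — yet nothing in the hunk records the dependency. A one-line comment above the new block would keep a later reorder from silently breaking hot-plug, e.g. `/* tlsProps references this secret by alias, so it must be added first */`. qemuBlockStorageSourceAttachApplyStorageDeps continues outside the hunk.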
@@ -1766,6 +1773,8 @@ qemuBlockStorageSourceAttachRollback(qemuMonitorPtr mon,
     if (data->tlsAlias)
         ignore_value(qemuMonitorDelObject(mon, data->tlsAlias, false));
 
+    if (data->tlsKeySecretAlias)
+        ignore_value(qemuMonitorDelObject(mon, data->tlsKeySecretAlias, false));
 
     virErrorRestore(&orig_err);
 }
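Review bot: The rollback deletes tlsKeySecretAlias only after tlsAlias, which is the correct reverse order if the TLS object references the secret, but the hunk leaves that implicit and the new `if` sits between two blank lines with no explanation. A short comment would make the intent durable: `/* must go after the TLS object that references it */` above the new `if (data->tlsKeySecretAlias)`. The failure of qemuMonitorDelObject is deliberately ignored here, matching the existing tlsAlias case. qemuBlockStorageSourceAttachRollback starts outside the hunk.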
@@ -1821,6 +1830,9 @@ qemuBlockStorageSourceDetachPrepare(virStorageSourcePtr src,
 
         if (srcpriv->httpcookie)
             data->httpcookiesecretAlias = g_strdup(srcpriv->httpcookie->s.aes.alias);
+
+        if (srcpriv->tlsKeySecret)
+            data->tlsKeySecretAlias = g_strdup(srcpriv->tlsKeySecret->s.aes.alias);
     }
 
     return g_steal_pointer(&data);
index 24b87e79db51b55fc1afbbc5e02bdc62f5925b0a..b1bdb39613f47d19bfb62eb6b1d324a1ebb81313 100644 (file)
@@ -105,6 +105,8 @@ struct qemuBlockStorageSourceAttachData {
 
     virJSONValuePtr tlsProps;
     char *tlsAlias;
+    virJSONValuePtr tlsKeySecretProps;
+    char *tlsKeySecretAlias;
 };
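Review bot: The two new struct members are undocumented, as are their neighbours, but the one fact a reader needs — that these belong to the TLS object above them rather than to the disk itself — is not recoverable from the names alone. I would add `/* secret object with the decryption key for the TLS private key (if any); presumably referenced by tlsProps through tlsKeySecretAlias */` above `tlsKeySecretProps`, and `/* alias of the secret object above, used for hot-unplug/rollback */` above `tlsKeySecretAlias`. The struct definition starts outside the hunk.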
 
 
index 6e7fd59561ea134a1fe366d94d15c9cf0a766a0d..0c4c77cf8c338a27bf949d2913c43b7f35abee46 100644 (file)
@@ -2047,6 +2047,7 @@ qemuBuildBlockStorageSourceAttachDataCommandline(virCommandPtr cmd,
         qemuBuildObjectCommandline(cmd, data->authsecretProps) < 0 ||
         qemuBuildObjectCommandline(cmd, data->encryptsecretProps) < 0 ||
         qemuBuildObjectCommandline(cmd, data->httpcookiesecretProps) < 0 ||
+        qemuBuildObjectCommandline(cmd, data->tlsKeySecretProps) < 0 ||
         qemuBuildObjectCommandline(cmd, data->tlsProps) < 0)
         return -1;
 
@@ -10161,6 +10162,7 @@ qemuBuildStorageSourceAttachPrepareCommon(virStorageSourcePtr src,
                                           virQEMUCapsPtr qemuCaps)
 {
     qemuDomainStorageSourcePrivatePtr srcpriv = QEMU_DOMAIN_STORAGE_SOURCE_PRIVATE(src);
+    const char *tlsKeySecretAlias = NULL;
 
     if (src->pr &&
         !virStoragePRDefIsManaged(src->pr) &&
@@ -10180,11 +10182,18 @@ qemuBuildStorageSourceAttachPrepareCommon(virStorageSourcePtr src,
         if (srcpriv->httpcookie &&
             qemuBuildSecretInfoProps(srcpriv->httpcookie, &data->httpcookiesecretProps) < 0)
             return -1;
+
+        if (srcpriv->tlsKeySecret) {
+            if (qemuBuildSecretInfoProps(srcpriv->tlsKeySecret, &data->tlsKeySecretProps) < 0)
+                return -1;
+
+            tlsKeySecretAlias = srcpriv->tlsKeySecret->s.aes.alias;
+        }
     }
 
     if (src->haveTLS == VIR_TRISTATE_BOOL_YES &&
         qemuBuildTLSx509BackendProps(src->tlsCertdir, false, true, src->tlsAlias,
-                                     NULL, qemuCaps, &data->tlsProps) < 0)
+                                     tlsKeySecretAlias, qemuCaps, &data->tlsProps) < 0)
         return -1;
 
     return 0;
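Review bot: The secret object for srcpriv->tlsKeySecret is built whenever the secret is present, but its alias is only consumed on the lines below when src->haveTLS == VIR_TRISTATE_BOOL_YES; if a source can carry a tlsKeySecret while TLS is off (the code populating tlsKeySecret is not in this commit, so this may be unreachable), QEMU would receive a secret object holding key-decryption material that nothing references. Tightening the guard to `if (srcpriv->tlsKeySecret && src->haveTLS == VIR_TRISTATE_BOOL_YES) {` keeps the passphrase out of QEMU when no TLS object will use it. Separately, `srcpriv->tlsKeySecret->s.aes.alias` assumes an AES-type secret info, the same assumption the httpcookie code above makes; worth confirming at the creation site that a plain-type secret can never land here. The block that the `}` before `if (src->haveTLS` closes starts outside the hunk.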