From 35106c2df2eda83e5f7fea356d80c11fed93df1f Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Tue, 22 Mar 2011 16:28:41 +0100 Subject: [PATCH 1/7] spice-qemu-char: Fix flow control in client -> guest direction In the old spice-vmc device we used to have: last_out = virtio_serial_write(&svc->port, p, MIN(len, VMC_MAX_HOST_WRITE)); if (last_out > 0) ... Now in the chardev backend we have: last_out = MIN(len, VMC_MAX_HOST_WRITE); qemu_chr_read(scd->chr, p, last_out); if (last_out > 0) { ... Which causes us to no longer detect if the virtio port is not ready to receive data from us. chardev actually has a mechanism to detect this, but it requires a separate call to qemu_chr_can_read, before calling qemu_chr_read (which return void). This patch uses qemu_chr_can_read to fix the flow control from client to guest. Signed-off-by: Hans de Goede --- spice-qemu-char.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/spice-qemu-char.c b/spice-qemu-char.c index fa15a71e14..605c241239 100644 --- a/spice-qemu-char.c +++ b/spice-qemu-char.c @@ -36,14 +36,13 @@ static int vmc_write(SpiceCharDeviceInstance *sin, const uint8_t *buf, int len) while (len > 0) { last_out = MIN(len, VMC_MAX_HOST_WRITE); - qemu_chr_read(scd->chr, p, last_out); - if (last_out > 0) { - out += last_out; - len -= last_out; - p += last_out; - } else { + if (qemu_chr_can_read(scd->chr) < last_out) { break; } + qemu_chr_read(scd->chr, p, last_out); + out += last_out; + len -= last_out; + p += last_out; } dprintf(scd, 3, "%s: %lu/%zd\n", __func__, out, len + out); From d4970b071f698a4f3984487bbb97d1ecc36f5950 Mon Sep 17 00:00:00 2001 
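Review bot: In the spice-qemu-char.c hunk of patch 1/7, the new guard in vmc_write() is all-or-nothing: when `qemu_chr_can_read(scd->chr)` reports some room but less than `last_out`, the loop breaks and nothing is forwarded, so a guest that keeps advertising less than `MIN(len, VMC_MAX_HOST_WRITE)` bytes would never receive data. Clamping the chunk to the reported room keeps the flow control and still makes progress: `last_out = MIN(last_out, qemu_chr_can_read(scd->chr));` followed by `if (last_out <= 0) { break; }`. Short return counts become more likely with this change, so it is worth confirming that the caller retries the unwritten remainder. The caller and the declarations of `out` and `last_out` are outside the hunk.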
From: Hans de Goede Date: Sun, 27 Mar 2011 16:43:54 +0200 Subject: [PATCH 2/7] spice: add option for disabling copy paste support Some people want to be able disable spice's guest <-> client copy paste support because of security considerations. [ kraxel: drop old-version error message ] --- qemu-config.c | 3 +++ qemu-options.hx | 3 +++ ui/spice-core.c | 6 ++++++ 3 files changed, 12 insertions(+) diff --git a/qemu-config.c b/qemu-config.c index 5d7ffa2f23..04c97e52c2 100644 --- a/qemu-config.c +++ b/qemu-config.c @@ -384,6 +384,9 @@ QemuOptsList qemu_spice_opts = { },{ .name = "disable-ticketing", .type = QEMU_OPT_BOOL, + },{ + .name = "disable-copy-paste", + .type = QEMU_OPT_BOOL, },{ .name = "x509-dir", .type = QEMU_OPT_STRING, diff --git a/qemu-options.hx b/qemu-options.hx index 82e085a229..63e8cb0a1b 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -717,6 +717,9 @@ Set the password you need to authenticate. @item disable-ticketing Allow client connects without authentication. +@item disable-copy-paste +Disable copy paste between the client and the guest. + @item tls-port= Set the TCP port spice is listening on for encrypted channels. diff --git a/ui/spice-core.c b/ui/spice-core.c index ef56ed61a9..a3351f39b5 100644 --- a/ui/spice-core.c +++ b/ui/spice-core.c @@ -554,6 +554,12 @@ void qemu_spice_init(void) spice_server_set_noauth(spice_server); } +#if SPICE_SERVER_VERSION >= 0x000801 + if (qemu_opt_get_bool(opts, "disable-copy-paste", 0)) { + spice_server_set_agent_copypaste(spice_server, false); + } +#endif + compression = SPICE_IMAGE_COMPRESS_AUTO_GLZ; str = qemu_opt_get(opts, "image-compression"); if (str) { From 42138043f29b350219a45895017cf677237b6a97 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Mon, 16 May 2011 09:28:58 +0200 Subject: [PATCH 3/7] qxl: add to the list of devices which disable the default vga Signed-off-by: Gerd Hoffmann --- vl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/vl.c b/vl.c index b362871089..2021bbb48b 100644 
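Review bot: In the ui/spice-core.c hunk of patch 2/7, `disable-copy-paste` fails open on older libraries: the option is registered unconditionally in `qemu_spice_opts` (qemu-config.c hunk), but the call is compiled only under `#if SPICE_SERVER_VERSION >= 0x000801`, so a build against an older spice-server accepts the option and leaves copy paste enabled without any message. The commit message gives security as the reason for the option, so refusing to start is the safer behaviour, as the sasl option in patch 4/7 does when the library is too old. The return value of `spice_server_set_agent_copypaste()` is not checked either. qemu_spice_init() starts and ends outside the hunk.

```c
    if (qemu_opt_get_bool(opts, "disable-copy-paste", 0)) {
#if SPICE_SERVER_VERSION >= 0x000801
        spice_server_set_agent_copypaste(spice_server, false);
#else
        fprintf(stderr, "spice: disable-copy-paste is not available "
                "(spice >= 0.8.1 required)\n");
        exit(1);
#endif
    }
```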
--- a/vl.c +++ b/vl.c @@ -289,6 +289,7 @@ static struct { { .driver = "VGA", .flag = &default_vga }, { .driver = "cirrus-vga", .flag = &default_vga }, { .driver = "vmware-svga", .flag = &default_vga }, + { .driver = "qxl-vga", .flag = &default_vga }, }; static int default_driver_check(QemuOpts *opts, void *opaque) From 48b3ed0a68b8c1b288b4e15743ea39b7b5b318c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Tue, 17 May 2011 10:40:33 +0200 Subject: [PATCH 4/7] spice: add SASL support Turn on SASL support by appending "sasl" to the spice arguments, which requires that the client use SASL to authenticate with the spice. The exact choice of authentication method used is controlled from the system / user's SASL configuration file for the 'qemu' service. This is typically found in /etc/sasl2/qemu.conf. If running QEMU as an unprivileged user, an environment variable SASL_CONF_PATH can be used to make it search alternate locations for the service config. While some SASL auth methods can also provide data encryption (eg GSSAPI), it is recommended that SASL always be combined with the 'tls' and 'x509' settings to enable use of SSL and server certificates. This ensures a data encryption preventing compromise of authentication credentials. It requires support from spice 0.8.1. [ kraxel: moved spell fix to separate commit ] Signed-off-by: Gerd Hoffmann --- qemu-config.c | 3 +++ qemu-options.hx | 13 +++++++++++++ ui/spice-core.c | 12 ++++++++++++ 3 files changed, 28 insertions(+) diff --git a/qemu-config.c b/qemu-config.c index 04c97e52c2..b00aa3ae89 100644 --- a/qemu-config.c +++ b/qemu-config.c @@ -387,6 +387,9 @@ QemuOptsList qemu_spice_opts = { },{ .name = "disable-copy-paste", .type = QEMU_OPT_BOOL, + },{ + .name = "sasl", + .type = QEMU_OPT_BOOL, },{ .name = "x509-dir", .type = QEMU_OPT_STRING, diff --git a/qemu-options.hx b/qemu-options.hx index 63e8cb0a1b..d9edff7d35 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
@@ -714,6 +714,19 @@ Force using the specified IP version. @item password= Set the password you need to authenticate. +@item sasl +Require that the client use SASL to authenticate with the spice. +The exact choice of authentication method used is controlled from the +system / user's SASL configuration file for the 'qemu' service. This +is typically found in /etc/sasl2/qemu.conf. If running QEMU as an +unprivileged user, an environment variable SASL_CONF_PATH can be used +to make it search alternate locations for the service config. +While some SASL auth methods can also provide data encryption (eg GSSAPI), +it is recommended that SASL always be combined with the 'tls' and +'x509' settings to enable use of SSL and server certificates. This +ensures a data encryption preventing compromise of authentication +credentials. + @item disable-ticketing Allow client connects without authentication. diff --git a/ui/spice-core.c b/ui/spice-core.c index a3351f39b5..457d34d8bd 100644 --- a/ui/spice-core.c +++ b/ui/spice-core.c @@ -549,6 +549,18 @@ void qemu_spice_init(void) if (password) { spice_server_set_ticket(spice_server, password, 0, 0, 0); } + if (qemu_opt_get_bool(opts, "sasl", 0)) { +#if SPICE_SERVER_VERSION >= 0x000900 /* 0.9.0 */ + if (spice_server_set_sasl_appname(spice_server, "qemu") == -1 || + spice_server_set_sasl(spice_server, 1) == -1) { + fprintf(stderr, "spice: failed to enable sasl\n"); + exit(1); + } +#else + fprintf(stderr, "spice: sasl is not available (spice >= 0.9 required)\n"); + exit(1); +#endif + } if (qemu_opt_get_bool(opts, "disable-ticketing", 0)) { auth = "none"; spice_server_set_noauth(spice_server); From 44bd6907de2018f8abb28fcee3dda8a7cfbf9c96 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 17 May 2011 10:40:43 +0200 Subject: [PATCH 5/7] qemu-config: comment spell fix Signed-off-by: Gerd Hoffmann --- qemu-config.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
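Review bot: In the ui/spice-core.c hunk of patch 4/7, nothing stops `sasl` from being combined with `disable-ticketing`: the SASL block runs first and the following block still calls `spice_server_set_noauth(spice_server)`, so which setting wins is left to the library and the user gets no message. Rejecting the combination before either call would make the result explicit, for example `if (qemu_opt_get_bool(opts, "sasl", 0) && qemu_opt_get_bool(opts, "disable-ticketing", 0)) { fprintf(stderr, "spice: sasl and disable-ticketing are mutually exclusive\n"); exit(1); }`. The SASL branch also leaves `auth` untouched while the disable-ticketing branch sets it to "none"; if `auth` is reported anywhere (its use is outside the hunk), `auth = "sasl";` belongs in the SASL branch. The commit message names spice 0.8.1 as the requirement while the check is `SPICE_SERVER_VERSION >= 0x000900`. qemu_spice_init() continues outside the hunk.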
diff --git a/qemu-config.c b/qemu-config.c index b00aa3ae89..c63741c6b1 100644 --- a/qemu-config.c +++ b/qemu-config.c @@ -306,7 +306,7 @@ static QemuOptsList qemu_trace_opts = { .name = "file", .type = QEMU_OPT_STRING, }, - { /* end if list */ } + { /* end of list */ } }, }; #endif @@ -436,7 +436,7 @@ QemuOptsList qemu_spice_opts = { .name = "playback-compression", .type = QEMU_OPT_BOOL, }, - { /* end if list */ } + { /* end of list */ } }, }; @@ -452,7 +452,7 @@ QemuOptsList qemu_option_rom_opts = { .name = "romfile", .type = QEMU_OPT_STRING, }, - { /* end if list */ } + { /* end of list */ } }, }; From 012b80d3f904c9a4d4ea85036ba8d4d1acf12e7d Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 17 May 2011 10:48:14 +0200 Subject: [PATCH 6/7] spice: require spice 0.6.0 or newer. This patch raises the minimum required spice version to 0.6.0 and drops a few ifdefs. 0.6.0 is the first stable release with the current libspice-server API, there shouldn't be any 0.5.x development versions deployed any more. Signed-off-by: Gerd Hoffmann --- configure | 2 +- ui/spice-core.c | 8 -------- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/configure b/configure index d38b952c86..11f85bf7d9 100755 --- a/configure +++ b/configure @@ -2431,7 +2431,7 @@ int main(void) { spice_server_new(); return 0; } EOF spice_cflags=$($pkg_config --cflags spice-protocol spice-server 2>/dev/null) spice_libs=$($pkg_config --libs spice-protocol spice-server 2>/dev/null) - if $pkg_config --atleast-version=0.5.3 spice-server >/dev/null 2>&1 && \ + if $pkg_config --atleast-version=0.6.0 spice-server >/dev/null 2>&1 && \ compile_prog "$spice_cflags" "$spice_libs" ; then spice="yes" libs_softmmu="$libs_softmmu $spice_libs" diff --git a/ui/spice-core.c b/ui/spice-core.c index 457d34d8bd..dd9905be36 100644 --- a/ui/spice-core.c +++ b/ui/spice-core.c 
@@ -299,8 +299,6 @@ static int parse_name(const char *string, const char *optname, exit(1); } -#if SPICE_SERVER_VERSION >= 0x000600 /* 0.6.0 */ - static const char *stream_video_names[] = { [ SPICE_STREAM_VIDEO_OFF ] = "off", [ SPICE_STREAM_VIDEO_ALL ] = "all", @@ -309,8 +307,6 @@ static const char *stream_video_names[] = { #define parse_stream_video(_name) \ name2enum(_name, stream_video_names, ARRAY_SIZE(stream_video_names)) -#endif /* >= 0.6.0 */ - static const char *compression_names[] = { [ SPICE_IMAGE_COMPRESS_OFF ] = "off", [ SPICE_IMAGE_COMPRESS_AUTO_GLZ ] = "auto_glz", @@ -593,8 +589,6 @@ void qemu_spice_init(void) } spice_server_set_zlib_glz_compression(spice_server, wan_compr); -#if SPICE_SERVER_VERSION >= 0x000600 /* 0.6.0 */ - str = qemu_opt_get(opts, "streaming-video"); if (str) { int streaming_video = parse_stream_video(str); @@ -606,8 +600,6 @@ void qemu_spice_init(void) spice_server_set_playback_compression (spice_server, qemu_opt_get_bool(opts, "playback-compression", 1)); -#endif /* >= 0.6.0 */ - qemu_opt_foreach(opts, add_channel, NULL, 0); spice_server_init(spice_server, &core_interface); From 212496c98219df17913f3157a7bf85575b32384f Mon Sep 17 00:00:00 2001 From: Alon Levy Date: Wed, 18 May 2011 17:34:36 +0300 Subject: [PATCH 7/7] qxl: fix cmdlog for vga Signed-off-by: Alon Levy Signed-off-by: Gerd Hoffmann --- hw/qxl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hw/qxl.c b/hw/qxl.c index 2bb36c660f..1906e84fab 100644 --- a/hw/qxl.c +++ b/hw/qxl.c @@ -357,7 +357,9 @@ static int interface_get_command(QXLInstance *sin, struct QXLCommandExt *ext) ret = true; } qemu_mutex_unlock(&qxl->ssd.lock); - qxl_log_command(qxl, "vga", ext); + if (ret) { + qxl_log_command(qxl, "vga", ext); + } return ret; case QXL_MODE_COMPAT: case QXL_MODE_NATIVE:
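Review bot: In the hw/qxl.c hunk of patch 7/7, the new `if (ret)` guard has no comment saying why the log call is conditional. A line such as `/* ext is only filled in when a command was fetched */` above it would keep a later cleanup from removing the guard; presumably `ext` is untouched on the path where `ret` stays false, which is outside the hunk. `ret` is assigned `true` in a function declared to return `int`, so its declaration, not visible here, is worth checking for a consistent type. interface_get_command() starts and ends outside the hunk.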