qemu-e2k/qapi
Daniel P. Berrange ac1d887849 crypto: add QCryptoSecret object class for password/key handling
Introduce a new QCryptoSecret object class which will be used
for providing passwords and keys to other objects which need
sensitive credentials.

The new object can provide secret values directly as properties,
or indirectly via a file. The latter includes support for file
descriptor passing syntax on UNIX platforms. Ordinarily passing
secret values directly as properties is insecure, since they
are visible in process listings, or in log files showing the
CLI args / QMP commands. It is possible to use AES-256-CBC to
encrypt the secret values though, in which case all that is
visible is the ciphertext.  For ad hoc developer testing though,
it is fine to provide the secrets directly without encryption
so this is not explicitly forbidden.

The anticipated scenario is that libvirtd will create a random
master key per QEMU instance (eg /var/run/libvirt/qemu/$VMNAME.key)
and will use that key to encrypt all passwords it provides to
QEMU via '-object secret,....'.  This avoids the need for libvirt
(or other mgmt apps) to worry about file descriptor passing.

It also makes life easier for people who are scripting the
management of QEMU, for whom FD passing is significantly more
complex.

Providing data inline (insecure, only for ad hoc dev testing)

  $QEMU -object secret,id=sec0,data=letmein

Providing data indirectly in raw format

  printf "letmein" > mypasswd.txt
  $QEMU -object secret,id=sec0,file=mypasswd.txt

Providing data indirectly in base64 format

  $QEMU -object secret,id=sec0,file=mykey.b64,format=base64

Providing data with encryption

  $QEMU -object secret,id=master0,file=mykey.b64,format=base64 \
        -object secret,id=sec0,data=[base64 ciphertext],\
	           keyid=master0,iv=[base64 IV],format=base64

Note that 'format' here refers to the format of the ciphertext
data. The decrypted data must always be in raw byte format.

More examples are shown in the updated docs.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2015-12-18 16:25:08 +00:00
..
block-core.json blkdebug: Avoid '.' in enum values 2015-12-17 08:21:27 +01:00
block.json qapi: add missing @ 2015-10-08 19:46:47 +03:00
common.json kvm: add support for -machine kernel_irqchip=split 2015-12-17 17:15:40 +01:00
crypto.json crypto: add QCryptoSecret object class for password/key handling 2015-12-18 16:25:08 +00:00
event.json migration: create migration event 2015-07-07 14:54:55 +02:00
introspect.json qapi: Document introspection stability considerations 2015-11-17 08:42:07 +01:00
Makefile.objs
opts-visitor.c qapi: Simplify visits of optional fields 2015-12-17 08:21:29 +01:00
qapi-dealloc-visitor.c qapi: Introduce a first class 'any' type 2015-09-21 09:56:49 +02:00
qapi-util.c
qapi-visit-core.c qapi: Shorter visits of optional fields 2015-12-17 08:21:29 +01:00
qmp-dispatch.c qapi: Add alias for ErrorClass 2015-12-17 08:21:28 +01:00
qmp-event.c qapi/qmp-event.c: Don't manually include os-win32.h/os-posix.h 2015-08-19 16:29:53 +01:00
qmp-input-visitor.c qapi: Simplify visits of optional fields 2015-12-17 08:21:29 +01:00
qmp-output-visitor.c qapi: Introduce a first class 'any' type 2015-09-21 09:56:49 +02:00
qmp-registry.c
rocker.json
string-input-visitor.c qapi: Simplify visits of optional fields 2015-12-17 08:21:29 +01:00
string-output-visitor.c Include qapi/qmp/qerror.h exactly where needed 2015-06-22 18:20:41 +02:00
trace.json