diff options
Diffstat (limited to 'qemu-options.hx')
| -rw-r--r-- | qemu-options.hx | 85 |
1 files changed, 84 insertions, 1 deletions
diff --git a/qemu-options.hx b/qemu-options.hx index 5affc82e..49afe6c 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -3627,7 +3627,7 @@ expensive operation that consumes random pool entropy, so it is recommended that a persistent set of parameters be generated upfront and saved. -@item -object tls-creds-x509,id=@var{id},endpoint=@var{endpoint},dir=@var{/path/to/cred/dir},verify-peer=@var{on|off} +@item -object tls-creds-x509,id=@var{id},endpoint=@var{endpoint},dir=@var{/path/to/cred/dir},verify-peer=@var{on|off},passwordid=@var{id} Creates a TLS anonymous credentials object, which can be used to provide TLS support on network backends. The @option{id} parameter is a unique @@ -3654,6 +3654,12 @@ in PEM format, in filenames @var{ca-cert.pem}, @var{ca-crl.pem} (optional), @var{server-cert.pem} (only servers), @var{server-key.pem} (only servers), @var{client-cert.pem} (only clients), and @var{client-key.pem} (only clients). +For the @var{server-key.pem} and @var{client-key.pem} files which +contain sensitive private keys, it is possible to use an encrypted +version by providing the @var{passwordid} parameter. This provides +the ID of a previously created @code{secret} object containing the +password for decryption. + @item -object filter-buffer,id=@var{id},netdev=@var{netdevid},interval=@var{t}[,queue=@var{all|rx|tx}] Interval @var{t} can't be 0, this filter batches the packet delivery: all @@ -3678,6 +3684,83 @@ Dump the network traffic on netdev @var{dev} to the file specified by The file format is libpcap, so it can be analyzed with tools such as tcpdump or Wireshark. +@item -object secret,id=@var{id},data=@var{string},format=@var{raw|base64}[,keyid=@var{secretid},iv=@var{string}] +@item -object secret,id=@var{id},file=@var{filename},format=@var{raw|base64}[,keyid=@var{secretid},iv=@var{string}] + +Defines a secret to store a password, encryption key, or some other sensitive +data. The sensitive data can either be passed directly via the @var{data} +parameter, or indirectly via the @var{file} parameter. Using the @var{data} +parameter is insecure unless the sensitive data is encrypted. + +The sensitive data can be provided in raw format (the default), or base64. +When encoded as JSON, the raw format only supports valid UTF-8 characters, +so base64 is recommended for sending binary data. QEMU will convert from +which ever format is provided to the format it needs internally. eg, an +RBD password can be provided in raw format, even though it will be base64 +encoded when passed onto the RBD sever. + +For added protection, it is possible to encrypt the data associated with +a secret using the AES-256-CBC cipher. Use of encryption is indicated +by providing the @var{keyid} and @var{iv} parameters. The @var{keyid} +parameter provides the ID of a previously defined secret that contains +the AES-256 decryption key. This key should be 32-bytes long and be +base64 encoded. The @var{iv} parameter provides the random initialization +vector used for encryption of this particular secret and should be a +base64 encrypted string of the 32-byte IV. + +The simplest (insecure) usage is to provide the secret inline + +@example + + # $QEMU -object secret,id=sec0,data=letmein,format=raw + +@end example + +The simplest secure usage is to provide the secret via a file + + # echo -n "letmein" > mypasswd.txt + # $QEMU -object secret,id=sec0,file=mypasswd.txt,format=raw + +For greater security, AES-256-CBC should be used. To illustrate usage, +consider the openssl command line tool which can encrypt the data. Note +that when encrypting, the plaintext must be padded to the cipher block +size (32 bytes) using the standard PKCS#5/6 compatible padding algorithm. + +First a master key needs to be created in base64 encoding: + +@example + # openssl rand -base64 32 > key.b64 + # KEY=$(base64 -d key.b64 | hexdump -v -e '/1 "%02X"') +@end example + +Each secret to be encrypted needs to have a random initialization vector +generated. These do not need to be kept secret + +@example + # openssl rand -base64 16 > iv.b64 + # IV=$(base64 -d iv.b64 | hexdump -v -e '/1 "%02X"') +@end example + +The secret to be defined can now be encrypted, in this case we're +telling openssl to base64 encode the result, but it could be left +as raw bytes if desired. + +@example + # SECRET=$(echo -n "letmein" | + openssl enc -aes-256-cbc -a -K $KEY -iv $IV) +@end example + +When launching QEMU, create a master secret pointing to @code{key.b64} +and specify that to be used to decrypt the user password. Pass the +contents of @code{iv.b64} to the second secret + +@example + # $QEMU \ + -object secret,id=secmaster0,format=base64,file=key.b64 \ + -object secret,id=sec0,keyid=secmaster0,format=base64,\ + data=$SECRET,iv=$(<iv.b64) +@end example + @end table ETEXI |