On Fri, May 29, 2020 at 11:35:53AM +0100, Daniel P. Berrangé wrote:
> From: Alexey Krasikov <alex-krasi...@yandex-team.ru>
>
> Add the ability for the secret object to obtain secret data from the
> Linux in-kernel key managment and retention facility, as an extra option
> to the existing ones: reading from a file or passing directly as a
> string.
>
> The secret is identified by the key serial number. The upper layers
> need to instantiate the key and make sure the QEMU process has access
> permissions to read it.
>
> Signed-off-by: Alexey Krasikov <alex-krasi...@yandex-team.ru>
> Signed-off-by: Daniel P. Berrangé <berra...@redhat.com>
> ---
> configure | 38 ++++++++
> crypto/Makefile.objs | 1 +
> crypto/secret_keyring.c | 148 ++++++++++++++++++++++++++++++++
> include/crypto/secret_keyring.h | 52 +++++++++++
> 4 files changed, 239 insertions(+)
> create mode 100644 crypto/secret_keyring.c
> create mode 100644 include/crypto/secret_keyring.h
>
> diff --git a/configure b/configure
> index 2ffe365e2c..d95ff4e0b3 100755
> --- a/configure
> +++ b/configure
> @@ -510,6 +510,7 @@ default_devices="yes"
> plugins="no"
> fuzzing="no"
> rng_none="no"
> +secret_keyring="yes"
>
> supported_cpu="no"
> supported_os="no"
> @@ -1606,6 +1607,10 @@ for opt do
> ;;
> --disable-rng-none) rng_none=no
> ;;
> + --enable-keyring) secret_keyring="yes"
> + ;;
> + --disable-keyring) secret_keyring="no"
> + ;;
> *)
> echo "ERROR: unknown option $opt"
> echo "Try '$0 --help' for more information"
> @@ -6272,6 +6277,34 @@ case "$slirp" in
> ;;
> esac
>
> +##########################################
> +# check for usable __NR_keyctl syscall
> +
> +if test "$linux" = "yes" ; then
> +
> + have_keyring=no
> + cat > $TMPC << EOF
> +#include <errno.h>
> +#include <asm/unistd.h>
> +#include <linux/keyctl.h>
> +#include <unistd.h>
> +int main(void) {
> + return syscall(__NR_keyctl, KEYCTL_READ, 0, NULL, NULL, 0);
> +}
> +EOF
> + if compile_prog "" "" ; then
> + have_keyring=yes
> + fi
> +fi
> +if test "$secret_keyring" = "yes"
> +then
> + if test "$have_keyring" != "yes"
> + then
> + error_exit "syscall __NR_keyctl requested, \
> +but not implemented on your system"
> + fi
> +fi
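Review bot: The `have_keyring` probe is a compile-only test (`compile_prog "" ""` on the `$TMPC` program), so `have_keyring=yes` establishes that `<linux/keyctl.h>` and `__NR_keyctl` exist on the build host, not that the kernel QEMU eventually runs on has the key retention service available; the runtime reader in crypto/secret_keyring.c (not in this hunk) presumably has to treat an ENOSYS or EPERM from keyctl as an ordinary lookup failure rather than rely on this check. A comment above the probe would make that limit explicit, e.g. `# compile-only probe: proves the headers and syscall number exist, not that the running kernel supports keyctl`. The `#include <errno.h>` in the probe is unused and could be dropped, though that is cosmetic.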
This logic doesn't correctly disable keyring on Non-Linux native builds by default. eg mingw as reported by patchew I'm going to repost with the following squashed in
diff --git a/configure b/configure
index f2ff722f7e..f17c2fd72e 100755
--- a/configure
+++ b/configure
@@ -510,7 +510,7 @@ default_devices="yes"
plugins="no"
fuzzing="no"
rng_none="no"
-secret_keyring="yes"
+secret_keyring=""
supported_cpu="no"
supported_os="no"
@@ -6296,12 +6296,19 @@ EOF
have_keyring=yes
fi
fi
-if test "$secret_keyring" = "yes"
+if test "$secret_keyring" != "no"
then
- if test "$have_keyring" != "yes"
+ if test "$have_keyring" == "yes"
then
- error_exit "syscall __NR_keyctl requested, \
+ secret_keyring=yes
+ else
+ if test "$secret_keyring" = "yes"
+ then
+ error_exit "syscall __NR_keyctl requested, \
but not implemented on your system"
+ else
+ secret_keyring=no
+ fi
fi
fi
Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
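Review bot: The new line `if test "$have_keyring" == "yes"` uses `==`, which POSIX `test` does not define and which non-bash `/bin/sh` implementations such as dash reject with an "unexpected operator" error, so unless configure is guaranteed to run under bash the auto-detect branch will fail on exactly the hosts it is meant to handle; the neighbouring tests in the same hunk (`test "$secret_keyring" != "no"`, `test "$secret_keyring" = "yes"`) already use the portable form. Change it to `if test "$have_keyring" = "yes"`. The `secret_keyring=""` default in the first hunk now means auto-detect, but only the control flow here shows that; a short comment at the default, `# "" = auto: enabled when __NR_keyctl is usable, else off`, would document the three-state convention.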