On Fri, May 29, 2020 at 11:35:53AM +0100, Daniel P. Berrangé wrote:
> From: Alexey Krasikov <alex-krasi...@yandex-team.ru>
>
> Add the ability for the secret object to obtain secret data from the
> Linux in-kernel key managment and retention facility, as an extra option
> to the existing ones: reading from a file or passing directly as a
> string.
>
> The secret is identified by the key serial number. The upper layers
> need to instantiate the key and make sure the QEMU process has access
> permissions to read it.
>
> Signed-off-by: Alexey Krasikov <alex-krasi...@yandex-team.ru>
> Signed-off-by: Daniel P. Berrangé <berra...@redhat.com>
> ---
> configure | 38 ++++++++
> crypto/Makefile.objs | 1 +
> crypto/secret_keyring.c | 148 ++++++++++++++++++++++++++++++++
> include/crypto/secret_keyring.h | 52 +++++++++++
> 4 files changed, 239 insertions(+)
> create mode 100644 crypto/secret_keyring.c
> create mode 100644 include/crypto/secret_keyring.h
>
> diff --git a/configure b/configure
> index 2ffe365e2c..d95ff4e0b3 100755
> --- a/configure
> +++ b/configure
> @@ -510,6 +510,7 @@ default_devices="yes"
> plugins="no"
> fuzzing="no"
> rng_none="no"
> +secret_keyring="yes"
>
> supported_cpu="no"
> supported_os="no"
> @@ -1606,6 +1607,10 @@ for opt do
> ;;
> --disable-rng-none) rng_none=no
> ;;
> + --enable-keyring) secret_keyring="yes"
> + ;;
> + --disable-keyring) secret_keyring="no"
> + ;;
> *)
> echo "ERROR: unknown option $opt"
> echo "Try '$0 --help' for more information"
> @@ -6272,6 +6277,34 @@ case "$slirp" in
> ;;
> esac
>
> +##########################################
> +# check for usable __NR_keyctl syscall
> +
> +if test "$linux" = "yes" ; then
> +
> + have_keyring=no
> + cat > $TMPC << EOF
> +#include <errno.h>
> +#include <asm/unistd.h>
> +#include <linux/keyctl.h>
> +#include <unistd.h>
> +int main(void) {
> + return syscall(__NR_keyctl, KEYCTL_READ, 0, NULL, NULL, 0);
> +}
> +EOF
> + if compile_prog "" "" ; then
> + have_keyring=yes
> + fi
> +fi
> +if test "$secret_keyring" = "yes"
> +then
> + if test "$have_keyring" != "yes"
> + then
> + error_exit "syscall __NR_keyctl requested, \
> +but not implemented on your system"
> + fi
> +fi
This logic doesn't correctly disable keyring on Non-Linux native
builds by default. eg mingw as reported by patchew
I'm going to repost with the following squashed in
diff --git a/configure b/configure
index f2ff722f7e..f17c2fd72e 100755
--- a/configure
+++ b/configure
@@ -510,7 +510,7 @@ default_devices="yes"
plugins="no"
fuzzing="no"
rng_none="no"
-secret_keyring="yes"
+secret_keyring=""
supported_cpu="no"
supported_os="no"
@@ -6296,12 +6296,19 @@ EOF
have_keyring=yes
fi
fi
-if test "$secret_keyring" = "yes"
+if test "$secret_keyring" != "no"
then
- if test "$have_keyring" != "yes"
+ if test "$have_keyring" == "yes"
then
- error_exit "syscall __NR_keyctl requested, \
+ secret_keyring=yes
+ else
+ if test "$secret_keyring" = "yes"
+ then
+ error_exit "syscall __NR_keyctl requested, \
but not implemented on your system"
+ else
+ secret_keyring=no
+ fi
fi
fi
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
