Bug 1301057

Summary: RFE: add support for securely passing passwords to QEMU block drivers
Product: Red Hat Enterprise Linux 7 Reporter: Daniel Berrangé <berrange>
Component: qemu-kvm-rhevAssignee: Daniel Berrangé <berrange>
Status: CLOSED ERRATA QA Contact: FuXiangChun <xfu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: berrange, chayang, huding, juzhang, knoel, mrezanin, virt-maint, xfu, yanyang
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: qemu-kvm-rhev-2.6.0-22.el7 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 1425757 (view as bug list) Environment:
Last Closed: 2016-11-07 20:57:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1182074, 1425757    

Description Daniel Berrangé 2016-01-22 13:13:45 UTC 
Description of problem:
The QEMU rbd and iscsi block drivers both have the ability to accept passwords for authenticating with their remote network services. In both cases though, these passwords are directly passed as QEMU block driver properties, which means the security sensitive data is visible in the process listing and any logfiles generated by libvirt. This problem is CVE-2015-5160 against libvirt

To fix this CVE we need to support a mechanism to pass passwords to block drivers without exposing them in plain text anywhere. The recently merged 'QCryptoSecret' object type in QEMU supports such a mechanism. There are patches proposed to leverage this in the rbd, iscsi and curl block drivers

https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg04083.html
Comment 5 Daniel Berrangé 2016-08-24 21:45:49 UTC 
There are three block drivers to test with this fix, curl (http, https, ftp, protocols), rbd and iscsi. For each of these we need to test operation against a server that requires password authentication. Some examples to test:

iSCSI server:
    
      $QEMU \
         -object secret,id=sec0,filename=/home/berrange/example.pw \
         -drive driver=iscsi,url=iscsi://example.com/target-foo/lun1,\
                user=dan,password-secret=sec0

RBD server:

      echo "QVFDVm41aE82SHpGQWhBQXEwTkN2OGp0SmNJY0UrSE9CbE1RMUE=" > poolkey.b64
      $QEMU -object secret,id=secret0,file=poolkey.b64,format=base64 \
            -drive driver=rbd,filename=rbd:pool/image:id=myname:\
                   auth_supported=cephx,password-secret=secret0
    
HTTP server without proxy:

     $QEMU \
         -object secret,id=sec0,filename=/home/berrange/example.pw \
         -drive driver=http,url=http://example.com/some.img,\
                username=dan,password-secret=sec0

HTTP server with proxy server requiring auth too


     $QEMU \
         -object secret,id=sec0,filename=/home/berrange/example.pw \
         -object secret,id=sec1,filename=/home/berrange/proxy.pw \
         -drive driver=http,url=http://example.com/some.img,\
                username=dan,password-secret=sec0,\
                proxy-username=dan,proxy-password-secret=sec1
Comment 29 errata-xmlrpc 2016-11-07 20:57:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2673.html