Bug 1301057 - RFE: add support for securely passing passwords to QEMU block drivers
Summary: RFE: add support for securely passing passwords to QEMU block drivers
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Daniel Berrangé
QA Contact: FuXiangChun
Depends On:
Blocks: 1182074 1425757
TreeView+ depends on / blocked
Reported: 2016-01-22 13:13 UTC by Daniel Berrangé
Modified: 2017-02-22 10:28 UTC (History)
9 users (show)

Fixed In Version: qemu-kvm-rhev-2.6.0-22.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
: 1425757 (view as bug list)
Last Closed: 2016-11-07 20:57:23 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2673 0 normal SHIPPED_LIVE qemu-kvm-rhev bug fix and enhancement update 2016-11-08 01:06:13 UTC

Description Daniel Berrangé 2016-01-22 13:13:45 UTC
Description of problem:
The QEMU rbd and iscsi block drivers both have the ability to accept passwords for authenticating with their remote network services. In both cases though, these passwords are directly passed as QEMU block driver properties, which means the security sensitive data is visible in the process listing and any logfiles generated by libvirt. This problem is CVE-2015-5160 against libvirt

To fix this CVE we need to support a mechanism to pass passwords to block drivers without exposing them in plain text anywhere. The recently merged 'QCryptoSecret' object type in QEMU supports such a mechanism. There are patches proposed to leverage this in the rbd, iscsi and curl block drivers


Comment 5 Daniel Berrangé 2016-08-24 21:45:49 UTC
There are three block drivers to test with this fix, curl (http, https, ftp, protocols), rbd and iscsi. For each of these we need to test operation against a server that requires password authentication. Some examples to test:

iSCSI server:
      $QEMU \
         -object secret,id=sec0,filename=/home/berrange/example.pw \
         -drive driver=iscsi,url=iscsi://example.com/target-foo/lun1,\

RBD server:

      echo "QVFDVm41aE82SHpGQWhBQXEwTkN2OGp0SmNJY0UrSE9CbE1RMUE=" > poolkey.b64
      $QEMU -object secret,id=secret0,file=poolkey.b64,format=base64 \
            -drive driver=rbd,filename=rbd:pool/image:id=myname:\
HTTP server without proxy:

     $QEMU \
         -object secret,id=sec0,filename=/home/berrange/example.pw \
         -drive driver=http,url=http://example.com/some.img,\

HTTP server with proxy server requiring auth too

     $QEMU \
         -object secret,id=sec0,filename=/home/berrange/example.pw \
         -object secret,id=sec1,filename=/home/berrange/proxy.pw \
         -drive driver=http,url=http://example.com/some.img,\

Comment 29 errata-xmlrpc 2016-11-07 20:57:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.