Description of problem:

The QEMU rbd and iscsi block drivers both have the ability to accept passwords for authenticating with their remote network services. In both cases though, these passwords are directly passed as QEMU block driver properties, which means the security sensitive data is visible in the process listing and any logfiles generated by libvirt. This problem is CVE-2015-5160 against libvirt.

To fix this CVE we need to support a mechanism to pass passwords to block drivers without exposing them in plain text anywhere. The recently merged 'QCryptoSecret' object type in QEMU supports such a mechanism. There are patches proposed to leverage this in the rbd, iscsi and curl block drivers:

https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg04083.html
There are three block drivers to test with this fix: curl (http, https, ftp protocols), rbd and iscsi. For each of these we need to test operation against a server that requires password authentication. Some examples to test:

iSCSI server:

  $QEMU \
    -object secret,id=sec0,filename=/home/berrange/example.pw \
    -drive driver=iscsi,url=iscsi://example.com/target-foo/lun1,\
           user=dan,password-secret=sec0

RBD server:

  echo "QVFDVm41aE82SHpGQWhBQXEwTkN2OGp0SmNJY0UrSE9CbE1RMUE=" > poolkey.b64
  $QEMU -object secret,id=secret0,file=poolkey.b64,format=base64 \
    -drive driver=rbd,filename=rbd:pool/image:id=myname:\
           auth_supported=cephx,password-secret=secret0

HTTP server without proxy:

  $QEMU \
    -object secret,id=sec0,filename=/home/berrange/example.pw \
    -drive driver=http,url=http://example.com/some.img,\
           username=dan,password-secret=sec0

HTTP server with proxy server requiring auth too:

  $QEMU \
    -object secret,id=sec0,filename=/home/berrange/example.pw \
    -object secret,id=sec1,filename=/home/berrange/proxy.pw \
    -drive driver=http,url=http://example.com/some.img,\
           username=dan,password-secret=sec0,\
           proxy-username=dan,proxy-password-secret=sec1
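A small check, added here as an illustration and not part of the bug report or of QEMU/libvirt, that classifies a QEMU command line (as it would appear in ps output or a libvirt domain log) as passing a block driver password inline, by a resolvable secret reference, or by a reference to a secret object that was never defined. The sample command lines, file paths and credentials are constructed; only the option names quoted in the report are recognised.

```shell
#!/bin/sh
# Added example: audit a QEMU command line for the CVE-2015-5160 pattern
# (password=... / proxy-password=... inline) versus the fixed pattern
# (-object secret,id=ID,... referenced via password-secret=ID).

# Print each inline credential option found, name only, value withheld.
inline_passwords() {
    printf '%s\n' "$1" | tr ' ,' '\n\n' \
        | grep -E '^(password|proxy-password)=' | sed 's/=.*/=<withheld>/'
}

# Exit 0 if every password-secret= / proxy-password-secret= reference names
# an id= that appears on the command line (i.e. a defined -object secret).
secrets_resolve() {
    opts=$(printf '%s\n' "$1" | tr ' ,' '\n\n')
    for ref in $(printf '%s\n' "$opts" \
                 | sed -n 's/^\(proxy-\)\{0,1\}password-secret=//p'); do
        printf '%s\n' "$opts" | grep -qx "id=$ref" || return 1
    done
    return 0
}

# Classify one command line: "unsafe" (inline password visible in ps/logs),
# "safe" (only secret references, all defined), "broken" (dangling reference).
classify_cmdline() {
    if [ -n "$(inline_passwords "$1")" ]; then
        echo unsafe
    elif secrets_resolve "$1"; then
        echo safe
    else
        echo broken
    fi
}

# Constructed sample command lines (hypothetical hosts, paths and values).
UNSAFE='qemu-system-x86_64 -drive driver=iscsi,url=iscsi://example.com/target-foo/lun1,user=dan,password=hunter2'
SAFE='qemu-system-x86_64 -object secret,id=sec0,file=/etc/qemu/example.pw -drive driver=http,url=http://example.com/some.img,username=dan,password-secret=sec0'
BROKEN='qemu-system-x86_64 -drive driver=http,url=http://example.com/some.img,username=dan,password-secret=sec9'

for c in "$UNSAFE" "$SAFE" "$BROKEN"; do
    printf '%s: %s\n' "$(classify_cmdline "$c")" "$c"
done
```

Run against `ps -o args= -C qemu-system-x86_64` output or the command line recorded at the top of a libvirt domain log to see which guests still expose credentials.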
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2673.html