Pre-Shared Keys (PSK) are a simpler mechanism for enabling TLS
connections than certificates. They require only a simple secret
key:
$ mkdir -m 0700 /tmp/keys
$ psktool -u rjones -p /tmp/keys/keys.psk
$ cat /tmp/keys/keys.psk
rjones:d543770c15ad93d76443fb56f501a31969235f47e999720ae8d2336f6a13fcbc
The key can be secretly shared between clients and servers. Clients
must specify the directory containing the "keys.psk" file and a
username (defaults to "qemu"). Servers must specify only the
directory.
Example NBD client:
$ qemu-img info \
--object tls-creds-psk,id=tls0,dir=/tmp/keys,username=rjones,endpoint=client \
--image-opts \
file.driver=nbd,file.host=localhost,file.port=10809,file.tls-creds=tls0,file.export=/
Example NBD server using qemu-nbd:
$ qemu-nbd -t -x / \
--object tls-creds-psk,id=tls0,endpoint=server,dir=/tmp/keys \
--tls-creds tls0 \
image.qcow2
Example NBD server using nbdkit:
$ nbdkit -n -e / -fv \
--tls=on --tls-psk=/tmp/keys/keys.psk \
file file=disk.img
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Makefile
crypto-obj-y = init.o
|
|
crypto-obj-y += hash.o
|
|
crypto-obj-$(CONFIG_NETTLE) += hash-nettle.o
|
|
crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += hash-gcrypt.o
|
|
crypto-obj-$(if $(CONFIG_NETTLE),n,$(if $(CONFIG_GCRYPT),n,y)) += hash-glib.o
|
|
crypto-obj-y += hmac.o
|
|
crypto-obj-$(CONFIG_NETTLE) += hmac-nettle.o
|
|
crypto-obj-$(CONFIG_GCRYPT_HMAC) += hmac-gcrypt.o
|
|
crypto-obj-$(if $(CONFIG_NETTLE),n,$(if $(CONFIG_GCRYPT_HMAC),n,y)) += hmac-glib.o
|
|
crypto-obj-y += aes.o
|
|
crypto-obj-y += desrfb.o
|
|
crypto-obj-y += cipher.o
|
|
crypto-obj-$(CONFIG_AF_ALG) += afalg.o
|
|
crypto-obj-$(CONFIG_AF_ALG) += cipher-afalg.o
|
|
crypto-obj-$(CONFIG_AF_ALG) += hash-afalg.o
|
|
crypto-obj-y += tlscreds.o
|
|
crypto-obj-y += tlscredsanon.o
|
|
crypto-obj-y += tlscredspsk.o
|
|
crypto-obj-y += tlscredsx509.o
|
|
crypto-obj-y += tlssession.o
|
|
crypto-obj-y += secret.o
|
|
crypto-obj-$(CONFIG_GCRYPT) += random-gcrypt.o
|
|
crypto-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS_RND)) += random-gnutls.o
|
|
crypto-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS_RND),n,y)) += random-platform.o
|
|
crypto-obj-y += pbkdf.o
|
|
crypto-obj-$(CONFIG_NETTLE_KDF) += pbkdf-nettle.o
|
|
crypto-obj-$(if $(CONFIG_NETTLE_KDF),n,$(CONFIG_GCRYPT_KDF)) += pbkdf-gcrypt.o
|
|
crypto-obj-y += ivgen.o
|
|
crypto-obj-y += ivgen-essiv.o
|
|
crypto-obj-y += ivgen-plain.o
|
|
crypto-obj-y += ivgen-plain64.o
|
|
crypto-obj-y += afsplit.o
|
|
crypto-obj-y += xts.o
|
|
crypto-obj-y += block.o
|
|
crypto-obj-y += block-qcow.o
|
|
crypto-obj-y += block-luks.o
|
|
|
|
# Let the userspace emulators avoid linking gnutls/etc
|
|
crypto-aes-obj-y = aes.o
|
|
|
|
stub-obj-y += pbkdf-stub.o
|
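Review bot: The new `crypto-obj-y += tlscredspsk.o` line is unconditional rather than gated on a CONFIG_ variable, so, like tlscredsanon.o and tlscredsx509.o on the neighbouring lines, the source presumably has to compile and fail cleanly at object-creation time when the TLS library is not available; confirm that the new file follows the same pattern rather than assuming gnutls. A brief comment above the tlscreds* run, `# TLS credential backends: always built, report an error at runtime when TLS support is disabled`, would make that expectation visible in the Makefile, since the only existing comment (`# Let the userspace emulators avoid linking gnutls/etc`) documents the separate crypto-aes-obj-y list. The object ordering (anon, psk, x509) is consistent with the existing alphabetical grouping.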