Bug 747928

Summary:	app-emulation/qemu: add gnutls TLS policy support(?)
Product:	Gentoo Linux	Reporter:	Vjaceslavs Klimovs <vklimovs>
Component:	Current packages	Assignee:	Matthias Maier <tamiko>
Status:	RESOLVED FIXED
Severity:	normal	CC:	base-system, sam, slyfox, virtualization
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	patch for app-emulation/qemu ebuild patch

Description Vjaceslavs Klimovs 2020-10-12 01:52:49 UTC

Created attachment 664822 [details, diff]
patch for app-emulation/qemu

Gnutls allows TLS ciphersuit configuration to be systemwide. On Gentoo, that configuration lives in /etc/gnutls/config, which is unchanged default. In addition to systemwide configuration, some applications allow application specific settings (app-emulation/libvirt for example, tls_priority= setting). If one wishes to set ciphesuit settings, there are no issues with those applications - one just changes the settings within application itself. However, some applications rely exclusively on centralized mechanism and do not provide a mechanism to control ciphersuits from application itself. For example, app-emulation/qemu does that. 

See https://gitlab.com/libvirt/libvirt/-/issues/66 for detail. 

To be able to set TLS priority setting, one must compile qemu with the attached patch. Ideally, all applications dependent on gnutls would specify a centralized config file priority reference to allow for configuration as envisioned by gnutls maintainers. 

Portage 3.0.8 (python 3.7.8-final-0, default/linux/amd64/17.1/no-multilib/hardened, gcc-9.3.0, glibc-2.31-r6, 5.4.66-gentoo x86_64)
=================================================================
System uname: Linux-5.4.66-gentoo-x86_64-Intel-R-_Xeon-R-_CPU_E3-1285_v6_@_4.10GHz-with-gentoo-2.7
KiB Mem:    65686544 total,  59279956 free
KiB Swap:   33554424 total,  33554424 free
Timestamp of repository gentoo: Sun, 11 Oct 2020 20:00:01 +0000
Head commit of repository gentoo: 7f330da7d87d963fe68d78b858dbe0be8a2fc252
sh bash 5.0_p18
ld GNU ld (Gentoo 2.34 p6) 2.34.0
app-shells/bash:          5.0_p18::gentoo
dev-lang/perl:            5.30.3::gentoo
dev-lang/python:          3.6.11-r2::gentoo, 3.7.8-r2::gentoo, 3.8.5::gentoo
dev-util/cmake:           3.17.4-r1::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.7::gentoo
sys-apps/openrc:          0.42.1::gentoo
sys-apps/sandbox:         2.18::gentoo
sys-devel/autoconf:       2.69-r5::gentoo
sys-devel/automake:       1.16.1-r1::gentoo
sys-devel/binutils:       2.34-r2::gentoo
sys-devel/gcc:            9.3.0-r1::gentoo
sys-devel/gcc-config:     2.3.1::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.2.1-r4::gentoo
sys-kernel/linux-headers: 5.4-r1::gentoo (virtual/os-headers)
sys-libs/glibc:           2.31-r6::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-jobs: 1
    sync-rsync-extra-opts: 
    sync-rsync-verify-metamanifest: yes

vklimovs
    location: /usr/local/portage/vklimovs
    masters: gentoo

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="https://pulley.lan:8080"
INSTALL_MASK="*.la"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en"
MAKEOPTS="-j9"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl amd64 bzip2 caps crypt hardened iconv ipv6 libglvnd libtirpc ncurses nls nptl openmp pam pcre pie readline seccomp split-usr ssl ssp unicode vhosts xattr xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="cpu disk interface ipmi memory network sensors smart snmp syslog table" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="libinput" KERNEL="linux" L10N="en" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" NGINX_MODULES_HTTP="autoindex map proxy rewrite" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2 php7-3 php7-4" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_7" PYTHON_TARGETS="python3_7" RUBY_TARGETS="ruby25 ruby26" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 1 Sam James archtester

2020-10-13 00:32:22 UTC

I think I've got the summary right. CCing base-system in case they have input as the gnutls maintainers.

Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev

2020-10-13 06:32:38 UTC

I would prefer Gentoo not to have Gentoo-specific patches around the configuration options.

Can you send the patch upstream to qemu-devel@ ML? https://wiki.qemu.org/Contribute/MailingLists has some pointers.

Comment 3 Vjaceslavs Klimovs 2020-10-17 19:20:24 UTC

Created attachment 666314 [details, diff]
ebuild patch

I was using source patch as an example, it's possible to pass this parameter as part of build configuration, see attached patch.

Comment 4 Larry the Git Cow gentoo-dev

2020-10-18 09:25:20 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=59088d47f0af5e6be740f8c86bdfa9afa6b9b78b

commit 59088d47f0af5e6be740f8c86bdfa9afa6b9b78b
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-10-18 09:24:49 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-10-18 09:24:49 +0000

    app-emulation/qemu: allow user'specified @QEMU TLS policy
    
    Patch-by: Vjaceslavs Klimovs
    Closes: https://bugs.gentoo.org/747928
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 app-emulation/qemu/qemu-5.1.0-r2.ebuild | 856 ++++++++++++++++++++++++++++++++
 1 file changed, 856 insertions(+)

Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev

2020-10-18 09:26:21 UTC

(In reply to Vjaceslavs Klimovs from comment #3)
> Created attachment 666314 [details, diff] [details, diff]
> ebuild patch
> 
> I was using source patch as an example, it's possible to pass this parameter
> as part of build configuration, see attached patch.

Applied. Thank you!

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2020-10-18 09:27:25 UTC

I still suggest to send the default change upstream so more distributions could share a common default location for overrides.

Comment 7 Vjaceslavs Klimovs 2020-10-25 19:02:10 UTC

I apologize for reopening this, but after further testing it's clear that this breaks qemu live migrations over TLS on machines that *do not* specify app specific TLS priority in /etc/gnutls/config. 

In other words, this works really well on a machine that specifies e.g.

[priorities]
QEMU = NONE:+VERS-TLS1.2:+AES-128-GCM:+AEAD:+ECDHE-ECDSA:+GROUP-SECP256R1:+SIGN-ECDSA-SHA256

in /etc/gnutls/config, but actually breaks migrations on a machine that does not. 

Would it be possible for ebuild to install /etc/gnutls/config file with something like:

[priorities]
QEMU = NORMAL

?

Once again I apologize for not testing the proposal more thoroughly before suggesting it.

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2020-10-25 19:23:29 UTC

I would prefer if /etc/gnutls/config file would not be owned by 'qemu` package as it does not sound qemu-specific. Would be nice if there was a directory we could throw a file without need to resolve collisions against other package users.

Let's remove the Gentoo-specific plumbing meanwhile and expose a mechanism to pass arbitrary configure options to qemu ebuild via /etc/portage/env.d/.

Comment 9 Larry the Git Cow gentoo-dev

2020-10-25 19:36:54 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8afea161831a0e0de8a056438d02637312c48e5b

commit 8afea161831a0e0de8a056438d02637312c48e5b
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-10-25 19:36:21 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-10-25 19:36:49 +0000

    app-emulation/qemu: plumb EXTRA_CONF_QEMU variable for ./configure
    
    New EXTRA_CONF_QEMU variable To ease passing arbitrary overrides
    to qemu's configure. Usage example:
    
        EXTRA_CONF_QEMU='--tls-priority=@QEMU,NORMAL' emerge -v1 qemu
    
    Expected to be used in make.conf or package.env override.
    
    Use at your own risk!
    
    Closes: https://bugs.gentoo.org/747928
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 app-emulation/qemu/qemu-5.1.0-r1.ebuild | 4 ++++
 app-emulation/qemu/qemu-9999.ebuild     | 4 ++++
 2 files changed, 8 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9221cf6013d85b7bc292a6b44f2ccfeaa9ad52e6

commit 9221cf6013d85b7bc292a6b44f2ccfeaa9ad52e6
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-10-25 19:25:45 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-10-25 19:36:49 +0000

    app-emulation/qemu: revert "allow user-specified @QEMU TLS policy"
    
    `--tls-priority=@QEMU,NORMAL` does not work without extra
    configuration. Let's remove it for now.
    
    Reported-by: Vjaceslavs Klimovs
    Bug: https://bugs.gentoo.org/747928
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 app-emulation/qemu/qemu-5.1.0-r2.ebuild | 856 --------------------------------
 app-emulation/qemu/qemu-9999.ebuild     |   1 -
 2 files changed, 857 deletions(-)