vmm: use TLS encrypted live migration when TLS parameters are provided

For TLS we need certificates (and a key for the TLS server). This
commits adds parameters for that and encrypts the connection with TLS if
the necessary parameters are provided.

On-behalf-of: SAP sebastian.eydam@sap.com
Signed-off-by: Sebastian Eydam <sebastian.eydam@cyberus-technology.de>

Author: amphi

src/bin/ch-remote.rs

@@ -11,6 +11,7 @@ use std::io::Read;
 use std::marker::PhantomData;
 use std::num::NonZeroU32;
 use std::os::unix::net::UnixStream;
+use std::path::PathBuf;
 use std::process;
 
 use api_client::{
@@ -491,7 +492,8 @@ fn rest_api_do_command(matches: &ArgMatches, socket: &mut UnixStream) -> ApiResu
                     .subcommand_matches("send-migration")
                     .unwrap()
                     .get_one::<String>("send_migration_config")
-                    .unwrap(),
+                    .unwrap()
+                    .to_owned(),
                 matches
                     .subcommand_matches("send-migration")
                     .unwrap()
@@ -513,6 +515,11 @@ fn rest_api_do_command(matches: &ArgMatches, socket: &mut UnixStream) -> ApiResu
                     .copied()
                     .and_then(NonZeroU32::new)
                     .unwrap_or(NonZeroU32::new(1).unwrap()),
+                matches
+                    .subcommand_matches("send-migration")
+                    .unwrap()
+                    .get_one::<PathBuf>("tls_dir")
+                    .cloned(),
             );
             simple_api_command(socket, "PUT", "send-migration", Some(&send_migration_data))
                 .map_err(Error::HttpApiClient)
@@ -523,7 +530,13 @@ fn rest_api_do_command(matches: &ArgMatches, socket: &mut UnixStream) -> ApiResu
                     .subcommand_matches("receive-migration")
                     .unwrap()
                     .get_one::<String>("receive_migration_config")
-                    .unwrap(),
+                    .unwrap()
+                    .to_owned(),
+                matches
+                    .subcommand_matches("receive_migration")
+                    .unwrap()
+                    .get_one::<PathBuf>("tls_dir")
+                    .cloned(),
             );
             simple_api_command(
                 socket,
@@ -930,32 +943,35 @@ fn coredump_config(destination_url: &str) -> String {
     serde_json::to_string(&coredump_config).unwrap()
 }
 
-fn receive_migration_data(url: &str) -> String {
+fn receive_migration_data(url: String, tls_dir: Option<PathBuf>) -> String {
     let receive_migration_data = vmm::api::VmReceiveMigrationData {
-        receiver_url: url.to_owned(),
+        receiver_url: url,
         tcp_serial_url: None,
         // Only FDs transmitted via an SCM_RIGHTS UNIX Domain Socket message
         // are valid. Transmitting specific FD nums via the HTTP API is
         // almost always invalid.
         net_fds: None,
+        tls_dir,
     };
 
     serde_json::to_string(&receive_migration_data).unwrap()
 }
 
 fn send_migration_data(
-    url: &str,
+    url: String,
     local: bool,
     downtime: u64,
     migration_timeout: u64,
     connections: NonZeroU32,
+    tls_dir: Option<PathBuf>,
 ) -> String {
     let send_migration_data = vmm::api::VmSendMigrationData {
-        destination_url: url.to_owned(),
+        destination_url: url,
         local,
         downtime,
         migration_timeout,
         connections,
+        tls_dir,
     };
 
     serde_json::to_string(&send_migration_data).unwrap()

vmm/src/api/mod.rs

@@ -35,6 +35,7 @@ pub mod http;
 
 use std::io;
 use std::num::NonZeroU32;
+use std::path::PathBuf;
 use std::sync::mpsc::{RecvError, SendError, Sender, channel};
 
 use micro_http::Body;
@@ -265,6 +266,9 @@ pub struct VmReceiveMigrationData {
     pub tcp_serial_url: Option<String>,
     /// Map with new network FDs on the new host.
     pub net_fds: Option<Vec<RestoredNetConfig>>,
+    /// Directory containing the TLS server certificate (server-cert.pem) and TLS server key (server-key.pem).
+    #[serde(default)]
+    pub tls_dir: Option<PathBuf>,
 }
 
 #[derive(Clone, Deserialize, Serialize, Debug)]
@@ -287,6 +291,9 @@ pub struct VmSendMigrationData {
     /// The number of parallel connections for migration
     #[serde(default = "default_connections")]
     pub connections: NonZeroU32,
+    /// Directory containing the TLS root CA certificate (ca-cert.pem)
+    #[serde(default)]
+    pub tls_dir: Option<PathBuf>,
 }
 
 // Default value for downtime the same as qemu.

vmm/src/lib.rs

@@ -21,7 +21,6 @@ use std::collections::HashMap;
 use std::fs::File;
 use std::io::{ErrorKind, Read, Write, stdout};
 use std::net::{TcpListener, TcpStream};
-use std::num::NonZeroU32;
 use std::os::fd::{AsFd, BorrowedFd};
 use std::os::unix::io::{AsRawFd, FromRawFd, RawFd};
 use std::os::unix::net::{UnixListener, UnixStream};
@@ -60,7 +59,9 @@ use vm_memory::{
 };
 use vm_migration::protocol::*;
 use vm_migration::tls::{TlsConnectionWrapper, TlsStream};
-use vm_migration::{Migratable, MigratableError, Pausable, Snapshot, Snapshottable, Transportable};
+use vm_migration::{
+    Migratable, MigratableError, Pausable, Snapshot, Snapshottable, Transportable, tls,
+};
 use vmm_sys_util::eventfd::EventFd;
 use vmm_sys_util::signal::unblock_signal;
 use vmm_sys_util::sock_ctrl_msg::ScmSocket;
@@ -1232,15 +1233,15 @@ impl SendAdditionalConnections {
     const CHUNK_SIZE: u64 = 64 /* MiB */ << 20;
 
     fn new(
-        destination: &str,
-        connections: NonZeroU32,
+        send_data_migration: &VmSendMigrationData,
         guest_mem: &GuestMemoryAtomic<GuestMemoryMmap>,
     ) -> std::result::Result<Self, MigratableError> {
         let mut threads = Vec::new();
         let mut channels = Vec::new();
 
-        for n in 0..(connections.get() - 1) {
-            let socket = (match send_migration_socket(destination) {
+        let additional_connections = send_data_migration.connections.get() - 1;
+        for n in 0..(additional_connections) {
+            let socket = (match send_migration_socket(send_data_migration) {
                 Err(e) if n == 0 => {
                     // If we encounter a problem on the first additional
                     // connection, we just assume the other side doesn't support
@@ -1384,17 +1385,31 @@ impl Drop for SendAdditionalConnections {
 
 /// Establishes a connection to a migration destination socket (TCP or UNIX).
 fn send_migration_socket(
-    destination_url: &str,
+    send_data_migration: &VmSendMigrationData,
 ) -> std::result::Result<SocketStream, MigratableError> {
-    if let Some(address) = destination_url.strip_prefix("tcp:") {
+    if let Some(address) = send_data_migration.destination_url.strip_prefix("tcp:") {
         info!("Connecting to TCP socket at {}", address);
 
         let socket = TcpStream::connect(address).map_err(|e| {
             MigratableError::MigrateSend(anyhow!("Error connecting to TCP socket: {}", e))
         })?;
 
-        Ok(SocketStream::Tcp(socket))
-    } else if let Some(path) = destination_url.strip_prefix("unix:") {
+        if send_data_migration.tls_dir.is_none() {
+            Ok(SocketStream::Tcp(socket))
+        } else {
+            info!("Live Migration will be encrypted using TLS.");
+            // The address may still contain a port. I think we should build something more robust to also handle IPv6.
+            let tls_stream = tls::client_stream(
+                socket,
+                send_data_migration.tls_dir.as_ref().unwrap(),
+                address
+                    .split_once(':')
+                    .map(|(host, _)| host)
+                    .unwrap_or(address),
+            )?;
+            Ok(SocketStream::Tls(TlsStream::Client(tls_stream)))
+        }
+    } else if let Some(path) = &send_data_migration.destination_url.strip_prefix("unix:") {
         info!("Connecting to UNIX socket at {:?}", path);
 
         let socket = UnixStream::connect(path).map_err(|e| {
@@ -1404,30 +1419,39 @@ fn send_migration_socket(
         Ok(SocketStream::Unix(socket))
     } else {
         Err(MigratableError::MigrateSend(anyhow!(
-            "Invalid destination: {destination_url}"
+            "Invalid destination: {}",
+            send_data_migration.destination_url
         )))
     }
 }
 
 /// Creates a listener socket for receiving incoming migration connections (TCP or UNIX).
 fn receive_migration_listener(
-    receiver_url: &str,
+    receiver_data_migration: &VmReceiveMigrationData,
 ) -> std::result::Result<ReceiveListener, MigratableError> {
-    if let Some(address) = receiver_url.strip_prefix("tcp:") {
-        TcpListener::bind(address)
-            .map_err(|e| {
-                MigratableError::MigrateReceive(anyhow!("Error binding to TCP socket: {}", e))
-            })
-            .map(ReceiveListener::Tcp)
-    } else if let Some(path) = receiver_url.strip_prefix("unix:") {
+    if let Some(address) = receiver_data_migration.receiver_url.strip_prefix("tcp:") {
+        let listener = TcpListener::bind(address).map_err(|e| {
+            MigratableError::MigrateReceive(anyhow!("Error binding to TCP socket: {}", e))
+        })?;
+
+        if receiver_data_migration.tls_dir.is_none() {
+            Ok(ReceiveListener::Tcp(listener))
+        } else {
+            Ok(ReceiveListener::Tls(
+                listener,
+                TlsConnectionWrapper::new(receiver_data_migration.tls_dir.as_ref().unwrap()),
+            ))
+        }
+    } else if let Some(path) = receiver_data_migration.receiver_url.strip_prefix("unix:") {
         UnixListener::bind(path)
             .map_err(|e| {
                 MigratableError::MigrateReceive(anyhow!("Error binding to UNIX socket: {}", e))
             })
             .map(|listener| ReceiveListener::Unix(listener, Some(path.into())))
     } else {
         Err(MigratableError::MigrateSend(anyhow!(
-            "Invalid source: {receiver_url}"
+            "Invalid source: {}",
+            receiver_data_migration.receiver_url
         )))
     }
 }
@@ -2054,11 +2078,7 @@ impl Vmm {
         s: &mut MigrationState,
         send_data_migration: &VmSendMigrationData,
     ) -> result::Result<(), MigratableError> {
-        let mem_send = SendAdditionalConnections::new(
-            &send_data_migration.destination_url,
-            send_data_migration.connections,
-            &vm.guest_memory(),
-        )?;
+        let mem_send = SendAdditionalConnections::new(send_data_migration, &vm.guest_memory())?;
 
         // Start logging dirty pages
         vm.start_dirty_log()?;
@@ -2139,7 +2159,7 @@ impl Vmm {
         let mut s = MigrationState::new();
 
         // Set up the socket connection
-        let mut socket = send_migration_socket(&send_data_migration.destination_url)?;
+        let mut socket = send_migration_socket(&send_data_migration)?;
 
         // Start the migration
         Request::start().write_to(&mut socket)?;
@@ -3317,7 +3337,7 @@ impl RequestHandler for Vmm {
             receive_data_migration.receiver_url, &receive_data_migration.net_fds
         );
 
-        let mut listener = receive_migration_listener(&receive_data_migration.receiver_url)?;
+        let mut listener = receive_migration_listener(&receive_data_migration)?;
         // Accept the connection and get the socket
         let mut socket = listener.accept().map_err(|e| {
             warn!("Failed to accept migration connection: {}", e);