From 76a41209b0942fcc76508f1bdee7e7119c79f625 Mon Sep 17 00:00:00 2001 
From: Radostin Stoyanov
Date: Sun, 31 Mar 2019 12:05:22 +0100
Subject: page-xfer: Add TLS support with X509 certificates

This commit adds Transport Layer Security (TLS) support for remote page-server connections. The following command-line options are introduced with this commit: --tls-cacert FILE Trust certificates signed only by this CA --tls-cacrl FILE CA certificate revocation list --tls-cert FILE TLS certificate --tls-key FILE TLS private key --tls Use TLS to secure remote connections The default PKI locations are: CA certificate /etc/pki/CA/cacert.pem CA revocation list /etc/pki/CA/cacrl.pem Client/server certificate /etc/pki/criu/cert.pem Client/server private key /etc/pki/criu/private/key.pem The files cacert.pem and cacrl.pem are optional. If they are not present, and not explicitly specified with a command-line option, CRIU will use only the system's trusted CAs to verify the remote peer's identity. This implies that, if a CA certificate is specified using "--tls-cacert", only this CA will be used for verification. If the CA certificate (cacert.pem) is not present, the certificate revocation list (cacrl.pem) will be ignored. Both (client and server) sides require a private key and certificate. When the "--tls" option is specified, a TLS handshake (key exchange) will be performed immediately after the remote TCP connection has been accepted.
X.509 certificates can be generated as follows: -------------------------%<------------------------- # Generate CA key and certificate echo -ne "ca\ncert_signing_key" > temp certtool --generate-privkey > cakey.pem certtool --generate-self-signed \ --template temp \ --load-privkey cakey.pem \ --outfile cacert.pem # Generate server key and certificate echo -ne "cn=$HOSTNAME\nencryption_key\nsigning_key" > temp certtool --generate-privkey > key.pem certtool --generate-certificate \ --template temp \ --load-privkey key.pem \ --load-ca-certificate cacert.pem \ --load-ca-privkey cakey.pem \ --outfile cert.pem rm temp mkdir -p /etc/pki/CA mkdir -p /etc/pki/criu/private mv cacert.pem /etc/pki/CA/ mv cert.pem /etc/pki/criu/ mv key.pem /etc/pki/criu/private -------------------------%<------------------------- Usage Example: Page-server: [src]# criu page-server -D --port --tls [dst]# criu dump --page-server --address --port \ -t -D --tls Lazy migration: [src]# criu dump --lazy-pages --port -t -D --tls [dst]# criu lazy-pages --page-server --address --port \ -D --tls [dst]# criu restore -D --lazy-pages Signed-off-by: Radostin Stoyanov
---
 criu/uffd.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'criu/uffd.c')
diff --git a/criu/uffd.c b/criu/uffd.c
index 6699cb14a..5c1e32184 100644
--- a/criu/uffd.c
+++ b/criu/uffd.c
@@ -37,6 +37,7 @@
 #include "page-xfer.h"
 #include "common/lock.h"
 #include "rst-malloc.h"
+#include "tls.h"
 #include "fdstore.h"
 #include "util.h"
@@ -1469,5 +1470,7 @@ int cr_lazy_pages(bool daemon)
 ret = handle_requests(epollfd, events, nr_fds);
+ tls_terminate_session();
+
 return ret;
 }
--
cgit v1.2.3
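Review bot: tls_terminate_session() is only reached on the straight-line exit of cr_lazy_pages after handle_requests(); the function's beginning lies outside the hunk, and any earlier error return there would leave an established session un-terminated, so the teardown belongs on the function's common exit path (a cleanup label shared by all returns) rather than immediately before `return ret;` alone. The call is unconditional, so it presumably has to be a no-op when --tls was not given; that expectation is worth stating at the call site, e.g. `/* No-op unless a TLS session was set up via --tls */`, so a later change to tls.c does not silently break the non-TLS lazy-pages path. The commit message says the handshake runs right after the TCP connection is accepted, but this file only shows the teardown; the setup that pairs with it is not in the hunk, so I cannot confirm from here that every session started in the lazy-pages path is matched by this terminate.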