mirror of
https://github.com/checkpoint-restore/criu.git
synced 2026-01-23 02:14:37 +00:00
page-xfer: Add TLS support with X509 certificates
This commit adds Transport Layer Security (TLS) support for remote
page-server connections. The following command-line options are introduced
with this commit:

    --tls-cacert FILE   Trust certificates signed only by this CA
    --tls-cacrl FILE    CA certificate revocation list
    --tls-cert FILE     TLS certificate
    --tls-key FILE      TLS private key
    --tls               Use TLS to secure remote connections

The default PKI locations are:

    CA certificate             /etc/pki/CA/cacert.pem
    CA revocation list         /etc/pki/CA/cacrl.pem
    Client/server certificate  /etc/pki/criu/cert.pem
    Client/server private key  /etc/pki/criu/private/key.pem

The files cacert.pem and cacrl.pem are optional. If they are not present,
and not explicitly specified with a command-line option, CRIU will use only
the system's trusted CAs to verify the remote peer's identity. This implies
that if a CA certificate is specified using "--tls-cacert", only this CA
will be used for verification. If the CA certificate (cacert.pem) is not
present, the certificate revocation list (cacrl.pem) will be ignored.

Both (client and server) sides require a private key and certificate.

When the "--tls" option is specified, a TLS handshake (key exchange) will
be performed immediately after the remote TCP connection has been accepted.

X.509 certificates can be generated as follows:

-------------------------%<-------------------------
# Generate CA key and certificate
echo -ne "ca\ncert_signing_key" > temp
certtool --generate-privkey > cakey.pem
certtool --generate-self-signed \
    --template temp \
    --load-privkey cakey.pem \
    --outfile cacert.pem

# Generate server key and certificate
echo -ne "cn=$HOSTNAME\nencryption_key\nsigning_key" > temp
certtool --generate-privkey > key.pem
certtool --generate-certificate \
    --template temp \
    --load-privkey key.pem \
    --load-ca-certificate cacert.pem \
    --load-ca-privkey cakey.pem \
    --outfile cert.pem
rm temp

mkdir -p /etc/pki/CA
mkdir -p /etc/pki/criu/private
mv cacert.pem /etc/pki/CA/
mv cert.pem /etc/pki/criu/
mv key.pem /etc/pki/criu/private
-------------------------%<-------------------------

Usage Example:

Page-server:
    [src]# criu page-server -D <PATH> --port <PORT> --tls
    [dst]# criu dump --page-server --address <SRC> --port <PORT> \
           -t <PID> -D <PATH> --tls

Lazy migration:
    [src]# criu dump --lazy-pages --port <PORT> -t <PID> -D <PATH> --tls
    [dst]# criu lazy-pages --page-server --address <SRC> --port <PORT> \
           -D <PATH> --tls
    [dst]# criu restore -D <PATH> --lazy-pages

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
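As an added pre-flight check (not part of this commit or of CRIU itself), the script below walks the default PKI layout the commit message describes before a page-server or dump is started with --tls: cert.pem and key.pem must both exist, the private key must not be readable by group or others, and a cacrl.pem without a cacert.pem is flagged because CRIU ignores it. The PREFIX argument and the return codes are this example's own convention; it assumes POSIX sh, with openssl used only if present for the optional chain check.

```shell
#!/bin/sh
# Pre-flight check of the PKI layout CRIU expects with --tls (added example,
# not part of the CRIU commit). PREFIX, if given, is prepended to /etc so the
# check can be run against a scratch tree. Return codes: 0 usable, 1 cert or
# key missing, 2 private key readable by group/other, 3 cert fails CA check.
criu_tls_preflight() {
    prefix=${1:-}
    cert="$prefix/etc/pki/criu/cert.pem"
    key="$prefix/etc/pki/criu/private/key.pem"
    ca="$prefix/etc/pki/CA/cacert.pem"
    crl="$prefix/etc/pki/CA/cacrl.pem"

    # Both the page-server and the dump/lazy-pages side need a certificate
    # and private key; CRIU has no fallback for these two files.
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "missing: $f" >&2
            return 1
        fi
    done

    # The key should be readable only by its owner: characters 5-10 of the
    # ls -l mode string are the group and other permission bits.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "$key is readable by group/other (chmod 600 it)" >&2
        return 2
    fi

    # cacrl.pem is ignored unless cacert.pem is present; without cacert.pem
    # CRIU verifies the peer against the system's trusted CAs only.
    if [ ! -r "$ca" ]; then
        if [ -r "$crl" ]; then
            echo "warning: $crl is ignored because $ca is missing" >&2
        fi
        echo "note: $ca absent, system CAs will be used for verification" >&2
        return 0
    fi

    # With openssl available, confirm cert.pem chains to cacert.pem (chain
    # check only; pass -CRLfile/-crl_check as well to honour cacrl.pem).
    if command -v openssl >/dev/null 2>&1 &&
       ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert does not verify against $ca" >&2
        return 3
    fi
    return 0
}
# Usage: criu_tls_preflight            (checks /etc/pki/...)
#        criu_tls_preflight /tmp/tree  (checks /tmp/tree/etc/pki/...)
```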
parent b7230b6132
commit 76a41209b0
11 changed files with 546 additions and 34 deletions
@ -594,6 +594,33 @@ Launches *criu* in page server mode.
remote *lazy-pages* daemon to request memory pages in random
order.

*--tls-cacert* 'file'::
Specifies the path to a trusted Certificate Authority (CA) certificate
file to be used for verification of a client or server certificate.
The 'file' must be in PEM format. When this option is used only the
specified CA is used for verification. Otherwise, the system's trusted CAs
and, if present, '/etc/pki/CA/cacert.pem' will be used.

*--tls-cacrl* 'file'::
Specifies a path to a Certificate Revocation List (CRL) 'file' which
contains a list of revoked certificates that should no longer be trusted.
The 'file' must be in PEM format. When this option is not specified, the
file, if present, '/etc/pki/CA/cacrl.pem' will be used.

*--tls-cert* 'file'::
Specifies a path to a file that contains a X.509 certificate to present
to the remote entity. The 'file' must be in PEM format. When this option
is not specified, the default location ('/etc/pki/criu/cert.pem') will be
used.

*--tls-key* 'file'::
Specifies a path to a file that contains TLS private key. The 'file' must
be in PEM format. When this option is not the default location
('/etc/pki/criu/private/key.pem') will be used.

*--tls*::
Use TLS to secure remote connections.

*lazy-pages*
~~~~~~~~~~~~
Launches *criu* in lazy-pages daemon mode.
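Review bot: the *--tls-key* entry is missing a word: "When this option is not the default location ('/etc/pki/criu/private/key.pem') will be used" should read "When this option is not specified, the default location ('/etc/pki/criu/private/key.pem') will be used", mirroring the *--tls-cert* entry. Two smaller wording fixes in the same hunk: "a X.509 certificate" should be "an X.509 certificate", and "contains TLS private key" should be "contains the TLS private key". It would also help users to state under *--tls-cacrl* that the CRL only takes effect when a CA certificate is available, since the commit message says cacrl.pem is ignored when cacert.pem is absent.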