cyberus-technology · amphi · Nov 25, 2025
diff --git a/src/ch/ch_conf.c b/src/ch/ch_conf.c
@@ -168,6 +168,9 @@ virCHDriverConfigNew(bool privileged)
         cfg->saveDir = g_strdup_printf("%s/ch/save", configbasedir);
     }
 
+    // TODO: we should read this from a config file.
+    cfg->migrateTLSx509certdir = g_strdup_printf("%s/pki", cfg->configDir);
+
     return cfg;
 }
 
@@ -185,6 +188,8 @@ virCHDriverConfigDispose(void *obj)
     g_free(cfg->saveDir);
     g_free(cfg->stateDir);
     g_free(cfg->logDir);
+
+    g_free(cfg->migrateTLSx509certdir);
 }
 
 #define MIN_VERSION ((15 * 1000000) + (0 * 1000) + (0))

diff --git a/src/ch/ch_conf.h b/src/ch/ch_conf.h
@@ -53,6 +53,8 @@ struct _virCHDriverConfig {
     gid_t group;
 
     bool stdioLogD;
+
+    char *migrateTLSx509certdir;
 };
 
 G_DEFINE_AUTOPTR_CLEANUP_FUNC(virCHDriverConfig, virObjectUnref);

diff --git a/src/ch/ch_domain.h b/src/ch/ch_domain.h
@@ -58,6 +58,7 @@ struct _chMigrationDstArgs {
     virCond cond;
     volatile bool success;
     char *tcp_serial_url;
+    bool use_tls;
 };
 
 #define CH_DOMAIN_PRIVATE(vm) \

diff --git a/src/ch/ch_driver.c b/src/ch/ch_driver.c
@@ -2756,7 +2756,8 @@ chDoMigrateDstReceive(void *opaque)
                                      args->def,
                                      args->driver,
                                      &args->cond,
-                                     args->tcp_serial_url) < 0) {
+                                     args->tcp_serial_url,
+                                     args->use_tls) < 0) {
         DBG("Migration receive failed.");
         args->success = false;
         return;
@@ -2926,6 +2927,7 @@ chDomainMigratePrepare3(virConnectPtr dconn,
     args->driver = driver;
     args->success = false;
     args->tcp_serial_url = NULL;
+    args->use_tls = flags & VIR_MIGRATE_TLS;
 
     if (vm->def->nserials > 0 &&
         vm->def->serials[0]->source->type == VIR_DOMAIN_CHR_TYPE_TCP) {
@@ -3089,7 +3091,8 @@ chDomainMigratePerform3Impl(virDomainObj *vm,
                             int *cookieoutlen,
                             unsigned long flags,
                             const char *dname,
-                            unsigned parallel_connections)
+                            unsigned parallel_connections,
+                            bool use_tls)
 {
     virCHDomainObjPrivate *priv = vm->privateData;
     g_autofree char *id = NULL;
@@ -3100,8 +3103,8 @@ chDomainMigratePerform3Impl(virDomainObj *vm,
     int rc = -1;
     g_autoptr(virCHDriverConfig) cfg = virCHDriverGetConfig(driver);
 
-    DBG("chDomainMigratePerform3Impl %s %s %s %lu %s %u",
-        xmlin, dconnuri, uri, flags, dname, parallel_connections);
+    DBG("chDomainMigratePerform3Impl %s %s %s %lu %s %u %s",
+        xmlin, dconnuri, uri, flags, dname, parallel_connections, use_tls ? "true" : "false");
 
     if (!priv->monitor) {
         VIR_ERROR(_("VMs monitor not initialized"));
@@ -3154,7 +3157,7 @@ chDomainMigratePerform3Impl(virDomainObj *vm,
         uri = uri_out;
     }
 
-    if (virCHMonitorMigrationSend(priv->monitor, uri, parallel_connections) < 0) {
+    if (virCHMonitorMigrationSend(priv->monitor, uri, parallel_connections, use_tls, driver->config->migrateTLSx509certdir) < 0) {
         DBG("Migration send failed.");
         dconn->driver->domainMigrateFinish3(dconn, vm->def->name, NULL, 0, NULL, NULL, NULL, uri, flags, 1);
         rc = -1;
@@ -3245,7 +3248,8 @@ chDomainMigratePerform3(virDomainPtr dom,
                                      cookieoutlen,
                                      flags,
                                      dname,
-                                     1);
+                                     1,
+                                    false);
 
 cleanup:
     virDomainObjEndAPI(&vm);
@@ -3270,6 +3274,7 @@ chDomainMigratePerform3Params(virDomainPtr dom,
     virDomainObj *vm;
     virCHDriver *driver = dom->conn->privateData;
     int rc = -1;
+    bool use_tls = false;
 
     if (virTypedParamsGetString(params, nparams,
                                 VIR_MIGRATE_PARAM_URI,
@@ -3302,6 +3307,8 @@ chDomainMigratePerform3Params(virDomainPtr dom,
         parallel_connections = 1;
     }
 
+    use_tls = flags & VIR_MIGRATE_TLS;
+
     DBG("chDomainMigratePerform3Params dconnuri: %s dname: %s parallel connection: %d", dconnuri, dname, parallel_connections);
 
     if (!(vm = virCHDomainObjFromDomain(dom)))
@@ -3321,7 +3328,8 @@ chDomainMigratePerform3Params(virDomainPtr dom,
                                      cookieoutlen,
                                      flags,
                                      dname,
-                                     parallel_connections);
+                                     parallel_connections,
+                                     use_tls);
 error:
     virDomainObjEndAPI(&vm);
     return rc;

diff --git a/src/ch/ch_monitor.c b/src/ch/ch_monitor.c
@@ -1667,7 +1667,9 @@ int virCHMonitorRemoveDevice(virCHMonitor *mon,
 
 int virCHMonitorMigrationSend(virCHMonitor *mon,
                               const char *dst_uri,
-                              unsigned parallel_connections)
+                              unsigned parallel_connections,
+                              bool use_tls,
+                              char *tls_dir)
 {
     g_autofree char *url = NULL;
     int responseCode = 0;
@@ -1692,6 +1694,19 @@ int virCHMonitorMigrationSend(virCHMonitor *mon,
             return -1;
     }
 
+    if (use_tls) {
+      if (!virFileExists(tls_dir)) {
+        virReportError(
+            VIR_ERR_CONF_SYNTAX,
+            _("migrate_tls_x509_cert_dir directory '%1$s' does not exist"),
+            tls_dir);
+        return -1;
+      }
+
+      if (virJSONValueObjectAppendString(content, "tls_dir", tls_dir) != 0)
+        return -1;
+    }
+
     if (!(payload = virJSONValueToString(content, false)))
         return -1;
 
@@ -1814,7 +1829,8 @@ int virCHMonitorMigrationReceive(virCHMonitor *mon,
                                  virDomainDef *vmdef,
                                  virCHDriver *driver,
                                  virCond *cond,
-                                 char *tcp_serial_url)
+                                 char *tcp_serial_url,
+                                 bool use_tls)
 {
     size_t i = 0;
     VIR_AUTOCLOSE mon_sockfd = -1;
@@ -1891,6 +1907,20 @@ int virCHMonitorMigrationReceive(virCHMonitor *mon,
             goto out;
         }
     }
+
+    if (use_tls) {
+      if (!virFileExists(driver->config->migrateTLSx509certdir)) {
+        virReportError(
+            VIR_ERR_CONF_SYNTAX,
+            _("migrate_tls_x509_cert_dir directory '%1$s' does not exist"),
+            driver->config->migrateTLSx509certdir);
+        return -1;
+      }
+
+      if (virJSONValueObjectAppendString(content, "tls_dir", driver->config->migrateTLSx509certdir) != 0)
+        return -1;
+    }
+
     if (!(payload = virJSONValueToString(content, false))) {
         rc = -1;
         goto out;

diff --git a/src/ch/ch_monitor.h b/src/ch/ch_monitor.h
@@ -139,10 +139,12 @@ int virCHMonitorSaveVM(virCHMonitor *mon,
                        const char *to);
 int virCHMonitorMigrationSend(virCHMonitor *mon,
                               const char *dst_uri,
-                              unsigned parallel_connections);
+                              unsigned parallel_connections,
+                              bool use_tls,
+                              char *tls_dir);
 int virCHMonitorMigrationReceive(virCHMonitor *mon,
                                  const char *rcv_uri,
-                                 virDomainDef *vmdef, virCHDriver *driver, virCond *cond, char* tcp_serial_url);
+                                 virDomainDef *vmdef, virCHDriver *driver, virCond *cond, char* tcp_serial_url, bool use_tls);
 int virCHMonitorRemoveDevice(virCHMonitor *mon, const char* device_id);
 int virCHMonitorGetInfo(virCHMonitor *mon, virJSONValue **info);