From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: qemu-devel@nongnu.org, Laszlo Ersek <lersek@redhat.com>
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
"Andrew Jones" <drjones@redhat.com>,
"Eduardo Habkost" <ehabkost@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
qemu-arm@nongnu.org, "Paolo Bonzini" <pbonzini@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: [Qemu-arm] [PATCH v5 1/3] hw/firmware: Add Edk2Crypto and edk2_add_host_crypto_policy()
Date: Thu, 20 Jun 2019 14:21:30 +0200 [thread overview]
Message-ID: <20190620122132.10075-2-philmd@redhat.com> (raw)
In-Reply-To: <20190620122132.10075-1-philmd@redhat.com>
The Edk2Crypto object is used to hold configuration values specific
to EDK2.
The edk2_add_host_crypto_policy() function loads crypto policies
from the host, and registers them as fw_cfg named file items.
So far only the 'https' policy is supported.
A use case example is the 'HTTPS Boot' feature of OVMF [*].
Usage example:
- via the command line:
$ qemu-system-x86_64 \
--object edk2_crypto,id=https,\
ciphers=/etc/crypto-policies/back-ends/openssl.config,\
cacerts=/etc/pki/ca-trust/extracted/edk2/cacerts.bin
- via QMP:
{
"execute": "object-add",
"arguments": {
"qom-type": "edk2_crypto",
"id": "https",
"props": {
"ciphers": "/etc/crypto-policies/back-ends/openssl.config",
"cacerts": "/etc/pki/ca-trust/extracted/edk2/cacerts.bin"
}
}
}
(On Fedora these files are provided by the ca-certificates and
crypto-policies packages).
[*]: https://github.com/tianocore/edk2/blob/master/OvmfPkg/README
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
v3:
- inverted the if() logic
- '-object' -> '--object' in commit description (Eric)
- reworded the 'TODO: g_free' comment
v4:
- do not return pointer to alloc'd data (Markus)
- INTERFACE_CHECK -> OBJECT_CLASS_CHECK (Markus)
- path -> filename (Laszlo)
- dropped the 'TODO: g_free' comment (Markus)
v5:
- only allow 1 singleton using the UserCreatableClass::complete
callback (Markus, Laszlo)
- object owns fw_cfg 'file' content, no need for
fw_cfg_add_file_from_host() (Laszlo)
- g_file_get_contents() called when object is instantiated
and report error, the machine 'done' notifier does not have
to manage errors (does not fail).
- add QMP example
- do not add docs/interop/firmware.json to MAINTAINERS
---
MAINTAINERS | 2 +
hw/Makefile.objs | 1 +
hw/firmware/Makefile.objs | 1 +
hw/firmware/uefi_edk2_crypto_policies.c | 209 ++++++++++++++++++++++++
include/hw/firmware/uefi_edk2.h | 30 ++++
5 files changed, 243 insertions(+)
create mode 100644 hw/firmware/Makefile.objs
create mode 100644 hw/firmware/uefi_edk2_crypto_policies.c
create mode 100644 include/hw/firmware/uefi_edk2.h
diff --git a/MAINTAINERS b/MAINTAINERS
index d32c5c2313..28de489134 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2262,6 +2262,8 @@ EDK2 Firmware
M: Laszlo Ersek <lersek@redhat.com>
M: Philippe Mathieu-Daudé <philmd@redhat.com>
S: Supported
+F: hw/firmware/uefi_edk2_crypto_policies.c
+F: include/hw/firmware/uefi_edk2.h
F: pc-bios/descriptors/??-edk2-*.json
F: pc-bios/edk2-*
F: roms/Makefile.edk2
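Review bot: the new hw/firmware/Makefile.objs is not covered by the two added F: lines, so it has no maintainer entry; a directory pattern such as `F: hw/firmware/` would cover it and any later files in that directory, otherwise list the Makefile explicitly next to `F: hw/firmware/uefi_edk2_crypto_policies.c`.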
diff --git a/hw/Makefile.objs b/hw/Makefile.objs
index d770926ba9..c13b6ee0dd 100644
--- a/hw/Makefile.objs
+++ b/hw/Makefile.objs
@@ -8,6 +8,7 @@ devices-dirs-$(CONFIG_SOFTMMU) += char/
devices-dirs-$(CONFIG_SOFTMMU) += cpu/
devices-dirs-$(CONFIG_SOFTMMU) += display/
devices-dirs-$(CONFIG_SOFTMMU) += dma/
+devices-dirs-$(CONFIG_SOFTMMU) += firmware/
devices-dirs-$(CONFIG_SOFTMMU) += gpio/
devices-dirs-$(CONFIG_HYPERV) += hyperv/
devices-dirs-$(CONFIG_I2C) += i2c/
diff --git a/hw/firmware/Makefile.objs b/hw/firmware/Makefile.objs
new file mode 100644
index 0000000000..ea1f6d44df
--- /dev/null
+++ b/hw/firmware/Makefile.objs
@@ -0,0 +1 @@
+common-obj-y += uefi_edk2_crypto_policies.o
diff --git a/hw/firmware/uefi_edk2_crypto_policies.c b/hw/firmware/uefi_edk2_crypto_policies.c
new file mode 100644
index 0000000000..a0164272ea
--- /dev/null
+++ b/hw/firmware/uefi_edk2_crypto_policies.c
@@ -0,0 +1,209 @@
+/*
+ * UEFI EDK2 Support
+ *
+ * Copyright (c) 2019 Red Hat Inc.
+ *
+ * Author:
+ * Philippe Mathieu-Daudé <philmd@redhat.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qom/object_interfaces.h"
+#include "hw/firmware/uefi_edk2.h"
+
+
+#define TYPE_EDK2_CRYPTO "edk2_crypto"
+
+#define EDK2_CRYPTO_CLASS(klass) \
+ OBJECT_CLASS_CHECK(Edk2CryptoClass, (klass), \
+ TYPE_EDK2_CRYPTO)
+#define EDK2_CRYPTO_GET_CLASS(obj) \
+ OBJECT_GET_CLASS(Edk2CryptoClass, (obj), \
+ TYPE_EDK2_CRYPTO)
+#define EDK2_CRYPTO(obj) \
+ OBJECT_CHECK(Edk2Crypto, (obj), \
+ TYPE_EDK2_CRYPTO)
+
+typedef struct FWCfgHostContent {
+ /*
+ * Path to the acceptable ciphersuites and the preferred order from
+ * the host-side crypto policy.
+ */
+ char *filename;
+ /*
+ * Add a new NAMED fw_cfg item as a raw "blob" of the given size. The data
+ * referenced by the starting pointer is only linked, NOT copied, into the
+ * data structure of the fw_cfg device.
+ */
+ char *contents;
+
+ size_t contents_length;
+} FWCfgHostContent;
+
+typedef struct Edk2Crypto {
+ Object parent_obj;
+
+ /*
+ * Path to the acceptable ciphersuites and the preferred order from
+ * the host-side crypto policy.
+ */
+ FWCfgHostContent ciphers;
+ /* Path to the trusted CA certificates configured on the host side. */
+ FWCfgHostContent cacerts;
+} Edk2Crypto;
+
+typedef struct Edk2CryptoClass {
+ ObjectClass parent_class;
+} Edk2CryptoClass;
+
+static Edk2Crypto *edk2_crypto_by_policy_id(const char *policy_id, Error **errp)
+{
+ Object *obj;
+
+ obj = object_resolve_path_component(object_get_objects_root(), policy_id);
+ if (!obj) {
+ error_setg(errp, "Cannot find EDK2 crypto policy ID %s", policy_id);
+ return NULL;
+ }
+
+ if (!object_dynamic_cast(obj, TYPE_EDK2_CRYPTO)) {
+ error_setg(errp, "Object '%s' is not a EDK2 crypto subclass",
+ policy_id);
+ return NULL;
+ }
+
+ return EDK2_CRYPTO(obj);
+}
+
+static void edk2_crypto_prop_set_ciphers(Object *obj, const char *value,
+ Error **errp G_GNUC_UNUSED)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(obj);
+
+ g_free(s->ciphers.filename);
+ s->ciphers.filename = g_strdup(value);
+}
+
+static char *edk2_crypto_prop_get_ciphers(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(obj);
+
+ return g_strdup(s->ciphers.filename);
+}
+
+static void edk2_crypto_prop_set_cacerts(Object *obj, const char *value,
+ Error **errp G_GNUC_UNUSED)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(obj);
+
+ g_free(s->cacerts.filename);
+ s->cacerts.filename = g_strdup(value);
+}
+
+static char *edk2_crypto_prop_get_cacerts(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(obj);
+
+ return g_strdup(s->cacerts.filename);
+}
+
+static void edk2_crypto_complete(UserCreatable *uc, Error **errp)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(uc);
+ Error *local_err = NULL;
+ GError *gerr = NULL;
+
+ if (s->ciphers.filename) {
+ if (!g_file_get_contents(s->ciphers.filename, &s->ciphers.contents,
+ &s->ciphers.contents_length, &gerr)) {
+ goto report_error;
+ }
+ }
+ if (s->cacerts.filename) {
+ if (!g_file_get_contents(s->cacerts.filename, &s->cacerts.contents,
+ &s->cacerts.contents_length, &gerr)) {
+ goto report_error;
+ }
+ }
+ return;
+
+ report_error:
+ error_setg(&local_err, "%s", gerr->message);
+ g_error_free(gerr);
+ error_propagate_prepend(errp, local_err, "EDK2 crypto policy: ");
+}
+
+static void edk2_crypto_finalize(Object *obj)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(obj);
+
+ g_free(s->ciphers.filename);
+ g_free(s->ciphers.contents);
+ g_free(s->cacerts.filename);
+ g_free(s->cacerts.contents);
+}
+
+static void edk2_crypto_class_init(ObjectClass *oc, void *data)
+{
+ UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+
+ ucc->complete = edk2_crypto_complete;
+
+ object_class_property_add_str(oc, "ciphers",
+ edk2_crypto_prop_get_ciphers,
+ edk2_crypto_prop_set_ciphers,
+ NULL);
+ object_class_property_add_str(oc, "cacerts",
+ edk2_crypto_prop_get_cacerts,
+ edk2_crypto_prop_set_cacerts,
+ NULL);
+}
+
+static const TypeInfo edk2_crypto_info = {
+ .parent = TYPE_OBJECT,
+ .name = TYPE_EDK2_CRYPTO,
+ .instance_size = sizeof(Edk2Crypto),
+ .instance_finalize = edk2_crypto_finalize,
+ .class_size = sizeof(Edk2CryptoClass),
+ .class_init = edk2_crypto_class_init,
+ .interfaces = (InterfaceInfo[]) {
+ { TYPE_USER_CREATABLE },
+ { }
+ }
+};
+
+static void edk2_crypto_register_types(void)
+{
+ type_register_static(&edk2_crypto_info);
+}
+
+type_init(edk2_crypto_register_types);
+
+static void edk2_add_host_crypto_policy_https(FWCfgState *fw_cfg)
+{
+ Edk2Crypto *s;
+
+ s = edk2_crypto_by_policy_id("https", NULL);
+ if (!s) {
+ return;
+ }
+ if (s->ciphers.contents_length) {
+ fw_cfg_add_file(fw_cfg, "etc/edk2/https/ciphers",
+ s->ciphers.contents, s->ciphers.contents_length);
+ }
+ if (s->cacerts.contents_length) {
+ fw_cfg_add_file(fw_cfg, "etc/edk2/https/cacerts",
+ s->cacerts.contents, s->cacerts.contents_length);
+ }
+}
+
+void edk2_add_host_crypto_policy(FWCfgState *fw_cfg)
+{
+ edk2_add_host_crypto_policy_https(fw_cfg);
+}
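Review bot: fw_cfg_add_file() links the buffers rather than copying them (the comment on FWCfgHostContent says exactly that), yet nothing pins the Edk2Crypto object once edk2_add_host_crypto_policy_https() has handed s->ciphers.contents and s->cacerts.contents to fw_cfg; a later QMP `object-del` of the 'https' object runs edk2_crypto_finalize(), which g_free()s both buffers and leaves the "etc/edk2/https/*" items pointing at freed memory the guest can still request. Either register a copy (g_memdup() the contents and let fw_cfg own it) or refuse deletion of the object after it has been consumed. Three smaller points in the same hunk: edk2_add_host_crypto_policy_https() calls edk2_crypto_by_policy_id("https", NULL), so an object with id=https of the wrong type is silently ignored instead of reported; the comment on the `contents` field is the fw_cfg_add_file() API description rather than a description of the field, and the `filename` comment is repeated verbatim on the `ciphers` member of Edk2Crypto; and the v5 changelog says a single instance is enforced in the complete callback, but edk2_crypto_complete() only loads the files and does not reject a second instance.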
diff --git a/include/hw/firmware/uefi_edk2.h b/include/hw/firmware/uefi_edk2.h
new file mode 100644
index 0000000000..f8f81c5cb2
--- /dev/null
+++ b/include/hw/firmware/uefi_edk2.h
@@ -0,0 +1,30 @@
+/*
+ * UEFI EDK2 Support
+ *
+ * Copyright (c) 2019 Red Hat Inc.
+ *
+ * Author:
+ * Philippe Mathieu-Daudé <philmd@redhat.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#ifndef HW_FIRMWARE_UEFI_EDK2_H
+#define HW_FIRMWARE_UEFI_EDK2_H
+
+#include "hw/nvram/fw_cfg.h"
+
+/**
+ * edk2_add_host_crypto_policy:
+ * @fw_cfg: fw_cfg device being modified
+ *
+ * Add a new named file containing the host crypto policy.
+ *
+ * This method is called by the machine_done() Notifier of
+ * some implementations of MachineState, currently the X86
+ * PCMachineState and the ARM VirtMachineState.
+ */
+void edk2_add_host_crypto_policy(FWCfgState *fw_cfg);
+
+#endif /* HW_FIRMWARE_UEFI_EDK2_H */
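Review bot: the doc comment says "Add a new named file", but the function adds up to two items, "etc/edk2/https/ciphers" and "etc/edk2/https/cacerts", and none at all when no `edk2_crypto` object with id=https exists. Those item names and the object id are the contract firmware code depends on, so spell them out here, and state that the function silently does nothing when the object is absent or a property was not set.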
--
2.20.1
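A guest-side check that the policy actually reached the firmware, as an added example that is not part of this patch or of QEMU. It assumes a Linux guest with the qemu_fw_cfg driver loaded, which exposes each named fw_cfg item under /sys/firmware/qemu_fw_cfg/by_name/<item>/raw, and that the two host files passed to the `edk2_crypto` object are available to the checker (copied into the guest, or the guest sysfs mounted on the host). The sysfs root is a parameter so the same functions run against a constructed directory tree.

```python
"""Verify that the host crypto policy published through fw_cfg by
edk2_add_host_crypto_policy() is byte-identical to the host files.

Added example, not QEMU code. Assumptions: Linux guest with the qemu_fw_cfg
driver, which exposes "etc/edk2/https/ciphers" as
/sys/firmware/qemu_fw_cfg/by_name/etc/edk2/https/ciphers/raw (one directory
per '/' component of the item name), and the same for "cacerts".
"""
import hashlib
from pathlib import Path
from typing import Dict, Optional

FW_CFG_BY_NAME = Path("/sys/firmware/qemu_fw_cfg/by_name")

# fw_cfg item name -> Edk2Crypto property that produced it (names from the patch)
HTTPS_POLICY_ITEMS = {
    "etc/edk2/https/ciphers": "ciphers",
    "etc/edk2/https/cacerts": "cacerts",
}


def read_fw_cfg_item(name: str, root: Path = FW_CFG_BY_NAME) -> Optional[bytes]:
    """Return the raw bytes of a named fw_cfg item, or None if it is absent.

    Absent means QEMU never published it: no `edk2_crypto` object with
    id=https, the property not set, or an empty host file (the patch skips
    items whose contents_length is 0).
    """
    raw = root.joinpath(*name.split("/")) / "raw"
    if not raw.is_file():
        return None
    return raw.read_bytes()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_https_policy(host_files: Dict[str, Path],
                        root: Path = FW_CFG_BY_NAME) -> Dict[str, str]:
    """Compare every published item with the host file it should mirror.

    host_files maps the property name ("ciphers" / "cacerts") to the path the
    object was created with. The result maps the fw_cfg item name to "ok",
    "missing" (not published) or "mismatch" (guest-visible bytes differ from
    the host file, which would mean the firmware negotiates with a policy
    other than the one the host administrator configured).
    """
    result: Dict[str, str] = {}
    for item, prop in HTTPS_POLICY_ITEMS.items():
        expected_path = host_files.get(prop)
        if expected_path is None:
            continue  # property not configured for this object; nothing to check
        published = read_fw_cfg_item(item, root)
        if published is None:
            result[item] = "missing"
            continue
        expected = Path(expected_path).read_bytes()
        same = sha256_hex(published) == sha256_hex(expected)
        result[item] = "ok" if same else "mismatch"
    return result


if __name__ == "__main__":
    # Paths are the ones from the commit message's usage example.
    report = verify_https_policy({
        "ciphers": Path("/etc/crypto-policies/back-ends/openssl.config"),
        "cacerts": Path("/etc/pki/ca-trust/extracted/edk2/cacerts.bin"),
    })
    for item, status in report.items():
        print(f"{item}: {status}")
```

Run it inside the guest after boot; a "missing" result for an item whose host file is non-empty means the machine-done notifier never registered it (for example the object was created with an id other than `https`), and a "mismatch" means the guest firmware saw different bytes than the host policy file.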
Thread overview (17+ messages):
2019-06-20 12:21 [Qemu-devel] [PATCH RESEND v5 0/3] fw_cfg: Add edk2_add_host_crypto_policy() Philippe Mathieu-Daudé
2019-06-20 12:21 ` Philippe Mathieu-Daudé [this message]
2019-06-20 12:21 ` [Qemu-devel] [PATCH v5 1/3] hw/firmware: Add Edk2Crypto and edk2_add_host_crypto_policy() Philippe Mathieu-Daudé
2019-06-24 14:53 ` Laszlo Ersek
2019-06-24 15:14 ` [Qemu-arm] " Laszlo Ersek
2019-06-24 15:14 ` Laszlo Ersek
2019-06-24 15:23 ` [Qemu-arm] " Daniel P. Berrangé
2019-06-24 15:23 ` Daniel P. Berrangé
2019-06-24 15:11 ` Daniel P. Berrangé
2019-06-20 12:21 ` [Qemu-arm] [PATCH v5 2/3] hw/i386: Use edk2_add_host_crypto_policy() Philippe Mathieu-Daudé
2019-06-20 12:21 ` [Qemu-devel] " Philippe Mathieu-Daudé
2019-06-24 15:00 ` [Qemu-arm] " Laszlo Ersek
2019-06-24 15:00 ` Laszlo Ersek
2019-06-20 12:21 ` [Qemu-devel] [PATCH v5 3/3] hw/arm/virt: " Philippe Mathieu-Daudé
2019-06-24 15:01 ` Laszlo Ersek
2019-06-20 13:55 ` [Qemu-arm] [PATCH RESEND v5 0/3] fw_cfg: Add edk2_add_host_crypto_policy() Philippe Mathieu-Daudé
2019-06-20 13:55 ` [Qemu-devel] " Philippe Mathieu-Daudé