From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: Laszlo Ersek <lersek@redhat.com>, qemu-devel@nongnu.org
Subject: Re: [PATCH v10 1/5] crypto: Add tls-cipher-suites object
Date: Thu, 25 Jun 2020 12:11:54 +0100 [thread overview]
Message-ID: <20200625111154.GI1009994@redhat.com> (raw)
In-Reply-To: <20200623172726.21040-2-philmd@redhat.com>
On Tue, Jun 23, 2020 at 07:27:22PM +0200, Philippe Mathieu-Daudé wrote:
> On the host OS, various aspects of TLS operation are configurable.
> In particular it is possible for the sysadmin to control the TLS
> cipher/protocol algorithms that applications are permitted to use.
>
> * Any given crypto library has a built-in default priority list
> defined by the distro maintainer of the library package (or by
> upstream).
>
> * The "crypto-policies" RPM (or equivalent host OS package)
> provides a config file such as "/etc/crypto-policies/config",
> where the sysadmin can set a high level (library-independent)
> policy.
>
> The "update-crypto-policies --set" command (or equivalent) is
> used to translate the global policy to individual library
> representations, producing files such as
> "/etc/crypto-policies/back-ends/*.config". The generated files,
> if present, are loaded by the various crypto libraries to
> override their own built-in defaults.
>
> For example, the GNUTLS library may read
> "/etc/crypto-policies/back-ends/gnutls.config".
>
> * A management application (or the QEMU user) may overide the
> system-wide crypto-policies config via their own config, if
> they need to diverge from the former.
>
> Thus the priority order is "QEMU user config" > "crypto-policies
> system config" > "library built-in config".
>
> Introduce the "tls-cipher-suites" object for exposing the ordered
> list of permitted TLS cipher suites from the host side to the
> guest firmware, via fw_cfg. The list is represented as an array
> of bytes.
>
> The priority at which the host-side policy is retrieved is given
> by the "priority" property of the new object type. For example,
> "priority=@SYSTEM" may be used to refer to
> "/etc/crypto-policies/back-ends/gnutls.config" (given that QEMU
> uses GNUTLS).
>
> The firmware uses the IANA_TLS_CIPHER array for configuring
> guest-side TLS, for example in UEFI HTTPS Boot.
>
> [Description from Daniel P. Berrangé, edited by Laszlo Ersek.]
>
> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> ---
> v10: rewrote logic (danpb)
> ---
> include/crypto/tls-cipher-suites.h | 39 ++++++++++
> crypto/tls-cipher-suites.c | 115 +++++++++++++++++++++++++++++
> crypto/Makefile.objs | 1 +
> crypto/trace-events | 5 ++
> qemu-options.hx | 19 +++++
> 5 files changed, 179 insertions(+)
> create mode 100644 include/crypto/tls-cipher-suites.h
> create mode 100644 crypto/tls-cipher-suites.c
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
>
> diff --git a/include/crypto/tls-cipher-suites.h b/include/crypto/tls-cipher-suites.h
> new file mode 100644
> index 0000000000..1be7917233
> --- /dev/null
> +++ b/include/crypto/tls-cipher-suites.h
> @@ -0,0 +1,39 @@
> +/*
> + * QEMU TLS Cipher Suites Registry (RFC8447)
> + *
> + * Copyright (c) 2019 Red Hat, Inc.
nit-pick, we could make that 2019-2020, likewise other files.
No need to respin just for that though.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2020-06-25 11:15 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-23 17:27 [PATCH v10 0/5] fw_cfg: Add FW_CFG_DATA_GENERATOR; crypto: Add tls-cipher-suites Philippe Mathieu-Daudé
2020-06-23 17:27 ` [PATCH v10 1/5] crypto: Add tls-cipher-suites object Philippe Mathieu-Daudé
2020-06-25 11:11 ` Daniel P. Berrangé [this message]
2020-07-02 10:57 ` Laszlo Ersek
2020-06-23 17:27 ` [PATCH v10 2/5] hw/nvram/fw_cfg: Add the FW_CFG_DATA_GENERATOR interface Philippe Mathieu-Daudé
2020-06-25 11:12 ` Daniel P. Berrangé
2020-06-23 17:27 ` [PATCH v10 3/5] softmmu/vl: Let -fw_cfg option take a 'gen_id' argument Philippe Mathieu-Daudé
2020-06-25 11:14 ` Daniel P. Berrangé
2020-06-23 17:27 ` [PATCH v10 4/5] softmmu/vl: Allow -fw_cfg 'gen_id' option to use the 'etc/' namespace Philippe Mathieu-Daudé
2020-06-25 11:14 ` Daniel P. Berrangé
2020-06-23 17:27 ` [PATCH v10 5/5] crypto/tls-cipher-suites: Produce fw_cfg consumable blob Philippe Mathieu-Daudé
2020-06-25 11:15 ` Daniel P. Berrangé
2020-07-02 10:58 ` Laszlo Ersek
2020-06-23 17:30 ` [PATCH v10 0/5] fw_cfg: Add FW_CFG_DATA_GENERATOR; crypto: Add tls-cipher-suites Philippe Mathieu-Daudé
2020-07-01 10:31 ` Daniel P. Berrangé
2020-07-01 10:34 ` Philippe Mathieu-Daudé
2020-07-02 11:00 ` Laszlo Ersek
2020-07-02 11:01 ` Daniel P. Berrangé
2020-07-02 11:03 ` Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200625111154.GI1009994@redhat.com \
--to=berrange@redhat.com \
--cc=lersek@redhat.com \
--cc=philmd@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.