From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: Laszlo Ersek <lersek@redhat.com>,
Gerd Hoffmann <kraxel@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
qemu-devel@nongnu.org
Cc: "Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
"Eduardo Habkost" <ehabkost@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Richard Henderson" <rth@twiddle.net>,
"Artyom Tarasenko" <atar4qemu@gmail.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Peter Maydell" <peter.maydell@linaro.org>,
"David Gibson" <david@gibson.dropbear.id.au>,
"Igor Mammedov" <imammedo@redhat.com>,
"Eric Blake" <eblake@redhat.com>,
qemu-ppc@nongnu.org, qemu-arm@nongnu.org,
"Markus Armbruster" <armbru@redhat.com>,
"Mark Cave-Ayland" <mark.cave-ayland@ilande.co.uk>,
"Thomas Huth" <thuth@redhat.com>,
"Daniel P . Berrange" <berrange@redhat.com>
Subject: [Qemu-devel] [PATCH v2 16/18] hw/firmware: Add Edk2Crypto and edk2_add_host_crypto_policy()
Date: Fri, 8 Mar 2019 02:32:20 +0100 [thread overview]
Message-ID: <20190308013222.12524-17-philmd@redhat.com> (raw)
In-Reply-To: <20190308013222.12524-1-philmd@redhat.com>
The Edk2Crypto object is used to hold configuration values specific
to EDK2.
The edk2_add_host_crypto_policy() function loads crypto policies
from the host, and register them as fw_cfg named file items.
So far only the 'https' policy is supported.
An usercase example is the 'HTTPS Boof' feature of OVMF [*].
Usage example:
$ qemu-system-x86_64 \
-object edk2_crypto,id=https,\
ciphers=/etc/crypto-policies/back-ends/openssl.config,\
cacerts=/etc/pki/ca-trust/extracted/edk2/cacerts.bin
(On Fedora these files are provided by the ca-certificates and
crypto-policies packages).
[*]: https://github.com/tianocore/edk2/blob/master/OvmfPkg/README
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
MAINTAINERS | 8 ++
hw/Makefile.objs | 1 +
hw/firmware/Makefile.objs | 1 +
hw/firmware/uefi_edk2_crypto_policies.c | 166 ++++++++++++++++++++++++
include/hw/firmware/uefi_edk2.h | 28 ++++
5 files changed, 204 insertions(+)
create mode 100644 hw/firmware/Makefile.objs
create mode 100644 hw/firmware/uefi_edk2_crypto_policies.c
create mode 100644 include/hw/firmware/uefi_edk2.h
diff --git a/MAINTAINERS b/MAINTAINERS
index 306fc2aefa..3696b63249 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2205,6 +2205,14 @@ F: include/hw/i2c/smbus_master.h
F: include/hw/i2c/smbus_slave.h
F: include/hw/i2c/smbus_eeprom.h
+EDK2 Firmware
+M: Laszlo Ersek <lersek@redhat.com>
+M: Philippe Mathieu-Daudé <philmd@redhat.com>
+S: Maintained
+F: docs/interop/firmware.json
+F: hw/firmware/uefi_edk2_crypto_policies.c
+F: include/hw/firmware/uefi_edk2.h
+
Usermode Emulation
------------------
Overall
diff --git a/hw/Makefile.objs b/hw/Makefile.objs
index e2fcd6aafc..da4fb91285 100644
--- a/hw/Makefile.objs
+++ b/hw/Makefile.objs
@@ -8,6 +8,7 @@ devices-dirs-$(CONFIG_SOFTMMU) += char/
devices-dirs-$(CONFIG_SOFTMMU) += cpu/
devices-dirs-$(CONFIG_SOFTMMU) += display/
devices-dirs-$(CONFIG_SOFTMMU) += dma/
+devices-dirs-$(CONFIG_SOFTMMU) += firmware/
devices-dirs-$(CONFIG_SOFTMMU) += gpio/
devices-dirs-$(CONFIG_HYPERV) += hyperv/
devices-dirs-$(CONFIG_SOFTMMU) += i2c/
diff --git a/hw/firmware/Makefile.objs b/hw/firmware/Makefile.objs
new file mode 100644
index 0000000000..ea1f6d44df
--- /dev/null
+++ b/hw/firmware/Makefile.objs
@@ -0,0 +1 @@
+common-obj-y += uefi_edk2_crypto_policies.o
diff --git a/hw/firmware/uefi_edk2_crypto_policies.c b/hw/firmware/uefi_edk2_crypto_policies.c
new file mode 100644
index 0000000000..660c7f3655
--- /dev/null
+++ b/hw/firmware/uefi_edk2_crypto_policies.c
@@ -0,0 +1,166 @@
+/*
+ * UEFI EDK2 Support
+ *
+ * Copyright (c) 2019 Red Hat Inc.
+ *
+ * Author:
+ * Philippe Mathieu-Daudé <philmd@redhat.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qom/object_interfaces.h"
+#include "hw/firmware/uefi_edk2.h"
+
+
+#define TYPE_EDK2_CRYPTO "edk2_crypto"
+
+#define EDK2_CRYPTO_CLASS(klass) \
+ OBJECT_CLASS_CHECK(Edk2CryptoClass, (klass), \
+ TYPE_EDK2_CRYPTO)
+#define EDK2_CRYPTO_GET_CLASS(obj) \
+ OBJECT_GET_CLASS(Edk2CryptoClass, (obj), \
+ TYPE_EDK2_CRYPTO)
+#define EDK2_CRYPTO(obj) \
+ INTERFACE_CHECK(Edk2Crypto, (obj), \
+ TYPE_EDK2_CRYPTO)
+
+typedef struct Edk2Crypto {
+ Object parent_obj;
+
+ /*
+ * Path to the acceptable ciphersuites and the preferred order from
+ * the host-side crypto policy.
+ */
+ char *ciphers_path;
+
+ /* Path to the trusted CA certificates configured on the host side. */
+ char *cacerts_path;
+} Edk2Crypto;
+
+typedef struct Edk2CryptoClass {
+ ObjectClass parent_class;
+} Edk2CryptoClass;
+
+
+static void edk2_crypto_prop_set_ciphers(Object *obj, const char *value,
+ Error **errp G_GNUC_UNUSED)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(obj);
+
+ g_free(s->ciphers_path);
+ s->ciphers_path = g_strdup(value);
+}
+
+static char *edk2_crypto_prop_get_ciphers(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(obj);
+
+ return g_strdup(s->ciphers_path);
+}
+
+static void edk2_crypto_prop_set_cacerts(Object *obj, const char *value,
+ Error **errp G_GNUC_UNUSED)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(obj);
+
+ g_free(s->cacerts_path);
+ s->cacerts_path = g_strdup(value);
+}
+
+static char *edk2_crypto_prop_get_cacerts(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(obj);
+
+ return g_strdup(s->cacerts_path);
+}
+
+static void edk2_crypto_finalize(Object *obj)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(obj);
+
+ g_free(s->ciphers_path);
+ g_free(s->cacerts_path);
+}
+
+static void edk2_crypto_class_init(ObjectClass *oc, void *data)
+{
+ object_class_property_add_str(oc, "ciphers",
+ edk2_crypto_prop_get_ciphers,
+ edk2_crypto_prop_set_ciphers,
+ NULL);
+ object_class_property_add_str(oc, "cacerts",
+ edk2_crypto_prop_get_cacerts,
+ edk2_crypto_prop_set_cacerts,
+ NULL);
+}
+
+static const TypeInfo edk2_crypto_info = {
+ .parent = TYPE_OBJECT,
+ .name = TYPE_EDK2_CRYPTO,
+ .instance_size = sizeof(Edk2Crypto),
+ .instance_finalize = edk2_crypto_finalize,
+ .class_size = sizeof(Edk2CryptoClass),
+ .class_init = edk2_crypto_class_init,
+ .interfaces = (InterfaceInfo[]) {
+ { TYPE_USER_CREATABLE },
+ { }
+ }
+};
+
+static void edk2_crypto_register_types(void)
+{
+ type_register_static(&edk2_crypto_info);
+}
+
+type_init(edk2_crypto_register_types);
+
+static Edk2Crypto *edk2_crypto_by_id(const char *edk_crypto_id, Error **errp)
+{
+ Object *obj;
+ Object *container;
+
+ container = object_get_objects_root();
+ obj = object_resolve_path_component(container,
+ edk_crypto_id);
+ if (!obj) {
+ error_setg(errp, "Cannot find EDK2 crypto object ID %s",
+ edk_crypto_id);
+ return NULL;
+ }
+
+ if (!object_dynamic_cast(obj, TYPE_EDK2_CRYPTO)) {
+ error_setg(errp, "Object '%s' is not a EDK2 crypto subclass",
+ edk_crypto_id);
+ return NULL;
+ }
+
+ return EDK2_CRYPTO(obj);
+}
+
+void edk2_add_host_crypto_policy(FWCfgState *fw_cfg)
+{
+ Edk2Crypto *s;
+
+ s = edk2_crypto_by_id("https", NULL);
+ if (!s) {
+ return;
+ }
+
+ if (s->ciphers_path) {
+ /* TODO g_free the returned pointer */
+ fw_cfg_add_file_from_host(fw_cfg, "etc/edk2/https/ciphers",
+ s->ciphers_path, NULL);
+ }
+
+ if (s->cacerts_path) {
+ /* TODO g_free the returned pointer */
+ fw_cfg_add_file_from_host(fw_cfg, "etc/edk2/https/cacerts",
+ s->cacerts_path, NULL);
+ }
+}
diff --git a/include/hw/firmware/uefi_edk2.h b/include/hw/firmware/uefi_edk2.h
new file mode 100644
index 0000000000..e0b2fb160a
--- /dev/null
+++ b/include/hw/firmware/uefi_edk2.h
@@ -0,0 +1,28 @@
+/*
+ * UEFI EDK2 Support
+ *
+ * Copyright (c) 2019 Red Hat Inc.
+ *
+ * Author:
+ * Philippe Mathieu-Daudé <philmd@redhat.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#ifndef HW_FIRMWARE_UEFI_EDK2_H
+#define HW_FIRMWARE_UEFI_EDK2_H
+
+#include "hw/nvram/fw_cfg.h"
+
+/**
+ * edk2_add_host_crypto_policy:
+ * @s: fw_cfg device being modified
+ *
+ * Add a new named file containing the host crypto policy.
+ *
+ * Currently only the 'https' policy is supported.
+ */
+void edk2_add_host_crypto_policy(FWCfgState *s);
+
+#endif /* HW_FIRMWARE_UEFI_EDK2_H */
--
2.20.1
next prev parent reply other threads:[~2019-03-08 1:35 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-08 1:32 [Qemu-devel] [PATCH v2 00/18] fw_cfg: reduce memleaks, add QMP/HMP info + edk2_add_host_crypto_policy Philippe Mathieu-Daudé
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 01/18] hw/arm/virt: Remove null-check in virt_build_smbios() Philippe Mathieu-Daudé
2019-03-09 14:09 ` Markus Armbruster
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 02/18] hw/i386: Remove unused include Philippe Mathieu-Daudé
2019-03-08 9:22 ` Laszlo Ersek
2019-03-08 11:32 ` [Qemu-devel] [Qemu-ppc] " Thomas Huth
2019-03-09 14:54 ` [Qemu-devel] [Qemu-trivial] " Laurent Vivier
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 03/18] cutils: Add qemu_strdup_hexlify() and qemu_strdup_unhexlify() Philippe Mathieu-Daudé
2019-03-08 9:48 ` Laszlo Ersek
2019-03-09 14:32 ` Markus Armbruster
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 04/18] hw/nvram/fw_cfg: Add trace events Philippe Mathieu-Daudé
2019-03-08 9:57 ` Laszlo Ersek
2019-03-08 10:59 ` Philippe Mathieu-Daudé
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 05/18] hw/nvram/fw_cfg: Use the ldst API Philippe Mathieu-Daudé
2019-03-08 10:02 ` Laszlo Ersek
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 06/18] hw/nvram/fw_cfg: Remove the unnecessary boot_splash_filedata_size Philippe Mathieu-Daudé
2019-03-08 6:49 ` Thomas Huth
2019-03-09 14:53 ` [Qemu-devel] [Qemu-trivial] " Laurent Vivier
2019-03-08 10:05 ` [Qemu-devel] " Laszlo Ersek
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 07/18] hw/nvram/fw_cfg: Add fw_cfg_common_unrealize() Philippe Mathieu-Daudé
2019-03-08 6:55 ` Thomas Huth
2019-03-08 10:29 ` Laszlo Ersek
2019-03-09 14:44 ` Markus Armbruster
2019-03-09 14:47 ` Markus Armbruster
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 08/18] hw/nvram/fw_cfg: Move fw_cfg_file_slots_allocate() to common_realize() Philippe Mathieu-Daudé
2019-03-08 10:19 ` Laszlo Ersek
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 09/18] hw/nvram/fw_cfg: Free file_slots in common_unrealize() Philippe Mathieu-Daudé
2019-03-08 10:31 ` Laszlo Ersek
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 10/18] hw/nvram/fw_cfg: Add reboot_timeout to FWCfgState Philippe Mathieu-Daudé
2019-03-08 11:04 ` Laszlo Ersek
2019-03-08 11:22 ` Philippe Mathieu-Daudé
2019-03-08 11:29 ` Philippe Mathieu-Daudé
2019-03-08 13:48 ` Michael S. Tsirkin
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 11/18] hw/nvram/fw_cfg: Add boot_splash.time_le16 " Philippe Mathieu-Daudé
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 12/18] hw/nvram/fw_cfg: Keep reference of file_data in FWCfgState Philippe Mathieu-Daudé
2019-03-08 7:02 ` Thomas Huth
2019-03-08 11:16 ` Laszlo Ersek
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 13/18] hw/nvram/fw_cfg: Add QMP 'info fw_cfg' command Philippe Mathieu-Daudé
2019-03-08 2:04 ` Eric Blake
2019-03-08 11:08 ` Philippe Mathieu-Daudé
2019-03-08 17:31 ` Eric Blake
2019-03-08 18:07 ` Philippe Mathieu-Daudé
2019-03-08 20:00 ` Laszlo Ersek
2019-03-08 20:18 ` Philippe Mathieu-Daudé
2019-03-09 15:04 ` Markus Armbruster
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 14/18] hw/nvram/fw_cfg: Add HMP " Philippe Mathieu-Daudé
2019-03-08 15:49 ` Dr. David Alan Gilbert
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 15/18] hw/nvram/fw_cfg: Add fw_cfg_add_file_from_host() Philippe Mathieu-Daudé
2019-03-08 1:32 ` Philippe Mathieu-Daudé [this message]
2019-03-08 2:16 ` [Qemu-devel] [PATCH v2 16/18] hw/firmware: Add Edk2Crypto and edk2_add_host_crypto_policy() Eric Blake
2019-03-09 18:08 ` Philippe Mathieu-Daudé
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 17/18] hw/i386: Use edk2_add_host_crypto_policy() Philippe Mathieu-Daudé
2019-03-08 1:32 ` [Qemu-devel] [PATCH v2 18/18] hw/arm/virt: " Philippe Mathieu-Daudé
2019-03-08 11:25 ` [Qemu-devel] [PATCH v2 00/18] fw_cfg: reduce memleaks, add QMP/HMP info + edk2_add_host_crypto_policy Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190308013222.12524-17-philmd@redhat.com \
--to=philmd@redhat.com \
--cc=armbru@redhat.com \
--cc=atar4qemu@gmail.com \
--cc=berrange@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=dgilbert@redhat.com \
--cc=eblake@redhat.com \
--cc=ehabkost@redhat.com \
--cc=imammedo@redhat.com \
--cc=kraxel@redhat.com \
--cc=lersek@redhat.com \
--cc=marcel.apfelbaum@gmail.com \
--cc=mark.cave-ayland@ilande.co.uk \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-ppc@nongnu.org \
--cc=rth@twiddle.net \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).