From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>,
Andrew Jones <drjones@redhat.com>,
Eduardo Habkost <ehabkost@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
qemu-devel@nongnu.org, qemu-arm@nongnu.org,
Paolo Bonzini <pbonzini@redhat.com>,
Laszlo Ersek <lersek@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v5 1/3] hw/firmware: Add Edk2Crypto and edk2_add_host_crypto_policy()
Date: Mon, 24 Jun 2019 16:11:38 +0100 [thread overview]
Message-ID: <20190624151138.GJ17698@redhat.com> (raw)
In-Reply-To: <20190620122132.10075-2-philmd@redhat.com>
On Thu, Jun 20, 2019 at 02:21:30PM +0200, Philippe Mathieu-Daudé wrote:
> The Edk2Crypto object is used to hold configuration values specific
> to EDK2.
>
> The edk2_add_host_crypto_policy() function loads crypto policies
> from the host, and register them as fw_cfg named file items.
> So far only the 'https' policy is supported.
>
> A usercase example is the 'HTTPS Boof' feature of OVMF [*].
>
> Usage example:
>
> - via the command line:
>
> $ qemu-system-x86_64 \
> --object edk2_crypto,id=https,\
> ciphers=/etc/crypto-policies/back-ends/openssl.config,\
> cacerts=/etc/pki/ca-trust/extracted/edk2/cacerts.bin
>
> - via QMP:
>
> {
> "execute": "object-add",
> "arguments": {
> "qom-type": "edk2_crypto",
> "id": "https",
> "props": {
> "ciphers": "/etc/crypto-policies/back-ends/openssl.config",
> "cacerts": "/etc/pki/ca-trust/extracted/edk2/cacerts.bin"
> }
> }
> }
These commands / args create an object with ID "https" but you are
not telling anything to use this object, which makes me fear that
you have some code somewhere hardcoded to mandate an object with
an ID of "https".....
> +static void edk2_add_host_crypto_policy_https(FWCfgState *fw_cfg)
> +{
> + Edk2Crypto *s;
> +
> + s = edk2_crypto_by_policy_id("https", NULL);
....indeed you have hardcoded use of a particular object ID.
This is not good - choice of what strings to use for object IDs is something
for the the management app - QEMU must not be dictating certain magic IDs.
There needs to be a command line arg somewhere to tell the firmware what
object ID provides the data.
Given that you're triggering load of this object from the machine type
initializer code, having an arg to the -machine option is a natural
choice.
ie something like this:
$ qemu-system-x86_64 \
--object edk2_crypto,id=edkpolicy0,\
ciphers=/etc/crypto-policies/back-ends/openssl.config,\
cacerts=/etc/pki/ca-trust/extracted/edk2/cacerts.bin \
--machine q35,edk2_crypto_policy=edkpolicy0
I don't see a compelling reason to separate https policy out as an
explicit tunable, distinct from other, yet to be invented, needs for
crypto policy even if EDK2 itself is fine grained in this way.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2019-06-24 15:12 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-20 12:21 [Qemu-devel] [PATCH RESEND v5 0/3] fw_cfg: Add edk2_add_host_crypto_policy() Philippe Mathieu-Daudé
2019-06-20 12:21 ` [Qemu-devel] [PATCH v5 1/3] hw/firmware: Add Edk2Crypto and edk2_add_host_crypto_policy() Philippe Mathieu-Daudé
2019-06-24 14:53 ` Laszlo Ersek
2019-06-24 15:14 ` Laszlo Ersek
2019-06-24 15:23 ` Daniel P. Berrangé
2019-06-24 15:11 ` Daniel P. Berrangé [this message]
2019-06-20 12:21 ` [Qemu-devel] [PATCH v5 2/3] hw/i386: Use edk2_add_host_crypto_policy() Philippe Mathieu-Daudé
2019-06-24 15:00 ` Laszlo Ersek
2019-06-20 12:21 ` [Qemu-devel] [PATCH v5 3/3] hw/arm/virt: " Philippe Mathieu-Daudé
2019-06-24 15:01 ` Laszlo Ersek
2019-06-20 13:55 ` [Qemu-devel] [PATCH RESEND v5 0/3] fw_cfg: Add edk2_add_host_crypto_policy() Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190624151138.GJ17698@redhat.com \
--to=berrange@redhat.com \
--cc=drjones@redhat.com \
--cc=ehabkost@redhat.com \
--cc=lersek@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=philmd@redhat.com \
--cc=qemu-arm@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).