From: Laszlo Ersek <lersek@redhat.com>
To: "Philippe Mathieu-Daudé" <philmd@redhat.com>, qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
Andrew Jones <drjones@redhat.com>,
"Daniel P. Berrange" <berrange@redhat.com>,
Eduardo Habkost <ehabkost@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
qemu-arm@nongnu.org, Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v5 1/3] hw/firmware: Add Edk2Crypto and edk2_add_host_crypto_policy()
Date: Mon, 24 Jun 2019 17:14:23 +0200 [thread overview]
Message-ID: <ebe04ce2-0e0a-c764-e235-3aabd420439e@redhat.com> (raw)
In-Reply-To: <6a0086e7-79ea-fc5e-6359-c1d4d256bf6e@redhat.com>
On 06/24/19 16:53, Laszlo Ersek wrote:
> (+Daniel)
>
> On 06/20/19 14:21, Philippe Mathieu-Daudé wrote:
>> $ qemu-system-x86_64 \
>> --object edk2_crypto,id=https,\
>> ciphers=/etc/crypto-policies/back-ends/openssl.config,\
>> cacerts=/etc/pki/ca-trust/extracted/edk2/cacerts.bin
(12) Regarding the command line. It just occurs to me that Daniel
suggested [*] that libvirt should not be taught about this feature
specifically.
Thus, I think we need properties that are "smarter" than plain
user-specified strings:
- they should have default values (the ones your example includes above)
- for each of the properties: if the default pathname fails to identify
a file, then treat it as a normal situation (leave the corresponding
fields NULL)
- if the user overrides the default, and the pathname resolution fails,
then that should generate an error
- the user should be permitted to override the default such that the
corresponding setting is disabled (i.e. no error, but also no loading)
It's too bad that I'm not sure about the right way to implement this. It
reminds me of On/Off/Auto, but only vaguely.
In fact, if we never want to teach libvirt about this feature, then we
essentially expect QEMU to auto-load these files, whenever they exist --
even if the guest ends up booting something other than edk2 firmware!
[*] https://bugzilla.redhat.com/show_bug.cgi?id=1536624#c11 --
unfortunately, this is a private RHBZ :(
Thanks
Laszlo
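The four resolution rules proposed above, as an added example in plain C that is not part of this patch series or of QEMU; the function name, the convention that an empty string means "disabled", and the use of access(2) as the existence check are assumptions made here:

```c
#include <string.h>
#include <unistd.h>

/* Outcome of resolving one crypto-policy property (ciphers or cacerts). */
typedef enum {
    POLICY_DISABLED,   /* nothing to load, and that is not an error */
    POLICY_LOADED,     /* *resolved names a readable file to load */
    POLICY_ERROR       /* user-specified path is unusable: fail the launch */
} PolicyStatus;

/*
 * user_value:   NULL when the user did not set the property,
 *               "" when the user explicitly disabled it (assumed convention),
 *               otherwise the pathname the user asked for.
 * default_path: the built-in default, e.g. the openssl.config path above.
 * resolved:     receives the pathname to load, or NULL when nothing is loaded.
 */
static PolicyStatus resolve_policy_path(const char *user_value,
                                        const char *default_path,
                                        const char **resolved)
{
    const char *candidate;
    int user_set = (user_value != NULL);

    *resolved = NULL;

    /* Rule 4: an explicit empty override disables the setting silently. */
    if (user_set && user_value[0] == '\0') {
        return POLICY_DISABLED;
    }

    candidate = user_set ? user_value : default_path;

    if (access(candidate, R_OK) == 0) {
        /* Rule 1: the default (or the override) names a readable file. */
        *resolved = candidate;
        return POLICY_LOADED;
    }

    if (user_set) {
        /* Rule 3: the user named a file that cannot be read; reject it. */
        return POLICY_ERROR;
    }

    /* Rule 2: the default is absent on this host; leave the field NULL. */
    return POLICY_DISABLED;
}
```

The asymmetry is the point: a missing default is tolerated so that unmodified hosts keep working, while a missing user-specified file fails loudly instead of silently launching without the policy the user asked for.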