[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-arm] [Qemu-devel] [PATCH v5 1/3] hw/firmware: Add Edk2Crypto a

From: Laszlo Ersek
Subject: Re: [Qemu-arm] [Qemu-devel] [PATCH v5 1/3] hw/firmware: Add Edk2Crypto and edk2_add_host_crypto_policy()
Date: Mon, 24 Jun 2019 17:14:23 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

On 06/24/19 16:53, Laszlo Ersek wrote:
> (+Daniel)
> On 06/20/19 14:21, Philippe Mathieu-Daudé wrote:

>>   $ qemu-system-x86_64 \
>>       --object edk2_crypto,id=https,\
>>               ciphers=/etc/crypto-policies/back-ends/openssl.config,\
>>               cacerts=/etc/pki/ca-trust/extracted/edk2/cacerts.bin

(12) Regarding the command line. It just occurs to me that Daniel
suggested [*] that libvirt should not be taught about this feature

Thus, I think we need properties that are "smarter" than plain
user-specified strings:

- they should have default values (the ones your example includes above)

- for each of the properties: if the default pathname fails to identify
a file, then treat it as a normal situation (leave the corresponding
fields NULL)

- if the user overrides the default, and the pathname resolution fails,
then that should generate an error

- the user should be permitted to override the default such that the
corresponding setting is disabled (i.e. no error, but also no loading)

It's too bad that I'm not sure about the right way to implement this. It
reminds me of On/Off/Auto, but only vaguely.

In fact, if we never want to teach libvirt about this feature, then we
essentially expect QEMU to auto-load these files, whenever they exist --
even if the guest ends up booting something other than edk2 firmware!

[*] https://bugzilla.redhat.com/show_bug.cgi?id=1536624#c11 --
unfortunately, this is a private RHBZ :(


reply via email to

[Prev in Thread] Current Thread [Next in Thread]