[v4,0/4] fw_cfg: Add edk2_add_host_crypto_policy()

Message ID	20190312225632.29777-1-philmd@redhat.com
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@redhat.com> To: qemu-devel@nongnu.org Date: Tue, 12 Mar 2019 23:56:28 +0100 Message-Id: <20190312225632.29777-1-philmd@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: [Qemu-devel] [PATCH v4 0/4] fw_cfg: Add edk2_add_host_crypto_policy() Precedence: list Cc: Peter Maydell <peter.maydell@linaro.org>, Eduardo Habkost <ehabkost@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, =?utf-8?q?Philippe_Mathieu-Dau?= =?utf-8?b?ZMOp?= <philmd@redhat.com>, Markus Armbruster <armbru@redhat.com>, qemu-arm@nongnu.org, Gerd Hoffmann <kraxel@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>, Laszlo Ersek <lersek@redhat.com> Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
Series	fw_cfg: Add edk2_add_host_crypto_policy() \| expand [v4,0/4] fw_cfg: Add edk2_add_host_crypto_policy() [v4,1/4] hw/nvram/fw_cfg: Add fw_cfg_add_file_from_host() [v4,2/4] hw/firmware: Add Edk2Crypto and edk2_add_host_crypto_policy() [v4,3/4] hw/i386: Use edk2_add_host_crypto_policy() [v4,4/4] hw/arm/virt: Use edk2_add_host_crypto_policy()

Message ID

20190312225632.29777-1-philmd@redhat.com

Headers

From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@redhat.com>
To: qemu-devel@nongnu.org
Date: Tue, 12 Mar 2019 23:56:28 +0100
Message-Id: <20190312225632.29777-1-philmd@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: [Qemu-devel] [PATCH v4 0/4] fw_cfg: Add
	edk2_add_host_crypto_policy()
Precedence: list
Cc: Peter Maydell <peter.maydell@linaro.org>, Eduardo Habkost
	<ehabkost@redhat.com>, 	"Michael S. Tsirkin" <mst@redhat.com>,
	=?utf-8?q?Philippe_Mathieu-Dau?= =?utf-8?b?ZMOp?= <philmd@redhat.com>,
	Markus Armbruster <armbru@redhat.com>, qemu-arm@nongnu.org, 
	Gerd Hoffmann <kraxel@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>, 
	Laszlo Ersek <lersek@redhat.com>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>

Series

fw_cfg: Add edk2_add_host_crypto_policy() | expand

Message

Philippe Mathieu-Daudé March 12, 2019, 10:56 p.m. UTC

Hi,

This series consists of:
- add fw_cfg_add_file_from_host()
- add edk2_add_host_crypto_policy() and the Edk2Crypto object

The Edk2Crypto object is used to hold configuration values specific
to EDK2.

The edk2_add_host_crypto_policy() function loads crypto policies
from the host, and register them as fw_cfg named file items.

So far only the 'https' policy is supported.

A usercase example is the 'HTTPS Boof' feature of OVMF [*].

Usage example:

$ qemu-system-x86_64 \
    --object edk2_crypto,id=https,\
        ciphers=/etc/crypto-policies/back-ends/openssl.config,\
        cacerts=/etc/pki/ca-trust/extracted/edk2/cacerts.bin

(On Fedora these files are provided by the ca-certificates and
crypto-policies packages).

[*]: https://github.com/tianocore/edk2/blob/master/OvmfPkg/README

Since v3:
- Addressed Markus' comments (do not care about heap)
Since v2:
- Split of
Since v1:
- Addressed Michael and Laszlo comments.

Please review,

Phil.

$ git backport-diff -u fw_cfg_edk2_crypto_policies-v3
Key:
[####] : number of functional differences between upstream/downstream patch
The flags [FC] indicate (F)unctional and (C)ontextual differences, respectively

001/4:[0022] [FC] 'hw/nvram/fw_cfg: Add fw_cfg_add_file_from_host()'
002/4:[0085] [FC] 'hw/firmware: Add Edk2Crypto and edk2_add_host_crypto_policy()'
003/4:[0002] [FC] 'hw/i386: Use edk2_add_host_crypto_policy()'
004/4:[0002] [FC] 'hw/arm/virt: Use edk2_add_host_crypto_policy()'

v3: https://lists.gnu.org/archive/html/qemu-devel/2019-03/msg02965.html
v2: https://lists.gnu.org/archive/html/qemu-devel/2019-03/msg02522.html
v1: https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg01598.html

Philippe Mathieu-Daudé (4):
  hw/nvram/fw_cfg: Add fw_cfg_add_file_from_host()
  hw/firmware: Add Edk2Crypto and edk2_add_host_crypto_policy()
  hw/i386: Use edk2_add_host_crypto_policy()
  hw/arm/virt: Use edk2_add_host_crypto_policy()

 MAINTAINERS                             |   8 ++
 hw/Makefile.objs                        |   1 +
 hw/arm/virt.c                           |   7 +
 hw/firmware/Makefile.objs               |   1 +
 hw/firmware/uefi_edk2_crypto_policies.c | 182 ++++++++++++++++++++++++
 hw/i386/pc.c                            |   7 +
 hw/nvram/fw_cfg.c                       |  23 +++
 include/hw/firmware/uefi_edk2.h         |  30 ++++
 include/hw/nvram/fw_cfg.h               |  25 ++++
 9 files changed, 284 insertions(+)
 create mode 100644 hw/firmware/Makefile.objs
 create mode 100644 hw/firmware/uefi_edk2_crypto_policies.c
 create mode 100644 include/hw/firmware/uefi_edk2.h

Comments

Markus Armbruster March 13, 2019, 9:28 a.m. UTC | #1

Philippe Mathieu-Daudé <philmd@redhat.com> writes:

> Hi,
>
> This series consists of:
> - add fw_cfg_add_file_from_host()
> - add edk2_add_host_crypto_policy() and the Edk2Crypto object
>
> The Edk2Crypto object is used to hold configuration values specific
> to EDK2.
>
> The edk2_add_host_crypto_policy() function loads crypto policies
> from the host, and register them as fw_cfg named file items.
>
> So far only the 'https' policy is supported.
>
> A usercase example is the 'HTTPS Boof' feature of OVMF [*].
>
> Usage example:
>
> $ qemu-system-x86_64 \
>     --object edk2_crypto,id=https,\
>         ciphers=/etc/crypto-policies/back-ends/openssl.config,\
>         cacerts=/etc/pki/ca-trust/extracted/edk2/cacerts.bin
>
> (On Fedora these files are provided by the ca-certificates and
> crypto-policies packages).
>
> [*]: https://github.com/tianocore/edk2/blob/master/OvmfPkg/README
>
> Since v3:
> - Addressed Markus' comments (do not care about heap)
> Since v2:
> - Split of
> Since v1:
> - Addressed Michael and Laszlo comments.
>
> Please review,

I can't pass judgement on the feature's utility, but the code looks sane
to me.

Reviewed-by: Markus Armbruster <armbru@redhat.com>

Laszlo Ersek March 13, 2019, 10:44 a.m. UTC | #2

On 03/12/19 23:56, Philippe Mathieu-Daudé wrote:
> Hi,
> 
> This series consists of:
> - add fw_cfg_add_file_from_host()
> - add edk2_add_host_crypto_policy() and the Edk2Crypto object
> 
> The Edk2Crypto object is used to hold configuration values specific
> to EDK2.
> 
> The edk2_add_host_crypto_policy() function loads crypto policies
> from the host, and register them as fw_cfg named file items.
> 
> So far only the 'https' policy is supported.
> 
> A usercase example is the 'HTTPS Boof' feature of OVMF [*].
> 
> Usage example:
> 
> $ qemu-system-x86_64 \
>     --object edk2_crypto,id=https,\
>         ciphers=/etc/crypto-policies/back-ends/openssl.config,\
>         cacerts=/etc/pki/ca-trust/extracted/edk2/cacerts.bin
> 
> (On Fedora these files are provided by the ca-certificates and
> crypto-policies packages).
> 
> [*]: https://github.com/tianocore/edk2/blob/master/OvmfPkg/README
> 
> Since v3:
> - Addressed Markus' comments (do not care about heap)
> Since v2:
> - Split of
> Since v1:
> - Addressed Michael and Laszlo comments.
> 
> Please review,

sorry about seeing this just now. My email load has been extreme, and
the only way I can deal with it is a *strict* FIFO approach. It gives me
unparalleled throughput [*] and acceptable latency, but it does cause me
to respond to out-of-date emails on occasion.

[*] "unparalleled" not by other people, but by other workflows I could
choose

Nevertheless I think my comments under v3 apply just the same here.

Thanks
Laszlo

Philippe Mathieu-Daudé March 13, 2019, 11:25 a.m. UTC | #3

On 3/13/19 11:44 AM, Laszlo Ersek wrote:
> On 03/12/19 23:56, Philippe Mathieu-Daudé wrote:
>> Hi,
>>
>> This series consists of:
>> - add fw_cfg_add_file_from_host()
>> - add edk2_add_host_crypto_policy() and the Edk2Crypto object
>>
>> The Edk2Crypto object is used to hold configuration values specific
>> to EDK2.
>>
>> The edk2_add_host_crypto_policy() function loads crypto policies
>> from the host, and register them as fw_cfg named file items.
>>
>> So far only the 'https' policy is supported.
>>
>> A usercase example is the 'HTTPS Boof' feature of OVMF [*].
>>
>> Usage example:
>>
>> $ qemu-system-x86_64 \
>>     --object edk2_crypto,id=https,\
>>         ciphers=/etc/crypto-policies/back-ends/openssl.config,\
>>         cacerts=/etc/pki/ca-trust/extracted/edk2/cacerts.bin
>>
>> (On Fedora these files are provided by the ca-certificates and
>> crypto-policies packages).
>>
>> [*]: https://github.com/tianocore/edk2/blob/master/OvmfPkg/README
>>
>> Since v3:
>> - Addressed Markus' comments (do not care about heap)
>> Since v2:
>> - Split of
>> Since v1:
>> - Addressed Michael and Laszlo comments.
>>
>> Please review,
> 
> sorry about seeing this just now. My email load has been extreme, and
> the only way I can deal with it is a *strict* FIFO approach. It gives me
> unparalleled throughput [*] and acceptable latency, but it does cause me
> to respond to out-of-date emails on occasion.
> 
> [*] "unparalleled" not by other people, but by other workflows I could
> choose
> 
> Nevertheless I think my comments under v3 apply just the same here.

Yes, I'll work on v5 based on your v3 comments.

Thanks!

Phil.