Hi Eric,

On 3/8/19 3:16 AM, Eric Blake wrote:
> On 3/7/19 7:32 PM, Philippe Mathieu-Daudé wrote:
>> The Edk2Crypto object is used to hold configuration values specific
>> to EDK2.
>>
>> The edk2_add_host_crypto_policy() function loads crypto policies
>> from the host, and register them as fw_cfg named file items.
>> So far only the 'https' policy is supported.
>>
>> An usercase example is the 'HTTPS Boot' feature of OVMF [*].
>
> s/An/A/ since "user" is a pronounced or hard 'u' (English is funny, but
> the rule of thumb is you add the consonant only before a soft u, and not
> a pronounced one; as in "give an umbrella to a unicorn")

I appreciate the correction, thanks :)

>>
>> Usage example:
>>
>> $ qemu-system-x86_64 \
>>     -object edk2_crypto,id=https,\
>
> Might as well use --object (both spellings work for qemu, but since
> --object is the only spelling for qemu-img/qemu-nbd, being consistent
> between the lot is useful).

$ git grep -- ' -object ' | wc -l
83

^ cover various subsystems:

$ git grep -l -- ' -object '
docs/amd-memory-encryption.txt
docs/can.txt
docs/memory-hotplug.txt
docs/nvdimm.txt
docs/pr-manager.rst
docs/pvrdma.txt
docs/replay.txt
hw/virtio/vhost-user.c
include/authz/listfile.h
include/authz/pamacct.h
include/authz/simple.h
include/crypto/secret.h
include/crypto/tlscredsanon.h
include/crypto/tlscredsx509.h
qapi/misc.json
qemu-doc.texi
qemu-options.hx
target/i386/sev_i386.h
tests/bios-tables-test.c
tests/qemu-iotests/127
tests/qemu-iotests/200
tests/vhost-user-test.c

$ git grep -- ' --object ' | wc -l
252

^ mostly for the block subsystem:

$ git grep -l -- ' --object '
block/vxhs.c
include/crypto/tlscredspsk.h
qemu-doc.texi
qemu-img.texi
qemu-io.c
qemu-nbd.c
qemu-nbd.texi
tests/qemu-iotests/049
tests/qemu-iotests/049.out
tests/qemu-iotests/087
tests/qemu-iotests/134
tests/qemu-iotests/149.out
tests/qemu-iotests/158
tests/qemu-iotests/178
tests/qemu-iotests/188
tests/qemu-iotests/189
tests/qemu-iotests/198
tests/qemu-iotests/233

I'll change, but I'm not sure what is the default we should enforce...

>
>>         ciphers=/etc/crypto-policies/back-ends/openssl.config,\
>>         cacerts=/etc/pki/ca-trust/extracted/edk2/cacerts.bin
>
> (I really should follow through on my threat to teach QemuOpts to ignore
> whitespace after ','; but for this commit message, it's obvious the
> indentation has to be stripped for the command line to be valid)
>
>>
>> (On Fedora these files are provided by the ca-certificates and
>> crypto-policies packages).
>>
>> [*]: https://github.com/tianocore/edk2/blob/master/OvmfPkg/README
>>
>> Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com>
>> ---