On Fri, May 29, 2020 at 01:09:22PM +0200, Laszlo Ersek wrote: > On 05/28/20 19:31, Philippe Mathieu-Daudé wrote: > (2) We need an actual commit message for this patch. How about the > following -- I have liberally stolen and edited comments that Daniel > made earlier in the Red Hat Bugzilla: > > ---v--- ---v--- ---v--- ---v--- > On the host OS, various aspects of TLS operation are configurable. In > particular it is possible for the sysadmin to control the TLS > cipher/protocol algorithms that applications are permitted to use. > > * Any given crypto library has a built-in default priority list defined by > the distro maintainer of the libary package (or by upstream). > > * The "crypto-policies" RPM (or equivalent host OS package) provides a > config file such as "/etc/crypto-policies/config", where the sysadmin > can set a high level (library-independent) policy. > > The "update-crypto-policies --set" command (or equivalent) is used to > translate the global policy to individual library representations, > producing files such as "/etc/crypto-policies/back-ends/*.config". The > generated files, if present, are loaded by the various crypto libraries > to override their own built-in defaults. > > For example, the GNUTLS library may read > "/etc/crypto-policies/back-ends/gnutls.config". > > * A management application (or the QEMU user) may overide the system-wide > crypto-policies config via their own config, if they need to diverge > from the former. > > Thus the priority order is "QEMU user config" > "crypto-policies system > config" > "library built-in config". > > Introduce the "tls-cipher-suites" object for exposing the ordered list of > permitted TLS cipher suites from the host side to the firmware, via > fw_cfg. The list is represented as an array of IANA_TLS_CIPHER objects. > The firmware uses the IANA_TLS_CIPHER array for configuring guest-side > TLS, for example in UEFI HTTPS Boot. > > The priority at which the host-side policy is retrieved is given by the > "priority" property of the new object type. For example, > "priority=@SYSTEM" may be used to refer to > "/etc/crypto-policies/back-ends/gnutls.config" (given that QEMU uses > GNUTLS). > ---^--- ---^--- ---^--- ---^--- > > (3) I think I have now at least formed an idea about where we should > document -fw_cfg / "gen_id" in the *manual*. > > The various -object types are already documented extensively; namely in > section "Generic object creation". Thus, I think we should document > "tls-cipher-suites" there -- near the already existent "-object tls-*" > ones. > > I suggest including a manual update to that effect. I think we can mostly > copy the suggested commit message into the manual as well. > > And then, we can include the new "-fw_cfg" command line option (with > "gen_id") *right there*. Consequently, we won't need to modify the > existent "-fw_cfg" documentation bits (about "file" and "string") under > section "Debug/Expert options". > > Dan: please comment!
I don't really have anything else to say. More docs == better Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
