On 05/29/20 13:18, Daniel P. Berrangé wrote: > On Fri, May 29, 2020 at 01:09:22PM +0200, Laszlo Ersek wrote: >> On 05/28/20 19:31, Philippe Mathieu-Daudé wrote: >> (2) We need an actual commit message for this patch. How about the >> following -- I have liberally stolen and edited comments that Daniel >> made earlier in the Red Hat Bugzilla: >> >> ---v--- ---v--- ---v--- ---v--- >> On the host OS, various aspects of TLS operation are configurable. In >> particular it is possible for the sysadmin to control the TLS >> cipher/protocol algorithms that applications are permitted to use. >> >> * Any given crypto library has a built-in default priority list defined by >> the distro maintainer of the libary package (or by upstream). >> >> * The "crypto-policies" RPM (or equivalent host OS package) provides a >> config file such as "/etc/crypto-policies/config", where the sysadmin >> can set a high level (library-independent) policy. >> >> The "update-crypto-policies --set" command (or equivalent) is used to >> translate the global policy to individual library representations, >> producing files such as "/etc/crypto-policies/back-ends/*.config". The >> generated files, if present, are loaded by the various crypto libraries >> to override their own built-in defaults. >> >> For example, the GNUTLS library may read >> "/etc/crypto-policies/back-ends/gnutls.config". >> >> * A management application (or the QEMU user) may overide the system-wide >> crypto-policies config via their own config, if they need to diverge >> from the former. >> >> Thus the priority order is "QEMU user config" > "crypto-policies system >> config" > "library built-in config". >> >> Introduce the "tls-cipher-suites" object for exposing the ordered list of >> permitted TLS cipher suites from the host side to the firmware, via >> fw_cfg. The list is represented as an array of IANA_TLS_CIPHER objects. >> The firmware uses the IANA_TLS_CIPHER array for configuring guest-side >> TLS, for example in UEFI HTTPS Boot. >> >> The priority at which the host-side policy is retrieved is given by the >> "priority" property of the new object type. For example, >> "priority=@SYSTEM" may be used to refer to >> "/etc/crypto-policies/back-ends/gnutls.config" (given that QEMU uses >> GNUTLS). >> ---^--- ---^--- ---^--- ---^--- >> >> (3) I think I have now at least formed an idea about where we should >> document -fw_cfg / "gen_id" in the *manual*. >> >> The various -object types are already documented extensively; namely in >> section "Generic object creation". Thus, I think we should document >> "tls-cipher-suites" there -- near the already existent "-object tls-*" >> ones. >> >> I suggest including a manual update to that effect. I think we can mostly >> copy the suggested commit message into the manual as well. >> >> And then, we can include the new "-fw_cfg" command line option (with >> "gen_id") *right there*. Consequently, we won't need to modify the >> existent "-fw_cfg" documentation bits (about "file" and "string") under >> section "Debug/Expert options". >> >> Dan: please comment! > > I don't really have anything else to say. More docs == better
Thanks! Just wanted to be sure I wasn't suggesting something egregious. Laszlo
