[v1,01/24] Add -boot-certificates /path/dir:/path/file option in QEMU command line

Message ID 20250408155527.123341-2-zycai@linux.ibm.com (mailing list archive)
State New
Series Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices

Commit Message

Zhuoying Cai April 8, 2025, 3:55 p.m. UTC
The `-boot-certificates /path/dir:/path/file` option is implemented
to provide path to either a directory or a single certificate.

Multiple paths can be delineated using a colon.

Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
---
 qemu-options.hx | 11 +++++++++++
 system/vl.c     | 22 ++++++++++++++++++++++
 2 files changed, 33 insertions(+)

Comments

Thomas Huth April 11, 2025, 10:44 a.m. UTC | #1
On 08/04/2025 17.55, Zhuoying Cai wrote:
> The `-boot-certificates /path/dir:/path/file` option is implemented
> to provide path to either a directory or a single certificate.
> 
> Multiple paths can be delineated using a colon.
> 
> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
> ---
>   qemu-options.hx | 11 +++++++++++
>   system/vl.c     | 22 ++++++++++++++++++++++
>   2 files changed, 33 insertions(+)
> 
> diff --git a/qemu-options.hx b/qemu-options.hx
> index dc694a99a3..b460c63490 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -1251,6 +1251,17 @@ SRST
>       Set system UUID.
>   ERST
>   
> +DEF("boot-certificates", HAS_ARG, QEMU_OPTION_boot_certificates,
> +    "-boot-certificates /path/directory:/path/file\n"
> +    "                  Provide a path to a directory or a boot certificate.\n"
> +    "                  A colon may be used to delineate multiple paths.\n",
> +    QEMU_ARCH_S390X)
> +SRST
> +``-boot-certificates /path/directory:/path/file``
> +    Provide a path to a directory or a boot certificate.
> +    A colon may be used to delineate multiple paths.
> +ERST

Unless there is a really, really good reason for introducing new top-level 
options to QEMU, this should rather be added to one of the existing options 
instead.

I assume this is very specific to s390x, isn't it? So the best way is likely 
to add this as a parameter of the machine type option, so that the user 
would specify:

  qemu-system-s390x -machine s390-ccw-virtio,boot-certificates=/path/to/certs

See the other object_class_property_add() statements in 
ccw_machine_class_init() for some examples how to do this.

  Thomas

Daniel P. Berrangé April 11, 2025, 12:57 p.m. UTC | #2
On Fri, Apr 11, 2025 at 12:44:17PM +0200, Thomas Huth wrote:
> On 08/04/2025 17.55, Zhuoying Cai wrote:
> > The `-boot-certificates /path/dir:/path/file` option is implemented
> > to provide path to either a directory or a single certificate.
> > 
> > Multiple paths can be delineated using a colon.
> > 
> > Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
> > ---
> >   qemu-options.hx | 11 +++++++++++
> >   system/vl.c     | 22 ++++++++++++++++++++++
> >   2 files changed, 33 insertions(+)
> > 
> > diff --git a/qemu-options.hx b/qemu-options.hx
> > index dc694a99a3..b460c63490 100644
> > --- a/qemu-options.hx
> > +++ b/qemu-options.hx
> > @@ -1251,6 +1251,17 @@ SRST
> >       Set system UUID.
> >   ERST
> > +DEF("boot-certificates", HAS_ARG, QEMU_OPTION_boot_certificates,
> > +    "-boot-certificates /path/directory:/path/file\n"
> > +    "                  Provide a path to a directory or a boot certificate.\n"
> > +    "                  A colon may be used to delineate multiple paths.\n",
> > +    QEMU_ARCH_S390X)
> > +SRST
> > +``-boot-certificates /path/directory:/path/file``
> > +    Provide a path to a directory or a boot certificate.
> > +    A colon may be used to delineate multiple paths.
> > +ERST
> 
> Unless there is a really, really good reason for introducing new top-level
> options to QEMU, this should rather be added to one of the existing options
> instead.
> 
> I assume this is very specific to s390x, isn't it? So the best way is likely
> to add this as a parameter of the machine type option, so that the user
> would specify:
> 
>  qemu-system-s390x -machine s390-ccw-virtio,boot-certificates=/path/to/certs
> 
> See the other object_class_property_add() statements in
> ccw_machine_class_init() for some examples how to do this.

With other arches that use EDK2 (x86, arm64, riscv64, loongarch64) we
pass this info via fw_cfg

   -fw_cfg name=etc/edk2/https/cacerts,file=<certdb>

Assuming this series is trying to implement a pre-existing s390x machine
standard for passing certs, then it seems inevitable that it will need
a different config approach than we use for EDK2.

With regards,
Daniel

Daniel P. Berrangé April 11, 2025, 1:33 p.m. UTC | #3
On Fri, Apr 11, 2025 at 01:57:26PM +0100, Daniel P. Berrangé wrote:
> On Fri, Apr 11, 2025 at 12:44:17PM +0200, Thomas Huth wrote:
> > On 08/04/2025 17.55, Zhuoying Cai wrote:
> > > The `-boot-certificates /path/dir:/path/file` option is implemented
> > > to provide path to either a directory or a single certificate.
> > > 
> > > Multiple paths can be delineated using a colon.
> > > 
> > > Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
> > > ---
> > >   qemu-options.hx | 11 +++++++++++
> > >   system/vl.c     | 22 ++++++++++++++++++++++
> > >   2 files changed, 33 insertions(+)
> > > 
> > > diff --git a/qemu-options.hx b/qemu-options.hx
> > > index dc694a99a3..b460c63490 100644
> > > --- a/qemu-options.hx
> > > +++ b/qemu-options.hx
> > > @@ -1251,6 +1251,17 @@ SRST
> > >       Set system UUID.
> > >   ERST
> > > +DEF("boot-certificates", HAS_ARG, QEMU_OPTION_boot_certificates,
> > > +    "-boot-certificates /path/directory:/path/file\n"
> > > +    "                  Provide a path to a directory or a boot certificate.\n"
> > > +    "                  A colon may be used to delineate multiple paths.\n",
> > > +    QEMU_ARCH_S390X)
> > > +SRST
> > > +``-boot-certificates /path/directory:/path/file``
> > > +    Provide a path to a directory or a boot certificate.
> > > +    A colon may be used to delineate multiple paths.
> > > +ERST
> > 
> > Unless there is a really, really good reason for introducing new top-level
> > options to QEMU, this should rather be added to one of the existing options
> > instead.
> > 
> > I assume this is very specific to s390x, isn't it? So the best way is likely
> > to add this as a parameter of the machine type option, so that the user
> > would specify:
> > 
> >  qemu-system-s390x -machine s390-ccw-virtio,boot-certificates=/path/to/certs
> > 
> > See the other object_class_property_add() statements in
> > ccw_machine_class_init() for some examples how to do this.
> 
> With other arches that use EDK2 (x86, arm64, riscv64, loongarch64) we
> pass this info via fw_cfg

s/this info/this kind of info/

because technically the stuff below is certs for PXE boot downloads,
not certs for secureboot. The latter are hardcoded in the EDK varstore
at boot time, so any setup of certs for secureboot is out of band
from QEMU startup

> 
>    -fw_cfg name=etc/edk2/https/cacerts,file=<certdb>
> 
> Assuming this series is trying to implement a pre-existing s390x machine
> standard for passing certs, then it seems inevitable that it will need
> a different config approach than we use for EDK2.
> 
> With regards,
> Daniel
> -- 
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
> 
> 

With regards,
Daniel

Zhuoying Cai April 11, 2025, 5:45 p.m. UTC | #4
On 4/11/25 8:57 AM, Daniel P. Berrangé wrote:
> On Fri, Apr 11, 2025 at 12:44:17PM +0200, Thomas Huth wrote:
>> On 08/04/2025 17.55, Zhuoying Cai wrote:
>>> The `-boot-certificates /path/dir:/path/file` option is implemented
>>> to provide path to either a directory or a single certificate.
>>>
>>> Multiple paths can be delineated using a colon.
>>>
>>> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
>>> ---
>>>   qemu-options.hx | 11 +++++++++++
>>>   system/vl.c     | 22 ++++++++++++++++++++++
>>>   2 files changed, 33 insertions(+)
>>>
>>> diff --git a/qemu-options.hx b/qemu-options.hx
>>> index dc694a99a3..b460c63490 100644
>>> --- a/qemu-options.hx
>>> +++ b/qemu-options.hx
>>> @@ -1251,6 +1251,17 @@ SRST
>>>       Set system UUID.
>>>   ERST
>>> +DEF("boot-certificates", HAS_ARG, QEMU_OPTION_boot_certificates,
>>> +    "-boot-certificates /path/directory:/path/file\n"
>>> +    "                  Provide a path to a directory or a boot certificate.\n"
>>> +    "                  A colon may be used to delineate multiple paths.\n",
>>> +    QEMU_ARCH_S390X)
>>> +SRST
>>> +``-boot-certificates /path/directory:/path/file``
>>> +    Provide a path to a directory or a boot certificate.
>>> +    A colon may be used to delineate multiple paths.
>>> +ERST
>>
>> Unless there is a really, really good reason for introducing new top-level
>> options to QEMU, this should rather be added to one of the existing options
>> instead.
>>
>> I assume this is very specific to s390x, isn't it? So the best way is likely
>> to add this as a parameter of the machine type option, so that the user
>> would specify:
>>
>>  qemu-system-s390x -machine s390-ccw-virtio,boot-certificates=/path/to/certs
>>
>> See the other object_class_property_add() statements in
>> ccw_machine_class_init() for some examples how to do this.
> 
> With other arches that use EDK2 (x86, arm64, riscv64, loongarch64) we
> pass this info via fw_cfg
> 
>    -fw_cfg name=etc/edk2/https/cacerts,file=<certdb>
> 
> Assuming this series is trying to implement a pre-existing s390x machine
> standard for passing certs, then it seems inevitable that it will need
> a different config approach than we use for EDK2.
> 
> With regards,
> Daniel

Thank you for your feedback.

The -boot-certificates option aims to provide a path to either a
directory or a single certificate on the host. The certificate(s) will
be loaded into the key store and used during signature verification.

s390x will likely need to handle certificates differently from other
architectures.

Regards,
Joy
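
The host-side input described in the reply above (a colon-delimited list whose entries are each a directory or a single certificate file) can be checked entry by entry before anything is loaded into a key store. This is an added example, not code from the patch series or from QEMU; the enum and function names and the 4096-byte entry limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical names for this example; none of them are QEMU identifiers. */
enum cert_path_kind { CERT_PATH_INVALID, CERT_PATH_FILE, CERT_PATH_DIR };

/* Accept only regular files and directories (stat() follows symlinks). */
static enum cert_path_kind classify_cert_path(const char *path)
{
    struct stat st;

    if (path[0] == '\0' || stat(path, &st) != 0) {
        return CERT_PATH_INVALID;      /* empty entry or missing path */
    }
    return S_ISREG(st.st_mode) ? CERT_PATH_FILE :
           S_ISDIR(st.st_mode) ? CERT_PATH_DIR : CERT_PATH_INVALID;
}

/* Check a colon-delimited list: returns 0 if every entry is usable, else -1
 * with *bad set to the 0-based index of the first rejected entry. */
static int check_cert_path_list(const char *list, int *nfiles, int *ndirs,
                                int *bad)
{
    const char *p = list;

    *nfiles = *ndirs = 0;
    *bad = -1;
    for (int idx = 0; ; idx++) {
        size_t len = strcspn(p, ":");  /* 0 for an empty field, as in "a::b" */
        char entry[4096];              /* assumed per-entry length limit */
        enum cert_path_kind kind = CERT_PATH_INVALID;

        if (len < sizeof(entry)) {     /* over-long entries stay invalid */
            memcpy(entry, p, len);
            entry[len] = '\0';
            kind = classify_cert_path(entry);
        }
        if (kind == CERT_PATH_INVALID) {
            fprintf(stderr, "entry %d: no such regular file or directory\n", idx);
            *bad = idx;
            return -1;
        }
        *(kind == CERT_PATH_FILE ? nfiles : ndirs) += 1;
        if (p[len] == '\0') {
            return 0;
        }
        p += len + 1;
    }
}
```

Device nodes, FIFOs, empty fields and trailing colons are all rejected, so a malformed list fails at startup instead of yielding a smaller set of certificates than the operator intended.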
diff mbox series

Patch

diff --git a/qemu-options.hx b/qemu-options.hx
index dc694a99a3..b460c63490 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1251,6 +1251,17 @@  SRST
     Set system UUID.
 ERST
 
+DEF("boot-certificates", HAS_ARG, QEMU_OPTION_boot_certificates,
+    "-boot-certificates /path/directory:/path/file\n"
+    "                  Provide a path to a directory or a boot certificate.\n"
+    "                  A colon may be used to delineate multiple paths.\n",
+    QEMU_ARCH_S390X)
+SRST
+``-boot-certificates /path/directory:/path/file``
+    Provide a path to a directory or a boot certificate.
+    A colon may be used to delineate multiple paths.
+ERST
+
 DEFHEADING()
 
 DEFHEADING(Block device options:)
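
Review bot: The help string and the SRST entry do not say what format a boot certificate file must be in, which files are used when the path is a directory, or how a path that itself contains a colon can be given now that the colon is the list separator. Please document these in both places, and consider "separate" instead of "delineate" in "A colon may be used to delineate multiple paths". The replies above also question whether this should be a new top-level option at all, which would move this text elsewhere.
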
diff --git a/system/vl.c b/system/vl.c
index ec93988a03..bd6197c887 100644
--- a/system/vl.c
+++ b/system/vl.c
@@ -510,6 +510,20 @@  static QemuOptsList qemu_action_opts = {
     },
 };
 
+static QemuOptsList qemu_boot_certificates_opts = {
+    .name = "boot-certificates",
+    .implied_opt_name = "boot-certificates",
+    .merge_lists = true,
+    .head = QTAILQ_HEAD_INITIALIZER(qemu_boot_certificates_opts.head),
+    .desc = {
+       {
+           .name = "boot-certificates",
+           .type = QEMU_OPT_STRING,
+       },
+        { /* end of list */}
+    },
+};
+
 const char *qemu_get_vm_name(void)
 {
     return qemu_name;
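
Review bot: With `.merge_lists = true` and a single `QEMU_OPT_STRING` entry named the same as `.implied_opt_name`, this hunk does not make clear what giving `-boot-certificates` more than once is meant to do (add to the list of paths, or replace it). Please state the intended behaviour in the commit message and the option documentation. The `.desc` initializer is also indented inconsistently: the `{` that opens the `boot-certificates` entry and its two members sit one column short of the `{ /* end of list */}` line.
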
@@ -2879,6 +2893,7 @@  void qemu_init(int argc, char **argv)
     qemu_add_opts(&qemu_semihosting_config_opts);
     qemu_add_opts(&qemu_fw_cfg_opts);
     qemu_add_opts(&qemu_action_opts);
+    qemu_add_opts(&qemu_boot_certificates_opts);
     qemu_add_run_with_opts();
     module_call_init(MODULE_INIT_OPTS);
 
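
Review bot: `qemu_add_opts(&qemu_boot_certificates_opts)` is called in `qemu_init()` for every target, while the `DEF()` in qemu-options.hx restricts the option to `QEMU_ARCH_S390X`. If the option remains s390x-only, keeping its state with the s390x machine (for example as a machine property, as suggested in the first reply) avoids registering a list in common code that no other target can fill.
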
@@ -3024,6 +3039,13 @@  void qemu_init(int argc, char **argv)
             case QEMU_OPTION_boot:
                 machine_parse_property_opt(qemu_find_opts("boot-opts"), "boot", optarg);
                 break;
+            case QEMU_OPTION_boot_certificates:
+                opts = qemu_opts_parse_noisily(qemu_find_opts("boot-certificates"),
+                                               optarg, true);
+                if (!opts) {
+                    exit(1);
+                }
+                break;
             case QEMU_OPTION_fda:
             case QEMU_OPTION_fdb:
                 drive_add(IF_FLOPPY, popt->index - QEMU_OPTION_fda,
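
Review bot: The new `case QEMU_OPTION_boot_certificates` only checks that `qemu_opts_parse_noisily()` returned non-NULL; nothing in this patch checks that each colon-separated entry exists and is a file or a directory, so a mistyped path is accepted here and can only surface later. Since these paths supply the certificates used for signature verification, it would be better to reject bad entries at startup with a clear error, or to say in the commit message which later patch in the series does that. Because `optarg` goes through the option-list parser instead of being taken as a literal string, the documentation should also say how a path containing a comma has to be written.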