From 993aec27aa39aa90f89f227d8f82cc1f8062386e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Thu, 11 Oct 2018 20:21:11 +0200 Subject: crypto: Add tls-cipher-suites object MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On the host OS, various aspects of TLS operation are configurable. In particular it is possible for the sysadmin to control the TLS cipher/protocol algorithms that applications are permitted to use. * Any given crypto library has a built-in default priority list defined by the distro maintainer of the library package (or by upstream). * The "crypto-policies" RPM (or equivalent host OS package) provides a config file such as "/etc/crypto-policies/config", where the sysadmin can set a high level (library-independent) policy. The "update-crypto-policies --set" command (or equivalent) is used to translate the global policy to individual library representations, producing files such as "/etc/crypto-policies/back-ends/*.config". The generated files, if present, are loaded by the various crypto libraries to override their own built-in defaults. For example, the GNUTLS library may read "/etc/crypto-policies/back-ends/gnutls.config". * A management application (or the QEMU user) may override the system-wide crypto-policies config via their own config, if they need to diverge from the former. Thus the priority order is "QEMU user config" > "crypto-policies system config" > "library built-in config". Introduce the "tls-cipher-suites" object for exposing the ordered list of permitted TLS cipher suites from the host side to the guest firmware, via fw_cfg. The list is represented as an array of bytes. The priority at which the host-side policy is retrieved is given by the "priority" property of the new object type. For example, "priority=@SYSTEM" may be used to refer to "/etc/crypto-policies/back-ends/gnutls.config" (given that QEMU uses GNUTLS). The firmware uses the IANA_TLS_CIPHER array for configuring guest-side TLS, for example in UEFI HTTPS Boot.
[Description from Daniel P. Berrangé, edited by Laszlo Ersek.] Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Daniel P. Berrangé Acked-by: Laszlo Ersek Message-Id: <20200623172726.21040-2-philmd@redhat.com>
---
include/crypto/tls-cipher-suites.h | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 include/crypto/tls-cipher-suites.h
(limited to 'include')
diff --git a/include/crypto/tls-cipher-suites.h b/include/crypto/tls-cipher-suites.h
new file mode 100644
index 0000000..28b3a73
--- /dev/null
+++ b/include/crypto/tls-cipher-suites.h
@@ -0,0 +1,39 @@
+/*
+ * QEMU TLS Cipher Suites Registry (RFC8447)
+ *
+ * Copyright (c) 2018-2020 Red Hat, Inc.
+ *
+ * Author: Philippe Mathieu-Daudé
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef QCRYPTO_TLSCIPHERSUITES_H
+#define QCRYPTO_TLSCIPHERSUITES_H
+
+#include "qom/object.h"
+#include "crypto/tlscreds.h"
+
+#define TYPE_QCRYPTO_TLS_CIPHER_SUITES "tls-cipher-suites"
+#define QCRYPTO_TLS_CIPHER_SUITES(obj) \
+ OBJECT_CHECK(QCryptoTLSCipherSuites, (obj), TYPE_QCRYPTO_TLS_CIPHER_SUITES)
+
+typedef struct QCryptoTLSCipherSuites {
+ /* */
+ QCryptoTLSCreds parent_obj;
+ /* */
+} QCryptoTLSCipherSuites;
+
+/**
+ * qcrypto_tls_cipher_suites_get_data:
+ * @obj: pointer to a TLS cipher suites object
+ * @errp: pointer to a NULL-initialized error object
+ *
+ * Returns: reference to a byte array containing the data.
+ * The caller should release the reference when no longer
+ * required.
+ */
+GByteArray *qcrypto_tls_cipher_suites_get_data(QCryptoTLSCipherSuites *obj,
+ Error **errp);
+
+#endif /* QCRYPTO_TLSCIPHERSUITES_H */
-- cgit v1.1
From 3203148917d035b09f71986ac2eaa19a352d6d9d Mon Sep 17 00:00:00 2001
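Review bot: The field comments inside `struct QCryptoTLSCipherSuites` read `/* */` on both sides of `parent_obj`, which does not match the `/*< private >*/` / `/*< public >*/` markers used in the FWCfgDataGeneratorClass hunk of the following commit; if this is not a rendering artefact, they should be `/*< private >*/` before `parent_obj` and `/*< public >*/` after it. The doc comment on `qcrypto_tls_cipher_suites_get_data` also never says what the returned bytes are, even though the commit message describes them as the ordered list of permitted TLS cipher suites handed to guest firmware via fw_cfg; a line such as `Returns: reference to a byte array holding the ordered list of permitted TLS cipher suites, in the layout consumed by guest firmware via fw_cfg` would anchor that contract in the header itself. Whether NULL is returned with @errp set on failure is not stated either and presumably is the convention; one sentence would settle it for callers.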
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Thu, 14 May 2020 15:15:38 +0200 Subject: hw/nvram/fw_cfg: Add the FW_CFG_DATA_GENERATOR interface MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The FW_CFG_DATA_GENERATOR allows any object to produce blob of data consumable by the fw_cfg device. Reviewed-by: Laszlo Ersek Signed-off-by: Philippe Mathieu-Daudé Reviewed-by: Daniel P. Berrangé Message-Id: <20200623172726.21040-3-philmd@redhat.com>
---
include/hw/nvram/fw_cfg.h | 43 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
(limited to 'include')
diff --git a/include/hw/nvram/fw_cfg.h b/include/hw/nvram/fw_cfg.h
index 25d9307..11feae3 100644
--- a/include/hw/nvram/fw_cfg.h
+++ b/include/hw/nvram/fw_cfg.h
@@ -9,11 +9,36 @@
 #define TYPE_FW_CFG "fw_cfg"
 #define TYPE_FW_CFG_IO "fw_cfg_io"
 #define TYPE_FW_CFG_MEM "fw_cfg_mem"
+#define TYPE_FW_CFG_DATA_GENERATOR_INTERFACE "fw_cfg-data-generator"
 #define FW_CFG(obj) OBJECT_CHECK(FWCfgState, (obj), TYPE_FW_CFG)
 #define FW_CFG_IO(obj) OBJECT_CHECK(FWCfgIoState, (obj), TYPE_FW_CFG_IO)
 #define FW_CFG_MEM(obj) OBJECT_CHECK(FWCfgMemState, (obj), TYPE_FW_CFG_MEM)
+#define FW_CFG_DATA_GENERATOR_CLASS(class) \
+ OBJECT_CLASS_CHECK(FWCfgDataGeneratorClass, (class), \
+ TYPE_FW_CFG_DATA_GENERATOR_INTERFACE)
+#define FW_CFG_DATA_GENERATOR_GET_CLASS(obj) \
+ OBJECT_GET_CLASS(FWCfgDataGeneratorClass, (obj), \
+ TYPE_FW_CFG_DATA_GENERATOR_INTERFACE)
+
+typedef struct FWCfgDataGeneratorClass {
+ /*< private >*/
+ InterfaceClass parent_class;
+ /*< public >*/
+
+ /**
+ * get_data:
+ * @obj: the object implementing this interface
+ * @errp: pointer to a NULL-initialized error object
+ *
+ * Returns: reference to a byte array containing the data.
+ * The caller should release the reference when no longer
+ * required.
+ */
+ GByteArray *(*get_data)(Object *obj, Error **errp);
+} FWCfgDataGeneratorClass;
+
 typedef struct fw_cfg_file FWCfgFile;
 #define FW_CFG_ORDER_OVERRIDE_VGA 70
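Review bot: The `get_data` callback contract leaves failure unspecified: the doc lists @errp but does not say that a failing implementation returns NULL with @errp set, nor whether an empty array is a valid result, so implementers and the fw_cfg caller may disagree; suggest `Returns: reference to a byte array containing the data, or NULL on error (with @errp set).` if that is the intended convention. Since whatever this callback returns is copied into a fw_cfg item and thereby becomes readable by the guest, the interface doc should say so explicitly, e.g. `The returned data is exposed to the guest through fw_cfg; implementations must only return data intended to be guest-visible.` "release the reference" would also be clearer naming the call, `g_byte_array_unref()`, since GByteArray is reference-counted. The same failure-contract gap exists for `qcrypto_tls_cipher_suites_get_data` in the previous commit's header.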
@@ -263,6 +288,24 @@ void fw_cfg_add_file_callback(FWCfgState *s, const char *filename,
 void *fw_cfg_modify_file(FWCfgState *s, const char *filename, void *data,
 size_t len);
+/**
+ * fw_cfg_add_from_generator:
+ * @s: fw_cfg device being modified
+ * @filename: name of new fw_cfg file item
+ * @gen_id: name of object implementing FW_CFG_DATA_GENERATOR interface
+ * @errp: pointer to a NULL initialized error object
+ *
+ * Add a new NAMED fw_cfg item with the content generated from the
+ * @gen_id object. The data generated by the @gen_id object is copied
+ * into the data structure of the fw_cfg device.
+ * The next available (unused) selector key starting at FW_CFG_FILE_FIRST
+ * will be used; also, a new entry will be added to the file directory
+ * structure residing at key value FW_CFG_FILE_DIR, containing the item name,
+ * data size, and assigned selector key value.
+ */
+void fw_cfg_add_from_generator(FWCfgState *s, const char *filename,
+ const char *gen_id, Error **errp);
+
 FWCfgState *fw_cfg_init_io_dma(uint32_t iobase, uint32_t dma_iobase,
 AddressSpace *dma_as);
 FWCfgState *fw_cfg_init_io(uint32_t iobase);
-- cgit v1.1
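Review bot: The doc for `fw_cfg_add_from_generator` does not state the error behaviour: what happens when @gen_id names no object, names one that does not implement FW_CFG_DATA_GENERATOR_INTERFACE, or when its get_data fails — presumably @errp is set and no item is added, and a sentence such as `On failure @errp is set and no fw_cfg item is added.` would complete the contract. Because the data is copied, it would also help to say that the reference obtained from get_data is released by fw_cfg after the copy, so callers and generators know who owns the GByteArray. Minor: `NULL initialized` should read `NULL-initialized` to match the wording in the `get_data` doc of the first hunk.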