On Fri, Apr 11, 2025 at 12:44:17PM +0200, Thomas Huth wrote:
> On 08/04/2025 17.55, Zhuoying Cai wrote:
> > The `-boot-certificates /path/dir:/path/file` option is implemented
> > to provide path to either a directory or a single certificate.
> > 
> > Multiple paths can be delineated using a colon.
> > 
> > Signed-off-by: Zhuoying Cai <zy...@linux.ibm.com>
> > ---
> >   qemu-options.hx | 11 +++++++++++
> >   system/vl.c     | 22 ++++++++++++++++++++++
> >   2 files changed, 33 insertions(+)
> > 
> > diff --git a/qemu-options.hx b/qemu-options.hx
> > index dc694a99a3..b460c63490 100644
> > --- a/qemu-options.hx
> > +++ b/qemu-options.hx
> > @@ -1251,6 +1251,17 @@ SRST
> >       Set system UUID.
> >   ERST
> > +DEF("boot-certificates", HAS_ARG, QEMU_OPTION_boot_certificates,
> > +    "-boot-certificates /path/directory:/path/file\n"
> > +    "                  Provide a path to a directory or a boot 
> > certificate.\n"
> > +    "                  A colon may be used to delineate multiple paths.\n",
> > +    QEMU_ARCH_S390X)
> > +SRST
> > +``-boot-certificates /path/directory:/path/file``
> > +    Provide a path to a directory or a boot certificate.
> > +    A colon may be used to delineate multiple paths.
> > +ERST
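Review bot: the help text and the SRST entry for -boot-certificates give the colon as the only separator and document no escape, so a path that itself contains a colon cannot be expressed. The text also does not say which certificate encoding is expected, which entries of a directory are loaded, or what happens when a listed path cannot be read. Suggest stating these in the SRST block, and using "separate" instead of "delineate" in "A colon may be used to delineate multiple paths."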
> 
> Unless there is a really, really good reason for introducing new top-level
> options to QEMU, this should rather be added to one of the existing options
> instead.
> 
> I assume this is very specific to s390x, isn't it? So the best way is likely
> to add this as a parameter of the machine type option, so that the user
> would specify:
> 
>  qemu-system-s390x -machine s390-ccw-virtio,boot-certificates=/path/to/certs
> 
> See the other object_class_property_add() statements in
> ccw_machine_class_init() for some examples how to do this.

With other arches that use EDK2 (x86, arm64, riscv64, loongarch64) we
pass this info via fw_cfg

   -fw_cfg name=etc/edk2/https/cacerts,file=<certdb>

Assuming this series is trying to implement a pre-existing s390x machine
standard for passing certs, then it seems inevitable that it will need
a different config approach than we use for EDK2.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

