On Fri, Apr 11, 2025 at 01:57:26PM +0100, Daniel P. Berrangé wrote:
> On Fri, Apr 11, 2025 at 12:44:17PM +0200, Thomas Huth wrote:
> > On 08/04/2025 17.55, Zhuoying Cai wrote:
> > > The `-boot-certificates /path/dir:/path/file` option is implemented
> > > to provide a path to either a directory or a single certificate.
> > >
> > > Multiple paths can be delineated using a colon.
> > >
> > > Signed-off-by: Zhuoying Cai <zy...@linux.ibm.com>
> > > ---
> > >  qemu-options.hx | 11 +++++++++++
> > >  system/vl.c     | 22 ++++++++++++++++++++++
> > >  2 files changed, 33 insertions(+)
> > >
> > > diff --git a/qemu-options.hx b/qemu-options.hx
> > > index dc694a99a3..b460c63490 100644
> > > --- a/qemu-options.hx
> > > +++ b/qemu-options.hx
> > > @@ -1251,6 +1251,17 @@ SRST
> > >      Set system UUID.
> > >  ERST
> > >
> > > +DEF("boot-certificates", HAS_ARG, QEMU_OPTION_boot_certificates,
> > > +    "-boot-certificates /path/directory:/path/file\n"
> > > +    "                Provide a path to a directory or a boot certificate.\n"
> > > +    "                A colon may be used to delineate multiple paths.\n",
> > > +    QEMU_ARCH_S390X)
> > > +SRST
> > > +``-boot-certificates /path/directory:/path/file``
> > > +    Provide a path to a directory or a boot certificate.
> > > +    A colon may be used to delineate multiple paths.
> > > +ERST
> >
> > Unless there is a really, really good reason for introducing new top-level
> > options to QEMU, this should rather be added to one of the existing options
> > instead.
> >
> > I assume this is very specific to s390x, isn't it? So the best way is likely
> > to add this as a parameter of the machine type option, so that the user
> > would specify:
> >
> >   qemu-system-s390x -machine s390-ccw-virtio,boot-certificates=/path/to/certs
> >
> > See the other object_class_property_add() statements in
> > ccw_machine_class_init() for some examples of how to do this.
>
> With other arches that use EDK2 (x86, arm64, riscv64, loongarch64) we
> pass this info via fw_cfg
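Review bot: the help text added in the qemu-options.hx hunk documents the colon as a list separator but leaves its edge cases undefined: a path that itself contains a colon cannot be expressed, and nothing states which file format a "boot certificate" is expected to be in or which boot step consumes the certificates once loaded. Suggest extending the two description lines after `"                Provide a path to a directory or a boot certificate.\n"` with one line naming the expected certificate format and purpose, and one stating that paths containing a colon are not supported (or documenting an escape), so the accepted input is unambiguous for anyone validating it. The commit message also writes the placeholder as `/path/dir:/path/file` while the option help uses `/path/directory:/path/file`; the two should match.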
s/this info/this kind of info/ because technically the stuff below is
certs for PXE boot downloads, not certs for secureboot. The latter are
hardcoded in the EDK varstore at boot time, so any setup of certs for
secureboot is out of band from QEMU startup.

>
>   -fw_cfg name=etc/edk2/https/cacerts,file=<certdb>
>
> Assuming this series is trying to implement a pre-existing s390x machine
> standard for passing certs, then it seems inevitable that it will need
> a different config approach than we use for EDK2.
>
> With regards,
> Daniel

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|