On 4/11/25 8:57 AM, Daniel P. Berrangé wrote:
> On Fri, Apr 11, 2025 at 12:44:17PM +0200, Thomas Huth wrote:
>> On 08/04/2025 17.55, Zhuoying Cai wrote:
>>> The `-boot-certificates /path/dir:/path/file` option is implemented
>>> to provide path to either a directory or a single certificate.
>>>
>>> Multiple paths can be delineated using a colon.
>>>
>>> Signed-off-by: Zhuoying Cai <zy...@linux.ibm.com>
>>> ---
>>>   qemu-options.hx | 11 +++++++++++
>>>   system/vl.c     | 22 ++++++++++++++++++++++
>>>   2 files changed, 33 insertions(+)
>>>
>>> diff --git a/qemu-options.hx b/qemu-options.hx
>>> index dc694a99a3..b460c63490 100644
>>> --- a/qemu-options.hx
>>> +++ b/qemu-options.hx
>>> @@ -1251,6 +1251,17 @@ SRST
>>>       Set system UUID.
>>>   ERST
>>> +DEF("boot-certificates", HAS_ARG, QEMU_OPTION_boot_certificates,
>>> +    "-boot-certificates /path/directory:/path/file\n"
>>> +    "                  Provide a path to a directory or a boot 
>>> certificate.\n"
>>> +    "                  A colon may be used to delineate multiple paths.\n",
>>> +    QEMU_ARCH_S390X)
>>> +SRST
>>> +``-boot-certificates /path/directory:/path/file``
>>> +    Provide a path to a directory or a boot certificate.
>>> +    A colon may be used to delineate multiple paths.
>>> +ERST
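Review bot: The SRST entry for ``-boot-certificates`` only repeats the two sentences of the one-line help, so it leaves the option's behaviour undocumented. It should state which certificate file format is accepted, whether a directory is read recursively or only at its top level, and what happens when a listed path is missing or unreadable. Because a colon is the separator, the text should also say how (or whether) a path that itself contains a colon can be passed. The DEF() is limited to QEMU_ARCH_S390X, but neither help string says the option is s390x-only; a short note in the SRST body would help. Minor wording: "A colon may be used to delineate multiple paths" reads better as "Multiple paths may be separated by a colon".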
>>
>> Unless there is a really, really good reason for introducing new top-level
>> options to QEMU, this should rather be added to one of the existing options
>> instead.
>>
>> I assume this is very specific to s390x, isn't it? So the best way is likely
>> to add this as a parameter of the machine type option, so that the user
>> would specify:
>>
>>  qemu-system-s390x -machine s390-ccw-virtio,boot-certificates=/path/to/certs
>>
>> See the other object_class_property_add() statements in
>> ccw_machine_class_init() for some examples how to do this.
> 
> With other arches that use EDK2 (x86, arm64, riscv64, loongarch64) we
> pass this info via fw_cfg
> 
>    -fw_cfg name=etc/edk2/https/cacerts,file=<certdb>
> 
> Assuming this series is trying to implement a pre-existing s390x machine
> standard for passing certs, then it seems inevitable that it will need
> a different config approach than we use for EDK2.
> 
> With regards,
> Daniel

Thank you for your feedback.

The -boot-certificates option aims to provide a path to either a
directory or a single certificate on the host. The certificate(s) will
be loaded into the key store and used during signature verification.

s390x will likely need to handle certificates differently from other
architectures.

Regards,
Joy

