The Edk2Crypto object is used to hold configuration values specific
to EDK2.
The edk2_add_host_crypto_policy() function loads crypto policies
from the host, and register them as fw_cfg named file items.
So far only the 'https' policy is supported.
A usercase example is the 'HTTPS Boof' feature of OVMF [*].
Usage example:
- via the command line:
$ qemu-system-x86_64 \
--object edk2_crypto,id=https,\
ciphers=/etc/crypto-policies/back-ends/openssl.config,\
cacerts=/etc/pki/ca-trust/extracted/edk2/cacerts.bin
- via QMP:
{
"execute": "object-add",
"arguments": {
"qom-type": "edk2_crypto",
"id": "https",
"props": {
"ciphers": "/etc/crypto-policies/back-ends/openssl.config",
"cacerts": "/etc/pki/ca-trust/extracted/edk2/cacerts.bin"
}
}
}
(On Fedora these files are provided by the ca-certificates and
crypto-policies packages).
[*]: https://github.com/tianocore/edk2/blob/master/OvmfPkg/README
Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com>
---
v3:
- inverted the if() logic
- '-object' -> '--object' in commit description (Eric)
- reworded the 'TODO: g_free' comment
v4:
- do not return pointer to alloc'd data (Markus)
- INTERFACE_CHECK -> OBJECT_CLASS_CHECK (Markus)
- path -> filename (Laszlo)
- dropped the 'TODO: g_free' comment (Markus)
v5:
- only allow 1 singleton using the UserCreatableClass::complete
callback (Markus, Laszlo)
- object own fw_cfg 'file' content, no need for
fw_cfg_add_file_from_host() (Laszlo)
- g_file_get_contents() called when object is instantiated
and report error, the machine 'done' notifier do not have
to manage errors (do not fail).
- add QMP example
-
- do not add docs/interop/firmware.json to MAINTAINERS
---
MAINTAINERS | 2 +
hw/Makefile.objs | 1 +
hw/firmware/Makefile.objs | 1 +
hw/firmware/uefi_edk2_crypto_policies.c | 209 ++++++++++++++++++++++++
include/hw/firmware/uefi_edk2.h | 30 ++++
5 files changed, 243 insertions(+)
create mode 100644 hw/firmware/Makefile.objs
create mode 100644 hw/firmware/uefi_edk2_crypto_policies.c
create mode 100644 include/hw/firmware/uefi_edk2.h
diff --git a/MAINTAINERS b/MAINTAINERS
index d32c5c2313..28de489134 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -2262,6 +2262,8 @@ EDK2 Firmware
M: Laszlo Ersek <ler...@redhat.com>
M: Philippe Mathieu-Daudé <phi...@redhat.com>
S: Supported
+F: hw/firmware/uefi_edk2_crypto_policies.c
+F: include/hw/firmware/uefi_edk2.h
F: pc-bios/descriptors/??-edk2-*.json
F: pc-bios/edk2-*
F: roms/Makefile.edk2
diff --git a/hw/Makefile.objs b/hw/Makefile.objs
index d770926ba9..c13b6ee0dd 100644
--- a/hw/Makefile.objs
+++ b/hw/Makefile.objs
@@ -8,6 +8,7 @@ devices-dirs-$(CONFIG_SOFTMMU) += char/
devices-dirs-$(CONFIG_SOFTMMU) += cpu/
devices-dirs-$(CONFIG_SOFTMMU) += display/
devices-dirs-$(CONFIG_SOFTMMU) += dma/
+devices-dirs-$(CONFIG_SOFTMMU) += firmware/
devices-dirs-$(CONFIG_SOFTMMU) += gpio/
devices-dirs-$(CONFIG_HYPERV) += hyperv/
devices-dirs-$(CONFIG_I2C) += i2c/
diff --git a/hw/firmware/Makefile.objs b/hw/firmware/Makefile.objs
new file mode 100644
index 0000000000..ea1f6d44df
--- /dev/null
+++ b/hw/firmware/Makefile.objs
@@ -0,0 +1 @@
+common-obj-y += uefi_edk2_crypto_policies.o
diff --git a/hw/firmware/uefi_edk2_crypto_policies.c
b/hw/firmware/uefi_edk2_crypto_policies.c
new file mode 100644
index 0000000000..a0164272ea
--- /dev/null
+++ b/hw/firmware/uefi_edk2_crypto_policies.c
@@ -0,0 +1,209 @@
+/*
+ * UEFI EDK2 Support
+ *
+ * Copyright (c) 2019 Red Hat Inc.
+ *
+ * Author:
+ * Philippe Mathieu-Daudé <phi...@redhat.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qom/object_interfaces.h"
+#include "hw/firmware/uefi_edk2.h"
+
+
+#define TYPE_EDK2_CRYPTO "edk2_crypto"
+
+#define EDK2_CRYPTO_CLASS(klass) \
+ OBJECT_CLASS_CHECK(Edk2CryptoClass, (klass), \
+ TYPE_EDK2_CRYPTO)
+#define EDK2_CRYPTO_GET_CLASS(obj) \
+ OBJECT_GET_CLASS(Edk2CryptoClass, (obj), \
+ TYPE_EDK2_CRYPTO)
+#define EDK2_CRYPTO(obj) \
+ OBJECT_CHECK(Edk2Crypto, (obj), \
+ TYPE_EDK2_CRYPTO)
+
+typedef struct FWCfgHostContent {
+ /*
+ * Path to the acceptable ciphersuites and the preferred order from
+ * the host-side crypto policy.
+ */
+ char *filename;
+ /*
+ * Add a new NAMED fw_cfg item as a raw "blob" of the given size. The data
+ * referenced by the starting pointer is only linked, NOT copied, into the
+ * data structure of the fw_cfg device.
+ */
+ char *contents;
+
+ size_t contents_length;
+} FWCfgHostContent;
+
+typedef struct Edk2Crypto {
+ Object parent_obj;
+
+ /*
+ * Path to the acceptable ciphersuites and the preferred order from
+ * the host-side crypto policy.
+ */
+ FWCfgHostContent ciphers;
+ /* Path to the trusted CA certificates configured on the host side. */
+ FWCfgHostContent cacerts;
+} Edk2Crypto;
+
+typedef struct Edk2CryptoClass {
+ ObjectClass parent_class;
+} Edk2CryptoClass;
+
+static Edk2Crypto *edk2_crypto_by_policy_id(const char *policy_id, Error
**errp)
+{
+ Object *obj;
+
+ obj = object_resolve_path_component(object_get_objects_root(), policy_id);
+ if (!obj) {
+ error_setg(errp, "Cannot find EDK2 crypto policy ID %s", policy_id);
+ return NULL;
+ }
+
+ if (!object_dynamic_cast(obj, TYPE_EDK2_CRYPTO)) {
+ error_setg(errp, "Object '%s' is not a EDK2 crypto subclass",
+ policy_id);
+ return NULL;
+ }
+
+ return EDK2_CRYPTO(obj);
+}
+
+static void edk2_crypto_prop_set_ciphers(Object *obj, const char *value,
+ Error **errp G_GNUC_UNUSED)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(obj);
+
+ g_free(s->ciphers.filename);
+ s->ciphers.filename = g_strdup(value);
+}
+
+static char *edk2_crypto_prop_get_ciphers(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(obj);
+
+ return g_strdup(s->ciphers.filename);
+}
+
+static void edk2_crypto_prop_set_cacerts(Object *obj, const char *value,
+ Error **errp G_GNUC_UNUSED)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(obj);
+
+ g_free(s->cacerts.filename);
+ s->cacerts.filename = g_strdup(value);
+}
+
+static char *edk2_crypto_prop_get_cacerts(Object *obj,
+ Error **errp G_GNUC_UNUSED)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(obj);
+
+ return g_strdup(s->cacerts.filename);
+}
+
+static void edk2_crypto_complete(UserCreatable *uc, Error **errp)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(uc);
+ Error *local_err = NULL;
+ GError *gerr = NULL;
+
+ if (s->ciphers.filename) {
+ if (!g_file_get_contents(s->ciphers.filename, &s->ciphers.contents,
+ &s->ciphers.contents_length, &gerr)) {
+ goto report_error;
+ }
+ }
+ if (s->cacerts.filename) {
+ if (!g_file_get_contents(s->cacerts.filename, &s->cacerts.contents,
+ &s->cacerts.contents_length, &gerr)) {
+ goto report_error;
+ }
+ }
+ return;
+
+ report_error:
+ error_setg(&local_err, "%s", gerr->message);
+ g_error_free(gerr);
+ error_propagate_prepend(errp, local_err, "EDK2 crypto policy: ");
+}
+
+static void edk2_crypto_finalize(Object *obj)
+{
+ Edk2Crypto *s = EDK2_CRYPTO(obj);
+
+ g_free(s->ciphers.filename);
+ g_free(s->ciphers.contents);
+ g_free(s->cacerts.filename);
+ g_free(s->cacerts.contents);
+}
+
+static void edk2_crypto_class_init(ObjectClass *oc, void *data)
+{
+ UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+
+ ucc->complete = edk2_crypto_complete;
+
+ object_class_property_add_str(oc, "ciphers",
+ edk2_crypto_prop_get_ciphers,
+ edk2_crypto_prop_set_ciphers,
+ NULL);
+ object_class_property_add_str(oc, "cacerts",
+ edk2_crypto_prop_get_cacerts,
+ edk2_crypto_prop_set_cacerts,
+ NULL);
+}
+
+static const TypeInfo edk2_crypto_info = {
+ .parent = TYPE_OBJECT,
+ .name = TYPE_EDK2_CRYPTO,
+ .instance_size = sizeof(Edk2Crypto),
+ .instance_finalize = edk2_crypto_finalize,
+ .class_size = sizeof(Edk2CryptoClass),
+ .class_init = edk2_crypto_class_init,
+ .interfaces = (InterfaceInfo[]) {
+ { TYPE_USER_CREATABLE },
+ { }
+ }
+};
+
+static void edk2_crypto_register_types(void)
+{
+ type_register_static(&edk2_crypto_info);
+}
+
+type_init(edk2_crypto_register_types);
+
+static void edk2_add_host_crypto_policy_https(FWCfgState *fw_cfg)
+{
+ Edk2Crypto *s;
+
+ s = edk2_crypto_by_policy_id("https", NULL);
+ if (!s) {
+ return;
+ }
+ if (s->ciphers.contents_length) {
+ fw_cfg_add_file(fw_cfg, "etc/edk2/https/ciphers",
+ s->ciphers.contents, s->ciphers.contents_length);
+ }
+ if (s->cacerts.contents_length) {
+ fw_cfg_add_file(fw_cfg, "etc/edk2/https/cacerts",
+ s->cacerts.contents, s->cacerts.contents_length);
+ }
+}
+
+void edk2_add_host_crypto_policy(FWCfgState *fw_cfg)
+{
+ edk2_add_host_crypto_policy_https(fw_cfg);
+}
diff --git a/include/hw/firmware/uefi_edk2.h b/include/hw/firmware/uefi_edk2.h
new file mode 100644
index 0000000000..f8f81c5cb2
--- /dev/null
+++ b/include/hw/firmware/uefi_edk2.h
@@ -0,0 +1,30 @@
+/*
+ * UEFI EDK2 Support
+ *
+ * Copyright (c) 2019 Red Hat Inc.
+ *
+ * Author:
+ * Philippe Mathieu-Daudé <phi...@redhat.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#ifndef HW_FIRMWARE_UEFI_EDK2_H
+#define HW_FIRMWARE_UEFI_EDK2_H
+
+#include "hw/nvram/fw_cfg.h"
+
+/**
+ * edk2_add_host_crypto_policy:
+ * @fw_cfg: fw_cfg device being modified
+ *
+ * Add a new named file containing the host crypto policy.
+ *
+ * This method is called by the machine_done() Notifier of
+ * some implementations of MachineState, currently the X86
+ * PCMachineState and the ARM VirtMachineState.
+ */
+void edk2_add_host_crypto_policy(FWCfgState *fw_cfg);
+
+#endif /* HW_FIRMWARE_UEFI_EDK2_H */
--
2.20.1
