On Tue, Jun 23, 2020 at 07:27:22PM +0200, Philippe Mathieu-Daudé wrote:
> On the host OS, various aspects of TLS operation are configurable.
> In particular it is possible for the sysadmin to control the TLS
> cipher/protocol algorithms that applications are permitted to use.
>
> * Any given crypto library has a built-in default priority list
> defined by the distro maintainer of the library package (or by
> upstream).
>
> * The "crypto-policies" RPM (or equivalent host OS package)
> provides a config file such as "/etc/crypto-policies/config",
> where the sysadmin can set a high level (library-independent)
> policy.
>
> The "update-crypto-policies --set" command (or equivalent) is
> used to translate the global policy to individual library
> representations, producing files such as
> "/etc/crypto-policies/back-ends/*.config". The generated files,
> if present, are loaded by the various crypto libraries to
> override their own built-in defaults.
>
> For example, the GNUTLS library may read
> "/etc/crypto-policies/back-ends/gnutls.config".
>
> * A management application (or the QEMU user) may override the
> system-wide crypto-policies config via their own config, if
> they need to diverge from the former.
>
> Thus the priority order is "QEMU user config" > "crypto-policies
> system config" > "library built-in config".
>
> Introduce the "tls-cipher-suites" object for exposing the ordered
> list of permitted TLS cipher suites from the host side to the
> guest firmware, via fw_cfg. The list is represented as an array
> of bytes.
>
> The priority at which the host-side policy is retrieved is given
> by the "priority" property of the new object type. For example,
> "priority=@SYSTEM" may be used to refer to
> "/etc/crypto-policies/back-ends/gnutls.config" (given that QEMU
> uses GNUTLS).
>
> The firmware uses the IANA_TLS_CIPHER array for configuring
> guest-side TLS, for example in UEFI HTTPS Boot.
>
> [Description from Daniel P. Berrangé, edited by Laszlo Ersek.]
>
> Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com>
> ---
> v10: rewrote logic (danpb)
> ---
> include/crypto/tls-cipher-suites.h | 39 ++++++++++
> crypto/tls-cipher-suites.c | 115 +++++++++++++++++++++++++++++
> crypto/Makefile.objs | 1 +
> crypto/trace-events | 5 ++
> qemu-options.hx | 19 +++++
> 5 files changed, 179 insertions(+)
> create mode 100644 include/crypto/tls-cipher-suites.h
> create mode 100644 crypto/tls-cipher-suites.c

Reviewed-by: Daniel P. Berrangé <berra...@redhat.com>

> diff --git a/include/crypto/tls-cipher-suites.h b/include/crypto/tls-cipher-suites.h
> new file mode 100644
> index 0000000000..1be7917233
> --- /dev/null
> +++ b/include/crypto/tls-cipher-suites.h
> @@ -0,0 +1,39 @@
> +/*
> + * QEMU TLS Cipher Suites Registry (RFC8447)
> + *
> + * Copyright (c) 2019 Red Hat, Inc.

nit-pick, we could make that 2019-2020, likewise other files. No need
to respin just for that though.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
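The fw_cfg byte array that the quoted commit message describes, seen from the consuming side: an added example (not QEMU's or the firmware's code) that decodes the blob into IANA cipher suite codes, rejects a malformed odd-length list, and keeps only the suites the firmware implements while preserving the host's priority order. It assumes each entry is the two-byte IANA code with the high byte first (the IANA_TLS_CIPHER layout); the sample blob and the "supported" set are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample of what the host might publish via fw_cfg.  Each entry is
 * assumed to be the two-byte IANA cipher suite code, high byte first (the
 * firmware's IANA_TLS_CIPHER layout): TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256,
 * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA. */
static const uint8_t sample_blob[] = {0x13, 0x02, 0x13, 0x01,
                                      0xC0, 0x2F, 0x00, 0x2F};
/* Hypothetical set the firmware's TLS stack implements (unordered). */
static const uint16_t fw_supported[] = {0x1301, 0xC02F, 0xC030};
static uint16_t g_host[8], g_chosen[8];

/* Decode the blob into 16-bit codes.  Returns the count, or -1 for an
 * odd-length blob, which a guest should treat as "no usable policy". */
static int decode_cipher_list(const uint8_t *blob, size_t len,
                              uint16_t *out, size_t max)
{
    size_t n = 0;
    if (len % 2 != 0) return -1;
    for (size_t i = 0; i + 1 < len && n < max; i += 2, n++) {
        out[n] = (uint16_t)((blob[i] << 8) | blob[i + 1]);
    }
    return (int)n;
}

/* Keep only suites the firmware implements, in the host's priority order,
 * dropping duplicates so a repeated entry cannot inflate the list. */
static int select_suites(const uint16_t *host, int nhost,
                         const uint16_t *supp, int nsupp,
                         uint16_t *out, int max)
{
    int n = 0;
    for (int i = 0; i < nhost && n < max; i++) {
        int ok = 0, dup = 0;
        for (int j = 0; j < nsupp; j++) ok |= (supp[j] == host[i]);
        for (int j = 0; j < n; j++) dup |= (out[j] == host[i]);
        if (ok && !dup) out[n++] = host[i];
    }
    return n;
}

int main(void)
{
    int nh = decode_cipher_list(sample_blob, sizeof sample_blob, g_host, 8);
    int nc = select_suites(g_host, nh, fw_supported, 3, g_chosen, 8);
    for (int i = 0; i < nc; i++) printf("0x%04X\n", g_chosen[i]);
    return nc > 0 ? 0 : 1;
}
```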