firmware (and crypto) patches

- add the tls-cipher-suites object, - add the ability to QOM objects to produce data consumable by the fw_cfg device, - let the tls-cipher-suites object implement the FW_CFG_DATA_GENERATOR interface. This is required by EDK2 'HTTPS Boot' feature of OVMF to tell the guest which TLS ciphers it can use. CI jobs results: 704724619 162938106 https://cirrus-ci.com/build/4682977303068672 -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAl8AsDQACgkQ4+MsLN6t wN4HLA//Sxi7iYWp3OygX1F7A9XpWxuWNVjThBJzao00y0qxWQ7G6l/YTDeNYOoD dE/HsyUd3QtvC6/c79zoqyOb5m+WtQNsQmHAO4LZdR16TPNvTdCZ2lNgWYRIjuHJ obvYy2ingKpnlzd5V1bioTlUw0AOchk86pMnTVAsoKPXWqsOrPB+PYmE9tFRxqVY 5WVW7rnhtcJ05ajeIWhgndhW7fM4lvoWdZyctTIhWttQ9WkhyKAYKHQrmgOcsbUp soOfK9oHRH1XuUsC0SHpPmUQbp/c5cyCS1D7nDuIe/lPNNfWCVeUKkny495Vgj4d nK6MI1PQ4Bw2VBfMMxO4dXl2rnzlVjSnXXUP56IdfZHlOr+5gPh7uZvfZXN3AmHC km9MBt2IWrDYAriMwHhqumzHMIFmNVdqdXaYZYzagwwFzy8VNLgzQEFQYHsIXtl3 7pfvZVtIbSfXFGfktY3vu4sBZNAAk3mAOc04faF3CuTvXp5m0Duc0boO38eLDCbp 5mV2uEUJ9zQzcSoLqfLGiYCBFX9C8XdjdX+u9gMHhNb04y5c6r/zZZKpH7ZfwEc1 WdwXzEor+h3yW06dV1WdOGlMUqVt3Xx9GaJBW57XbdMQQ2O2m+TfMcYLeVLsXtvf aHUKOZdBxRKFcbA7zARhZ4xyzNQVddz3+aTGpzpP/xIL4TXrzHQ= =QArU -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/philmd-gitlab/tags/fw_cfg-20200704' into staging firmware (and crypto) patches - add the tls-cipher-suites object, - add the ability to QOM objects to produce data consumable by the fw_cfg device, - let the tls-cipher-suites object implement the FW_CFG_DATA_GENERATOR interface. This is required by EDK2 'HTTPS Boot' feature of OVMF to tell the guest which TLS ciphers it can use. CI jobs results: 704724619 162938106 https://cirrus-ci.com/build/4682977303068672 # gpg: Signature made Sat 04 Jul 2020 17:37:08 BST # gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE # gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full] # Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE * remotes/philmd-gitlab/tags/fw_cfg-20200704: crypto/tls-cipher-suites: Produce fw_cfg consumable blob softmmu/vl: Allow -fw_cfg 'gen_id' option to use the 'etc/' namespace softmmu/vl: Let -fw_cfg option take a 'gen_id' argument hw/nvram/fw_cfg: Add the FW_CFG_DATA_GENERATOR interface crypto: Add tls-cipher-suites object Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2025-08-05 00:33:55 -06:00 · 2020-07-09 20:01:43 +01:00 · 2020-07-09 20:01:43 +01:00 · aecdfcc3f8
commit aecdfcc3f8
parent aff2caf6b3 69699f3055
9 changed files with 326 additions and 10 deletions
--- a/qemu-options.hx
+++ b/qemu-options.hx
@ -4579,6 +4579,43 @@ SRST
        string as described at
        https://gnutls.org/manual/html_node/Priority-Strings.html.

+    ``-object tls-cipher-suites,id=id,priority=priority``
+        Creates a TLS cipher suites object, which can be used to control
+        the TLS cipher/protocol algorithms that applications are permitted
+        to use.
+
+        The ``id`` parameter is a unique ID which frontends will use to
+        access the ordered list of permitted TLS cipher suites from the
+        host.
+
+        The ``priority`` parameter allows to override the global default
+        priority used by gnutls. This can be useful if the system
+        administrator needs to use a weaker set of crypto priorities for
+        QEMU without potentially forcing the weakness onto all
+        applications. Or conversely if one wants wants a stronger
+        default for QEMU than for all other applications, they can do
+        this through this parameter. Its format is a gnutls priority
+        string as described at
+        https://gnutls.org/manual/html_node/Priority-Strings.html.
+
+        An example of use of this object is to control UEFI HTTPS Boot.
+        The tls-cipher-suites object exposes the ordered list of permitted
+        TLS cipher suites from the host side to the guest firmware, via
+        fw_cfg. The list is represented as an array of IANA_TLS_CIPHER
+        objects. The firmware uses the IANA_TLS_CIPHER array for configuring
+        guest-side TLS.
+
+        In the following example, the priority at which the host-side policy
+        is retrieved is given by the ``priority`` property.
+        Given that QEMU uses GNUTLS, ``priority=@SYSTEM`` may be used to
+        refer to /etc/crypto-policies/back-ends/gnutls.config.
+
+        .. parsed-literal::
+
+             # |qemu_system| \
+                 -object tls-cipher-suites,id=mysuite0,priority=@SYSTEM \
+                 -fw_cfg name=etc/edk2/https/ciphers,gen_id=mysuite0
+
    ``-object filter-buffer,id=id,netdev=netdevid,interval=t[,queue=all|rx|tx][,status=on|off][,position=head|tail|id=<id>][,insert=behind|before]``
        Interval t can't be 0, this filter batches the packet delivery:
        all packets arriving in a given interval on netdev netdevid are