qemu-devel

Re: [PATCH v7 4/5] crypto: Add tls-cipher-suites object


From: Daniel P . Berrangé
Subject: Re: [PATCH v7 4/5] crypto: Add tls-cipher-suites object
Date: Fri, 29 May 2020 12:18:40 +0100
User-agent: Mutt/1.13.4 (2020-02-15)

On Fri, May 29, 2020 at 01:09:22PM +0200, Laszlo Ersek wrote:
> On 05/28/20 19:31, Philippe Mathieu-Daudé wrote:
> (2) We need an actual commit message for this patch. How about the
> following -- I have liberally stolen and edited comments that Daniel
> made earlier in the Red Hat Bugzilla:
> 
> ---v--- ---v--- ---v--- ---v---
> On the host OS, various aspects of TLS operation are configurable. In
> particular it is possible for the sysadmin to control the TLS
> cipher/protocol algorithms that applications are permitted to use.
> 
> * Any given crypto library has a built-in default priority list defined by
>   the distro maintainer of the library package (or by upstream).
> 
> * The "crypto-policies" RPM (or equivalent host OS package) provides a
>   config file such as "/etc/crypto-policies/config", where the sysadmin
>   can set a high level (library-independent) policy.
> 
>   The "update-crypto-policies --set" command (or equivalent) is used to
>   translate the global policy to individual library representations,
>   producing files such as "/etc/crypto-policies/back-ends/*.config". The
>   generated files, if present, are loaded by the various crypto libraries
>   to override their own built-in defaults.
> 
>   For example, the GNUTLS library may read
>   "/etc/crypto-policies/back-ends/gnutls.config".
> 
> * A management application (or the QEMU user) may override the system-wide
>   crypto-policies config via their own config, if they need to diverge
>   from the former.
> 
> Thus the priority order is "QEMU user config" > "crypto-policies system
> config" > "library built-in config".
> 
> Introduce the "tls-cipher-suites" object for exposing the ordered list of
> permitted TLS cipher suites from the host side to the firmware, via
> fw_cfg. The list is represented as an array of IANA_TLS_CIPHER objects.
> The firmware uses the IANA_TLS_CIPHER array for configuring guest-side
> TLS, for example in UEFI HTTPS Boot.
> 
> The priority at which the host-side policy is retrieved is given by the
> "priority" property of the new object type. For example,
> "priority=@SYSTEM" may be used to refer to
> "/etc/crypto-policies/back-ends/gnutls.config" (given that QEMU uses
> GNUTLS).
> ---^--- ---^--- ---^--- ---^---
> 
> (3) I think I have now at least formed an idea about where we should
> document -fw_cfg / "gen_id" in the *manual*.
> 
> The various -object types are already documented extensively; namely in
> section "Generic object creation". Thus, I think we should document
> "tls-cipher-suites" there -- near the already existent "-object tls-*"
> ones.
> 
> I suggest including a manual update to that effect. I think we can mostly
> copy the suggested commit message into the manual as well.
> 
> And then, we can include the new "-fw_cfg" command line option (with
> "gen_id") *right there*. Consequently, we won't need to modify the
> existent "-fw_cfg" documentation bits (about "file" and "string") under
> section "Debug/Expert options".
> 
> Dan: please comment!

I don't really have anything else to say. More docs == better

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
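
An added example, not code from this thread or from QEMU: a check that a host-side test or the firmware could run over the ordered cipher-suite array described in the proposed commit message, reporting weak suites and where the first one sits in the priority order. It assumes each IANA_TLS_CIPHER entry is the two-byte IANA cipher suite value, high byte first; `ENTRY_SIZE`, `suite_is_weak`, `audit_cipher_blob`, the short weak-suite list and both sample blobs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: 2-byte IANA suite value per entry, high byte first. */
#define ENTRY_SIZE 2

/* Small illustrative subset of IANA values that a strict policy rejects. */
static int suite_is_weak(uint16_t id)
{
    switch (id) {
    case 0x0004: /* TLS_RSA_WITH_RC4_128_MD5 */
    case 0x0005: /* TLS_RSA_WITH_RC4_128_SHA */
    case 0x000A: /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
        return 1;
    default:
        return 0;
    }
}

/* Walk the list in priority order. Returns the number of weak suites, or -1
 * for an empty or truncated blob. *first_weak: index of first weak entry, or -1. */
int audit_cipher_blob(const uint8_t *blob, size_t len, int *first_weak)
{
    int weak = 0;
    *first_weak = -1;
    if (blob == NULL || len == 0 || len % ENTRY_SIZE != 0)
        return -1;
    for (size_t i = 0; i < len / ENTRY_SIZE; i++) {
        uint16_t id = (uint16_t)((blob[2 * i] << 8) | blob[2 * i + 1]);
        if (suite_is_weak(id)) {
            if (*first_weak < 0)
                *first_weak = (int)i;
            weak++;
        }
    }
    return weak;
}

/* Constructed sample blobs, not captured from a real guest. */
const uint8_t sample_strict[] = { 0x13, 0x02, 0x13, 0x01, 0xC0, 0x30 };
const uint8_t sample_legacy[] = { 0x13, 0x01, 0xC0, 0x2F, 0x00, 0x0A, 0x00, 0x05 };

int main(void)
{
    int idx, n = audit_cipher_blob(sample_legacy, sizeof(sample_legacy), &idx);
    printf("weak=%d first_weak_index=%d\n", n, idx);
    return n > 0;
}
```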
