On Thu, Sep 18, 2025 at 08:56:39AM +0200, Markus Armbruster wrote:
> Zhuoying Cai <[email protected]> writes:
> 
> > Introduce a new `boot-certs` machine type option for the s390-ccw-virtio
> > machine. This allows users to specify one or more certificate file paths
> > or directories to be used during secure boot.
> >
> > Each entry is specified using the syntax:
> > boot-certs.<index>.path=/path/to/cert.pem
> >
> > Multiple paths can be specified using array properties:
> > boot-certs.0.path=/path/to/cert.pem,
> > boot-certs.1.path=/path/to/cert-dir,
> > boot-certs.2.path=/path/to/another-dir...
> 
> Given we can specify a directory containing any number of certificate
> files, is the ability to specify multiple paths worth the additional
> complexity?

The typical scenario would be to point to somewhere in /etc/pki for some
globally provided certs, and then also point to somewhere local ($HOME)
for custom extra certs. So IMHO it is reasonable to want multiple paths,
to avoid copying around certs from different locations.

> 
> > Signed-off-by: Zhuoying Cai <[email protected]>
> 
> [...]
> 
> > diff --git a/qapi/machine-s390x.json b/qapi/machine-s390x.json
> > index 966dbd61d2..51bf791fe6 100644
> > --- a/qapi/machine-s390x.json
> > +++ b/qapi/machine-s390x.json
> > @@ -119,3 +119,25 @@
> > { 'command': 'query-s390x-cpu-polarization', 'returns':
> > 'CpuPolarizationInfo',
> > 'features': [ 'unstable' ]
> > }
> > +
> > +##
> > +# @BootCertificate:
> > +#
> > +# Boot certificate for secure IPL.
> > +#
> > +# @path: path to an X.509 certificate file or a directory containing
> > certificate files.
> > +#
> > +# Since: 10.2
> > +##
> > +{ 'struct': 'BootCertificate',
> > + 'data': {'path': 'str'} }
> 
> I'd call this BootCertificates (plural), because it can pull in any
> number, not just one.
> 
> > +
> > +##
> > +# @DummyBootCertificates:
> > +#
> > +# Not used by QMP; hack to let us use BootCertificateList internally.
> > +#
> > +# Since: 10.2
> > +##
> > +{ 'struct': 'DummyBootCertificates',
> > + 'data': {'unused-boot-certs': ['BootCertificate'] } }
> > diff --git a/qapi/pragma.json b/qapi/pragma.json
> > index 023a2ef7bc..66401837ad 100644
> > --- a/qapi/pragma.json
> > +++ b/qapi/pragma.json
> > @@ -49,6 +49,7 @@
> > 'DisplayProtocol',
> > 'DriveBackupWrapper',
> > 'DummyBlockCoreForceArrays',
> > + 'DummyBootCertificates',
> > 'DummyForceArrays',
> > 'DummyVirtioForceArrays',
> > 'HotKeyMod',
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-   https://www.instagram.com/dberrange :|
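Review bot: In the qapi/machine-s390x.json hunk, the @path documentation allows "a directory containing certificate files" but does not say which files in that directory are loaded (by name or extension, recursively or not, in what order) nor which certificate encodings are accepted. Because these paths populate the trust store used for secure IPL, the doc comment should spell out the directory-scanning and file-format rules, so that an unrelated file placed in a shared location such as /etc/pki is not silently treated as a trusted boot certificate. Renaming the struct to the plural form as suggested would also make the name honest about the fact that a single entry can pull in many certificates.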
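Review bot: In the qapi/pragma.json hunk, the new 'DummyBootCertificates' entry is correctly placed alphabetically between 'DummyBlockCoreForceArrays' and 'DummyForceArrays'; if the BootCertificate struct (and therefore the BootCertificateList it wraps) is renamed to the plural following the earlier suggestion, the dummy wrapper and this documentation-exception entry must be renamed in the same patch so the exception still applies to the struct that actually exists.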
