Skip to content

Custom UEFI certificates - API change #5247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Dec 21, 2023
Merged

Custom UEFI certificates - API change #5247

merged 6 commits into from
Dec 21, 2023

Conversation

@benjamreis
Copy link
Contributor

Solves: #5245

@benjamreis benjamreis force-pushed the custom-uefi-cert-api-change branch 9 times, most recently from ae2452a to 49880ea Compare November 17, 2023 12:53
lindig
lindig reviewed Nov 17, 2023
View reviewed changes
ocaml/xapi/xapi_pool.ml Outdated
let get_uefi_certificates ~__context ~self =
let custom_certs = Db.Pool.get_custom_uefi_certificates ~__context ~self in
match (!Xapi_globs.allow_custom_uefi_certs, custom_certs) with
| false, _ | true, "" ->
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This suggests the empty string has a special meaning. Is this obvious for the user?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the design clearing the custom UEFI certificates would default back to using the default ones.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some docs can be added clarifying this clearing. An alternative could be to add an api function called Pool.clear_custom_uefi_certs

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the empty string has special meaning, I would like to see that documented in the function that sets the string. Usually we try to avoid giving an empty string special meaning and use option values instead: it is more obvious that None has a special meaning.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that this special meaning of an empty value is already present currently in Db.Pool.{set,}uefi_certificates. We just moved this to the new field, to keep the amount of changes to a minimum.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added in the doc of the setter the defaulting back when empty behavior. :)

@benjamreis benjamreis force-pushed the custom-uefi-cert-api-change branch 3 times, most recently from bd6a757 to 7b54eb2 Compare November 20, 2023 09:23
psafont
psafont reviewed Nov 20, 2023
View reviewed changes
psafont
psafont reviewed Nov 20, 2023
View reviewed changes
@benjamreis benjamreis force-pushed the custom-uefi-cert-api-change branch 3 times, most recently from 06adb4b to 693ac7a Compare November 20, 2023 09:47
psafont
psafont reviewed Nov 20, 2023
View reviewed changes
@benjamreis benjamreis force-pushed the custom-uefi-cert-api-change branch 4 times, most recently from 9e420bd to 7bdc699 Compare November 20, 2023 15:00
lindig
lindig reviewed Nov 20, 2023
View reviewed changes
ocaml/xapi/xapi_pool.ml Outdated
let get_uefi_certificates ~__context ~self =
let custom_certs = Db.Pool.get_custom_uefi_certificates ~__context ~self in
match (!Xapi_globs.allow_custom_uefi_certs, custom_certs) with
| false, _ | true, "" ->
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the empty string has special meaning, I would like to see that documented in the function that sets the string. Usually we try to avoid giving an empty string special meaning and use option values instead: it is more obvious that None has a special meaning.

@benjamreis benjamreis force-pushed the custom-uefi-cert-api-change branch 6 times, most recently from 4822862 to f0857b0 Compare November 22, 2023 09:55
@benjamreis benjamreis mentioned this pull request Dec 6, 2023
Merged
@benjamreis benjamreis force-pushed the custom-uefi-cert-api-change branch from 73447b6 to d6eaf75 Compare December 6, 2023 14:54
@stormi
Copy link
Contributor

stormi commented Dec 6, 2023

Late remarks:

  • I initially misunderstood Pau's comment regarding ocaml/xapi-cli-server/records.ml, so we still need to update it.
  • To fully implement my design, pool.uefi_certificates needs to be updated at XAPI start regardless of the value of allow-custom-uefi-certs.

Don't merge yet :)

@benjamreis benjamreis force-pushed the custom-uefi-cert-api-change branch 3 times, most recently from 8fef70d to ffd3d8b Compare December 7, 2023 09:54
@benjamreis
Copy link
Contributor Author

I've added the xe cli part for this PR and an helper to get the correct uefi certificates in Helpers.ml

@benjamreis benjamreis force-pushed the custom-uefi-cert-api-change branch from ffd3d8b to ce56312 Compare December 7, 2023 09:57
@benjamreis benjamreis force-pushed the custom-uefi-cert-api-change branch from 46572aa to a52663f Compare December 11, 2023 17:54
@benjamreis benjamreis force-pushed the custom-uefi-cert-api-change branch from a52663f to 97473dd Compare December 19, 2023 10:36
@benjamreis
Copy link
Contributor Author

benjamreis commented Dec 19, 2023
edited
Loading

last force push was to fix typos in the commit messages, everything is good and validated on our side so good for merge according to us! :)

@benjamreis benjamreis requested a review from lindig December 19, 2023 10:42
@benjamreis
Copy link
Contributor Author

The format error does not concern my changes, not sure what to do 🤔

@benjamreis benjamreis force-pushed the custom-uefi-cert-api-change branch from 97473dd to 88c89e8 Compare December 19, 2023 12:06
@benjamreis
Copy link
Contributor Author

rebased on master for format change.

@stormi
Copy link
Contributor

stormi commented Dec 21, 2023

How about a merge of this as a Christmas gift? 😉

lindig
lindig approved these changes Dec 21, 2023
View reviewed changes
ocaml/idl/datamodel_pool.ml Outdated
call ~name:"set_custom_uefi_certificates" ~lifecycle:[]
~doc:
"Set custom UEFI certificates for a pool and all its hosts. Need \
`allow-custom-uefi-verts` set to true in conf. If empty: default back \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo? "verts"?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

indeed! Fixed 😇

benjamreis and others added 6 commits December 21, 2023 10:58
@benjamreis
Rename 'override_uefi_certs' with 'allow_custom_uefi_certs'
3073e1e 
Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
@benjamreis
Introduce new methods for custom uefi certs
568382b 
- `Pool.set/get_custom_uefi_certificates`
- `Pool/Host.set_uefi_certificates` deprecated
- `Pool.get_uefi_certificates` return the certificates used by the pool

Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
@benjamreis
Do not break symlink when no custom certificates are set
2587c90 
Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
@benjamreis
Do not fail when fullpath is given to extract certificates
5196f53 
Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
@benjamreis
Check for used UEFI certificates when updating vm platform
dfa9b94 
Signed-off-by: BenjiReis <benjamin.reis@vates.fr>
@benjamreis
Always set pool.uefi_certificates
70e07d0 
They'are also needed to fallback when custom are empty

Signed-off-by: Benjamin Reis <benjamin.reis@vates.tech>
@benjamreis benjamreis force-pushed the custom-uefi-cert-api-change branch from 88c89e8 to 70e07d0 Compare December 21, 2023 09:58
psafont
psafont reviewed Dec 21, 2023
View reviewed changes
ocaml/idl/datamodel_pool.ml
~lifecycle:
[
(Published, "22.16.0", "")
; (Deprecated, "23.32.0", "use set_custom_uefi_certificates instead")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the latest version

@psafont psafont merged commit 5724962 into xapi-project:master Dec 21, 2023
@psafont psafont deleted the custom-uefi-cert-api-change branch December 21, 2023 10:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lindig lindig lindig approved these changes

@psafont psafont psafont approved these changes

+1 more reviewer

@stormi stormi stormi approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@benjamreis @psafont @robhoes @stormi @lindig