On 6/24/25 11:03 AM, Jared Rossi wrote:
>
>
> On 6/20/25 11:45 AM, Zhuoying Cai wrote:
>> On 6/6/25 10:00 AM, Daniel P. Berrangé wrote:
>>> On Wed, Jun 04, 2025 at 05:56:29PM -0400, Zhuoying Cai wrote:
>>>> Add boot-certificates as a parameter of s390-ccw-virtio machine type
>>>> option.
>>>>
>>>> The `boot-certificates=/path/dir:/path/file` parameter is implemented
>>>> to provide path to either a directory or a single certificate.
>>>>
>>>> Multiple paths can be delineated using a colon.
>>> How do users specify paths which contain a colon as a valid
>>> character?
>>>
>> It was suggested to separate lists of directories and files with a
>> colon, following the convention used by the shell PATH variable. As the
>> colon serves as a delimiter, it’s expected that individual paths do not
>> contain any colon characters.
>
> I'm not sure if I understand why this is needed. Why would someone want
> to have the certificates in two distinct locations, as opposed to all in
> one directory or in sub-directories of a single main certificate
> directory? Supporting only one path would simplify both the
> implementation and the usage. Could we just not allow multiple paths,
> or is there a use case that requires it?
>
We chose to support lists of directories and files to provide greater
flexibility in the CLI. One use case involves scenarios where some
certificates are shipped with the distro (e.g., /usr/path/cert/dir),
while additional certificates may be managed by the local admin in a
separate location, such as /etc/path/cert/dir.

If supporting multiple directories and files is a concern, the design
could be simplified to allow a single directory containing all the
certificates required for secure boot, which should still cover typical
usage scenarios.

I'd appreciate any additional feedback on this design.

>> [snip..]
>>