RFE: generate "/etc/crypto-policies/back-ends/edk2.config"

Downstream tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1559564

This feature request is for a new back-end generator in the crypto-policies package https://fedoraproject.org/wiki/Changes/CryptoPolicy; more precisely in the update-crypto-policies(8) tool.

The current back-ends are listed in the update-crypto-policies(8) manual page. A new back-end, called "EDK2", is being requested. The output file should be "edk2.config".

EDK2 stands for "EFI Development Kit II". It is a project for the development of firmware that conforms to the PI (Platform Init) and/or UEFI specifications.

Such firmware is available for QEMU/KVM virtual machines. The firmware platforms are usually known as "OVMF" (for x86 VMs) and "ArmVirtQemu" or "AAVMF" (for ARM/ARM64 VMs).

UEFI supports HTTPS boot; that is, the above-mentioned virtual firmware can boot a virtual machine off the network, and not just via PXE, but also via HTTPS. For this, the firmware uses OpenSSL internally, but the configuration interface is peculiar. The subject of this RFE is to expose "the acceptable ciphersuites and the preferred order" from the host side, in the file "/etc/crypto-policies/back-ends/edk2.config", such that the userspace part of the VMM (namely QEMU) can pass it to the virtual firmware without any processing. This way the crypto policy configured on the virt host will also apply to the HTTPS boot carried out by the UEFI VM.

Section "28.10.2 EFI TLS Protocol" of the UEFI-2.7 spec http://uefi.org/specifications defines the following structure:

typedef struct {
  UINT8 Data1;
  UINT8 Data2;
} EFI_TLS_CIPHER;

Note: The definition of EFI_TLS_CIPHER is from RFC 5246 A.4.1.Hello Messages. The value of EFI_TLS_CIPHER is from TLS Cipher Suite Registry of IANA.

The "update-crypto-policies" utility should please transform the cipher list to an array of EFI_TLS_CIPHER elements, and store that array in "edk2.config". The size need not be stored separately (it can be deduced from the file size).