From: "Michael Brown" <mcb30@ipxe.org>
Date: Tue, 2 Jan 2024 12:42:16 +0000
Subject: Re: [edk2-devel] [RFC][PATCH 0/2] Introduce HTTPS Platform TLS policy
To: devel@edk2.groups.io, abner.chang@amd.com
Cc: Saloni Kasbekar, Zachary Clark-williams, Nickle Wang, Igor Kulchytskyy
Message-ID: <0102018cca323415-72e68e82-2db0-4821-897e-8eff33fbe586-000000@eu-west-1.amazonses.com>
References: <20231226112839.1152-1-abner.chang@amd.com>
 <0102018cabfc96cb-073692ee-eb88-4e49-ba2b-0e21850632d8-000000@eu-west-1.amazonses.com>
 <0102018cb0c83b57-ba6b133e-5f5c-4d05-85dc-bd6e32c87e41-000000@eu-west-1.amazonses.com>
 <0102018cb10db8bd-9edca239-8a41-4946-ad58-63ddb5a25921-000000@eu-west-1.amazonses.com>
 <0102018cb2e039d3-9ec4b97f-d3eb-4b4c-a8fd-248d4916f6f8-000000@eu-west-1.amazonses.com>
 <0102018cc7481f4b-30b20784-217d-4677-8854-055c9e509c70-000000@eu-west-1.amazonses.com>

On 02/01/2024 06:06, Chang, Abner via groups.io wrote:
>> What do you think about:
>>
>> - installing TLS on HTTP handle (as you have already implemented)
>>
>> - using EDKII_HTTP_CALLBACK_PROTOCOL to catch the HttpEventInitSession
>>   and perform whatever calls are needed to SetData() to modify the TLS
>>   configuration?
>
> Leveraging HttpNotify is good, but it still has some problems, as
> HttpNotify is designed to notify the callback owner that a specific task
> was done. In order to keep this HttpNotify nature, we can create a
> callback point at the end of TlsCreateChild() with a newly introduced
> event type, say HttpEventTlsChildCreated. The reason we have to create
> this notification before TlsConfigureSession() is that this function
> uses the default configuration data to configure TLS. However, it
> doesn't have to do EfiTlsVerifyHost and TlsConfigCertificate if there
> is nothing to verify.
> The problem in configuring EfiTlsVerifyHost is that it always checks the
> verification method with EFI_TLS_VERIFY_PEER, while the problem of
> TlsConfigCertificate is that it assumes the platform can always provide
> the certificate. Anyway, configuring TLS after TlsConfigCertificate is
> too late, as the error status has already been returned earlier.
> Furthermore, the design of HttpNotify doesn't provide the output
> information for the caller to determine the different code paths. So,
> with the above, how can we skip configuring TLS again with the default
> values in HttpSupport.c even if platform code already configured it
> before TlsConfigureSession()?
I may not have been clear enough: I'm suggesting that we allow
TlsConfigureSession() to perform its normal configuration, and then use
the HttpEventInitSession callback to modify this configuration (e.g.
setting EFI_TLS_VERIFY_NONE).

Yes, this would mean that a tiny amount of unnecessary work is done
(e.g. first setting EFI_TLS_VERIFY_PEER, then later changing it to
EFI_TLS_VERIFY_NONE) but this is a negligible amount of execution time
and allows us to keep the code simple.

The HttpEventInitSession callback is guaranteed to be called before the
calls to HttpGenRequestMessage() and HttpTransmitTcp() (even if running
at TPL_APPLICATION with network polling taking place) and so is
guaranteed to be a safe point at which to perform additional TLS
configuration via SetData().

So, to expand on what I wrote before, I'm suggesting:

- refactor TlsCreateChild() to install the TLS protocols on the HTTP
  handle (as you have already implemented).

- (optional) Remove TlsChildHandle and replace with a boolean flag.

- No further changes required to HttpDxe, as far as I can tell.

- In RedfishRestExDxe, install an EDKII_HTTP_CALLBACK_PROTOCOL before
  calling EFI_HTTP_PROTOCOL.Request().

- Allow the call to Request() to perform its normal TLS configuration
  via TlsConfigureSession(), as though the connection were going to
  perform host verification etc. as per the platform default policy.
  This configuration should succeed, with no error returned.

- In the RedfishRestExDxe callback, check for HttpEventInitSession and
  use calls to EFI_TLS_CONFIGURATION_PROTOCOL.SetData() to modify the
  TLS configuration to e.g. set EFI_TLS_VERIFY_NONE.
To make the callback implementation easier, you may want to extend
HttpNotify() to take HTTP_PROTOCOL *HttpInstance as its first parameter,
and then pass HttpInstance->Handle as an additional parameter to the
callback method, i.e.:

typedef
VOID
(EFIAPI *EDKII_HTTP_CALLBACK)(
  IN EDKII_HTTP_CALLBACK_PROTOCOL  *This,
  IN EFI_HANDLE                    HttpHandle,
  IN EDKII_HTTP_CALLBACK_EVENT     Event,
  IN EFI_STATUS                    EventStatus
  );

VOID
HttpNotify (
  IN HTTP_PROTOCOL              *HttpInstance,
  IN EDKII_HTTP_CALLBACK_EVENT  Event,
  IN EFI_STATUS                 EventStatus
  )
{
  ...
  HttpCallback->Callback (
                  HttpCallback,
                  HttpInstance->Handle,
                  Event,
                  EventStatus
                  );
  ...
}

Since EDKII_HTTP_CALLBACK_PROTOCOL is internal to EDK2 (and not covered
by the UEFI specification), this change should be possible. I've
checked all of the HttpNotify() call sites in the EDK2 repo, and they do
all have an HttpInstance available to use.

Thanks,

Michael

View/Reply Online (#113033): https://edk2.groups.io/g/devel/message/113033
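To make the sequence proposed in the message above concrete, the following is an added example written for this edited copy of the thread; it is not code from EDK2 or from either participant. It is a host-compilable C model: the EFI/EDK2 types, enum members and status values are simplified stand-ins that follow the shape (not the exact definitions) of the real headers, and LookupTlsConfig, PLATFORM_TLS_POLICY_CALLBACK, RunSession and the mock SetData are assumptions of the model. It shows TlsConfigureSession() applying the default EFI_TLS_VERIFY_PEER first, then HttpNotify() with the proposed HttpHandle parameter handing the HTTP handle to a RedfishRestExDxe-style callback, which changes the verify method only on a successful HttpEventInitSession and leaves the default in place for every other event.

```c
/*
 * Added example, not EDK2 code: a host-compilable model of the callback flow
 * proposed in this message. The EFI types below are simplified stand-ins that
 * mirror the shape of the real EDK2/UEFI definitions; constant values are
 * constructed for the model.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef void       VOID;
typedef uintptr_t  EFI_STATUS;
typedef void       *EFI_HANDLE;
#define IN
#define EFIAPI
#define EFI_SUCCESS            ((EFI_STATUS)0)
#define EFI_INVALID_PARAMETER  ((EFI_STATUS)2)   /* constructed value */

/* Verify-method values named in the message. */
typedef uint32_t EFI_TLS_VERIFY;
#define EFI_TLS_VERIFY_NONE  0x0u
#define EFI_TLS_VERIFY_PEER  0x1u

typedef enum { EfiTlsVerifyMethod, EfiTlsVerifyHost } EFI_TLS_CONFIG_DATA_TYPE;

/* Stand-in for EFI_TLS_CONFIGURATION_PROTOCOL: SetData() plus a backing
 * field recording the verify method currently configured on the TLS child. */
typedef struct EFI_TLS_CONFIGURATION_PROTOCOL EFI_TLS_CONFIGURATION_PROTOCOL;
struct EFI_TLS_CONFIGURATION_PROTOCOL {
  EFI_STATUS (EFIAPI *SetData)(IN EFI_TLS_CONFIGURATION_PROTOCOL *This,
                               IN EFI_TLS_CONFIG_DATA_TYPE DataType,
                               IN VOID *Data, IN size_t DataSize);
  EFI_TLS_VERIFY VerifyMethod;
};

static EFI_STATUS EFIAPI
MockTlsSetData (IN EFI_TLS_CONFIGURATION_PROTOCOL *This, IN EFI_TLS_CONFIG_DATA_TYPE DataType,
                IN VOID *Data, IN size_t DataSize)
{
  if (DataType != EfiTlsVerifyMethod || DataSize != sizeof (EFI_TLS_VERIFY)) {
    return EFI_INVALID_PARAMETER;   /* only the verify method is modelled */
  }
  This->VerifyMethod = *(EFI_TLS_VERIFY *)Data;
  return EFI_SUCCESS;
}

/* Callback protocol with the extended signature proposed above. */
typedef enum { HttpEventDns, HttpEventConnectTcp, HttpEventInitSession } EDKII_HTTP_CALLBACK_EVENT;
typedef struct EDKII_HTTP_CALLBACK_PROTOCOL EDKII_HTTP_CALLBACK_PROTOCOL;
typedef VOID (EFIAPI *EDKII_HTTP_CALLBACK)(IN EDKII_HTTP_CALLBACK_PROTOCOL *This, IN EFI_HANDLE HttpHandle,
                                           IN EDKII_HTTP_CALLBACK_EVENT Event, IN EFI_STATUS EventStatus);
struct EDKII_HTTP_CALLBACK_PROTOCOL { EDKII_HTTP_CALLBACK Callback; };

/* The HTTP child handle: after the TlsCreateChild() refactor the TLS
 * configuration protocol is installed here, reachable from HttpHandle alone. */
typedef struct { EFI_TLS_CONFIGURATION_PROTOCOL TlsConfig; } HTTP_HANDLE_DATA;

typedef struct {
  EFI_HANDLE                    Handle;
  EDKII_HTTP_CALLBACK_PROTOCOL  *Callback;   /* NULL if the consumer installed none */
} HTTP_PROTOCOL;

/* Stand-in for gBS->OpenProtocol() on the HTTP handle. */
static EFI_TLS_CONFIGURATION_PROTOCOL *
LookupTlsConfig (IN EFI_HANDLE HttpHandle)
{
  return &((HTTP_HANDLE_DATA *)HttpHandle)->TlsConfig;
}

/* Model of TlsConfigureSession(): the platform default verifies the peer. */
static EFI_STATUS
TlsConfigureSession (IN HTTP_PROTOCOL *HttpInstance)
{
  EFI_TLS_VERIFY                  Default = EFI_TLS_VERIFY_PEER;
  EFI_TLS_CONFIGURATION_PROTOCOL  *Cfg    = LookupTlsConfig (HttpInstance->Handle);
  return Cfg->SetData (Cfg, EfiTlsVerifyMethod, &Default, sizeof (Default));
}

/* HttpNotify() as sketched in the message: the instance's handle is forwarded. */
VOID
HttpNotify (IN HTTP_PROTOCOL *HttpInstance, IN EDKII_HTTP_CALLBACK_EVENT Event, IN EFI_STATUS EventStatus)
{
  if (HttpInstance->Callback != NULL) {
    HttpInstance->Callback->Callback (HttpInstance->Callback, HttpInstance->Handle, Event, EventStatus);
  }
}

/* Consumer side (RedfishRestExDxe-style): the protocol instance is the first
 * member of a context struct so the callback can recover the policy from This. */
typedef struct {
  EDKII_HTTP_CALLBACK_PROTOCOL  Protocol;
  EFI_TLS_VERIFY                PolicyVerifyMethod;
} PLATFORM_TLS_POLICY_CALLBACK;

static VOID EFIAPI
PlatformTlsPolicyCallback (IN EDKII_HTTP_CALLBACK_PROTOCOL *This, IN EFI_HANDLE HttpHandle,
                           IN EDKII_HTTP_CALLBACK_EVENT Event, IN EFI_STATUS EventStatus)
{
  PLATFORM_TLS_POLICY_CALLBACK    *Ctx = (PLATFORM_TLS_POLICY_CALLBACK *)This;
  EFI_TLS_CONFIGURATION_PROTOCOL  *Cfg;

  /* HttpEventInitSession is the safe point; any other event, or a failed one,
   * leaves the default (verify peer) configuration untouched. */
  if (Event != HttpEventInitSession || EventStatus != EFI_SUCCESS) {
    return;
  }
  Cfg = LookupTlsConfig (HttpHandle);
  Cfg->SetData (Cfg, EfiTlsVerifyMethod, &Ctx->PolicyVerifyMethod, sizeof (Ctx->PolicyVerifyMethod));
}

/* Drive one Request(): default configuration first, then the notification.
 * Returns the verify method the TLS child ends up with. */
EFI_TLS_VERIFY
RunSession (IN EFI_TLS_VERIFY PlatformPolicy, IN int InstallCallback, IN EDKII_HTTP_CALLBACK_EVENT Event)
{
  HTTP_HANDLE_DATA              HandleData = { { MockTlsSetData, 0xFFFFFFFFu } };  /* unconfigured */
  PLATFORM_TLS_POLICY_CALLBACK  Policy     = { { PlatformTlsPolicyCallback }, PlatformPolicy };
  HTTP_PROTOCOL                 Http       = { &HandleData, InstallCallback ? &Policy.Protocol : NULL };

  if (TlsConfigureSession (&Http) != EFI_SUCCESS) {
    return EFI_TLS_VERIFY_PEER;   /* default configuration failed; nothing to relax */
  }
  HttpNotify (&Http, Event, EFI_SUCCESS);
  return HandleData.TlsConfig.VerifyMethod;
}

int
main (void)
{
  printf ("no callback:           %u\n", RunSession (EFI_TLS_VERIFY_NONE, 0, HttpEventInitSession));
  printf ("callback, InitSession: %u\n", RunSession (EFI_TLS_VERIFY_NONE, 1, HttpEventInitSession));
  printf ("callback, other event: %u\n", RunSession (EFI_TLS_VERIFY_NONE, 1, HttpEventConnectTcp));
  return 0;
}
```

The point the model makes visible is the scoping of the override: the relaxed verify method is applied only to the one HTTP child handle whose consumer installed the callback, and only once HttpEventInitSession has fired successfully, so the default of verifying the peer that TlsConfigureSession() set remains in effect for every other HTTP consumer and for any earlier event in the sequence. Any real implementation would also check the status returned by SetData() rather than discarding it as the model does.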