From: "Zeng, Star"
To: Laszlo Ersek, "Fu, Siyuan", "Wu, Jiaxin"
Cc: edk2-devel-01, "Daniel P. Berrange", "Zeng, Star"
Date: Wed, 28 Mar 2018 03:28:24 +0000
Subject: Re: internal structure of EFI_TLS_CA_CERTIFICATE_VARIABLE
Message-ID: <0C09AFA07DD0434D9E2A0C6AEB0483103BA73C29@shsmsx102.ccr.corp.intel.com>
References: <32764418-f00f-2423-216d-24b3f842a3c7@redhat.com>
List: edk2-devel@lists.01.org

Is there a PCD pointing to the siglist?

For adding PcdMaxVolatileVariableSize: non-authenticated, volatile, I think it is acceptable if there are use cases.

Thanks,
Star

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo Ersek
Sent: Wednesday, March 28, 2018 10:32 AM
To: Fu, Siyuan; Wu, Jiaxin
Cc: edk2-devel-01; Daniel P. Berrange; Zeng, Star
Subject: Re: [edk2] internal structure of EFI_TLS_CA_CERTIFICATE_VARIABLE

Hi,

On 03/21/18 02:30, Fu, Siyuan wrote:
> Hi, Laszlo
>
> The data structure of EFI_TLS_CA_CERTIFICATE_VARIABLE is
> EFI_SIGNATURE_LIST and we have documented this in HTTPs Boot wiki
> page:
> https://github.com/tianocore/tianocore.github.io/wiki/HTTPS-Boot
>
> You can refer section 31.4.1 "Signature Database" in UEFI 2.7 A for a
> detail description of EFI_SIGNATURE_LIST structure.

I implemented a "p11-kit" extractor so that it produces a sequence of EFI_SIGNATURE_LIST objects, each siglist containing a single EFI_SIGNATURE_DATA object (with an X509 CA certificate in it).

In order to test that, I started writing the OVMF enablement patches, on top of the following series (pending review):

[edk2] [PATCH 0/5] NetworkPkg: HTTP and TLS updates

In the OVMF platform code, I created EFI_TLS_CA_CERTIFICATE_VARIABLE as a *volatile* and boot-service only variable, so that there would be no flash impact, regardless of the number and size of the certificates that the extractor produced.

Unfortunately, I still ran into a limitation here. The EFI_SIGNATURE_LIST bundle produced by the extractor is 182 KB in size (it comes from the Mozilla CA root certificate bundle, aka the "ca-certificates" package). In order to create such a large variable, I had to raise the following two PCDs for OVMF:

- PcdVariableStoreSize: this controls the cumulative storage size for *volatile* variables.

- PcdMaxVariableSize: this limits the individual variable size for non-authenticated variables, *regardless* of their volatility.

I set PcdMaxVariableSize to 256KB (to accommodate the 182KB size mentioned above, and to leave a bit of margin). I set PcdVariableStoreSize to 512KB (so that there would be quite a bit of volatile space left after a 256KB volatile variable was created).

And this is where the variable driver runs into an assertion failure:

> ASSERT MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c(3809):
> GetNonVolatileMaxVariableSize () < (VariableStoreLength - sizeof
> (VARIABLE_STORE_HEADER))

The GetNonVolatileMaxVariableSize() function calculates the maximum of PcdMaxVariableSize and PcdMaxAuthVariableSize. This is not good because I didn't mean to raise PcdMaxVariableSize for non-volatile purposes; I only meant to raise it for volatile storage.

Then the InitNonVolatileVariableStore() function attempts to fit this maximum into the *flash* storage. Obviously, individual 256KB variables (which I never meant to place into flash) don't fit into flash, and the ASSERT() fires.

The issue is that the variable driver does not distinguish the max variable size between volatile and non-volatile storage, and the non-volatile availability effectively limits the volatile one.

I think we should have three PCDs:

- PcdMaxVariableSize: non-authenticated, non-volatile
- PcdMaxAuthVariableSize: authenticated, non-volatile
- PcdMaxVolatileVariableSize: non-authenticated, volatile

(The fourth variation needs no PCD because authenticated volatile variables make no sense.)

How can we solve this?

Thanks,
Laszlo

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
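The two technical points in the thread, the EFI_SIGNATURE_LIST layout that EFI_TLS_CA_CERTIFICATE_VARIABLE carries and the size checks the variable driver applies to it, can be worked through with the following added example. It is not code from the thread, from Laszlo's p11-kit extractor or from edk2; it builds a bundle of one-certificate siglists the way the mail describes, parses such a bundle back with bounds checks, and models the quoted ASSERT (maximum of PcdMaxVariableSize and PcdMaxAuthVariableSize against the flash store) beside the proposed PcdMaxVolatileVariableSize check. The certificate payloads are constructed byte strings (not real X.509), the 128 KB flash store size is a constructed figure, and the 28-byte VARIABLE_STORE_HEADER and 32-byte VARIABLE_HEADER sizes are taken from edk2's VariableFormat.h as an assumption of this example rather than something the mail states; EFI_CERT_X509_GUID is the UEFI specification value.

```python
"""Added example (not from the thread or edk2): build, parse and size-check a bundle of
EFI_SIGNATURE_LISTs like the one behind EFI_TLS_CA_CERTIFICATE_VARIABLE, and model the
two PCD checks the mail describes."""
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI spec): SignatureType for a DER-encoded X.509 certificate.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (16) + SignatureListSize (4)
# + SignatureHeaderSize (4) + SignatureSize (4), little-endian.
SIGLIST_HDR = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16   # EFI_SIGNATURE_DATA.SignatureOwner precedes the cert bytes

# Assumed from edk2's VariableFormat.h (not restated in the mail):
# VARIABLE_STORE_HEADER is 28 bytes, the non-authenticated VARIABLE_HEADER is 32.
VARIABLE_STORE_HEADER_LEN = 28
VARIABLE_HEADER_LEN = 32


def build_siglist(cert_der: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """One EFI_SIGNATURE_LIST holding a single EFI_SIGNATURE_DATA (X.509 has no sig header)."""
    sig_size = OWNER_GUID_LEN + len(cert_der)
    list_size = SIGLIST_HDR.size + sig_size
    hdr = SIGLIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return hdr + owner.bytes_le + cert_der


def build_bundle(certs) -> bytes:
    """Concatenate one siglist per certificate, as the extractor in the mail does."""
    return b"".join(build_siglist(c) for c in certs)


def parse_bundle(data: bytes):
    """Walk a sequence of EFI_SIGNATURE_LISTs; return [(type_guid, owner_guid, payload)].
    Every size field is bounds-checked so a malformed variable cannot drive a read
    past the end of the buffer."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(data, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = data[off + SIGLIST_HDR.size + hdr_size : off + list_size]
        if sig_size <= OWNER_GUID_LEN or len(body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        for i in range(0, len(body), sig_size):
            entry = body[i : i + sig_size]
            entries.append((uuid.UUID(bytes_le=sig_type),
                            uuid.UUID(bytes_le=entry[:OWNER_GUID_LEN]),
                            entry[OWNER_GUID_LEN:]))
        off += list_size
    return entries


def variable_record_size(name: str, data_len: int) -> int:
    """Bytes one non-authenticated variable occupies in a store: header + UCS-2 name + data."""
    str_size = (len(name) + 1) * 2          # StrSize(): UCS-2 characters plus terminator
    return VARIABLE_HEADER_LEN + str_size + data_len


def nv_assert_holds(pcd_max_variable_size: int, pcd_max_auth_variable_size: int,
                    nv_store_length: int) -> bool:
    """The ASSERT quoted in the mail: GetNonVolatileMaxVariableSize(), the larger of the
    two PCDs, must fit inside the flash store minus its VARIABLE_STORE_HEADER."""
    nv_max = max(pcd_max_variable_size, pcd_max_auth_variable_size)
    return nv_max < nv_store_length - VARIABLE_STORE_HEADER_LEN


def volatile_variable_fits(data_len: int, pcd_max_volatile_variable_size: int,
                           pcd_variable_store_size: int) -> bool:
    """The proposed PcdMaxVolatileVariableSize limit, decoupled from the flash store."""
    record = variable_record_size("TlsCaCertificate", data_len)
    return (record <= pcd_max_volatile_variable_size
            and record <= pcd_variable_store_size - VARIABLE_STORE_HEADER_LEN)


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates (sizes only; not real X.509).
    certs = [b"\x30" + bytes(1199), b"\x30" + bytes(1599)]
    bundle = build_bundle(certs)
    print(len(bundle), [len(p) for _, _, p in parse_bundle(bundle)])
    kb = 1024
    # The mail's figures (182 KB bundle, PcdMaxVariableSize raised to 256 KB, 512 KB
    # volatile store) against a constructed 128 KB flash store.
    print(nv_assert_holds(256 * kb, 256 * kb, 128 * kb))          # False: the ASSERT fires
    print(nv_assert_holds(8 * kb, 10 * kb, 128 * kb))             # True: original-sized PCDs
    print(volatile_variable_fits(182 * kb, 256 * kb, 512 * kb))   # True: the split PCD covers it
```

Running it shows the shape of the problem in the mail: raising PcdMaxVariableSize to cover the bundle fails the flash-side ASSERT even though the variable is volatile, while a separate volatile limit admits the same 182 KB record without touching the non-volatile PCDs.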