Cc: Palmer Thomas Cc: Long Qin Cc: Ye Ting Cc: Fu Siyuan Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jiaxin Wu --- Readme.MD | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/Readme.MD b/Readme.MD index 2411042..389935e 100644 --- a/Readme.MD +++ b/Readme.MD @@ -31,11 +31,17 @@ CryptoPkg/Library/TlsLib/TlsLib.inf NetworkPkg/TlsDxe/TlsDxe.inf NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf ``` #### HTTPS Authentication -Currently, HTTPS boot feature only support server authentication with an unauthenticated client mode [RFC5246](https://tools.ietf.org/html/rfc5246). To support this mode, server CA certificate is required by Client. Private variable is used to configure this CA certificate. **EFI_SIGNATURE_LIST** format is used for this variable. In sum, the Server CA certificate must be configured first to enable HTTPS boot feature. The variable name and GUID are defined as below. +TLS supports three authentication modes ([RFC5246](https://tools.ietf.org/html/rfc5246)): +``` +1. Total anonymity: the server and client won’t authenticate each other. +2. One-way authentication: server authentication with an unauthenticated client. +3. Two-way authentication: authentication of both parties. +``` +Currently, HTTPS boot feature only support server authentication with an unauthenticated client mode. Others are not in our current feature support scope. To support one-way authentication mode, server CA certificate is required by Client. Private variable is used to configure this CA certificate. **EFI_SIGNATURE_LIST** format is used for this variable. In sum, the Server CA certificate must be configured first to enable HTTPS boot feature. The variable name and GUID are defined as below. ``` #define EFI_TLS_CA_CERTIFICATE_GUID \ { \ 0xfd2340D0, 0x3dab, 0x4349, { 0xa6, 0xc7, 0x3b, 0x4f, 0x12, 0xb4, 0x8e, 0xae } \ } -- 1.9.5.msysgit.1
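Review bot: In the Readme.MD hunk, the three-mode enumeration is wrapped in a ``` fence, so it will render as a code block rather than as text; since the three items are prose taken from RFC 5246 (Appendix F.1.1), a plain markdown numbered list without the fence would render correctly and keep the fences reserved for the .inf paths and the GUID define that the README already uses them for. The fenced item also carries a curly apostrophe in "won’t"; a plain ASCII apostrophe would match the rest of the file. While this paragraph is being rewritten, the surviving grammar issues could be fixed in the same patch: "HTTPS boot feature only support server authentication" should read "the HTTPS boot feature only supports server authentication", "server CA certificate is required by Client" should read "the client requires the server's CA certificate", and "Others are not in our current feature support scope" reads more clearly as "The other two modes are not currently supported."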