From: Jiaxin Wu
To: edk2-devel@lists.01.org
Cc: Palmer Thomas , Long Qin , Ye Ting , Fu Siyuan
Date: Tue, 16 Aug 2016 15:19:56 +0800
Message-Id: <1471331997-39972-2-git-send-email-jiaxin.wu@intel.com>
In-Reply-To: <1471331997-39972-1-git-send-email-jiaxin.wu@intel.com>
References: <1471331997-39972-1-git-send-email-jiaxin.wu@intel.com>
Subject: [staging/HTTPS-TLS][PATCH 1/2] Readme.MD: Clarify the feature support scope
List-Id: EDK II Development

Cc: Palmer Thomas
Cc: Long Qin
Cc: Ye Ting
Cc: Fu Siyuan
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiaxin Wu
---
 Readme.MD | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Readme.MD b/Readme.MD
index 2411042..389935e 100644
--- a/Readme.MD
+++ b/Readme.MD
@@ -31,11 +31,17 @@ CryptoPkg/Library/TlsLib/TlsLib.inf NetworkPkg/TlsDxe/TlsDxe.inf NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf ``` #### HTTPS Authentication -Currently, HTTPS boot feature only support server authentication with an unauthenticated client mode [RFC5246](https://tools.ietf.org/html/rfc5246). To support this mode, server CA certificate is required by Client. Private variable is used to configure this CA certificate. **EFI_SIGNATURE_LIST** format is used for this variable. In sum, the Server CA certificate must be configured first to enable HTTPS boot feature. The variable name and GUID are defined as below. +TLS supports three authentication modes ([RFC5246](https://tools.ietf.org/html/rfc5246)): +``` +1. Total anonymity: the server and client won’t authenticate each other. +2. One-way authentication: server authentication with an unauthenticated client. +3. Two-way authentication: authentication of both parties. +``` +Currently, HTTPS boot feature only support server authentication with an unauthenticated client mode. Others are not in our current feature support scope. To support one-way authentication mode, server CA certificate is required by Client. Private variable is used to configure this CA certificate. **EFI_SIGNATURE_LIST** format is used for this variable. In sum, the Server CA certificate must be configured first to enable HTTPS boot feature. The variable name and GUID are defined as below. ``` #define EFI_TLS_CA_CERTIFICATE_GUID \ { \ 0xfd2340D0, 0x3dab, 0x4349, { 0xa6, 0xc7, 0x3b, 0x4f, 0x12, 0xb4, 0x8e, 0xae } \ } -- 1.9.5.msysgit.1
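Review bot: the three-mode list added under "HTTPS Authentication" is wrapped in a ``` fence, so it renders as a monospace code block instead of a numbered list; drop the fence and write it as a plain markdown list (`1. Total anonymity: ...`), which also keeps the curly apostrophe in `won’t` out of code formatting. In the same paragraph, "HTTPS boot feature only support server authentication" reads better as "the HTTPS boot feature only supports server authentication", and "server CA certificate is required by Client" as "the client requires the server's CA certificate". Since the RFC 5246 link now backs the enumeration of modes rather than just the one supported mode, pointing it at the section that lists them (Appendix F.1.1) would let readers find the definitions directly.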