public inbox for devel@edk2.groups.io
* [Patch] Readme.MD: Add the feature support scope
@ 2016-11-25  3:53 Jiaxin Wu
  2016-11-25  7:36 ` Wu, Jiaxin
  0 siblings, 1 reply; 2+ messages in thread
From: Jiaxin Wu @ 2016-11-25  3:53 UTC (permalink / raw)
  To: edk2-devel
  Cc: Palmer Thomas, Ye Ting, Fu Siyuan, Long Qin, Li Ruth,
	Zimmer Vincent, Wu Jiaxin

This patch is used to add the feature support scope to indicate
the feature completeness criteria, and some contents are also 
updated/refined, e.g. Timeline and Feature Verification section.

Cc: Palmer Thomas <thomas.palmer@hpe.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Li Ruth <ruth.li@intel.com>
Cc: Zimmer Vincent <vincent.zimmer@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
---
 Readme.MD | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/Readme.MD b/Readme.MD
index a69a2f1..d16eb4c 100644
--- a/Readme.MD
+++ b/Readme.MD
@@ -33,11 +33,11 @@ NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
 ```
 
 #### HTTPS Authentication
 TLS supports three authentication modes ([RFC5246](https://tools.ietf.org/html/rfc5246)):
 ```
-1. Total anonymity: the server and client won’t authenticate each other.
+1. Total anonymity: the server and client will not authenticate each other.
 2. One-way authentication: server authentication with an unauthenticated client.
 3. Two-way authentication: authentication of both parties.
 ```
 Currently, HTTPS boot feature only support server authentication with an unauthenticated client mode. Others are not in our current feature support scope. To support one-way authentication mode, server CA certificate is required by Client. Private variable is used to configure this CA certificate. **EFI_SIGNATURE_LIST** format is used for this variable. In sum, the Server CA certificate must be configured first to enable HTTPS boot feature. The variable name and GUID are defined as below.
 ```
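Review bot: the only change in this hunk swaps the curly apostrophe in "won’t" for ASCII "will not", but the untouched context sentence just below still reads "HTTPS boot feature only support server authentication" and "server CA certificate is required by Client"; while editing this block it should become "only supports" and "the server CA certificate is required by the client". A smaller style point: the three authentication modes sit inside ``` fences, so Markdown renders them as a literal block instead of a numbered list; dropping the fences around lines 1-3 would let them render as the list they are.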
@@ -54,20 +54,29 @@ Currently, HTTPS boot feature only support server authentication with an unauthe
 | Time | Event | Related Module |
 |:----:|:-----:|:--------------:|
 | 2015.12 | Initial implementation for HTTPS boot feature by leveraging OpenSSL. | HttpDxe, OpensslTlsLib, TlsLib, TlsDxe |
 | 2016.3 | Provided an UI configured driver to support TLS server authentication. | TlsAuthConfigDxe |
 | 2016.4-7 | Hotfix and code refine according community feedback. | Tls1.h, TlsLib, HttpDxe |
+| 2016.8 | Prevent the CA certificates from the runtime phase attack. | TlsAuthConfigDxe |
 | 2016.9 | Support TLS Version negotiation. | TlsLib, HttpDxe |
 |...|...|...|
 
+## Feature Support Scope
+*	Feature usage: Load the specified file from the remote HTTPS server successfully and steadily.
+* UEFI Arch: IA32 and X64 platform.
+*	TLS version: TLS1.0/1.1/1.2, version negotiation.
+*	HTTPS authentication mode: One-way authentication.
+*	CA certificates management: Private variable, prevent runtime phase attack.
+
 ## Feature Verification
-Tomcat and IIS8 are selected as the HTTPS server to verifiy the result, Detiled see below table.
+Tomcat, IIS 8 and Apache2 are selected as the HTTPS server to verify the result of loading the UEFI shell boot file (Shell.efi), detailed see below table.
 
 | HTTPS Server | TLS 1.0 | TLS 1.1 | TLS1.2 |
 |:------------:|:-------:|:-------:|:------:|
 |Tomcat | Pass |Pass | Pass |
-|IIS8 | Pass | Pass | Failure |
+|IIS 8 | Pass | Pass | Failure |
+|Apache2 | Pass | Pass | Pass |
 
 ### NOTES
 TLS version 1.2 in windows server 2012 R2 IIS8 (As HTTPS server) CAN NOT collaborate with UEFI HTTPS client while version 1.1/1.0 works well. To make the UEFI HTTPS client in staging works properly, we have to disable TLS version 1.2 in windows server 2012 R2 by the below PowerShell script:
 ```
 New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
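Review bot: "Prevent the CA certificates from the runtime phase attack" in the new timeline row and "prevent runtime phase attack" in the new "CA certificates management" bullet do not say what is prevented or how; since that private variable is the trust anchor for one-way authentication, the README should name the mechanism (for example, which variable attributes or access restrictions apply after boot services end) so a reader can verify it on a platform. Two smaller points in the added "Feature Support Scope" list: the bullets mix a tab after `*` (Feature usage, TLS version, HTTPS authentication mode, CA certificates management) with a space (UEFI Arch), so one separator should be used throughout, and "detailed see below table" in the verification sentence should read "see the table below for details". Finally, the NOTES workaround of disabling TLS 1.2 on the Windows Server 2012 R2 IIS 8 server weakens that server; since the table already records TLS 1.2 as a failure there, the note should mark the registry change as a verification-only step and say whether the interoperability failure is being tracked on the client side.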
-- 
1.9.5.msysgit.1




* Re: [Patch] Readme.MD: Add the feature support scope
  2016-11-25  3:53 [Patch] Readme.MD: Add the feature support scope Jiaxin Wu
@ 2016-11-25  7:36 ` Wu, Jiaxin
  0 siblings, 0 replies; 2+ messages in thread
From: Wu, Jiaxin @ 2016-11-25  7:36 UTC (permalink / raw)
  To: edk2-devel@lists.01.org
  Cc: Palmer Thomas, Ye, Ting, Fu, Siyuan, Long, Qin, Li, Ruth,
	Zimmer, Vincent

Please ignore this patch since the subject prefix is incorrect ([staging/HTTPS-TLS][PATCH]). 

Thanks,
Jiaxin

> -----Original Message-----
> From: Wu, Jiaxin
> Sent: Friday, November 25, 2016 11:53 AM
> To: edk2-devel@lists.01.org
> Cc: Palmer Thomas <thomas.palmer@hpe.com>; Ye, Ting
> <ting.ye@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Long, Qin
> <qin.long@intel.com>; Li, Ruth <ruth.li@intel.com>; Zimmer, Vincent
> <vincent.zimmer@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>
> Subject: [Patch] Readme.MD: Add the feature support scope
> 
> This patch is used to add the feature support scope to indicate the feature
> completeness criteria, and some contents are also updated/refined, e.g.
> Timeline and Feature Verification section.
> 
> Cc: Palmer Thomas <thomas.palmer@hpe.com>
> Cc: Ye Ting <ting.ye@intel.com>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Cc: Long Qin <qin.long@intel.com>
> Cc: Li Ruth <ruth.li@intel.com>
> Cc: Zimmer Vincent <vincent.zimmer@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> ---
>  Readme.MD | 15 ++++++++++++---
>  1 file changed, 12 insertions(+), 3 deletions(-)
> 
> diff --git a/Readme.MD b/Readme.MD
> index a69a2f1..d16eb4c 100644
> --- a/Readme.MD
> +++ b/Readme.MD
> @@ -33,11 +33,11 @@ NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
>  ```
> 
>  #### HTTPS Authentication
>  TLS supports three authentication modes
> ([RFC5246](https://tools.ietf.org/html/rfc5246)):
>  ```
> -1. Total anonymity: the server and client won’t authenticate each other.
> +1. Total anonymity: the server and client will not authenticate each other.
>  2. One-way authentication: server authentication with an unauthenticated
> client.
>  3. Two-way authentication: authentication of both parties.
>  ```
>  Currently, HTTPS boot feature only support server authentication with an
> unauthenticated client mode. Others are not in our current feature support
> scope. To support one-way authentication mode, server CA certificate is
> required by Client. Private variable is used to configure this CA certificate.
> **EFI_SIGNATURE_LIST** format is used for this variable. In sum, the Server
> CA certificate must be configured first to enable HTTPS boot feature. The
> variable name and GUID are defined as below.
>  ```
> @@ -54,20 +54,29 @@ Currently, HTTPS boot feature only support server
> authentication with an unauthe  | Time | Event | Related Module |  |:----:|:--
> ---:|:--------------:|  | 2015.12 | Initial implementation for HTTPS boot feature
> by leveraging OpenSSL. | HttpDxe, OpensslTlsLib, TlsLib, TlsDxe |  | 2016.3 |
> Provided an UI configured driver to support TLS server authentication. |
> TlsAuthConfigDxe |  | 2016.4-7 | Hotfix and code refine according community
> feedback. | Tls1.h, TlsLib, HttpDxe |
> +| 2016.8 | Prevent the CA certificates from the runtime phase attack. |
> +| TlsAuthConfigDxe |
>  | 2016.9 | Support TLS Version negotiation. | TlsLib, HttpDxe |  |...|...|...|
> 
> +## Feature Support Scope
> +*	Feature usage: Load the specified file from the remote HTTPS server
> successfully and steadily.
> +* UEFI Arch: IA32 and X64 platform.
> +*	TLS version: TLS1.0/1.1/1.2, version negotiation.
> +*	HTTPS authentication mode: One-way authentication.
> +*	CA certificates management: Private variable, prevent runtime phase
> attack.
> +
>  ## Feature Verification
> -Tomcat and IIS8 are selected as the HTTPS server to verifiy the result,
> Detiled see below table.
> +Tomcat, IIS 8 and Apache2 are selected as the HTTPS server to verify the
> result of loading the UEFI shell boot file (Shell.efi), detailed see below table.
> 
>  | HTTPS Server | TLS 1.0 | TLS 1.1 | TLS1.2 |  |:------------:|:-------:|:-------:|:---
> ---:|
>  |Tomcat | Pass |Pass | Pass |
> -|IIS8 | Pass | Pass | Failure |
> +|IIS 8 | Pass | Pass | Failure |
> +|Apache2 | Pass | Pass | Pass |
> 
>  ### NOTES
>  TLS version 1.2 in windows server 2012 R2 IIS8 (As HTTPS server) CAN NOT
> collaborate with UEFI HTTPS client while version 1.1/1.0 works well. To make
> the UEFI HTTPS client in staging works properly, we have to disable TLS
> version 1.2 in windows server 2012 R2 by the below PowerShell script:
>  ```
>  New-Item
> 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Pr
> otocols\TLS 1.2\Server' -Force | Out-Null
> --
> 1.9.5.msysgit.1


