From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 0201B81ED5 for ; Thu, 24 Nov 2016 19:53:08 -0800 (PST) Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga104.jf.intel.com with ESMTP; 24 Nov 2016 19:53:08 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.31,693,1473145200"; d="scan'208";a="1063924594" Received: from jiaxinwu-mobl2.ccr.corp.intel.com ([10.239.196.183]) by orsmga001.jf.intel.com with ESMTP; 24 Nov 2016 19:53:06 -0800 From: Jiaxin Wu To: edk2-devel@lists.01.org Cc: Palmer Thomas , Ye Ting , Fu Siyuan , Long Qin , Li Ruth , Zimmer Vincent , Wu Jiaxin Date: Fri, 25 Nov 2016 11:53:04 +0800 Message-Id: <1480045984-132144-1-git-send-email-jiaxin.wu@intel.com> X-Mailer: git-send-email 1.9.5.msysgit.1 MIME-Version: 1.0 Subject: [Patch] Readme.MD: Add the feature support scope X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 Nov 2016 03:53:09 -0000 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch is used to add the feature support scope to indicate the feature completeness criteria, and some contents are also updated/refined, e.g. Timeline and Feature Verification section. Cc: Palmer Thomas Cc: Ye Ting Cc: Fu Siyuan Cc: Long Qin Cc: Li Ruth Cc: Zimmer Vincent Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Wu Jiaxin --- Readme.MD | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/Readme.MD b/Readme.MD index a69a2f1..d16eb4c 100644 --- a/Readme.MD +++ b/Readme.MD @@ -33,11 +33,11 @@ NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf ``` #### HTTPS Authentication TLS supports three authentication modes ([RFC5246](https://tools.ietf.org/html/rfc5246)): ``` -1. Total anonymity: the server and client won’t authenticate each other. +1. Total anonymity: the server and client will not authenticate each other. 2. One-way authentication: server authentication with an unauthenticated client. 3. Two-way authentication: authentication of both parties. ``` Currently, HTTPS boot feature only support server authentication with an unauthenticated client mode. Others are not in our current feature support scope. To support one-way authentication mode, server CA certificate is required by Client. Private variable is used to configure this CA certificate. **EFI_SIGNATURE_LIST** format is used for this variable. In sum, the Server CA certificate must be configured first to enable HTTPS boot feature. The variable name and GUID are defined as below. ``` @@ -54,20 +54,29 @@ Currently, HTTPS boot feature only support server authentication with an unauthe | Time | Event | Related Module | |:----:|:-----:|:--------------:| | 2015.12 | Initial implementation for HTTPS boot feature by leveraging OpenSSL. | HttpDxe, OpensslTlsLib, TlsLib, TlsDxe | | 2016.3 | Provided an UI configured driver to support TLS server authentication. | TlsAuthConfigDxe | | 2016.4-7 | Hotfix and code refine according community feedback. | Tls1.h, TlsLib, HttpDxe | +| 2016.8 | Prevent the CA certificates from the runtime phase attack. | TlsAuthConfigDxe | | 2016.9 | Support TLS Version negotiation. | TlsLib, HttpDxe | |...|...|...| +## Feature Support Scope +* Feature usage: Load the specified file from the remote HTTPS server successfully and steadily. +* UEFI Arch: IA32 and X64 platform. +* TLS version: TLS1.0/1.1/1.2, version negotiation. +* HTTPS authentication mode: One-way authentication. +* CA certificates management: Private variable, prevent runtime phase attack. + ## Feature Verification -Tomcat and IIS8 are selected as the HTTPS server to verifiy the result, Detiled see below table. +Tomcat, IIS 8 and Apache2 are selected as the HTTPS server to verify the result of loading the UEFI shell boot file (Shell.efi), detailed see below table. | HTTPS Server | TLS 1.0 | TLS 1.1 | TLS1.2 | |:------------:|:-------:|:-------:|:------:| |Tomcat | Pass |Pass | Pass | -|IIS8 | Pass | Pass | Failure | +|IIS 8 | Pass | Pass | Failure | +|Apache2 | Pass | Pass | Pass | ### NOTES TLS version 1.2 in windows server 2012 R2 IIS8 (As HTTPS server) CAN NOT collaborate with UEFI HTTPS client while version 1.1/1.0 works well. To make the UEFI HTTPS client in staging works properly, we have to disable TLS version 1.2 in windows server 2012 R2 by the below PowerShell script: ``` New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null -- 1.9.5.msysgit.1