public inbox for devel@edk2.groups.io
From: Laszlo Ersek <lersek@redhat.com>
To: Gary Lin <glin@suse.com>
Cc: edk2-devel@lists.01.org,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Jordan Justen <jordan.l.justen@intel.com>
Subject: Re: [PATCH v2 1/9] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot
Date: Thu, 12 Apr 2018 10:49:15 +0200	[thread overview]
Message-ID: <1549bd6e-9cca-6727-f9b9-4a00eeb06988@redhat.com> (raw)
In-Reply-To: <20180412070825.46rnknrjmg46sw3j@GaryWorkstation>

On 04/12/18 09:08, Gary Lin wrote:
> On Wed, Apr 11, 2018 at 12:42:39PM +0200, Laszlo Ersek wrote:
>> Read the list of trusted cipher suites from fw_cfg and to store it to
>> EFI_TLS_CA_CERTIFICATE_VARIABLE.
>>
>> The fw_cfg file is formatted by the "update-crypto-policies" utility on
>> the host side, so that the host settings take effect in guest HTTPS boot
>> as well. QEMU forwards the file intact to the firmware. The contents are
>> forwarded by NetworkPkg/HttpDxe (in TlsConfigCipherList()) to
>> NetworkPkg/TlsDxe (TlsSetSessionData()) and TlsLib (TlsSetCipherList()).
>>
> Hi Laszlo,
> 
> The description mentioned "update-crypto-policies" to format the cipher
> list. The command is not available in openSUSE and I downloaded the command
> from github repo[*]. However, I didn't find any command in the repo
> could create the binary cipher list.

Right, that feature is underway, and the Crypto team has agreed to
implement it for me. My apologies for being unclear about it. Until
then, a small shell script like the following can be used:

-----
# force a stable, ASCII-only locale so the sed pattern matches reliably
export LC_ALL=C

# "openssl ciphers -V" prints one line per cipher suite that starts with the
# suite's two-byte IANA code, e.g. "0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 ...";
# sed extracts the two hex bytes as "\\xHH \\xHH", xargs strips one level of
# backslashes when it splits the words, and printf '%b' emits the raw bytes,
# so ciphers.bin is just the two-byte codes concatenated in order
openssl ciphers -V \
| sed -r -n \
    -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
| xargs -r -- printf -- '%b' > ciphers.bin
-----

> Anyway, I found you also mentioned
> "openssl ciphers -V" in the cover letter, and I managed to convert the
> plaintext cipher list to the binary array. Maybe the description can be
> improved to avoid the confusion. (Or, I just found the wrong program...)

No, you are right; I figured I'd describe the end-state in the commit
message. I guess I can replace

  The fw_cfg file is formatted by the "update-crypto-policies" utility

with

  The fw_cfg file will be formatted by the "update-crypto-policies"
  utility

in the commit message.

> 
> BTW, the code looks good and works for me.
> 
> Reviewed-by: Gary Lin <glin@suse.com>
> Tested-by: Gary Lin <glin@suse.com>

Thanks Gary!
Laszlo
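As an added example that is not part of this thread or the patch series, the same conversion written in Python, together with a decoder for the resulting fw_cfg blob that rejects a size that is not a whole number of two-byte suite codes (a sanity check in the spirit of patch 3/9's DataSize verification; the exact check in that patch is not shown here). The sample "openssl ciphers -V" lines are constructed:

```python
import re
from typing import List, Tuple

# Constructed sample of "openssl ciphers -V" output. Only the leading
# "0xHH,0xHH - NAME" part matters to the conversion.
SAMPLE_OPENSSL_V = """\
          0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
"""

# Same pattern the sed one-liner uses: optional spaces, two hex bytes, " - ".
_LINE_RE = re.compile(r"^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - ")


def openssl_v_to_cipher_blob(text: str) -> bytes:
    """Build the fw_cfg blob: each suite contributes its two IANA code
    bytes in order, with no separators, exactly as the shell script does."""
    out = bytearray()
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            out += bytes((int(m.group(1), 16), int(m.group(2), 16)))
    return bytes(out)


def parse_cipher_blob(blob: bytes) -> List[Tuple[int, int]]:
    """Decode the blob back into (Data1, Data2) pairs. An empty blob or an
    odd number of bytes cannot be a list of two-byte suite codes, so this
    example rejects both before anything downstream consumes the data."""
    if len(blob) == 0 or len(blob) % 2 != 0:
        raise ValueError("cipher list size must be a non-zero multiple of 2")
    return [(blob[i], blob[i + 1]) for i in range(0, len(blob), 2)]
```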


Thread overview: 21+ messages
2018-04-11 10:42 [PATCH v2 0/9] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 1/9] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot Laszlo Ersek
2018-04-12  7:08   ` Gary Lin
2018-04-12  8:49     ` Laszlo Ersek [this message]
2018-04-12  9:10       ` Gary Lin
2018-04-12  9:43         ` Laszlo Ersek
2018-04-12 10:17           ` Gary Lin
2018-04-12 17:10             ` Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 2/9] MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 3/9] NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 4/9] NetworkPkg/TlsDxe: clean up byte order conversion " Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 5/9] CryptoPkg/TlsLib: replace TlsGetCipherString() with TlsGetCipherMapping() Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 6/9] CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping() function Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 7/9] CryptoPkg/TlsLib: pre-compute OpensslCipherLength in TlsCipherMappingTable Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 8/9] CryptoPkg/TlsLib: sanitize lib classes in internal header and INF Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 9/9] CryptoPkg/TlsLib: rewrite TlsSetCipherList() Laszlo Ersek
2018-04-12  6:32 ` [PATCH v2 0/9] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites Long, Qin
2018-04-12  8:51   ` Laszlo Ersek
2018-04-12  7:28 ` Wu, Jiaxin
2018-04-12  8:50   ` Laszlo Ersek
2018-04-13 12:10 ` Laszlo Ersek
