From: Laszlo Ersek <lersek@redhat.com>
To: Gary Lin
Cc: edk2-devel@lists.01.org, Ard Biesheuvel, Jordan Justen
Subject: Re: [PATCH v2 1/9] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot
Date: Thu, 12 Apr 2018 10:49:15 +0200
Message-ID: <1549bd6e-9cca-6727-f9b9-4a00eeb06988@redhat.com>
In-Reply-To: <20180412070825.46rnknrjmg46sw3j@GaryWorkstation>
References: <20180411104247.3758-1-lersek@redhat.com> <20180411104247.3758-2-lersek@redhat.com> <20180412070825.46rnknrjmg46sw3j@GaryWorkstation>

On 04/12/18 09:08, Gary Lin wrote:
> On Wed, Apr 11, 2018 at 12:42:39PM +0200, Laszlo Ersek wrote:
>> Read the list of trusted cipher suites from fw_cfg and store it to
>> EFI_TLS_CA_CERTIFICATE_VARIABLE.
>>
>> The fw_cfg file is formatted by the "update-crypto-policies" utility on
>> the host side, so that the host settings take effect in guest HTTPS boot
>> as well. QEMU forwards the file intact to the firmware. The contents are
>> forwarded by NetworkPkg/HttpDxe (in TlsConfigCipherList()) to
>> NetworkPkg/TlsDxe (TlsSetSessionData()) and TlsLib (TlsSetCipherList()).
>>
> Hi Laszlo,
>
> The description mentioned "update-crypto-policies" to format the cipher
> list. The command is not available in openSUSE and I downloaded the command
> from github repo[*]. However, I didn't find any command in the repo
> could create the binary cipher list.

Right, that feature is underway, and the Crypto team has agreed to
implement it for me. My apologies for being unclear about it.

Until then, a small shell script like the following can be used:

-----
export LC_ALL=C
openssl ciphers -V \
| sed -r -n \
    -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\x\1 \\x\2/p' \
| xargs -r -- printf -- '%b' > ciphers.bin
-----

> Anyway, I found you also mentioned
> "openssl ciphers -V" in the cover letter, and I managed to convert the
> plaintext cipher list to the binary array. Maybe the description can be
> improved to avoid the confusion. (Or, I just found the wrong program...)

No, you are right; I figured I'd describe the end-state in the commit
message.

I guess I can replace

  The fw_cfg file is formatted by the "update-crypto-policies" utility

with

  The fw_cfg file will be formatted by the "update-crypto-policies" utility

in the commit message.

>
> BTW, the code looks good and works for me.
>
> Reviewed-by: Gary Lin
> Tested-by: Gary Lin

Thanks Gary!
Laszlo
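An added example (not from the thread above or from the edk2/OVMF tree) that does in Python what the shell pipeline in the message does, and also decodes the resulting blob so it can be checked before it is handed to QEMU: it parses constructed sample lines in the `openssl ciphers -V` format, emits the two suite ID bytes per line in the order openssl prints them, and verifies that a blob has even length and no duplicate suites. The byte order assumption (high byte first, i.e. the IANA cipher suite value as 16-bit big-endian) follows from the order in which the sed expression emits `\x\1 \x\2`.

```python
import re
import struct

# Constructed sample in the format printed by `openssl ciphers -V`
# (not captured from the thread); the real tool prints one enabled suite per line.
SAMPLE_OPENSSL_CIPHERS_V = """\
          0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
this line does not describe a suite and must be skipped
"""

# Same shape as the sed pattern in the message: two hex bytes, a dash, then the name.
_SUITE_LINE = re.compile(r"^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - (\S+)")


def parse_ciphers_v(text):
    """Return [(suite_id, name), ...] from `openssl ciphers -V` output."""
    suites = []
    for line in text.splitlines():
        m = _SUITE_LINE.match(line)
        if m:
            suites.append((int(m.group(1) + m.group(2), 16), m.group(3)))
    return suites


def encode_cipher_blob(suites):
    """Build the fw_cfg payload: the two ID bytes of each suite, high byte first,
    exactly as the shell pipeline's printf '%b' writes them to ciphers.bin."""
    return b"".join(struct.pack(">H", suite_id) for suite_id, _name in suites)


def decode_cipher_blob(blob):
    """Inverse of encode_cipher_blob, with the checks worth running on a blob
    before it is exposed to a guest: even length and no duplicate suites."""
    if len(blob) % 2 != 0:
        raise ValueError("cipher blob has odd length %d" % len(blob))
    ids = [struct.unpack(">H", blob[i:i + 2])[0] for i in range(0, len(blob), 2)]
    if len(ids) != len(set(ids)):
        raise ValueError("cipher blob lists the same suite more than once")
    return ids


if __name__ == "__main__":
    blob = encode_cipher_blob(parse_ciphers_v(SAMPLE_OPENSSL_CIPHERS_V))
    with open("ciphers.bin", "wb") as f:
        f.write(blob)
    print(["0x%04X" % i for i in decode_cipher_blob(blob)])
```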