From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <lersek@redhat.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=209.132.183.28; helo=mx1.redhat.com; envelope-from=lersek@redhat.com;
 receiver=edk2-devel@lists.01.org 
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id C141A2117B552
 for <edk2-devel@lists.01.org>; Wed, 21 Nov 2018 03:07:19 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com
 [10.5.11.13])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id 49E113086259;
 Wed, 21 Nov 2018 11:07:19 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-240.rdu2.redhat.com
 [10.10.120.240])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 3D5AB5F7DB;
 Wed, 21 Nov 2018 11:07:18 +0000 (UTC)
To: Fu Siyuan <siyuan.fu@intel.com>, edk2-devel@lists.01.org
Cc: Anthony Perard <anthony.perard@citrix.com>,
 Jordan Justen <jordan.l.justen@intel.com>
References: <20181121052819.15744-1-siyuan.fu@intel.com>
 <20181121052819.15744-6-siyuan.fu@intel.com>
From: Laszlo Ersek <lersek@redhat.com>
Message-ID: <19a413d8-c461-2f4b-9665-66c76deb4c3a@redhat.com>
Date: Wed, 21 Nov 2018 12:07:17 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <20181121052819.15744-6-siyuan.fu@intel.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.49]); Wed, 21 Nov 2018 11:07:19 +0000 (UTC)
Subject: Re: [PATCH 5/6] OvmfPkg: Update DSC/FDF to use NetworkPkg's include fragment file.
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2018 11:07:20 -0000
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit

As I said, I wouldn't like to review this patch in detail right now.
Just some light comments:

On 11/21/18 06:28, Fu Siyuan wrote:
> This patch updates the platform DSC/FDF files to use the include fragment
> files provided by NetworkPkg.
> The feature enabling flags in [Defines] section have been updated to use
> the NetworkPkg's terms, and the value has been overridden with the original
> default value on this platform.
> 
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Julien Grall <julien.grall@linaro.org>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
> ---
>  OvmfPkg/OvmfPkgIa32.dsc    | 52 ++++---------------
>  OvmfPkg/OvmfPkgIa32.fdf    | 25 +--------
>  OvmfPkg/OvmfPkgIa32X64.dsc | 53 ++++----------------
>  OvmfPkg/OvmfPkgIa32X64.fdf | 25 +--------
>  OvmfPkg/OvmfPkgX64.dsc     | 52 ++++---------------
>  OvmfPkg/OvmfPkgX64.fdf     | 25 +--------
>  6 files changed, 36 insertions(+), 196 deletions(-)
> 
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index eccf34d3d1cb..5d6ea3e67001 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -35,12 +35,21 @@ [Defines]
>    # -D FLAG=VALUE
>    #
>    DEFINE SECURE_BOOT_ENABLE      = FALSE
> -  DEFINE NETWORK_IP6_ENABLE      = FALSE
> -  DEFINE HTTP_BOOT_ENABLE        = FALSE
>    DEFINE SMM_REQUIRE             = FALSE
>    DEFINE TLS_ENABLE              = FALSE
>    DEFINE TPM2_ENABLE             = FALSE
>  
> +  DEFINE NETWORK_IP6_ENABLE = FALSE
> +  #
> +  # TLS_ENABLE flag is used to control platform specific configuration for TLS support.
> +  # NETWORK_TLS_ENABLE should always be set to FALSE.
> +  #
> +  DEFINE NETWORK_TLS_ENABLE = FALSE

(1) Ah, OK, I understand, so basically the suggestion is that OVMF not
make use of NETWORK_TLS_ENABLE, but continue using its own TLS_ENABLE
solution.

Hmmm. I wonder if that's helpful at all. To me it seems to increase the
confusion rather than decrease it.

I guess it can work, but then we should rename TLS_ENABLE to something
better, such as "PLATFORM_TLS_ENABLE". And this comment should be more
detailed *why* we do that. (We do that because we configure the CA
certificates and the cipher suites with a null class lib instance hooked
into TlsAuthConfigDxe, which downloads the necessary data from QEMU via
fw_cfg.)

> +  DEFINE NETWORK_HTTP_BOOT_ENABLE       = FALSE
> +  DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = FALSE

(2) This (i.e. NETWORK_ALLOW_HTTP_CONNECTIONS=FALSE) is wrong. We set
PcdAllowHttpConnections to TRUE on purpose. See commit 4b2fb7986d57
("OvmfPkg: Allow HTTP connections if HTTP Boot enabled", 2017-01-23).

More after you post v2, I think.

Thanks!
Laszlo