From: Laszlo Ersek
To: edk2-devel-01
Cc: Anthony Perard, Ard Biesheuvel, Eric Dong, Gary Ching-Pang Lin, Jordan Justen, Julien Grall, Ruiyu Ni, Star Zeng
Date: Wed, 28 Mar 2018 22:26:47 +0200
Message-Id: <20180328202651.1478-1-lersek@redhat.com>
Subject: [PATCH 0/4] MdeModulePkg, OvmfPkg: support large CA cert list for HTTPS boot
List-Id: EDK II Development

Repo:   https://github.com/lersek/edk2.git
Branch: https_cacert_rhbz_1536624

The trusted CA certificates for HTTPS boot can be specified in EFI_TLS_CA_CERTIFICATE_VARIABLE. The platform may choose to create this variable as volatile and set it on every boot as appropriate.

The OVMF feature is that the virtualization host passes down an fw_cfg blob that carries the CA certs trusted on the host side, and the OVMF HTTPS boot will verify web servers against that certificate bundle.

(For (part of) the host side implementation, refer to SetVariable() etc), and the driver stack expects the FVB impls to use the non-volatile storage PCDs (regardless of the actual FVB backing store). Patch #2 fixes this (without change in behavior) in OvmfPkg/EmuVariableFvbRuntimeDxe.

Patch #3 adds a bit of documentation to the OVMF DSC files, as a continuation of patch #2.

Patch #4 implements the feature, raising both limits (liberated in earlier patches) and populating EFI_TLS_CA_CERTIFICATE_VARIABLE from fw_cfg.

I've done reasonable HTTPS boot testing and regression testing too (including "-bios" with OVMF and pflash with ArmVirtQemu). Independent testing would be highly appreciated (feature and regression alike).

This email is too long and so are the commit messages, but I'm too tired to trim them; apologies.

Cc: Anthony Perard
Cc: Ard Biesheuvel
Cc: Eric Dong
Cc: Gary Ching-Pang Lin
Cc: Jordan Justen
Cc: Julien Grall
Cc: Ruiyu Ni
Cc: Star Zeng

Thanks,
Laszlo

Laszlo Ersek (4):
  MdeModulePkg/Variable/RuntimeDxe: introduce PcdMaxVolatileVariableSize
  OvmfPkg/EmuVariableFvbRuntimeDxe: stop using PcdVariableStoreSize
  OvmfPkg: annotate "PcdVariableStoreSize := PcdFlashNvStorageVariableSize"
  OvmfPkg/TlsAuthConfigLib: configure trusted CA certs for HTTPS boot

 MdeModulePkg/MdeModulePkg.dec                                     |   8 ++
 MdeModulePkg/MdeModulePkg.uni                                     |   8 ++
 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c             |  50 ++++++--
 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.h             |  12 ++
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf |   1 +
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c          |   2 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf        |   1 +
 OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.c                            |   6 +-
 OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf                          |   3 +-
 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c               | 133 ++++++++++++++++++++
 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf             |  55 ++++++++
 OvmfPkg/OvmfPkgIa32.dsc                                           |  15 ++-
 OvmfPkg/OvmfPkgIa32X64.dsc                                        |  15 ++-
 OvmfPkg/OvmfPkgX64.dsc                                            |  15 ++-
 14 files changed, 308 insertions(+), 16 deletions(-)
 create mode 100644 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c
 create mode 100644 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf

--
2.14.1.3.gb7cf6e02401b
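
As an added illustration, not code from this series or from edk2: a structural check that a host-side tool could run on the CA certificate blob before passing it down, assuming the blob is a concatenation of EFI_SIGNATURE_LIST structures as defined in the UEFI specification. The names count_ca_certs and make_sample are hypothetical, and max_var_size is a hypothetical stand-in for the platform's volatile variable size limit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EFI_CERT_X509_GUID (UEFI spec), in its in-memory byte order. */
static const uint8_t X509_GUID[16] = {
  0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
  0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };
#define SIGLIST_HDR 28u  /* GUID + ListSize + HeaderSize + SignatureSize */
#define OWNER_GUID  16u  /* EFI_SIGNATURE_DATA.SignatureOwner */

static uint32_t le32(const uint8_t *p) {
  return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v) {
  for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Returns the number of X.509 entries in the blob, or -1 if it is malformed
   or larger than max_var_size (assumed limit, not a value from the series). */
int count_ca_certs(const uint8_t *blob, size_t size, size_t max_var_size) {
  int certs = 0;
  if (size == 0 || size > max_var_size) return -1;
  while (size > 0) {
    if (size < SIGLIST_HDR) return -1;            /* truncated list header */
    uint32_t list = le32(blob + 16), hdr = le32(blob + 20), sig = le32(blob + 24);
    if (list > size || list < SIGLIST_HDR) return -1;
    uint32_t body = list - SIGLIST_HDR;
    if (hdr > body || sig <= OWNER_GUID) return -1;
    body -= hdr;
    if (body == 0 || body % sig != 0) return -1;  /* whole entries only */
    if (memcmp(blob, X509_GUID, 16) == 0) certs += (int)(body / sig);
    blob += list; size -= list;                   /* next signature list */
  }
  return certs;
}

/* Constructed sample: one list with one X.509 entry of cert_len zero bytes. */
size_t make_sample(uint8_t *out, uint32_t cert_len) {
  uint32_t sig = OWNER_GUID + cert_len, list = SIGLIST_HDR + sig;
  memset(out, 0, list);
  memcpy(out, X509_GUID, 16);
  put32(out + 16, list); put32(out + 24, sig);
  return list;
}

int main(void) {
  uint8_t buf[256];
  printf("certs: %d\n", count_ca_certs(buf, make_sample(buf, 64), 1024));
  return 0;
}
```

The check covers framing only; it does not parse the DER certificates or decide whether they should be trusted.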