From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <lersek@redhat.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com;
 receiver=edk2-devel@lists.01.org 
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 5A73522106DC1
 for <edk2-devel@lists.01.org>; Wed, 28 Mar 2018 13:20:17 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com
 [10.11.54.3])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id D29864068051;
 Wed, 28 Mar 2018 20:26:55 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-75.rdu2.redhat.com
 [10.10.120.75])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 0F00010B2B26;
 Wed, 28 Mar 2018 20:26:53 +0000 (UTC)
From: Laszlo Ersek <lersek@redhat.com>
To: edk2-devel-01 <edk2-devel@lists.01.org>
Cc: Anthony Perard <anthony.perard@citrix.com>,
 Ard Biesheuvel <ard.biesheuvel@linaro.org>,
 Eric Dong <eric.dong@intel.com>, Gary Ching-Pang Lin <glin@suse.com>,
 Jordan Justen <jordan.l.justen@intel.com>,
 Julien Grall <julien.grall@linaro.org>, Ruiyu Ni <ruiyu.ni@intel.com>,
 Star Zeng <star.zeng@intel.com>
Date: Wed, 28 Mar 2018 22:26:47 +0200
Message-Id: <20180328202651.1478-1-lersek@redhat.com>
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.11.55.5]); Wed, 28 Mar 2018 20:26:55 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]);
 Wed, 28 Mar 2018 20:26:55 +0000 (UTC) for IP:'10.11.54.3'
 DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com'
 HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:''
Subject: [PATCH 0/4] MdeModulePkg, OvmfPkg: support large CA cert list for HTTPS boot
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2018 20:20:18 -0000

Repo:   https://github.com/lersek/edk2.git
Branch: https_cacert_rhbz_1536624

The trusted CA certificates for HTTPS boot can be specified in
EFI_TLS_CA_CERTIFICATE_VARIABLE. The platform may choose to create this
variable as volatile and set it on every boot as appropriate. The OVMF
feature is that the virtualization host passes down an fw_cfg blob that
carries the CA certs trusted on the host side, and the OVMF HTTPS boot
will verify web servers against that certificate bundle. (For (part of)
the host side implementation, refer to
<https://github.com/p11-glue/p11-kit/pull/137.)

The challenge for edk2 is that the CA cert list from the host side is
huge; on my laptop it is 182KB when formatted to the EFI_SIGNATURE_LIST
sequence expected by NetworkPkg/HttpDxe. Storing this in a non-volatile
EFI_TLS_CA_CERTIFICATE_VARIABLE is out of the question, but even when
making EFI_TLS_CA_CERTIFICATE_VARIABLE volatile, there are two limits
that need raising:

(1) the individual limit on volatile variables,
(2) the cumulative limit on volatile variables.

Regarding (1), the edk2 variable driver does not distinguish a limit for
volatile non-auth vs. non-volatile non-auth variables. The first patch
introduces "PcdMaxVolatileVariableSize" for this, in a backwards
compatible way (i.e. platforms that don't care need not learn about it).
The new PCD lets a platform raise the individual limit just for volatile
non-auth variables.

Regarding (2), OvmfPkg/EmuVariableFvbRuntimeDxe has a bug where it
abuses the cumulative limit on volatile variables for the live size of
the emulated non-volatile variable store. The difference is that
"volatile variables" are volatile on the UEFI service API level
(gRT->SetVariable() etc), and the driver stack expects the FVB impls to
use the non-volatile storage PCDs (regardless of the actual FVB backing
store). Patch #2 fixes this (without change in behavior) in
OvmfPkg/EmuVariableFvbRuntimeDxe.

Patch #3 adds a bit of documentation to the OVMF DSC files, as a
continuation of patch #2.

Patch #4 implements the feature, raising both limits (liberated in
earlier patches) and populating EFI_TLS_CA_CERTIFICATE_VARIABLE from
fw_cfg.

I've done reasonable HTTPS boot testing and regression testing too
(including "-bios" with OVMF and pflash with ArmVirtQemu). Indepdent
testing would be highly appreciated (feature and regression alike).

This email is too long and so are the commit messages, but I'm too tired
to trim them; apologies.

Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Gary Ching-Pang Lin <glin@suse.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien.grall@linaro.org>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>

Thanks,
Laszlo

Laszlo Ersek (4):
  MdeModulePkg/Variable/RuntimeDxe: introduce PcdMaxVolatileVariableSize
  OvmfPkg/EmuVariableFvbRuntimeDxe: stop using PcdVariableStoreSize
  OvmfPkg: annotate "PcdVariableStoreSize :=
    PcdFlashNvStorageVariableSize"
  OvmfPkg/TlsAuthConfigLib: configure trusted CA certs for HTTPS boot

 MdeModulePkg/MdeModulePkg.dec                                     |   8 ++
 MdeModulePkg/MdeModulePkg.uni                                     |   8 ++
 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c             |  50 ++++++--
 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.h             |  12 ++
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf |   1 +
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c          |   2 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf        |   1 +
 OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.c                            |   6 +-
 OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf                          |   3 +-
 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c               | 133 ++++++++++++++++++++
 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf             |  55 ++++++++
 OvmfPkg/OvmfPkgIa32.dsc                                           |  15 ++-
 OvmfPkg/OvmfPkgIa32X64.dsc                                        |  15 ++-
 OvmfPkg/OvmfPkgX64.dsc                                            |  15 ++-
 14 files changed, 308 insertions(+), 16 deletions(-)
 create mode 100644 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c
 create mode 100644 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf

-- 
2.14.1.3.gb7cf6e02401b