From: Gary Lin <glin@suse.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: edk2-devel-01 <edk2-devel@lists.01.org>,
Anthony Perard <anthony.perard@citrix.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Eric Dong <eric.dong@intel.com>,
Jordan Justen <jordan.l.justen@intel.com>,
Julien Grall <julien.grall@linaro.org>,
Ruiyu Ni <ruiyu.ni@intel.com>, Star Zeng <star.zeng@intel.com>
Subject: Re: [PATCH 0/4] MdeModulePkg, OvmfPkg: support large CA cert list for HTTPS boot
Date: Fri, 30 Mar 2018 12:39:17 +0800
Message-ID: <20180330043917.cwsofdpo634yejpo@GaryWorkstation>
In-Reply-To: <20180328202651.1478-1-lersek@redhat.com>
On Wed, Mar 28, 2018 at 10:26:47PM +0200, Laszlo Ersek wrote:
> Repo: https://github.com/lersek/edk2.git
> Branch: https_cacert_rhbz_1536624
>
This patch series is great and I like it :)
Configuring the CA list dynamically is really useful and flexible for
the administrator.
I read the code and tested it with my self-signed server, and it worked
as expected.
Reviewed-by: Gary Lin <glin@suse.com>
Tested-by: Gary Lin <glin@suse.com>
> The trusted CA certificates for HTTPS boot can be specified in
> EFI_TLS_CA_CERTIFICATE_VARIABLE. The platform may choose to create this
> variable as volatile and set it on every boot as appropriate. The OVMF
> feature is that the virtualization host passes down an fw_cfg blob that
> carries the CA certs trusted on the host side, and the OVMF HTTPS boot
> will verify web servers against that certificate bundle. (For (part of)
> the host side implementation, refer to
> <https://github.com/p11-glue/p11-kit/pull/137>.)
>
> The challenge for edk2 is that the CA cert list from the host side is
> huge; on my laptop it is 182KB when formatted to the EFI_SIGNATURE_LIST
> sequence expected by NetworkPkg/HttpDxe. Storing this in a non-volatile
> EFI_TLS_CA_CERTIFICATE_VARIABLE is out of the question, but even when
> making EFI_TLS_CA_CERTIFICATE_VARIABLE volatile, there are two limits
> that need raising:
>
> (1) the individual limit on volatile variables,
> (2) the cumulative limit on volatile variables.
>
> Regarding (1), the edk2 variable driver does not distinguish a limit for
> volatile non-auth vs. non-volatile non-auth variables. The first patch
> introduces "PcdMaxVolatileVariableSize" for this, in a backwards
> compatible way (i.e. platforms that don't care need not learn about it).
> The new PCD lets a platform raise the individual limit just for volatile
> non-auth variables.
>
> Regarding (2), OvmfPkg/EmuVariableFvbRuntimeDxe has a bug where it
> abuses the cumulative limit on volatile variables for the live size of
> the emulated non-volatile variable store. The difference is that
> "volatile variables" are volatile on the UEFI service API level
> (gRT->SetVariable() etc), and the driver stack expects the FVB impls to
> use the non-volatile storage PCDs (regardless of the actual FVB backing
> store). Patch #2 fixes this (without change in behavior) in
> OvmfPkg/EmuVariableFvbRuntimeDxe.
>
> Patch #3 adds a bit of documentation to the OVMF DSC files, as a
> continuation of patch #2.
>
> Patch #4 implements the feature, raising both limits (liberated in
> earlier patches) and populating EFI_TLS_CA_CERTIFICATE_VARIABLE from
> fw_cfg.
>
> I've done reasonable HTTPS boot testing and regression testing too
> (including "-bios" with OVMF and pflash with ArmVirtQemu). Independent
> testing would be highly appreciated (feature and regression alike).
>
> This email is too long and so are the commit messages, but I'm too tired
> to trim them; apologies.
>
> Cc: Anthony Perard <anthony.perard@citrix.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Eric Dong <eric.dong@intel.com>
> Cc: Gary Ching-Pang Lin <glin@suse.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Julien Grall <julien.grall@linaro.org>
> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
> Cc: Star Zeng <star.zeng@intel.com>
>
> Thanks,
> Laszlo
>
> Laszlo Ersek (4):
> MdeModulePkg/Variable/RuntimeDxe: introduce PcdMaxVolatileVariableSize
> OvmfPkg/EmuVariableFvbRuntimeDxe: stop using PcdVariableStoreSize
> OvmfPkg: annotate "PcdVariableStoreSize :=
> PcdFlashNvStorageVariableSize"
> OvmfPkg/TlsAuthConfigLib: configure trusted CA certs for HTTPS boot
>
> MdeModulePkg/MdeModulePkg.dec | 8 ++
> MdeModulePkg/MdeModulePkg.uni | 8 ++
> MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 50 ++++++--
> MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.h | 12 ++
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 1 +
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c | 2 +-
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 1 +
> OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.c | 6 +-
> OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf | 3 +-
> OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c | 133 ++++++++++++++++++++
> OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf | 55 ++++++++
> OvmfPkg/OvmfPkgIa32.dsc | 15 ++-
> OvmfPkg/OvmfPkgIa32X64.dsc | 15 ++-
> OvmfPkg/OvmfPkgX64.dsc | 15 ++-
> 14 files changed, 308 insertions(+), 16 deletions(-)
> create mode 100644 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c
> create mode 100644 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf
>
> --
> 2.14.1.3.gb7cf6e02401b
>
>
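The cover letter describes the CA bundle as an EFI_SIGNATURE_LIST sequence that must fit a raised volatile-variable limit. The following is an added example, not code from the patch series: it builds such a sequence from constructed placeholder byte strings (not real DER certificates), walks it back validating every header, and checks the result against a hypothetical PcdMaxVolatileVariableSize value. EFI_CERT_X509_GUID and the structure layout come from the UEFI specification; the limit check ignores the variable header and name overhead as a simplification.

```python
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI spec). EFI_GUID fields are little-endian on the wire.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HDR = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16  # EFI_SIGNATURE_DATA.SignatureOwner precedes the certificate bytes

def build_x509_list(der: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """One EFI_SIGNATURE_LIST holding one X.509 certificate. SignatureSize is fixed
    per list and certificates differ in length, so a bundle is one list per cert."""
    sig_size = OWNER_GUID_LEN + len(der)
    list_size = SIG_LIST_HDR.size + sig_size
    return (SIG_LIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
            + owner.bytes_le + der)

def parse_signature_lists(blob: bytes):
    """Walk an EFI_SIGNATURE_LIST sequence; return [(type GUID, [cert bytes, ...]), ...].
    Raises ValueError on a truncated or internally inconsistent list."""
    out, off = [], 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        typ, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off)
        body = list_size - SIG_LIST_HDR.size - hdr_size
        if (list_size > len(blob) - off or body < 0
                or sig_size <= OWNER_GUID_LEN or body % sig_size):
            raise ValueError(f"inconsistent EFI_SIGNATURE_LIST at offset {off}")
        sigs, p = [], off + SIG_LIST_HDR.size + hdr_size
        for _ in range(body // sig_size):
            sigs.append(blob[p + OWNER_GUID_LEN:p + sig_size])  # skip SignatureOwner
            p += sig_size
        out.append((uuid.UUID(bytes_le=typ), sigs))
        off += list_size
    return out

def fits_volatile_limit(blob: bytes, max_volatile_variable_size: int) -> bool:
    """Does the bundle fit the per-variable limit? (Assumed hypothetical limit value;
    variable header and name overhead are deliberately omitted here.)"""
    return len(blob) <= max_volatile_variable_size

# Constructed sample input: three placeholder "certificates" of different lengths.
FAKE_CERTS = [b"\x30\x82" + bytes([i]) * n for i, n in ((1, 40), (2, 57), (3, 33))]
CA_BUNDLE = b"".join(build_x509_list(c) for c in FAKE_CERTS)

if __name__ == "__main__":
    lists = parse_signature_lists(CA_BUNDLE)
    print(len(lists), "lists,", len(CA_BUNDLE), "bytes, fits 0x1000:",
          fits_volatile_limit(CA_BUNDLE, 0x1000))
```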
Thread overview: 16+ messages
2018-03-28 20:26 [PATCH 0/4] MdeModulePkg, OvmfPkg: support large CA cert list for HTTPS boot Laszlo Ersek
2018-03-28 20:26 ` [PATCH 1/4] MdeModulePkg/Variable/RuntimeDxe: introduce PcdMaxVolatileVariableSize Laszlo Ersek
2018-03-29 1:34 ` Zeng, Star
2018-03-29 12:19 ` Laszlo Ersek
2018-03-30 0:54 ` Zeng, Star
2018-03-28 20:26 ` [PATCH 2/4] OvmfPkg/EmuVariableFvbRuntimeDxe: stop using PcdVariableStoreSize Laszlo Ersek
2018-03-30 10:57 ` Ard Biesheuvel
2018-03-28 20:26 ` [PATCH 3/4] OvmfPkg: annotate "PcdVariableStoreSize := PcdFlashNvStorageVariableSize" Laszlo Ersek
2018-03-30 10:58 ` Ard Biesheuvel
2018-03-28 20:26 ` [PATCH 4/4] OvmfPkg/TlsAuthConfigLib: configure trusted CA certs for HTTPS boot Laszlo Ersek
2018-03-30 11:00 ` Ard Biesheuvel
2018-03-29 4:56 ` [PATCH 0/4] MdeModulePkg, OvmfPkg: support large CA cert list " Palmer, Thomas
2018-03-29 11:57 ` Laszlo Ersek
2018-03-29 18:17 ` Palmer, Thomas
2018-03-30 4:39 ` Gary Lin [this message]
2018-03-30 19:43 ` Laszlo Ersek