From: Laszlo Ersek <lersek@redhat.com>
To: edk2-devel-01 <edk2-devel@lists.01.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Gary Ching-Pang Lin <glin@suse.com>,
Jiaxin Wu <jiaxin.wu@intel.com>,
Jordan Justen <jordan.l.justen@intel.com>,
Liming Gao <liming.gao@intel.com>,
Michael D Kinney <michael.d.kinney@intel.com>,
Qin Long <qin.long@intel.com>, Siyuan Fu <siyuan.fu@intel.com>,
Ting Ye <ting.ye@intel.com>
Subject: [PATCH 00/13] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites
Date: Tue, 3 Apr 2018 16:51:36 +0200 [thread overview]
Message-ID: <20180403145149.8925-1-lersek@redhat.com> (raw)
Repo: https://github.com/lersek/edk2.git
Branch: tls_ciphers
Earlier I posted two patch sets for better platform control of the CA
certificates used in HTTPS booting (and for putting that control to use
in OVMF):
[edk2] [PATCH 0/5] NetworkPkg: HTTP and TLS updates
[edk2] [PATCH 0/4] MdeModulePkg, OvmfPkg: support large CA cert list
for HTTPS boot
These series have been committed; thank you everyone that helped with
review and testing.
My next goal is better platform control of the TLS cipher suites that
are used in HTTPS booting (and similarly, putting that control to use in
OVMF). That's what this series is about.
You'll see references to TianoCore BZ#915 in the commit messages. The BZ
is not public just yet, because I originally thought that I found
security issues. It turns out that's not the case, so the BZ should be
opened up soon. Either way, the commit messages contain enough
information about the code changes.
I'm aware some of my reviewers are currently traveling for business --
please take your time and feel free to review the patches whenever it
best suits you.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Ching-Pang Lin <glin@suse.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Thanks!
Laszlo
Laszlo Ersek (13):
OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS
boot
MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC
NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList
NetworkPkg/TlsDxe: clean up byte order conversion for EfiTlsCipherList
CryptoPkg/TlsLib: replace TlsGetCipherString() with
TlsGetCipherMapping()
CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping()
function
CryptoPkg/TlsLib: pre-compute OpensslCipherLength in
TlsCipherMappingTable
CryptoPkg/TlsLib: add the "TlsMappingTable.sh" POSIX shell script
CryptoPkg/TlsLib: extend "TlsCipherMappingTable"
CryptoPkg/TlsLib: sort [LibraryClasses] section in the INF file
CryptoPkg/TlsLib: sanitize lib classes in internal header and INF
CryptoPkg/TlsLib: clean up leading comment for TlsSetCipherList()
CryptoPkg/TlsLib: rewrite TlsSetCipherList()
CryptoPkg/Include/Library/TlsLib.h | 9 +-
CryptoPkg/Library/TlsLib/InternalTlsLib.h | 4 +
CryptoPkg/Library/TlsLib/TlsConfig.c | 448 +++++++++++++++++---
CryptoPkg/Library/TlsLib/TlsLib.inf | 11 +-
CryptoPkg/Library/TlsLib/TlsMappingTable.sh | 140 ++++++
MdePkg/Include/Protocol/Tls.h | 10 +
NetworkPkg/TlsDxe/TlsProtocol.c | 17 +-
OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c | 98 +++++
OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf | 3 +-
9 files changed, 664 insertions(+), 76 deletions(-)
create mode 100644 CryptoPkg/Library/TlsLib/TlsMappingTable.sh
--
2.14.1.3.gb7cf6e02401b
next reply other threads:[~2018-04-03 14:51 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-03 14:51 Laszlo Ersek [this message]
2018-04-03 14:51 ` [PATCH 01/13] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot Laszlo Ersek
2018-04-03 14:51 ` [PATCH 02/13] MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC Laszlo Ersek
2018-04-03 15:08 ` Gao, Liming
2018-04-04 10:32 ` Laszlo Ersek
2018-04-10 1:51 ` Fu, Siyuan
2018-04-03 14:51 ` [PATCH 03/13] NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList Laszlo Ersek
2018-04-10 1:51 ` Fu, Siyuan
2018-04-03 14:51 ` [PATCH 04/13] NetworkPkg/TlsDxe: clean up byte order conversion " Laszlo Ersek
2018-04-10 1:53 ` Fu, Siyuan
2018-04-03 14:51 ` [PATCH 05/13] CryptoPkg/TlsLib: replace TlsGetCipherString() with TlsGetCipherMapping() Laszlo Ersek
2018-04-03 14:51 ` [PATCH 06/13] CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping() function Laszlo Ersek
2018-04-03 14:51 ` [PATCH 07/13] CryptoPkg/TlsLib: pre-compute OpensslCipherLength in TlsCipherMappingTable Laszlo Ersek
2018-04-03 14:51 ` [PATCH 08/13] CryptoPkg/TlsLib: add the "TlsMappingTable.sh" POSIX shell script Laszlo Ersek
2018-04-03 14:51 ` [PATCH 09/13] CryptoPkg/TlsLib: extend "TlsCipherMappingTable" Laszlo Ersek
2018-04-03 14:51 ` [PATCH 10/13] CryptoPkg/TlsLib: sort [LibraryClasses] section in the INF file Laszlo Ersek
2018-04-03 14:51 ` [PATCH 11/13] CryptoPkg/TlsLib: sanitize lib classes in internal header and INF Laszlo Ersek
2018-04-03 14:51 ` [PATCH 12/13] CryptoPkg/TlsLib: clean up leading comment for TlsSetCipherList() Laszlo Ersek
2018-04-03 14:51 ` [PATCH 13/13] CryptoPkg/TlsLib: rewrite TlsSetCipherList() Laszlo Ersek
2018-04-10 4:09 ` [PATCH 00/13] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites Wu, Jiaxin
2018-04-10 7:40 ` Long, Qin
2018-04-10 10:02 ` Laszlo Ersek
2018-04-10 10:10 ` Laszlo Ersek
2018-04-10 16:56 ` Long, Qin
2018-04-10 9:47 ` Laszlo Ersek
2018-04-10 17:06 ` Long, Qin
2018-04-10 20:06 ` Laszlo Ersek
2018-04-11 1:59 ` Wu, Jiaxin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180403145149.8925-1-lersek@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox