From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id E6847226085CF for ; Tue, 3 Apr 2018 07:51:57 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 37DDA722E8; Tue, 3 Apr 2018 14:51:57 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-185.rdu2.redhat.com [10.10.120.185]) by smtp.corp.redhat.com (Postfix) with ESMTP id EB0E32026E0E; Tue, 3 Apr 2018 14:51:55 +0000 (UTC) From: Laszlo Ersek To: edk2-devel-01 Cc: Ard Biesheuvel , Gary Ching-Pang Lin , Jordan Justen Date: Tue, 3 Apr 2018 16:51:37 +0200 Message-Id: <20180403145149.8925-2-lersek@redhat.com> In-Reply-To: <20180403145149.8925-1-lersek@redhat.com> References: <20180403145149.8925-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Tue, 03 Apr 2018 14:51:57 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Tue, 03 Apr 2018 14:51:57 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: [PATCH 01/13] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Apr 2018 14:51:58 -0000 Read the list of trusted cipher suites from fw_cfg and to store it to EFI_TLS_CA_CERTIFICATE_VARIABLE. The fw_cfg file is formatted by the "update-crypto-policies" utility on the host side, so that the host settings take effect in guest HTTPS boot as well. QEMU forwards the file intact to the firmware. The contents are forwarded by NetworkPkg/HttpDxe (in TlsConfigCipherList()) to NetworkPkg/TlsDxe (TlsSetSessionData()) and TlsLib (TlsSetCipherList()). Cc: Ard Biesheuvel Cc: Gary Ching-Pang Lin Cc: Jordan Justen Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek --- OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf | 3 +- OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c | 98 ++++++++++++++++++++ 2 files changed, 100 insertions(+), 1 deletion(-) diff --git a/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf b/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf index 5f83582a8313..40754ea5a2f3 100644 --- a/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf +++ b/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf @@ -46,10 +46,11 @@ [LibraryClasses] DebugLib MemoryAllocationLib QemuFwCfgLib UefiRuntimeServicesTableLib [Guids] - gEfiTlsCaCertificateGuid ## PRODUCES ## Variable:L"TlsCaCertificate" + gEdkiiHttpTlsCipherListGuid ## PRODUCES ## Variable:L"HttpTlsCipherList" + gEfiTlsCaCertificateGuid ## PRODUCES ## Variable:L"TlsCaCertificate" [Depex] gEfiVariableWriteArchProtocolGuid diff --git a/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c b/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c index b5b33bc4fc69..74c393e5462f 100644 --- a/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c +++ b/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c @@ -17,12 +17,13 @@ **/ #include #include +#include #include #include #include #include #include @@ -118,16 +119,113 @@ SetCaCerts ( gEfiCallerBaseName, __FUNCTION__, (UINT64)HttpsCaCertsSize)); FreeHttpsCaCerts: FreePool (HttpsCaCerts); } +/** + Read the list of trusted cipher suites from the fw_cfg file + "etc/edk2/https/ciphers", and store it to + gEdkiiHttpTlsCipherListGuid:EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE. + + The contents are propagated by NetworkPkg/HttpDxe to NetworkPkg/TlsDxe; the + list is processed by the latter. +**/ +STATIC +VOID +SetCipherSuites ( + VOID + ) +{ + EFI_STATUS Status; + FIRMWARE_CONFIG_ITEM HttpsCiphersItem; + UINTN HttpsCiphersSize; + VOID *HttpsCiphers; + + Status = QemuFwCfgFindFile ("etc/edk2/https/ciphers", &HttpsCiphersItem, + &HttpsCiphersSize); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_VERBOSE, "%a:%a: not touching cipher suites\n", + gEfiCallerBaseName, __FUNCTION__)); + return; + } + // + // From this point on, any failure is fatal. An ordered cipher preference + // list is available from QEMU, thus we cannot let the firmware attempt HTTPS + // boot with either pre-existent or non-existent preferences. An empty set of + // cipher suites does not fail HTTPS boot automatically; the default cipher + // suite preferences would take effect, and we must prevent that. + // + // Delete the current EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE if it exists. If + // the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we cannot + // make it volatile without deleting it first. + // + Status = gRT->SetVariable ( + EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName + &gEdkiiHttpTlsCipherListGuid, // VendorGuid + 0, // Attributes + 0, // DataSize + NULL // Data + ); + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) { + DEBUG ((DEBUG_ERROR, "%a:%a: failed to delete %g:\"%s\"\n", + gEfiCallerBaseName, __FUNCTION__, &gEdkiiHttpTlsCipherListGuid, + EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE)); + goto Done; + } + + if (HttpsCiphersSize == 0) { + DEBUG ((DEBUG_ERROR, "%a:%a: list of cipher suites must not be empty\n", + gEfiCallerBaseName, __FUNCTION__)); + Status = EFI_INVALID_PARAMETER; + goto Done; + } + + HttpsCiphers = AllocatePool (HttpsCiphersSize); + if (HttpsCiphers == NULL) { + DEBUG ((DEBUG_ERROR, "%a:%a: failed to allocate HttpsCiphers\n", + gEfiCallerBaseName, __FUNCTION__)); + Status = EFI_OUT_OF_RESOURCES; + goto Done; + } + + QemuFwCfgSelectItem (HttpsCiphersItem); + QemuFwCfgReadBytes (HttpsCiphersSize, HttpsCiphers); + + Status = gRT->SetVariable ( + EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName + &gEdkiiHttpTlsCipherListGuid, // VendorGuid + EFI_VARIABLE_BOOTSERVICE_ACCESS, // Attributes + HttpsCiphersSize, // DataSize + HttpsCiphers // Data + ); + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "%a:%a: failed to set %g:\"%s\"\n", + gEfiCallerBaseName, __FUNCTION__, &gEdkiiHttpTlsCipherListGuid, + EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE)); + goto FreeHttpsCiphers; + } + + DEBUG ((DEBUG_VERBOSE, "%a:%a: stored list of cipher suites (%Lu byte(s))\n", + gEfiCallerBaseName, __FUNCTION__, (UINT64)HttpsCiphersSize)); + +FreeHttpsCiphers: + FreePool (HttpsCiphers); + +Done: + if (EFI_ERROR (Status)) { + ASSERT_EFI_ERROR (Status); + CpuDeadLoop (); + } +} + RETURN_STATUS EFIAPI TlsAuthConfigInit ( VOID ) { SetCaCerts (); + SetCipherSuites (); return RETURN_SUCCESS; } -- 2.14.1.3.gb7cf6e02401b