From: Gary Lin <glin@suse.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: edk2-devel@lists.01.org,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Jordan Justen <jordan.l.justen@intel.com>
Subject: Re: [PATCH v2 1/9] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot
Date: Thu, 12 Apr 2018 15:08:46 +0800 [thread overview]
Message-ID: <20180412070825.46rnknrjmg46sw3j@GaryWorkstation> (raw)
In-Reply-To: <20180411104247.3758-2-lersek@redhat.com>
On Wed, Apr 11, 2018 at 12:42:39PM +0200, Laszlo Ersek wrote:
> Read the list of trusted cipher suites from fw_cfg and to store it to
> EFI_TLS_CA_CERTIFICATE_VARIABLE.
>
> The fw_cfg file is formatted by the "update-crypto-policies" utility on
> the host side, so that the host settings take effect in guest HTTPS boot
> as well. QEMU forwards the file intact to the firmware. The contents are
> forwarded by NetworkPkg/HttpDxe (in TlsConfigCipherList()) to
> NetworkPkg/TlsDxe (TlsSetSessionData()) and TlsLib (TlsSetCipherList()).
>
Hi Laszlo,
The description mentioned "update-crypto-policies" to format the cipher
list. The command is not available in openSUSE and I downloaded the command
from github repo[*]. However, I didn't find any command in the repo
could create the binary cipher list. Anyway, I found you also mentioned
"openssl ciphers -V" in the cover letter, and I managed to convert the
plaintext cipher list to the binary array. Maybe the description can be
improved to avoid the confusion. (Or, I just found the wrong program...)
BTW, the code looks good and works for me.
Reviewed-by: Gary Lin <glin@suse.com>
Tested-by: Gary Lin <glin@suse.com>
Cheers,
Gary Lin
[*] https://github.com/nmav/fedora-crypto-policies
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Gary Ching-Pang Lin <glin@suse.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>
> Notes:
> v2:
> - no change
>
> OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf | 3 +-
> OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c | 98 ++++++++++++++++++++
> 2 files changed, 100 insertions(+), 1 deletion(-)
>
> diff --git a/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf b/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf
> index 5f83582a8313..40754ea5a2f3 100644
> --- a/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf
> +++ b/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf
> @@ -46,10 +46,11 @@ [LibraryClasses]
> DebugLib
> MemoryAllocationLib
> QemuFwCfgLib
> UefiRuntimeServicesTableLib
>
> [Guids]
> - gEfiTlsCaCertificateGuid ## PRODUCES ## Variable:L"TlsCaCertificate"
> + gEdkiiHttpTlsCipherListGuid ## PRODUCES ## Variable:L"HttpTlsCipherList"
> + gEfiTlsCaCertificateGuid ## PRODUCES ## Variable:L"TlsCaCertificate"
>
> [Depex]
> gEfiVariableWriteArchProtocolGuid
> diff --git a/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c b/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c
> index b5b33bc4fc69..74c393e5462f 100644
> --- a/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c
> +++ b/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c
> @@ -17,12 +17,13 @@
>
> **/
>
> #include <Uefi/UefiBaseType.h>
> #include <Uefi/UefiSpec.h>
>
> +#include <Guid/HttpTlsCipherList.h>
> #include <Guid/TlsAuthentication.h>
>
> #include <Library/BaseLib.h>
> #include <Library/DebugLib.h>
> #include <Library/MemoryAllocationLib.h>
> #include <Library/QemuFwCfgLib.h>
> @@ -118,16 +119,113 @@ SetCaCerts (
> gEfiCallerBaseName, __FUNCTION__, (UINT64)HttpsCaCertsSize));
>
> FreeHttpsCaCerts:
> FreePool (HttpsCaCerts);
> }
>
> +/**
> + Read the list of trusted cipher suites from the fw_cfg file
> + "etc/edk2/https/ciphers", and store it to
> + gEdkiiHttpTlsCipherListGuid:EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.
> +
> + The contents are propagated by NetworkPkg/HttpDxe to NetworkPkg/TlsDxe; the
> + list is processed by the latter.
> +**/
> +STATIC
> +VOID
> +SetCipherSuites (
> + VOID
> + )
> +{
> + EFI_STATUS Status;
> + FIRMWARE_CONFIG_ITEM HttpsCiphersItem;
> + UINTN HttpsCiphersSize;
> + VOID *HttpsCiphers;
> +
> + Status = QemuFwCfgFindFile ("etc/edk2/https/ciphers", &HttpsCiphersItem,
> + &HttpsCiphersSize);
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_VERBOSE, "%a:%a: not touching cipher suites\n",
> + gEfiCallerBaseName, __FUNCTION__));
> + return;
> + }
> + //
> + // From this point on, any failure is fatal. An ordered cipher preference
> + // list is available from QEMU, thus we cannot let the firmware attempt HTTPS
> + // boot with either pre-existent or non-existent preferences. An empty set of
> + // cipher suites does not fail HTTPS boot automatically; the default cipher
> + // suite preferences would take effect, and we must prevent that.
> + //
> + // Delete the current EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE if it exists. If
> + // the variable exists with EFI_VARIABLE_NON_VOLATILE attribute, we cannot
> + // make it volatile without deleting it first.
> + //
> + Status = gRT->SetVariable (
> + EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName
> + &gEdkiiHttpTlsCipherListGuid, // VendorGuid
> + 0, // Attributes
> + 0, // DataSize
> + NULL // Data
> + );
> + if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
> + DEBUG ((DEBUG_ERROR, "%a:%a: failed to delete %g:\"%s\"\n",
> + gEfiCallerBaseName, __FUNCTION__, &gEdkiiHttpTlsCipherListGuid,
> + EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE));
> + goto Done;
> + }
> +
> + if (HttpsCiphersSize == 0) {
> + DEBUG ((DEBUG_ERROR, "%a:%a: list of cipher suites must not be empty\n",
> + gEfiCallerBaseName, __FUNCTION__));
> + Status = EFI_INVALID_PARAMETER;
> + goto Done;
> + }
> +
> + HttpsCiphers = AllocatePool (HttpsCiphersSize);
> + if (HttpsCiphers == NULL) {
> + DEBUG ((DEBUG_ERROR, "%a:%a: failed to allocate HttpsCiphers\n",
> + gEfiCallerBaseName, __FUNCTION__));
> + Status = EFI_OUT_OF_RESOURCES;
> + goto Done;
> + }
> +
> + QemuFwCfgSelectItem (HttpsCiphersItem);
> + QemuFwCfgReadBytes (HttpsCiphersSize, HttpsCiphers);
> +
> + Status = gRT->SetVariable (
> + EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE, // VariableName
> + &gEdkiiHttpTlsCipherListGuid, // VendorGuid
> + EFI_VARIABLE_BOOTSERVICE_ACCESS, // Attributes
> + HttpsCiphersSize, // DataSize
> + HttpsCiphers // Data
> + );
> + if (EFI_ERROR (Status)) {
> + DEBUG ((DEBUG_ERROR, "%a:%a: failed to set %g:\"%s\"\n",
> + gEfiCallerBaseName, __FUNCTION__, &gEdkiiHttpTlsCipherListGuid,
> + EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE));
> + goto FreeHttpsCiphers;
> + }
> +
> + DEBUG ((DEBUG_VERBOSE, "%a:%a: stored list of cipher suites (%Lu byte(s))\n",
> + gEfiCallerBaseName, __FUNCTION__, (UINT64)HttpsCiphersSize));
> +
> +FreeHttpsCiphers:
> + FreePool (HttpsCiphers);
> +
> +Done:
> + if (EFI_ERROR (Status)) {
> + ASSERT_EFI_ERROR (Status);
> + CpuDeadLoop ();
> + }
> +}
> +
> RETURN_STATUS
> EFIAPI
> TlsAuthConfigInit (
> VOID
> )
> {
> SetCaCerts ();
> + SetCipherSuites ();
>
> return RETURN_SUCCESS;
> }
> --
> 2.14.1.3.gb7cf6e02401b
>
>
>
next prev parent reply other threads:[~2018-04-12 7:09 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-11 10:42 [PATCH v2 0/9] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 1/9] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot Laszlo Ersek
2018-04-12 7:08 ` Gary Lin [this message]
2018-04-12 8:49 ` Laszlo Ersek
2018-04-12 9:10 ` Gary Lin
2018-04-12 9:43 ` Laszlo Ersek
2018-04-12 10:17 ` Gary Lin
2018-04-12 17:10 ` Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 2/9] MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 3/9] NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 4/9] NetworkPkg/TlsDxe: clean up byte order conversion " Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 5/9] CryptoPkg/TlsLib: replace TlsGetCipherString() with TlsGetCipherMapping() Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 6/9] CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping() function Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 7/9] CryptoPkg/TlsLib: pre-compute OpensslCipherLength in TlsCipherMappingTable Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 8/9] CryptoPkg/TlsLib: sanitize lib classes in internal header and INF Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 9/9] CryptoPkg/TlsLib: rewrite TlsSetCipherList() Laszlo Ersek
2018-04-12 6:32 ` [PATCH v2 0/9] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites Long, Qin
2018-04-12 8:51 ` Laszlo Ersek
2018-04-12 7:28 ` Wu, Jiaxin
2018-04-12 8:50 ` Laszlo Ersek
2018-04-13 12:10 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180412070825.46rnknrjmg46sw3j@GaryWorkstation \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox