From: Gary Lin <glin@suse.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: edk2-devel@lists.01.org,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Jordan Justen <jordan.l.justen@intel.com>
Subject: Re: [PATCH v2 1/9] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot
Date: Thu, 12 Apr 2018 17:10:24 +0800 [thread overview]
Message-ID: <20180412091024.ha3z6felf4qwylc2@GaryWorkstation> (raw)
In-Reply-To: <1549bd6e-9cca-6727-f9b9-4a00eeb06988@redhat.com>
On Thu, Apr 12, 2018 at 10:49:15AM +0200, Laszlo Ersek wrote:
> On 04/12/18 09:08, Gary Lin wrote:
> > On Wed, Apr 11, 2018 at 12:42:39PM +0200, Laszlo Ersek wrote:
> >> Read the list of trusted cipher suites from fw_cfg and to store it to
> >> EFI_TLS_CA_CERTIFICATE_VARIABLE.
> >>
> >> The fw_cfg file is formatted by the "update-crypto-policies" utility on
> >> the host side, so that the host settings take effect in guest HTTPS boot
> >> as well. QEMU forwards the file intact to the firmware. The contents are
> >> forwarded by NetworkPkg/HttpDxe (in TlsConfigCipherList()) to
> >> NetworkPkg/TlsDxe (TlsSetSessionData()) and TlsLib (TlsSetCipherList()).
> >>
> > Hi Laszlo,
> >
> > The description mentioned "update-crypto-policies" to format the cipher
> > list. The command is not available in openSUSE and I downloaded the command
> > from github repo[*]. However, I didn't find any command in the repo
> > could create the binary cipher list.
>
> Right, that feature is underway, and the Crypto team has agreed to
> implement it for me. My apologies for being unclear about it. Until
> then, a small shell script like the following can be used:
>
> -----
> export LC_ALL=C
>
> openssl ciphers -V \
> | sed -r -n \
> -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
> | xargs -r -- printf -- '%b' > ciphers.bin
> -----
>
It would be good to have this script in the description or in the README
so that the person who doesn't have the updated update-crypto-policies,
like me, can easily generate the cipher list.
Cheers,
Gary Lin
> > Anyway, I found you also mentioned
> > "openssl ciphers -V" in the cover letter, and I managed to convert the
> > plaintext cipher list to the binary array. Maybe the description can be
> > improved to avoid the confusion. (Or, I just found the wrong program...)
>
> No, you are right; I figured I'd describe the end-state in the commit
> mesage. I guess I can replace
>
> The fw_cfg file is formatted by the "update-crypto-policies" utility
>
> with
>
> The fw_cfg file will be formatted by the "update-crypto-policies"
> utility
>
> in the commit message.
>
> >
> > BTW, the code looks good and works for me.
> >
> > Reviewed-by: Gary Lin <glin@suse.com>
> > Tested-by: Gary Lin <glin@suse.com>
>
> Thanks Gary!
> Laszlo
>
next prev parent reply other threads:[~2018-04-12 9:10 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-11 10:42 [PATCH v2 0/9] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 1/9] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot Laszlo Ersek
2018-04-12 7:08 ` Gary Lin
2018-04-12 8:49 ` Laszlo Ersek
2018-04-12 9:10 ` Gary Lin [this message]
2018-04-12 9:43 ` Laszlo Ersek
2018-04-12 10:17 ` Gary Lin
2018-04-12 17:10 ` Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 2/9] MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 3/9] NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 4/9] NetworkPkg/TlsDxe: clean up byte order conversion " Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 5/9] CryptoPkg/TlsLib: replace TlsGetCipherString() with TlsGetCipherMapping() Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 6/9] CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping() function Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 7/9] CryptoPkg/TlsLib: pre-compute OpensslCipherLength in TlsCipherMappingTable Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 8/9] CryptoPkg/TlsLib: sanitize lib classes in internal header and INF Laszlo Ersek
2018-04-11 10:42 ` [PATCH v2 9/9] CryptoPkg/TlsLib: rewrite TlsSetCipherList() Laszlo Ersek
2018-04-12 6:32 ` [PATCH v2 0/9] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites Long, Qin
2018-04-12 8:51 ` Laszlo Ersek
2018-04-12 7:28 ` Wu, Jiaxin
2018-04-12 8:50 ` Laszlo Ersek
2018-04-13 12:10 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180412091024.ha3z6felf4qwylc2@GaryWorkstation \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox