Date: Thu, 12 Apr 2018 17:10:24 +0800
From: Gary Lin
To: Laszlo Ersek
Cc: edk2-devel@lists.01.org, Ard Biesheuvel, Jordan Justen
Message-ID: <20180412091024.ha3z6felf4qwylc2@GaryWorkstation>
References: <20180411104247.3758-1-lersek@redhat.com> <20180411104247.3758-2-lersek@redhat.com> <20180412070825.46rnknrjmg46sw3j@GaryWorkstation> <1549bd6e-9cca-6727-f9b9-4a00eeb06988@redhat.com>
In-Reply-To: <1549bd6e-9cca-6727-f9b9-4a00eeb06988@redhat.com>
Subject: Re: [PATCH v2 1/9] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot

On Thu, Apr 12, 2018 at 10:49:15AM +0200, Laszlo Ersek wrote:
> On 04/12/18 09:08, Gary Lin wrote:
> > On Wed, Apr 11, 2018 at 12:42:39PM +0200, Laszlo Ersek wrote:
> >> Read the list of trusted cipher suites from fw_cfg and store it to
> >> EFI_TLS_CA_CERTIFICATE_VARIABLE.
> >>
> >> The fw_cfg file is formatted by the "update-crypto-policies" utility on
> >> the host side, so that the host settings take effect in guest HTTPS boot
> >> as well. QEMU forwards the file intact to the firmware. The contents are
> >> forwarded by NetworkPkg/HttpDxe (in TlsConfigCipherList()) to
> >> NetworkPkg/TlsDxe (TlsSetSessionData()) and TlsLib (TlsSetCipherList()).
> >>
> > Hi Laszlo,
> >
> > The description mentioned "update-crypto-policies" to format the cipher
> > list. The command is not available in openSUSE and I downloaded the command
> > from the github repo[*]. However, I didn't find any command in the repo
> > that could create the binary cipher list.
>
> Right, that feature is underway, and the Crypto team has agreed to
> implement it for me. My apologies for being unclear about it. Until
> then, a small shell script like the following can be used:
>
> -----
> export LC_ALL=C
>
> openssl ciphers -V \
> | sed -r -n \
>     -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
> | xargs -r -- printf -- '%b' > ciphers.bin
> -----
>
It would be good to have this script in the description or in the README so
that a person who doesn't have the updated update-crypto-policies, like me,
can easily generate the cipher list.

Cheers,

Gary Lin

> > Anyway, I found you also mentioned
> > "openssl ciphers -V" in the cover letter, and I managed to convert the
> > plaintext cipher list to the binary array. Maybe the description can be
> > improved to avoid the confusion. (Or, I just found the wrong program...)
>
> No, you are right; I figured I'd describe the end-state in the commit
> message. I guess I can replace
>
>   The fw_cfg file is formatted by the "update-crypto-policies" utility
>
> with
>
>   The fw_cfg file will be formatted by the "update-crypto-policies"
>   utility
>
> in the commit message.
>
> >
> > BTW, the code looks good and works for me.
> >
> > Reviewed-by: Gary Lin
> > Tested-by: Gary Lin
>
> Thanks Gary!
> Laszlo
>
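The shell pipeline quoted above relies on three layers of escaping: sed emits "\\x13 \\x02" per suite, xargs strips one backslash level while splitting the words, and printf '%b' turns each "\x13" into a raw byte. The example below, added here as an illustration and not code from the thread, from OVMF or from update-crypto-policies, does the same conversion in Python so that the resulting fw_cfg blob (2-byte, big-endian IANA cipher suite IDs, in OpenSSL's preference order) can also be decoded and checked before it is handed to QEMU. The function names are mine, the regex mirrors the sed expression, and the sample "openssl ciphers -V" lines are constructed in the format OpenSSL 1.1.1 prints rather than captured from any host.

```python
import re
import struct
import subprocess

# Regex equivalent of the sed expression in the thread: the two hex bytes
# that "openssl ciphers -V" prints at the start of every suite line, e.g.
# "          0x13,0x02 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any ...".
# Lines that do not match (blank lines, or the 3-byte SSLv2 identifiers
# some builds print) are skipped, just as the "sed -n .../p" filter skips them.
_SUITE_LINE = re.compile(r'^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - ')


def ciphers_v_to_bin(text):
    """Convert `openssl ciphers -V` output into the fw_cfg cipher list blob:
    each suite becomes its 2-byte IANA identifier, most significant byte
    first, concatenated in the order OpenSSL printed them (most preferred
    first). This is the same content the sed/xargs/printf pipeline writes
    to ciphers.bin."""
    blob = bytearray()
    for line in text.splitlines():
        m = _SUITE_LINE.match(line)
        if m is None:
            continue
        blob += bytes((int(m.group(1), 16), int(m.group(2), 16)))
    return bytes(blob)


def bin_to_suites(blob):
    """Decode a cipher list blob back into a list of 16-bit suite IDs, for
    checking what the firmware will receive. An odd-length blob was not
    produced as 2-byte records and is rejected instead of silently truncated."""
    if len(blob) % 2 != 0:
        raise ValueError("cipher list has odd length %d" % len(blob))
    return [struct.unpack_from('>H', blob, off)[0]
            for off in range(0, len(blob), 2)]


def ciphers_bin_from_host(spec='DEFAULT'):
    """Build the blob from the live preference list of the host's openssl
    binary (assumed to be on PATH). Not exercised by the offline sample."""
    out = subprocess.run(['openssl', 'ciphers', '-V', spec],
                         check=True, capture_output=True, text=True).stdout
    return ciphers_v_to_bin(out)


# Constructed sample in the layout of `openssl ciphers -V` (OpenSSL 1.1.1).
# These lines are made up for the example, not captured from a real host.
SAMPLE_CIPHERS_V = (
    "          0x13,0x02 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD\n"
    "          0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD\n"
    "          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD\n"
    "          0x00,0x9C - AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD\n"
)


if __name__ == '__main__':
    blob = ciphers_v_to_bin(SAMPLE_CIPHERS_V)
    with open('ciphers.bin', 'wb') as f:
        f.write(blob)
    # Show the suite IDs exactly as the firmware will see them via fw_cfg.
    for suite in bin_to_suites(blob):
        print('0x%04X' % suite)
```

Running the script writes ciphers.bin for the sample and prints 0x1302, 0x1303, 0xC02F and 0x009C in that order; bin_to_suites() applied to a file generated by the shell pipeline on a real host gives the same kind of listing, which is a quick way to confirm that the escaping layers in the pipeline produced binary IDs rather than literal "\x13" text.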