Re: [PATCH v2 1/9] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot

[Gary Lin <glin@suse.com>]

On Thu, Apr 12, 2018 at 11:43:35AM +0200, Laszlo Ersek wrote:
> On 04/12/18 11:10, Gary Lin wrote:
> > On Thu, Apr 12, 2018 at 10:49:15AM +0200, Laszlo Ersek wrote:
> >> On 04/12/18 09:08, Gary Lin wrote:
> >>> On Wed, Apr 11, 2018 at 12:42:39PM +0200, Laszlo Ersek wrote:
> >>>> Read the list of trusted cipher suites from fw_cfg and to store it to
> >>>> EFI_TLS_CA_CERTIFICATE_VARIABLE.
> >>>>
> >>>> The fw_cfg file is formatted by the "update-crypto-policies" utility on
> >>>> the host side, so that the host settings take effect in guest HTTPS boot
> >>>> as well. QEMU forwards the file intact to the firmware. The contents are
> >>>> forwarded by NetworkPkg/HttpDxe (in TlsConfigCipherList()) to
> >>>> NetworkPkg/TlsDxe (TlsSetSessionData()) and TlsLib (TlsSetCipherList()).
> >>>>
> >>> Hi Laszlo,
> >>>
> >>> The description mentioned "update-crypto-policies" to format the cipher
> >>> list. The command is not available in openSUSE and I downloaded the command
> >>> from github repo[*]. However, I didn't find any command in the repo
> >>> could create the binary cipher list.
> >>
> >> Right, that feature is underway, and the Crypto team has agreed to
> >> implement it for me. My apologies for being unclear about it. Until
> >> then, a small shell script like the following can be used:
> >>
> >> -----
> >> export LC_ALL=C
> >>
> >> openssl ciphers -V \
> >> | sed -r -n \
> >>     -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
> >> | xargs -r -- printf -- '%b' > ciphers.bin
> >> -----
> >>
> > It would be good to have this script in the description or in the README
> > so that the person who doesn't have the updated update-crypto-policies,
> > like me, can easily generate the cipher list.
> 
> I can include this in the commit message, sure.
> 
> If you think OvmfPkg/README would be a better place for it: can you
> please submit a patch? ;) It's not just that I'm overloaded (although I
> am), but I always welcome documentation contributions with enthusiasm.
> If the documentation captures real life "user stories", that's for the best.
> 
> You could introduce an "HTTPS Boot" section to the README, between
> "Network Support" and "OVMF Flash Layout". You contributed quite a bit
> to HTTPS enablement anyway!
> 
Sounds good. I'm also thinking about collecting the fw_cfg entries in
OVMF and documenting them in README. Currently, those entries look like
black magic to the users.

> It's up to you, of course :) If you don't have the time, I'll add the
> script to the commit message.
> 
I can find some time next week. No guarantee though ;)

Thanks,

Gary Lin

> Thanks,
> Laszlo
> 
> > 
> > Cheers,
> > 
> > Gary Lin
> > 
> >>> Anyway, I found you also mentioned
> >>> "openssl ciphers -V" in the cover letter, and I managed to convert the
> >>> plaintext cipher list to the binary array. Maybe the description can be
> >>> improved to avoid the confusion. (Or, I just found the wrong program...)
> >>
> >> No, you are right; I figured I'd describe the end-state in the commit
> >> mesage. I guess I can replace
> >>
> >>   The fw_cfg file is formatted by the "update-crypto-policies" utility
> >>
> >> with
> >>
> >>   The fw_cfg file will be formatted by the "update-crypto-policies"
> >>   utility
> >>
> >> in the commit message.
> >>
> >>>
> >>> BTW, the code looks good and works for me.
> >>>
> >>> Reviewed-by: Gary Lin <glin@suse.com>
> >>> Tested-by: Gary Lin <glin@suse.com>
> >>
> >> Thanks Gary!
> >> Laszlo
> >>
> 
>