Date: Thu, 12 Apr 2018 18:17:11 +0800
From: Gary Lin <glin@suse.com>
To: Laszlo Ersek
Cc: edk2-devel@lists.01.org, Ard Biesheuvel, Jordan Justen
Message-ID: <20180412101711.2aszvfvwde4wahkx@GaryWorkstation>
References: <20180411104247.3758-1-lersek@redhat.com> <20180411104247.3758-2-lersek@redhat.com> <20180412070825.46rnknrjmg46sw3j@GaryWorkstation> <1549bd6e-9cca-6727-f9b9-4a00eeb06988@redhat.com> <20180412091024.ha3z6felf4qwylc2@GaryWorkstation>
Subject: Re: [PATCH v2 1/9] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot

On Thu, Apr 12, 2018 at 11:43:35AM +0200, Laszlo Ersek wrote:
> On 04/12/18 11:10, Gary Lin wrote:
> > On Thu, Apr 12, 2018 at 10:49:15AM +0200, Laszlo Ersek wrote:
> >> On 04/12/18 09:08, Gary Lin wrote:
> >>> On Wed, Apr 11, 2018 at 12:42:39PM +0200, Laszlo Ersek wrote:
> >>>> Read the list of trusted cipher suites from fw_cfg and store it in
> >>>> EFI_TLS_CA_CERTIFICATE_VARIABLE.
> >>>>
> >>>> The fw_cfg file is formatted by the "update-crypto-policies" utility on
> >>>> the host side, so that the host settings take effect in guest HTTPS boot
> >>>> as well. QEMU forwards the file intact to the firmware. The contents are
> >>>> forwarded by NetworkPkg/HttpDxe (in TlsConfigCipherList()) to
> >>>> NetworkPkg/TlsDxe (TlsSetSessionData()) and TlsLib (TlsSetCipherList()).
> >>>>
> >>> Hi Laszlo,
> >>>
> >>> The description mentioned "update-crypto-policies" to format the cipher
> >>> list. The command is not available in openSUSE and I downloaded the command
> >>> from the github repo[*]. However, I didn't find any command in the repo
> >>> that could create the binary cipher list.
> >>
> >> Right, that feature is underway, and the Crypto team has agreed to
> >> implement it for me. My apologies for being unclear about it. Until
> >> then, a small shell script like the following can be used:
> >>
> >> -----
> >> export LC_ALL=C
> >>
> >> openssl ciphers -V \
> >> | sed -r -n \
> >>     -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
> >> | xargs -r -- printf -- '%b' > ciphers.bin
> >> -----
> >>
> > It would be good to have this script in the description or in the README
> > so that the person who doesn't have the updated update-crypto-policies,
> > like me, can easily generate the cipher list.
>
> I can include this in the commit message, sure.
>
> If you think OvmfPkg/README would be a better place for it: can you
> please submit a patch? ;) It's not just that I'm overloaded (although I
> am), but I always welcome documentation contributions with enthusiasm.
> If the documentation captures real life "user stories", that's for the best.
>
> You could introduce an "HTTPS Boot" section to the README, between
> "Network Support" and "OVMF Flash Layout". You contributed quite a bit
> to HTTPS enablement anyway!
>
Sounds good.

I'm also thinking about collecting the fw_cfg entries in OVMF and
documenting them in README. Currently, those entries look like black
magic to the users.

> It's up to you, of course :) If you don't have the time, I'll add the
> script to the commit message.
>
I can find some time next week. No guarantee though ;)

Thanks,

Gary Lin

> Thanks,
> Laszlo
>
> >
> > Cheers,
> >
> > Gary Lin
> >
> >>> Anyway, I found you also mentioned
> >>> "openssl ciphers -V" in the cover letter, and I managed to convert the
> >>> plaintext cipher list to the binary array. Maybe the description can be
> >>> improved to avoid the confusion. (Or, I just found the wrong program...)
> >>
> >> No, you are right; I figured I'd describe the end-state in the commit
> >> message. I guess I can replace
> >>
> >>   The fw_cfg file is formatted by the "update-crypto-policies" utility
> >>
> >> with
> >>
> >>   The fw_cfg file will be formatted by the "update-crypto-policies"
> >>   utility
> >>
> >> in the commit message.
> >>
> >>>
> >>> BTW, the code looks good and works for me.
> >>>
> >>> Reviewed-by: Gary Lin
> >>> Tested-by: Gary Lin
> >>
> >> Thanks Gary!
> >> Laszlo
> >>
> >
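The shell one-liner quoted in the thread turns `openssl ciphers -V` output into the binary cipher list that OVMF reads from fw_cfg: every matching line contributes its two hex bytes, in order, so the file is a plain concatenation of 2-byte cipher suite IDs with no header. The following is an added example, not code from the patch, from edk2 or from update-crypto-policies; it does the same conversion in Python and adds the reverse direction with the length check a consumer of the blob should make. The `openssl ciphers -V` lines are constructed here (the hex IDs are real IANA cipher suite values, the descriptive columns are illustrative), and the assumption that the blob layout is exactly the byte pairs the script's `printf` emits is taken from the script itself.

```python
import re

# Constructed sample of `openssl ciphers -V` output. The two hex bytes at the
# start of each line are the IANA TLS cipher suite ID; the rest is decoration.
SAMPLE_OPENSSL_OUTPUT = """\
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0x00,0x9C - AES128-GCM-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
"""

# Same anchor the sed expression in the mail uses: optional leading blanks,
# "0xHH,0xHH", then " - ". Lines that do not match are ignored, as sed -n does.
_CIPHER_LINE = re.compile(r"^\s*0x([0-9A-F]{2}),0x([0-9A-F]{2}) - ", re.IGNORECASE)


def parse_openssl_ciphers(text):
    """Return the cipher suite IDs in `text` as a list of (hi, lo) byte tuples,
    preserving the order OpenSSL printed them (that order is the preference order)."""
    ids = []
    for line in text.splitlines():
        match = _CIPHER_LINE.match(line)
        if match:
            ids.append((int(match.group(1), 16), int(match.group(2), 16)))
    return ids


def encode_cipher_list(ids):
    """Serialize the IDs exactly as the script's printf does: hi byte, lo byte,
    next suite, ... with no separators and no header (ciphers.bin layout)."""
    return b"".join(bytes(pair) for pair in ids)


def decode_cipher_list(blob):
    """Reverse of encode_cipher_list, with the one structural check a consumer
    should perform: an odd-length blob cannot be a sequence of 2-byte IDs."""
    if len(blob) % 2 != 0:
        raise ValueError("cipher list length %d is not a multiple of 2" % len(blob))
    return [(blob[i], blob[i + 1]) for i in range(0, len(blob), 2)]


def format_suite(pair):
    """Render an ID in the "0xC0,0x2F" notation OpenSSL and the mail use."""
    return "0x%02X,0x%02X" % pair


if __name__ == "__main__":
    suites = parse_openssl_ciphers(SAMPLE_OPENSSL_OUTPUT)
    blob = encode_cipher_list(suites)
    print("ciphers.bin would be %d bytes: %s" % (len(blob), blob.hex()))
    for pair in decode_cipher_list(blob):
        print("  ", format_suite(pair))
```

Running it against real output (`openssl ciphers -V | python3 thisfile.py` after replacing the constructed sample with `sys.stdin.read()`) yields the same bytes as the `sed | xargs | printf` pipeline, which is a convenient way to confirm that the generated `ciphers.bin` contains what you expect before passing it to QEMU.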