From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=195.135.221.5; helo=smtp.nue.novell.com; envelope-from=glin@suse.com; receiver=edk2-devel@lists.01.org Received: from smtp.nue.novell.com (smtp.nue.novell.com [195.135.221.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 12FDC22683917 for ; Thu, 19 Apr 2018 02:56:01 -0700 (PDT) Received: from localhost.localdomain (unknown.telstraglobal.net [134.159.103.118]) by smtp.nue.novell.com with ESMTP (NOT encrypted); Thu, 19 Apr 2018 11:55:57 +0200 From: Gary Lin To: edk2-devel@lists.01.org Cc: Ard Biesheuvel , Jordan Justen , Laszlo Ersek Date: Thu, 19 Apr 2018 17:55:43 +0800 Message-Id: <20180419095543.15548-1-glin@suse.com> X-Mailer: git-send-email 2.16.3 Subject: [PATCH 1/1] OvmfPkg/README: add HTTPS Boot X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Apr 2018 09:56:02 -0000 Add the new section for HTTPS Boot. Cc: Ard Biesheuvel Cc: Jordan Justen Cc: Laszlo Ersek Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Gary Lin --- OvmfPkg/README | 50 ++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/OvmfPkg/README b/OvmfPkg/README index 00fb71848200..a84b6a30aaed 100644 --- a/OvmfPkg/README +++ b/OvmfPkg/README @@ -254,6 +254,56 @@ longer.) VirtioNetDxe | x Intel BootUtil (X64) | x +=== HTTPS Boot === + +HTTPS Boot is an alternative solution to PXE. It replaces the tftp server +with a HTTPS server so the firmware can download the images through a trusted +and encrypted connection. + +* To enable HTTPS Boot, you have to build OVMF with -D HTTP_BOOT_ENABLE and + -D TLS_ENABLE. The former brings in the HTTP stack from NetworkPkg while the + the later enables TLS support in both NetworkPkg and CryptPkg. + +* By default, there is no trusted certificate. The user has to import the + certificates either manually with "Tls Auth Configuration" utility in the + firmware UI or through the fw_cfg entry, etc/edk2/https/cacerts. + + -fw_cfg name=etc/edk2/https/cacerts,file= + + The blob for etc/edk2/https/cacerts has to be in the format of Signature + Database(*1). You can use p11-kit(*2) or efisiglit(*3) to create the + certificate list. + +* Bsides the trusted certificates, it's also possible to configure the trusted + cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers. + + -fw_cfg name=etc/edk2/https/ciphers,file= + + OVMF expects a binary UINT16 array which is compirsed of the cipher suites + HEX IDs(*4). If the cipher suite list is given, OVMF will choose the cipher + suite from the intersection of the given list and the built-in cipher + suites. Otherwise, OVMF just chooses whatever proper cipher suites from the + built-in ones. + + While the tool(*5) to create the cipher suite array is still under + development, the array can be generated with the following script: + + export LC_ALL=C + openssl ciphers -V \ + | sed -r -n \ + -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \ + | xargs -r -- printf -- '%b' > ciphers.bin + + This script creates ciphers.bin that contains all the cipher suite IDs + supported by openssl. Of course, you can append your own list to + "openssl ciphers -V" in the script to limit the supported cipher suites. + +(*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A. +(*2) p11-kit: https://github.com/p11-glue/p11-kit/ +(*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c +(*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table +(*5) update-crypto-policies: https://github.com/nmav/fedora-crypto-policies + === OVMF Flash Layout === Like all current IA32/X64 system designs, OVMF's firmware device (rom/flash) -- 2.16.3