[PATCH 1/1] OvmfPkg/README: add HTTPS Boot

[PATCH 1/1] OvmfPkg/README: add HTTPS Boot

[Gary Lin]

Add the new section for HTTPS Boot.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Gary Lin <glin@suse.com>
---
 OvmfPkg/README | 50 ++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/OvmfPkg/README b/OvmfPkg/README
index 00fb71848200..a84b6a30aaed 100644
--- a/OvmfPkg/README
+++ b/OvmfPkg/README
@@ -254,6 +254,56 @@ longer.)
     VirtioNetDxe         |                                        x
     Intel BootUtil (X64) |   x
 
+=== HTTPS Boot ===
+
+HTTPS Boot is an alternative solution to PXE. It replaces the tftp server
+with a HTTPS server so the firmware can download the images through a trusted
+and encrypted connection.
+
+* To enable HTTPS Boot, you have to build OVMF with -D HTTP_BOOT_ENABLE and
+  -D TLS_ENABLE. The former brings in the HTTP stack from NetworkPkg while the
+  the later enables TLS support in both NetworkPkg and CryptPkg.
+
+* By default, there is no trusted certificate. The user has to import the
+  certificates either manually with "Tls Auth Configuration" utility in the
+  firmware UI or through the fw_cfg entry, etc/edk2/https/cacerts.
+
+  -fw_cfg name=etc/edk2/https/cacerts,file=<sigdb>
+
+  The blob for etc/edk2/https/cacerts has to be in the format of Signature
+  Database(*1). You can use p11-kit(*2) or efisiglit(*3) to create the
+  certificate list.
+
+* Bsides the trusted certificates, it's also possible to configure the trusted
+  cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers.
+
+  -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>
+
+  OVMF expects a binary UINT16 array which is compirsed of the cipher suites
+  HEX IDs(*4). If the cipher suite list is given, OVMF will choose the cipher
+  suite from the intersection of the given list and the built-in cipher
+  suites. Otherwise, OVMF just chooses whatever proper cipher suites from the
+  built-in ones.
+
+  While the tool(*5) to create the cipher suite array is still under
+  development, the array can be generated with the following script:
+
+  export LC_ALL=C
+  openssl ciphers -V \
+  | sed -r -n \
+     -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
+  | xargs -r -- printf -- '%b' > ciphers.bin
+
+  This script creates ciphers.bin that contains all the cipher suite IDs
+  supported by openssl. Of course, you can append your own list to
+  "openssl ciphers -V" in the script to limit the supported cipher suites.
+
+(*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A.
+(*2) p11-kit: https://github.com/p11-glue/p11-kit/
+(*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c
+(*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table
+(*5) update-crypto-policies: https://github.com/nmav/fedora-crypto-policies
+
 === OVMF Flash Layout ===
 
 Like all current IA32/X64 system designs, OVMF's firmware device (rom/flash)
-- 
2.16.3

Re: [PATCH 1/1] OvmfPkg/README: add HTTPS Boot

[Laszlo Ersek]

On 04/19/18 11:55, Gary Lin wrote:
> Add the new section for HTTPS Boot.
> 
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Gary Lin <glin@suse.com>
> ---
>  OvmfPkg/README | 50 ++++++++++++++++++++
>  1 file changed, 50 insertions(+)
> 
> diff --git a/OvmfPkg/README b/OvmfPkg/README
> index 00fb71848200..a84b6a30aaed 100644
> --- a/OvmfPkg/README
> +++ b/OvmfPkg/README
> @@ -254,6 +254,56 @@ longer.)
>      VirtioNetDxe         |                                        x
>      Intel BootUtil (X64) |   x
>  
> +=== HTTPS Boot ===
> +
> +HTTPS Boot is an alternative solution to PXE. It replaces the tftp server
> +with a HTTPS server so the firmware can download the images through a trusted
> +and encrypted connection.
> +
> +* To enable HTTPS Boot, you have to build OVMF with -D HTTP_BOOT_ENABLE and
> +  -D TLS_ENABLE. The former brings in the HTTP stack from NetworkPkg while the
> +  the later enables TLS support in both NetworkPkg and CryptPkg.

Two typos here: "the the later" should be "the latter" (with double
"t"). And CryptPkg should be CryptoPkg.

> +
> +* By default, there is no trusted certificate. The user has to import the
> +  certificates either manually with "Tls Auth Configuration" utility in the
> +  firmware UI or through the fw_cfg entry, etc/edk2/https/cacerts.
> +
> +  -fw_cfg name=etc/edk2/https/cacerts,file=<sigdb>
> +
> +  The blob for etc/edk2/https/cacerts has to be in the format of Signature
> +  Database(*1). You can use p11-kit(*2) or efisiglit(*3) to create the
> +  certificate list.

This looks great. I suggest adding the command line for p11-kit (I
should have included that earlier in a commit message or a blurb -- sorry!):

  p11-kit extract --format=edk2-cacerts --filter=ca-anchors \
    --overwrite --purpose=server-auth <certdb>

> +
> +* Bsides the trusted certificates, it's also possible to configure the trusted

Typo: "Bsides".

> +  cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers.
> +
> +  -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>
> +
> +  OVMF expects a binary UINT16 array which is compirsed of the cipher suites

- s/is compirsed of/comprises/

or else

- s/is compirsed of/consists of/

> +  HEX IDs(*4). If the cipher suite list is given, OVMF will choose the cipher
> +  suite from the intersection of the given list and the built-in cipher
> +  suites. Otherwise, OVMF just chooses whatever proper cipher suites from the
> +  built-in ones.
> +
> +  While the tool(*5) to create the cipher suite array is still under
> +  development, the array can be generated with the following script:
> +
> +  export LC_ALL=C
> +  openssl ciphers -V \
> +  | sed -r -n \
> +     -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
> +  | xargs -r -- printf -- '%b' > ciphers.bin
> +
> +  This script creates ciphers.bin that contains all the cipher suite IDs
> +  supported by openssl.

Please insert here, "according to the local host configuration".

> Of course, you can append your own list to
> +  "openssl ciphers -V" in the script to limit the supported cipher suites.

This last sentence is a bit unclear. If we append another list, then the
cipher suite set gets (possibly) extended, not limited.

Furthermore, please add another sentence here: "In the future (after
release 2.12), QEMU should populate both above fw_cfg files
automatically from the local host configuration, and enable the user to
override either with dedicated options or properties".

> +
> +(*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A.
> +(*2) p11-kit: https://github.com/p11-glue/p11-kit/
> +(*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c
> +(*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table
> +(*5) update-crypto-policies: https://github.com/nmav/fedora-crypto-policies

To my knowledge the right URL for (*5) is:

https://gitlab.com/redhat-crypto/fedora-crypto-policies

> +
>  === OVMF Flash Layout ===
>  
>  Like all current IA32/X64 system designs, OVMF's firmware device (rom/flash)
> 

Thank you Gary for doing this!
Laszlo

Re: [PATCH 1/1] OvmfPkg/README: add HTTPS Boot

[Gary Lin]

On Fri, Apr 20, 2018 at 01:07:17PM +0200, Laszlo Ersek wrote:
> On 04/19/18 11:55, Gary Lin wrote:
> > Add the new section for HTTPS Boot.
> > 
> > Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> > Cc: Jordan Justen <jordan.l.justen@intel.com>
> > Cc: Laszlo Ersek <lersek@redhat.com>
> > Contributed-under: TianoCore Contribution Agreement 1.1
> > Signed-off-by: Gary Lin <glin@suse.com>
> > ---
> >  OvmfPkg/README | 50 ++++++++++++++++++++
> >  1 file changed, 50 insertions(+)
> > 
> > diff --git a/OvmfPkg/README b/OvmfPkg/README
> > index 00fb71848200..a84b6a30aaed 100644
> > --- a/OvmfPkg/README
> > +++ b/OvmfPkg/README
> > @@ -254,6 +254,56 @@ longer.)
> >      VirtioNetDxe         |                                        x
> >      Intel BootUtil (X64) |   x
> >  
> > +=== HTTPS Boot ===
> > +
> > +HTTPS Boot is an alternative solution to PXE. It replaces the tftp server
> > +with a HTTPS server so the firmware can download the images through a trusted
> > +and encrypted connection.
> > +
> > +* To enable HTTPS Boot, you have to build OVMF with -D HTTP_BOOT_ENABLE and
> > +  -D TLS_ENABLE. The former brings in the HTTP stack from NetworkPkg while the
> > +  the later enables TLS support in both NetworkPkg and CryptPkg.
> 
> Two typos here: "the the later" should be "the latter" (with double
> "t"). And CryptPkg should be CryptoPkg.
> 
Oops. Will fix it.

> > +
> > +* By default, there is no trusted certificate. The user has to import the
> > +  certificates either manually with "Tls Auth Configuration" utility in the
> > +  firmware UI or through the fw_cfg entry, etc/edk2/https/cacerts.
> > +
> > +  -fw_cfg name=etc/edk2/https/cacerts,file=<sigdb>
> > +
> > +  The blob for etc/edk2/https/cacerts has to be in the format of Signature
> > +  Database(*1). You can use p11-kit(*2) or efisiglit(*3) to create the
> > +  certificate list.
> 
> This looks great. I suggest adding the command line for p11-kit (I
> should have included that earlier in a commit message or a blurb -- sorry!):
> 
>   p11-kit extract --format=edk2-cacerts --filter=ca-anchors \
>     --overwrite --purpose=server-auth <certdb>
> 
I'll also add the efisiglit command :)

> > +
> > +* Bsides the trusted certificates, it's also possible to configure the trusted
> 
> Typo: "Bsides".
Will fix it.

> 
> > +  cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers.
> > +
> > +  -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>
> > +
> > +  OVMF expects a binary UINT16 array which is compirsed of the cipher suites
> 
> - s/is compirsed of/comprises/
> 
> or else
> 
> - s/is compirsed of/consists of/
> 
Will fix it.

> > +  HEX IDs(*4). If the cipher suite list is given, OVMF will choose the cipher
> > +  suite from the intersection of the given list and the built-in cipher
> > +  suites. Otherwise, OVMF just chooses whatever proper cipher suites from the
> > +  built-in ones.
> > +
> > +  While the tool(*5) to create the cipher suite array is still under
> > +  development, the array can be generated with the following script:
> > +
> > +  export LC_ALL=C
> > +  openssl ciphers -V \
> > +  | sed -r -n \
> > +     -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
> > +  | xargs -r -- printf -- '%b' > ciphers.bin
> > +
> > +  This script creates ciphers.bin that contains all the cipher suite IDs
> > +  supported by openssl.
> 
> Please insert here, "according to the local host configuration".
> 
Ok.

> > Of course, you can append your own list to
> > +  "openssl ciphers -V" in the script to limit the supported cipher suites.
> 
> This last sentence is a bit unclear. If we append another list, then the
> cipher suite set gets (possibly) extended, not limited.
> 
My idea is to state that it's possible to provide a limited set of
cipher suites instead of including all of them. Will change the wording
to make it clear.

> Furthermore, please add another sentence here: "In the future (after
> release 2.12), QEMU should populate both above fw_cfg files
> automatically from the local host configuration, and enable the user to
> override either with dedicated options or properties".
> 
Ok.

> > +
> > +(*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A.
> > +(*2) p11-kit: https://github.com/p11-glue/p11-kit/
> > +(*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c
> > +(*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table
> > +(*5) update-crypto-policies: https://github.com/nmav/fedora-crypto-policies
> 
> To my knowledge the right URL for (*5) is:
> 
> https://gitlab.com/redhat-crypto/fedora-crypto-policies
> 
Ah, I didn't notice the link. Thanks for pointing it out.

> > +
> >  === OVMF Flash Layout ===
> >  
> >  Like all current IA32/X64 system designs, OVMF's firmware device (rom/flash)
> > 
> 
> Thank you Gary for doing this!
No problem :)

I'll send a V2 later.

Gary Lin