From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: suse.com, ip: 195.135.221.5, mailfrom: glin@suse.com) Received: from smtp.nue.novell.com (smtp.nue.novell.com [195.135.221.5]) by groups.io with SMTP; Sun, 09 Jun 2019 23:55:29 -0700 Received: from GaryWorkstation.suse.de (unknown.telstraglobal.net [202.47.205.198]) by smtp.nue.novell.com with ESMTP (NOT encrypted); Mon, 10 Jun 2019 08:55:25 +0200 From: "Gary Lin" To: devel@edk2.groups.io Cc: Jordan Justen , Laszlo Ersek , Ard Biesheuvel Subject: [PATCH 1/1] OvmfPkg/README: Update the network build flags Date: Mon, 10 Jun 2019 14:55:09 +0800 Message-Id: <20190610065509.19573-1-glin@suse.com> X-Mailer: git-send-email 2.21.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit The following network build flags changed due to the inclusion of NetworkPkg/Network.fdf.inc. HTTP_BOOT_ENABLE -> NETWORK_HTTP_BOOT_ENABLE TLS_ENABLE -> NETWORK_TLS_ENABLE This commit also adds NETWORK_ALLOW_HTTP_CONNECTIONS to reflect the change in OvmfPkg/OvmfPkg*.dsc. Cc: Jordan Justen Cc: Laszlo Ersek Cc: Ard Biesheuvel Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1884 Signed-off-by: Gary Lin --- OvmfPkg/README | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/OvmfPkg/README b/OvmfPkg/README index c014d07bfbdb..3dd28474ead4 100644 --- a/OvmfPkg/README +++ b/OvmfPkg/README 
@@ -260,9 +260,14 @@ HTTPS Boot is an alternative solution to PXE. It replaces the tftp server with a HTTPS server so the firmware can download the images through a trusted and encrypted connection. -* To enable HTTPS Boot, you have to build OVMF with -D HTTP_BOOT_ENABLE and - -D TLS_ENABLE. The former brings in the HTTP stack from NetworkPkg while - the latter enables TLS support in both NetworkPkg and CryptoPkg. +* To enable HTTPS Boot, you have to build OVMF with -D NETWORK_HTTP_BOOT_ENABLE + and -D NETWORK_TLS_ENABLE. The former brings in the HTTP stack from + NetworkPkg while the latter enables TLS support in both NetworkPkg and + CryptoPkg. + + If you want to exclude the unsecured HTTP connection completely, OVMF has to + be built with -D NETWORK_ALLOW_HTTP_CONNECTIONS=FALSE so that only the HTTPS + connections will be accepted. * By default, there is no trusted certificate. The user has to import the certificates either manually with "Tls Auth Configuration" utility in the -- 2.21.0
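Review bot: In the added paragraph on -D NETWORK_ALLOW_HTTP_CONNECTIONS=FALSE, the README never says what the flag defaults to, so a reader cannot tell whether a build with only -D NETWORK_HTTP_BOOT_ENABLE and -D NETWORK_TLS_ENABLE still accepts plain HTTP boot URLs. Since this is the security-relevant setting for HTTPS Boot, suggest stating the default that OvmfPkg/OvmfPkg*.dsc sets directly in this paragraph, so that someone who builds for HTTPS Boot knows whether they must pass the flag to get an HTTPS-only firmware. Minor wording in the same paragraph: "the unsecured HTTP connection" would read better as "unencrypted HTTP connections", and "only the HTTPS connections will be accepted" as "only HTTPS connections are accepted". The two enable flags are written without a value while the new flag is written with "=FALSE"; a short remark on whether the enable flags need "=TRUE" would keep the three consistent.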