From: "Gary Lin"
To: Laszlo Ersek
CC: edk2-devel-groups-io, Ard Biesheuvel, Guillaume GARDET, Julien Grall
Subject: Re: [PATCH] ArmVirtPkg: handle NETWORK_TLS_ENABLE in ArmVirtQemu*
Date: Fri, 28 Jun 2019 04:48:25 +0000
Message-ID: <20190628044813.GB6000@GaryWorkstation>
References: <20190624191336.31611-1-lersek@redhat.com>
In-Reply-To: <20190624191336.31611-1-lersek@redhat.com>
On Mon, Jun 24, 2019 at 09:13:36PM +0200, Laszlo Ersek wrote:
> Port the [LibraryClasses], [PcdsFixedAtBuild] and [Components] settings
> that are related to NETWORK_TLS_ENABLE from OvmfPkg to ArmVirtPkg.
> ArmVirtXen is not modified because it doesn't include the edk2 network
> stack.
> 
> (This change is now simpler than it would have been when TianoCore#1009
> was originally filed, due to ArmVirtPkg consuming the NetworkPkg include
> fragments meanwhile, from TianoCore#1293 / commit 157a3b1aa50f.)
> 
> The usage hints from "OvmfPkg/README", section "HTTPS Boot", apply.
> 
I tested both HTTPS IPv4 and IPv6, and it worked as expected. The
bootloader was loaded after enrolling the correct certificate, and the
firmware rejected the connection when enrolling the wrong certificate.

Tested-by: Gary Lin

> Cc: Ard Biesheuvel
> Cc: Gary Lin
> Cc: Guillaume GARDET
> Cc: Julien Grall
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1009
> Signed-off-by: Laszlo Ersek
> ---
> 
> Notes:
>     Repo:   https://github.com/lersek/edk2.git
>     Branch: armvirt_tls_bz1009
> 
>  ArmVirtPkg/ArmVirt.dsc.inc       |  7 +++++++
>  ArmVirtPkg/ArmVirtQemu.dsc       | 18 ++++++++++++++----
>  ArmVirtPkg/ArmVirtQemuKernel.dsc | 18 ++++++++++++++----
>  3 files changed, 35 insertions(+), 8 deletions(-)
> 
> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
> index 20bf011617a1..a4ae25d982a2 100644
> --- a/ArmVirtPkg/ArmVirt.dsc.inc
> +++ b/ArmVirtPkg/ArmVirt.dsc.inc
> @@ -71,6 +71,9 @@ [LibraryClasses.common]
>  
>    # Networking Requirements
>  !include NetworkPkg/NetworkLibs.dsc.inc
> +!if $(NETWORK_TLS_ENABLE) == TRUE
> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> +!endif
>  
>  
>    #
> @@ -136,7 +139,11 @@ [LibraryClasses.common]
>    # CryptoPkg libraries needed by multiple firmware features
>    #
>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> +!if $(NETWORK_TLS_ENABLE) == TRUE
> +  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +!else
>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +!endif
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
>  
>    #
> diff --git a/ArmVirtPkg/ArmVirtQemu.dsc b/ArmVirtPkg/ArmVirtQemu.dsc
> index cf28478977e1..7ae6702ac1f0 100644
> --- a/ArmVirtPkg/ArmVirtQemu.dsc
> +++ b/ArmVirtPkg/ArmVirtQemu.dsc
> @@ -43,10 +43,6 @@ [Defines]
>    !error "NETWORK_SNP_ENABLE is IA32/X64/EBC only"
>  !endif
>  
> -!if $(NETWORK_TLS_ENABLE) == TRUE
> -  !error "NETWORK_TLS_ENABLE is tracked at "
> -!endif
> -
>  !include NetworkPkg/NetworkDefines.dsc.inc
>  
>  !include ArmVirtPkg/ArmVirt.dsc.inc
> @@ -113,6 +109,14 @@ [PcdsFixedAtBuild.common]
>    gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize|0x4000
>    gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
>    gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
> +!if $(NETWORK_TLS_ENABLE) == TRUE
> +  #
> +  # The cumulative and individual VOLATILE variable size limits should be set
> +  # high enough for accommodating several and/or large CA certificates.
> +  #
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0x80000
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVolatileVariableSize|0x40000
> +!endif
>  
>    # Size of the region used by UEFI in permanent memory (Reserved 64MB)
>    gArmPlatformTokenSpaceGuid.PcdSystemMemoryUefiRegionSize|0x04000000
> @@ -372,6 +376,12 @@ [Components.common]
>    # Networking stack
>    #
>  !include NetworkPkg/NetworkComponents.dsc.inc
> +!if $(NETWORK_TLS_ENABLE) == TRUE
> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf {
> +
> +      NULL|OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf
> +  }
> +!endif
>  
>    #
>    # SCSI Bus and Disk Driver
> diff --git a/ArmVirtPkg/ArmVirtQemuKernel.dsc b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> index 596e59739cab..3b0f04967a4b 100644
> --- a/ArmVirtPkg/ArmVirtQemuKernel.dsc
> +++ b/ArmVirtPkg/ArmVirtQemuKernel.dsc
> @@ -43,10 +43,6 @@ [Defines]
>    !error "NETWORK_SNP_ENABLE is IA32/X64/EBC only"
>  !endif
>  
> -!if $(NETWORK_TLS_ENABLE) == TRUE
> -  !error "NETWORK_TLS_ENABLE is tracked at "
> -!endif
> -
>  !include NetworkPkg/NetworkDefines.dsc.inc
>  
>  !include ArmVirtPkg/ArmVirt.dsc.inc
> @@ -118,6 +114,14 @@ [PcdsFixedAtBuild.common]
>    gArmPlatformTokenSpaceGuid.PcdCPUCorePrimaryStackSize|0x4000
>    gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
>    gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
> +!if $(NETWORK_TLS_ENABLE) == TRUE
> +  #
> +  # The cumulative and individual VOLATILE variable size limits should be set
> +  # high enough for accommodating several and/or large CA certificates.
> +  #
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0x80000
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVolatileVariableSize|0x40000
> +!endif
>  
>    # Size of the region used by UEFI in permanent memory (Reserved 64MB)
>    gArmPlatformTokenSpaceGuid.PcdSystemMemoryUefiRegionSize|0x04000000
> @@ -356,6 +360,12 @@ [Components.common]
>    # Networking stack
>    #
>  !include NetworkPkg/NetworkComponents.dsc.inc
> +!if $(NETWORK_TLS_ENABLE) == TRUE
> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf {
> +
> +      NULL|OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf
> +  }
> +!endif
>  
>    #
>    # SCSI Bus and Disk Driver
> -- 
> 2.19.1.3.g30247aa5d201
> 
> 
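Review bot: in the second ArmVirt.dsc.inc hunk ([LibraryClasses.common], around IntrinsicLib/OpensslLib/BaseCryptLib), the `!if`/`!else` swaps the OpensslLib instance for every module that resolves OpensslLib in the common scope, not only for the new TlsLib, so a TLS-enabled build links the full `OpensslLib.inf` (libssl included) into each BaseCryptLib consumer as well, where the non-TLS build keeps the crypto-only `OpensslLibCrypto.inf`. That mirrors the OvmfPkg arrangement the commit message says is being ported, but it deserves one sentence in the commit message, and it is worth confirming the resulting firmware volume still fits, since the full OpenSSL instance is considerably larger than the crypto-only one.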
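Review bot: the [Defines] hunks in ArmVirtQemu.dsc and ArmVirtQemuKernel.dsc remove the `!error` guard on NETWORK_TLS_ENABLE and add nothing in its place, so the flag changes from "rejected at build time" to "accepted", with its default supplied by the `!include NetworkPkg/NetworkDefines.dsc.inc` line that follows. Since the removed message pointed at the tracking bug (the text after "is tracked at" is cut off in this copy of the mail), it would help a reader of the history to say in the commit message that the guard is dropped because the bug is now addressed, which the `Ref:` line to bug 1009 already implies.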
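Review bot: the [PcdsFixedAtBuild.common] hunks in ArmVirtQemu.dsc and ArmVirtQemuKernel.dsc raise `PcdVariableStoreSize` to 0x80000 and `PcdMaxVolatileVariableSize` to 0x40000 only for NETWORK_TLS_ENABLE == TRUE, while `PcdMaxVariableSize` (0x2000) and `PcdMaxAuthVariableSize` (0x2800) stay as they are; the in-line comment explains why (room for several or large CA certificates in VOLATILE variables), but it would be good to record where the two numbers come from, for example "same values as OvmfPkg", so the next person who needs to bump them has a reference. The security-relevant consequence is also worth spelling out: the TLS trust anchors live in volatile storage, so they are provisioned at runtime and do not persist in the non-volatile variable store, which is why the non-volatile limits did not need to move. Finally, this block and the [Components.common] block are byte-for-byte identical in the two .dsc files; if the duplication is deliberate (ArmVirtXen also includes ArmVirt.dsc.inc and, per the commit message, has no network stack), a short note in the commit message would pre-empt the obvious "why not in the .inc?" question.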
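Review bot: in the [Components.common] hunks, the added line between `NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf {` and `NULL|OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf` is empty in this copy of the mail; a per-module override block needs a section tag on that line for the NULL library class to take effect, and angle-bracketed tags are routinely stripped by list archives, so please confirm the line is intact in the actual patch. Separately, these hunks make ArmVirtPkg link a library instance from OvmfPkg for the certificate-provisioning logic; that is presumably intended given that the commit message ports the OvmfPkg settings wholesale, but saying so explicitly in the commit message would save a reader the cross-package search.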