Date: Tue, 8 Sep 2020 11:40:47 +0800
From: "Gary Lin" <glin@suse.com>
To: Laszlo Ersek <lersek@redhat.com>
CC: edk2-devel-groups-io <devel@edk2.groups.io>,
	Ard Biesheuvel <ard.biesheuvel@arm.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Philippe Mathieu-Daudé <philmd@redhat.com>
Subject: Re: [PATCH] OvmfPkg/README: HTTPS Boot: describe host-side TLS cipher suites forwarding
Message-ID: <20200908034047.GE21825@GaryWorkstation>
References: <20200907161825.10893-1-lersek@redhat.com>
In-Reply-To: <20200907161825.10893-1-lersek@redhat.com>

On Mon, Sep 07, 2020 at 06:18:25PM +0200, Laszlo Ersek wrote:
> In QEMU commit range 4abf70a661a5..69699f3055a5, Phil implemented a QEMU
> facility for exposing the host-side TLS cipher suite configuration to
> OVMF. The purpose is to control the permitted ciphers in the guest's UEFI
> HTTPS boot. This complements the forwarding of the host-side crypto policy
> from the host to the guest -- the other facet was the set of CA
> certificates (for which p11-kit patches had been upstreamed, on the host
> side).
> 
> Mention the new command line options in "OvmfPkg/README".

Looks good to me :)

Reviewed-by: Gary Lin <glin@suse.com>

> 
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Gary Lin <glin@suse.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2852
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
> ---
>  OvmfPkg/README | 24 ++++++++++++--------
>  1 file changed, 15 insertions(+), 9 deletions(-)
> 
> diff --git a/OvmfPkg/README b/OvmfPkg/README
> index 3dd28474ead4..2009d9d29796 100644
> --- a/OvmfPkg/README
> +++ b/OvmfPkg/README
> @@ -294,67 +294,73 @@ and encrypted connection.
>  
>    You can also append a certificate to the existing list with the following
>    command:
>  
>    efisiglist -i <old certdb> -a <cert file> -o <new certdb>
>  
>    NOTE: You may need the patch to make efisiglist generate the correct header.
>    (https://github.com/rhboot/pesign/pull/40)
>  
>  * Besides the trusted certificates, it's also possible to configure the trusted
>    cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers.
>  
> -  -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>
> -
>    OVMF expects a binary UINT16 array which comprises the cipher suites HEX
>    IDs(*4). If the cipher suite list is given, OVMF will choose the cipher
>    suite from the intersection of the given list and the built-in cipher
>    suites. Otherwise, OVMF just chooses whatever proper cipher suites from the
>    built-in ones.
>  
> -  While the tool(*5) to create the cipher suite array is still under
> -  development, the array can be generated with the following script:
> +  Using QEMU 5.1 or later, QEMU can expose the ordered list of permitted TLS
> +  cipher suites from the host side to OVMF:
> +
> +  -object tls-cipher-suites,id=mysuite0,priority=@SYSTEM \
> +  -fw_cfg name=etc/edk2/https/ciphers,gen_id=mysuite0
> +
> +  (Refer to the QEMU manual and to
> +  <https://gnutls.org/manual/html_node/Priority-Strings.html> for more
> +  information on the "priority" property.)
> +
> +  Using QEMU 5.0 or earlier, the array has to be passed from a file:
> +
> +  -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>
> +
> +  whose contents can be generated with the following script, for example:
>  
>    export LC_ALL=C
>    openssl ciphers -V \
>    | sed -r -n \
>       -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
>    | xargs -r -- printf -- '%b' > ciphers.bin
>  
>    This script creates ciphers.bin that contains all the cipher suite IDs
>    supported by openssl according to the local host configuration.
>  
>    You may want to enable only a limited set of cipher suites. Then, you
>    should check the validity of your list first:
>  
>    openssl ciphers -V <cipher list>
>  
>    If all the cipher suites in your list map to the proper HEX IDs, go ahead
>    to modify the script and execute it:
>  
>    export LC_ALL=C
>    openssl ciphers -V <cipher list> \
>    | sed -r -n \
>       -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
>    | xargs -r -- printf -- '%b' > ciphers.bin
>  
> -* In the future (after release 2.12), QEMU should populate both above fw_cfg
> -  files automatically from the local host configuration, and enable the user
> -  to override either with dedicated options or properties.
> -
>  (*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A.
>  (*2) p11-kit: https://github.com/p11-glue/p11-kit/
>  (*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c
>  (*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table
> -(*5) update-crypto-policies: https://gitlab.com/redhat-crypto/fedora-crypto-policies
>  
>  === OVMF Flash Layout ===
>  
>  Like all current IA32/X64 system designs, OVMF's firmware device (rom/flash)
>  appears in QEMU's physical address space just below 4GB (0x100000000).
>  
>  OVMF supports building a 1MB, 2MB or 4MB flash image (see the DSC files for the
>  FD_SIZE_1MB, FD_SIZE_2MB, FD_SIZE_4MB build defines). The base address for the
>  1MB image in QEMU physical memory is 0xfff00000. The base address for the 2MB
>  image is 0xffe00000. The base address for the 4MB image is 0xffc00000.
>  
>  Using the 1MB or 2MB image, the layout of the firmware device in memory looks
> -- 
> 2.19.1.3.g30247aa5d201
> 