Date: Tue, 8 Sep 2020 11:40:47 +0800
From: "Gary Lin"
To: Laszlo Ersek
CC: edk2-devel-groups-io, Ard Biesheuvel, Jordan Justen, Philippe Mathieu-Daudé
Subject: Re: [PATCH] OvmfPkg/README: HTTPS Boot: describe host-side TLS cipher suites forwarding
Message-ID: <20200908034047.GE21825@GaryWorkstation>
References: <20200907161825.10893-1-lersek@redhat.com>
In-Reply-To: <20200907161825.10893-1-lersek@redhat.com>

On Mon, Sep 07, 2020 at 06:18:25PM +0200, Laszlo Ersek wrote:
> In QEMU commit range 4abf70a661a5..69699f3055a5, Phil implemented a QEMU
> facility for exposing the host-side TLS cipher suite configuration to
> OVMF. The purpose is to control the permitted ciphers in the guest's UEFI
> HTTPS boot. This complements the forwarding of the host-side crypto policy
> from the host to the guest -- the other facet was the set of CA
> certificates (for which p11-kit patches had been upstreamed, on the host
> side).
>
> Mention the new command line options in "OvmfPkg/README".
Looks good to me :)

Reviewed-by: Gary Lin

>
> Cc: Ard Biesheuvel
> Cc: Gary Lin
> Cc: Jordan Justen
> Cc: Philippe Mathieu-Daudé
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2852
> Signed-off-by: Laszlo Ersek
> ---
>  OvmfPkg/README | 24 ++++++++++++--------
>  1 file changed, 15 insertions(+), 9 deletions(-)
>
> diff --git a/OvmfPkg/README b/OvmfPkg/README
> index 3dd28474ead4..2009d9d29796 100644
> --- a/OvmfPkg/README
> +++ b/OvmfPkg/README
> @@ -294,67 +294,73 @@ and encrypted connection. > =20 > You can also append a certificate to the existing list with the follow= ing > command: > =20 > efisiglist -i -a -o > =20 > NOTE: You may need the patch to make efisiglist generate the correct h= eader. > (https://github.com/rhboot/pesign/pull/40) > =20 > * Besides the trusted certificates, it's also possible to configure the = trusted > cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/c= iphers. > =20 > - -fw_cfg name=3Detc/edk2/https/ciphers,file=3D > - > OVMF expects a binary UINT16 array which comprises the cipher suites H= EX > IDs(*4). If the cipher suite list is given, OVMF will choose the ciphe= r > suite from the intersection of the given list and the built-in cipher > suites. Otherwise, OVMF just chooses whatever proper cipher suites fro= m the > built-in ones. > =20 > - While the tool(*5) to create the cipher suite array is still under > - development, the array can be generated with the following script: > + Using QEMU 5.1 or later, QEMU can expose the ordered list of permitted= TLS > + cipher suites from the host side to OVMF: > + > + -object tls-cipher-suites,id=3Dmysuite0,priority=3D@SYSTEM \ > + -fw_cfg name=3Detc/edk2/https/ciphers,gen_id=3Dmysuite0 > + > + (Refer to the QEMU manual and to > + for more > + information on the "priority" property.) > + > + Using QEMU 5.0 or earlier, the array has to be passed from a file: > + > + -fw_cfg name=3Detc/edk2/https/ciphers,file=3D > + > + whose contents can be generated with the following script, for example= : > =20 > export LC_ALL=3DC > openssl ciphers -V \ > | sed -r -n \ > -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \ > | xargs -r -- printf -- '%b' > ciphers.bin > =20 > This script creates ciphers.bin that contains all the cipher suite IDs > supported by openssl according to the local host configuration. > =20 > You may want to enable only a limited set of cipher suites. 
Then, you > should check the validity of your list first: > =20 > openssl ciphers -V > =20 > If all the cipher suites in your list map to the proper HEX IDs, go ah= ead > to modify the script and execute it: > =20 > export LC_ALL=3DC > openssl ciphers -V \ > | sed -r -n \ > -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \ > | xargs -r -- printf -- '%b' > ciphers.bin > =20 > -* In the future (after release 2.12), QEMU should populate both above fw= _cfg > - files automatically from the local host configuration, and enable the = user > - to override either with dedicated options or properties. > - > (*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A. > (*2) p11-kit: https://github.com/p11-glue/p11-kit/ > (*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisig= list.c > (*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_corr= espondence_table > -(*5) update-crypto-policies: https://gitlab.com/redhat-crypto/fedora-cry= pto-policies > =20 > =3D=3D=3D OVMF Flash Layout =3D=3D=3D > =20 > Like all current IA32/X64 system designs, OVMF's firmware device (rom/fl= ash) > appears in QEMU's physical address space just below 4GB (0x100000000). > =20 > OVMF supports building a 1MB, 2MB or 4MB flash image (see the DSC files = for the > FD_SIZE_1MB, FD_SIZE_2MB, FD_SIZE_4MB build defines). The base address f= or the > 1MB image in QEMU physical memory is 0xfff00000. The base address for th= e 2MB > image is 0xffe00000. The base address for the 4MB image is 0xffc00000. > =20 > Using the 1MB or 2MB image, the layout of the firmware device in memory = looks > --=20 > 2.19.1.3.g30247aa5d201 >=20
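Review bot: the new paragraph "Using QEMU 5.0 or earlier, the array has to be passed from a file:" reads as if the `-fw_cfg name=etc/edk2/https/ciphers,file=` form were only for old QEMU, yet the unchanged context above ("OVMF expects a binary UINT16 array which comprises the cipher suites HEX IDs(*4)") and the retained "You may want to enable only a limited set of cipher suites" section still present the file-based array as the way to supply a hand-picked list on any version; consider wording it as "Using QEMU 5.0 or earlier, or to pass a hand-picked list, the array can be passed from a file:" so readers on 5.1+ understand that `gen_id=mysuite0` and `file=` both feed the same UINT16 array into the etc/edk2/https/ciphers entry and that the intersection rule described above applies to either. Separately, the parenthetical "(Refer to the QEMU manual and to for more information on the "priority" property.)" has nothing between "to" and "for" in the quoted hunk; please confirm the intended link survived in the committed text, since it is the only pointer readers get for the `priority=@SYSTEM` syntax.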