From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+112912+7686176+12367111@groups.io>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108])
	by spool.mail.gandi.net (Postfix) with ESMTPS id D6EBAD8081E
	for <rebecca@openfw.io>; Tue, 26 Dec 2023 11:29:05 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=UkRN6OZuDV+XWfK/YPL+jkktgKCkurmK1ciOzSxpFV4=;
 c=relaxed/simple; d=groups.io;
 h=ARC-Seal:ARC-Message-Signature:ARC-Authentication-Results:Received-SPF:From:To:CC:Subject:Date:Message-ID:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding:Content-Type;
 s=20140610; t=1703590144; v=1;
 b=lJpvZdbGBmXU/yTq+namNC/XVRJrXLFa/gjTX3jIs1WBkpFGZ3mVc364KDVA1E/Y6JhEFfru
 /CC2+Qapy8IBwfsF5+BriNMtHC2BVLAMfGL50agMN5ySFP9fYBv/J4BNq87BNGZKfkfJRbtapCR
 jWh7VfacZue9n/YobRH//tvg=
X-Received: by 127.0.0.2 with SMTP id ePblYY7687511x6BacVfMTqA; Tue, 26 Dec 2023 03:29:04 -0800
X-Received: from NAM11-BN8-obe.outbound.protection.outlook.com (NAM11-BN8-obe.outbound.protection.outlook.com [40.107.236.41])
 by mx.groups.io with SMTP id smtpd.web10.80562.1703590143571649159
 for <devel@edk2.groups.io>;
 Tue, 26 Dec 2023 03:29:03 -0800
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=mZyYWWeOwXZcUDJZjtPWk8FgQb+4R7vKTmvRUCyc+9JSDsOkgTKKCTBioUXxl9Vn3Qlzyq8bIg2WVy+RwynYKRMqiSxOVfKGDWVTaX8mRxu0N3hIIuKnOWZo6BHpasyJno1Hk55KQcNVROQYkRthQKIe0q9iCkT2gq4Th5+8Z3p+Gvg2Tv3SuzM4rjN1OmUKCv/Ss8pGsygw4sZmIwG7rNLoGje4wu75oZRV6gi1d3CYQcF2byFHTvWvvmknGM6DQ5yY3iclfNp7WkQoqqFwsITb/RKhjcdBSGe0THNcJLqDyfy6w2QWDuUAIMgyI+qc3eewFb8heMoDkqM0tbLMZA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=zLpph8wB3sIHydOi3eFhrX4Ggt9a7L0qz6onPqZTm90=;
 b=kPU459XWND5RKutO0QKnLzL5M5w2RHKl7lwWRCONdRMa5wdQQZYTMlPjq6TG3VrVIoJggvMQ4g2ipqS5ZlAaM+xTLYm+3o+Vbf0bE18ESkd5wPt8G7znuTvX8ez58o1Anf3LRjsfQ0jK53oF992Bi2tObgVPjGd876qOFilcvIvdrrvzmSWr0W6Ma4WaKv1HhXKZIq37PJKXVXqCBZoTwTwdYHd4gyHwGOyI0gJIFsOl7G1txU0hAxVB0qNkW6yV/FcBWDIkWwfKiVg3X2/USb69l92w2jfPVb8+GVQpk7gE6fmXmPmwXbEN485T15MdoVtygiJZpFwoIbC2GAZiJg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 165.204.84.17) smtp.rcpttodomain=edk2.groups.io smtp.mailfrom=amd.com;
 dmarc=pass (p=quarantine sp=quarantine pct=100) action=none
 header.from=amd.com; dkim=none (message not signed); arc=none (0)
X-Received: from DS7PR07CA0004.namprd07.prod.outlook.com (2603:10b6:5:3af::13)
 by PH7PR12MB6419.namprd12.prod.outlook.com (2603:10b6:510:1fd::5) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7135.18; Tue, 26 Dec
 2023 11:28:59 +0000
X-Received: from DS1PEPF00017090.namprd03.prod.outlook.com
 (2603:10b6:5:3af:cafe::db) by DS7PR07CA0004.outlook.office365.com
 (2603:10b6:5:3af::13) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7113.27 via Frontend
 Transport; Tue, 26 Dec 2023 11:28:59 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17)
 smtp.mailfrom=amd.com; dkim=none (message not signed)
 header.d=none;dmarc=pass action=none header.from=amd.com;
Received-SPF: Pass (protection.outlook.com: domain of amd.com designates
 165.204.84.17 as permitted sender) receiver=protection.outlook.com;
 client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C
X-Received: from SATLEXMB04.amd.com (165.204.84.17) by
 DS1PEPF00017090.mail.protection.outlook.com (10.167.17.132) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.20.7135.14 via Frontend Transport; Tue, 26 Dec 2023 11:28:58 +0000
X-Received: from TPE-L1-ABNCHANG.amd.com (10.180.168.240) by SATLEXMB04.amd.com
 (10.181.40.145) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.34; Tue, 26 Dec
 2023 05:28:56 -0600
From: "Chang, Abner via groups.io" <abner.chang=amd.com@groups.io>
To: <devel@edk2.groups.io>
CC: Saloni Kasbekar <saloni.kasbekar@intel.com>, Zachary Clark-williams
	<zachary.clark-williams@intel.com>, Michael Brown <mcb30@ipxe.org>, Nickle
 Wang <nicklew@nvidia.com>, Igor Kulchytskyy <igork@ami.com>
Subject: [edk2-devel] [RFC][PATCH 0/2] Introduce HTTPS Platform TLS policy
Date: Tue, 26 Dec 2023 19:28:37 +0800
Message-ID: <20231226112839.1152-1-abner.chang@amd.com>
MIME-Version: 1.0
X-Originating-IP: [10.180.168.240]
X-ClientProxiedBy: SATLEXMB03.amd.com (10.181.40.144) To SATLEXMB04.amd.com
 (10.181.40.145)
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DS1PEPF00017090:EE_|PH7PR12MB6419:EE_
X-MS-Office365-Filtering-Correlation-Id: feb97697-f8ca-457b-3e7a-08dc0605da65
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Message-Info: 
	JtZT1U2LJew8e3QH0U0VgEasUoi0bCvOJzxoPec8M0qGpL62eR90c0HiSWubwK/umLPKpdEMCuq4Xc2PCy70E3jfcimdPeTk/0a1/x3ixn2LxFeWrGZvHM4hOtYeMUedPLaMSSi+YilQdFwInzE3Ru4nFGu3QUbiP0SpKdZ85BVxfgG3fjfnzUWP9M9TWL4wshsoR1vqjmEVjQ7x0Zr16qDEndI9sFDgbyeokhuGEiMdU9VRA2CT3JEx8F+5grBHLvjljqHdMHXNoOjXcRRCYQlBF5A/DChbkNi1XGTWlBS3YHK2TgQM8zk0cnUpLNuw1XHFpWRzBL/BPSJ2KgFnAUZ40DY3+DFCOAO+OzQnWfPMWUOoj/eeq0kv5bxyOK/1HvVAQGruLWUZUdPfOiYX/QaT0v1oMLecjs7ebFCwZGmWH5W/W8FRY262/1eB2U6i1UJ5CeFklSOS+Ps2/8rUKeHcbm06GmP0CKyu5COcDKbma3fWxeJMBM31+/xvtwnbPICigXKgSe5OlqPJk3N9OGbsXcGUE2yeXEggF+CxdpHRftL4MY79N4Bv5J2XoXoERon9SSuuCJ3EINWESjDu3RHfTqcfGw4ImmpjAuT1vE76hjsY+ZSc9ShQ3Wnmf+wrhh4dYEd7KuabVXWOc7FULDxO0BGVvMxPd4VEoahkzQp2vbIKJBAo6LIpGuiI++5rfGXN654vI0WAGYKjeFxw/vEnH4QMjWNmyXmu31S5Q7ihoOGiAFmwO+Q9xL/ExnI4mSKbZkzU6dnml91jVOz3lw==
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Dec 2023 11:28:58.7657
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: feb97697-f8ca-457b-3e7a-08dc0605da65
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com]
X-MS-Exchange-CrossTenant-AuthSource: 
	DS1PEPF00017090.namprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR12MB6419
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,abner.chang@amd.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
X-Gm-Message-State: o2b3GCDxkDee7XTpnF5YNtqdx7686176AA=
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20140610 header.b=lJpvZdbG;
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io;
	dmarc=none;
	arc=reject ("signature check failed: fail, {[1] = sig:microsoft.com:reject}")

From: Abner Chang <abner.chang@amd.com>

For the HTTPS connetion that doesn't require TLS peer verification,
EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL is introduced to platform
developer to provide the TLS configure data that is different than
the default TLS configuration. The use case such as Redfish service
connction which doesn't require the TLS peer verification on the
cetificate, especially to the Redfish service connection through
the in-band network interface.

Platform developer can provide this protoocl to EFI HTTP driver to
configure TLS using TLS conifg data provided by
EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL for the specific HTTP
protocol handle. How to distinguish the correct HTTP protocol
handle for the platform TLS policy is outside the scope of this
change. For Redfish, we will provide this protocol in EFI Redfish
REST EX driver.

Question:
Do we need the version control of platform TLS configuration
data structure for the flexibility in future?

Signed-off-by: Abner Chang <abner.chang@amd.com>
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Cc: Michael Brown <mcb30@ipxe.org>
Cc: Nickle Wang <nicklew@nvidia.com>
Cc: Igor Kulchytskyy <igork@ami.com>

Abenr Chang (1):
  NetworkPkg: Check platform TLS policy

Abner Chang (1):
  NetworkPkg: EDKII HTTPS platform TLS policy

 NetworkPkg/NetworkPkg.dec                     |   3 +
 NetworkPkg/HttpDxe/HttpDxe.inf                |   1 +
 NetworkPkg/HttpDxe/HttpDriver.h               |   1 +
 .../Protocol/HttpsTlsPlatformPolicyProtocol.h |  72 +++++++++++
 NetworkPkg/HttpDxe/HttpsSupport.c             | 117 ++++++++++++++++--
 5 files changed, 182 insertions(+), 12 deletions(-)
 create mode 100644 NetworkPkg/Include/Protocol/HttpsTlsPlatformPolicyProto=
col.h

--=20
2.37.1.windows.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112912): https://edk2.groups.io/g/devel/message/112912
Mute This Topic: https://groups.io/mt/103368438/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-