From: "Chang, Abner via groups.io" <abner.chang=amd.com@groups.io>
To: <devel@edk2.groups.io>
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>,
Zachary Clark-williams <zachary.clark-williams@intel.com>,
Michael Brown <mcb30@ipxe.org>, Nickle Wang <nicklew@nvidia.com>,
Igor Kulchytskyy <igork@ami.com>
Subject: [edk2-devel] [RFC][PATCH 2/2] NetworkPkg: Check platform TLS policy
Date: Tue, 26 Dec 2023 19:28:39 +0800 [thread overview]
Message-ID: <20231226112839.1152-3-abner.chang@amd.com> (raw)
In-Reply-To: <20231226112839.1152-1-abner.chang@amd.com>
From: Abenr Chang <abner.chang@amd.com>
Go through each EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL
instance to check whether a platform HTTPS TLS policy is
provided.
Signed-off-by: Abner Chang <abner.chang@amd.com>
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Cc: Michael Brown <mcb30@ipxe.org>
Cc: Nickle Wang <nicklew@nvidia.com>
Cc: Igor Kulchytskyy <igork@ami.com>
---
NetworkPkg/HttpDxe/HttpDxe.inf | 1 +
NetworkPkg/HttpDxe/HttpDriver.h | 1 +
NetworkPkg/HttpDxe/HttpsSupport.c | 117 +++++++++++++++++++++++++++---
3 files changed, 107 insertions(+), 12 deletions(-)
diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf
index c9502d0bb6d..7699bd9cc17 100644
--- a/NetworkPkg/HttpDxe/HttpDxe.inf
+++ b/NetworkPkg/HttpDxe/HttpDxe.inf
@@ -66,6 +66,7 @@
gEfiTlsProtocolGuid ## SOMETIMES_CONSUMES
gEfiTlsConfigurationProtocolGuid ## SOMETIMES_CONSUMES
gEdkiiHttpCallbackProtocolGuid ## SOMETIMES_CONSUMES
+ gEdkiiHttpsTlsPlatformPolicyProtocolGuid ## SOMETIMES_CONSUMES
[Guids]
gEfiTlsCaCertificateGuid ## SOMETIMES_CONSUMES ## Variable:L"TlsCaCertificate"
diff --git a/NetworkPkg/HttpDxe/HttpDriver.h b/NetworkPkg/HttpDxe/HttpDriver.h
index 01a6bb7f4b7..5554befad4d 100644
--- a/NetworkPkg/HttpDxe/HttpDriver.h
+++ b/NetworkPkg/HttpDxe/HttpDriver.h
@@ -48,6 +48,7 @@
#include <Protocol/Tls.h>
#include <Protocol/TlsConfig.h>
#include <Protocol/HttpCallback.h>
+#include <Protocol/HttpsTlsPlatformPolicyProtocol.h>
#include <Guid/ImageAuthentication.h>
//
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 7330be42c00..354e5cfc79c 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -131,6 +131,93 @@ IsHttpsUrl (
return FALSE;
}
+/**
+ Locate all EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL instances and go through each
+ to check if platform HTTPS TLS policy is provided.
+
+ @param[in] HttpHandle The HTTP protocol handle.
+ @param[in, out] TlsConfigData Pointer to TLS_CONFIG_DATA of this HTTP instance.
+
+**/
+VOID
+HttpsPlatformTlsPolicy (
+ IN EFI_HANDLE HttpHandle,
+ IN OUT TLS_CONFIG_DATA *TlsConfigData
+ )
+{
+ EFI_STATUS Status;
+ UINTN NumHandles;
+ EFI_HANDLE *HandleBuffer;
+ EFI_HANDLE *HandleBufferIndex;
+ EDKII_PLATFORM_HTTPS_TLS_CONFIG_DATA PlatformHttpsTlsPolicy;
+ EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL *ProtocolInterface;
+
+ if ((HttpHandle == NULL) || (TlsConfigData == NULL)) {
+ return;
+ }
+
+ Status = gBS->LocateHandleBuffer (
+ ByProtocol,
+ &gEdkiiHttpsTlsPlatformPolicyProtocolGuid,
+ NULL,
+ &NumHandles,
+ &HandleBuffer
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((
+ DEBUG_INFO,
+ "%a: There is no EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL instance is installed for HTTP this handle:0x%x.\n",
+ __func__,
+ HttpHandle
+ ));
+ return;
+ }
+
+ HandleBufferIndex = HandleBuffer;
+ while (NumHandles != 0) {
+ Status = gBS->HandleProtocol (
+ *HandleBufferIndex,
+ &gEdkiiHttpsTlsPlatformPolicyProtocolGuid,
+ (VOID **)&ProtocolInterface
+ );
+ if (!EFI_ERROR (Status)) {
+ Status = ProtocolInterface->PlatformGetPolicy (
+ *HandleBufferIndex,
+ HttpHandle,
+ &PlatformHttpsTlsPolicy
+ );
+ if (!EFI_ERROR (Status)) {
+ if ((PlatformHttpsTlsPolicy.Version.Major == 1) && (PlatformHttpsTlsPolicy.Version.Minor == 0)) {
+ //
+ // HTTPS platform TLS policy config data version 1.0.
+ //
+ TlsConfigData->ConnectionEnd = PlatformHttpsTlsPolicy.ConnectionEnd;
+ TlsConfigData->VerifyHost = PlatformHttpsTlsPolicy.VerifyHost;
+ TlsConfigData->VerifyMethod = PlatformHttpsTlsPolicy.VerifyMethod;
+ Status = EFI_SUCCESS;
+ break;
+ }
+ }
+ }
+
+ HandleBufferIndex++;
+ NumHandles--;
+ Status = EFI_NOT_FOUND;
+ }
+
+ FreePool ((VOID *)HandleBuffer);
+ if (!EFI_ERROR (Status)) {
+ DEBUG ((
+ DEBUG_INFO,
+ "%a: There is a EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL instance installed for this HTTP handle:0x%x.\n",
+ __func__,
+ HttpHandle
+ ));
+ }
+
+ return;
+}
+
/**
Creates a Tls child handle, open EFI_TLS_PROTOCOL and EFI_TLS_CONFIGURATION_PROTOCOL.
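Review bot: The assignment `TlsConfigData->VerifyHost = PlatformHttpsTlsPolicy.VerifyHost;` copies the whole EFI_TLS_VERIFY_HOST, so it replaces the HostName pointer that TlsConfigureSession fills from RemoteHost immediately before the call added in the next hunk (`HttpsPlatformTlsPolicy (HttpInstance->Handle, &HttpInstance->TlsConfigData);` follows `HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;`); a platform provider cannot know the remote host, so host-name verification ends up pointed at whatever the provider left in that field, possibly NULL or uninitialized stack. Copy only the flag field, `TlsConfigData->VerifyHost.Flags = PlatformHttpsTlsPolicy.VerifyHost.Flags;`, or re-assign HostName from RemoteHost after the call returns. The loop also accepts the first instance that returns a version 1.0 policy, so with several providers the outcome depends on handle order; a comment stating that the first matching provider wins, or a DEBUG_WARN when NumHandles is greater than one, would make that explicit. Both DEBUG lines print the EFI_HANDLE with `0x%x`; `%p` is the PrintLib specifier for pointers, and the first message reads "There is no ... instance is installed for HTTP this handle", which is worth rewording while touching it.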
@@ -650,6 +737,8 @@ TlsConfigureSession (
HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
+ HttpsPlatformTlsPolicy (HttpInstance->Handle, &HttpInstance->TlsConfigData);
+
//
// EfiTlsConnectionEnd,
// EfiTlsVerifyMethod,
@@ -676,14 +765,16 @@ TlsConfigureSession (
return Status;
}
- Status = HttpInstance->Tls->SetSessionData (
- HttpInstance->Tls,
- EfiTlsVerifyHost,
- &HttpInstance->TlsConfigData.VerifyHost,
- sizeof (EFI_TLS_VERIFY_HOST)
- );
- if (EFI_ERROR (Status)) {
- return Status;
+ if (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE) {
+ Status = HttpInstance->Tls->SetSessionData (
+ HttpInstance->Tls,
+ EfiTlsVerifyHost,
+ &HttpInstance->TlsConfigData.VerifyHost,
+ sizeof (EFI_TLS_VERIFY_HOST)
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
}
Status = HttpInstance->Tls->SetSessionData (
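Review bot: When VerifyMethod is EFI_TLS_VERIFY_NONE the new guard skips the EfiTlsVerifyHost session data without any log output, and the matching guard in the next hunk skips TlsConfigCertificate the same way, so a platform policy that turns off peer verification leaves no trace in the debug log. Add an else branch to this guard, `} else { DEBUG ((DEBUG_WARN, "%a: Platform TLS policy disables peer and host verification.\n", __func__)); }`, so the weakened configuration is visible to anyone reading the log; the second guard can then stay silent. The EfiTlsVerifyMethod session data is set above this hunk, so I could not confirm from the visible lines that the NONE value reaches the TLS driver consistently with these skips. TlsConfigureSession starts and ends outside the hunk.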
@@ -708,10 +799,12 @@ TlsConfigureSession (
//
// Tls Config Certificate
//
- Status = TlsConfigCertificate (HttpInstance);
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
- return Status;
+ if (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE) {
+ Status = TlsConfigCertificate (HttpInstance);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
+ return Status;
+ }
}
//
--
2.37.1.windows.1