* [edk2-devel] [PATCH 0/5] Support HTTP application TLS configuration protocol
@ 2023-12-30 11:29 Chang, Abner via groups.io
2023-12-30 11:29 ` [edk2-devel] [PATCH 1/5] NetworkPkg/HttpDxe: Refactor TlsCreateChild function Chang, Abner via groups.io
` (4 more replies)
0 siblings, 5 replies; 8+ messages in thread
From: Chang, Abner via groups.io @ 2023-12-30 11:29 UTC (permalink / raw)
To: devel
Cc: Saloni Kasbekar, Zachary Clark-williams, Michael Brown,
Nickle Wang, Igor Kulchytskyy
From: Abner Chang <abner.chang@amd.com>
For the HTTPS connection that doesn't require TLS peer verification,
EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL is introduced to HTTP application
to provide its own TLS configure data that replaces the default value
initiated by HTTP DXE driver. The use case such as Redfish service
connection which doesn't require the TLS peer verification on the
certificate, especially to the Redfish service connection through
the in-band network interface.
The root cause we are fixing is the TLS config data is hardcoded
for any TLS child in HttpSupport.c. With this hardcoded code, HTTP
application has no way to give the proper TLS config data when TLS
session is initiated.
In the previous conversation with Michael, we agreed to refactor
TlsCreateChild and install TLS on the given HTTP handle. Upper HTTP
application like Redfish can listen to TLS installation and hook
TLS SetSessionData function. However, the code is not simple and
the solution also gives burdens to application to hack TLS function
which is not ideal.
(Refer to https://github.com/tianocore/edk2/commit/823a6f86829a12c5b7447f59e36c4a35c226b96f)
Compared to the above solution and the one I sent for review before, this
patch is much simpler and architected to fix the hardcoded TLS configuration
data in HTTP DXE driver.
Signed-off-by: Abner Chang <abner.chang@amd.com>
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Cc: Michael Brown <mcb30@ipxe.org>
Cc: Nickle Wang <nicklew@nvidia.com>
Cc: Igor Kulchytskyy <igork@ami.com>
Abner Chang (2):
NetworkPkg/HttpDxe: Refactor TlsCreateChild function
RedfishPkg/RedfishRestExDxe: Update the Supported function
abnchang (3):
NetworkPkg: Introduce HttpsTlsConfigDataProtocol
NetworkPkg/HttpDxe: Use HttpsTlsConfigDataProtocol
RedfishPkg/RedfishRestExDxe: Produce EdkiiHttpsTlsConfigData protocol
NetworkPkg/NetworkPkg.dec | 3 +
RedfishPkg/RedfishPkg.dec | 5 +
NetworkPkg/HttpDxe/HttpDxe.inf | 1 +
.../RedfishRestExDxe/RedfishRestExDxe.inf | 2 +
NetworkPkg/HttpDxe/HttpDriver.h | 1 +
NetworkPkg/HttpDxe/HttpProto.h | 10 +-
NetworkPkg/HttpDxe/HttpsSupport.h | 17 +-
.../Protocol/HttpsTlsConfigDataProtocol.h | 48 +++++
.../RedfishRestExDxe/RedfishRestExDriver.h | 23 ++-
NetworkPkg/HttpDxe/HttpImpl.c | 20 +-
NetworkPkg/HttpDxe/HttpsSupport.c | 172 ++++++++++++------
.../RedfishRestExDxe/RedfishRestExDriver.c | 94 +++++++++-
12 files changed, 302 insertions(+), 94 deletions(-)
create mode 100644 NetworkPkg/Include/Protocol/HttpsTlsConfigDataProtocol.h
--
2.37.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113004): https://edk2.groups.io/g/devel/message/113004
Mute This Topic: https://groups.io/mt/103430429/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
* [edk2-devel] [PATCH 1/5] NetworkPkg/HttpDxe: Refactor TlsCreateChild function
2023-12-30 11:29 [edk2-devel] [PATCH 0/5] Support HTTP application TLS configuration protocol Chang, Abner via groups.io
@ 2023-12-30 11:29 ` Chang, Abner via groups.io
2024-01-01 22:09 ` Michael Brown
2023-12-30 11:29 ` [edk2-devel] [PATCH 2/5] NetworkPkg: Introduce HttpsTlsConfigDataProtocol Chang, Abner via groups.io
` (3 subsequent siblings)
4 siblings, 1 reply; 8+ messages in thread
From: Chang, Abner via groups.io @ 2023-12-30 11:29 UTC (permalink / raw)
To: devel
Cc: Saloni Kasbekar, Zachary Clark-williams, Michael Brown,
Nickle Wang, Igor Kulchytskyy
From: Abner Chang <abner.chang@amd.com>
- Use HTTP instance as the parameter for TlsCreateChild function.
- Install TLS protocol on the HTTP instance that creates TLS child.
Signed-off-by: Abner Chang <abner.chang@amd.com>
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Cc: Michael Brown <mcb30@ipxe.org>
Cc: Nickle Wang <nicklew@nvidia.com>
Cc: Igor Kulchytskyy <igork@ami.com>
---
NetworkPkg/HttpDxe/HttpsSupport.h | 17 +++----
NetworkPkg/HttpDxe/HttpImpl.c | 20 ++-------
NetworkPkg/HttpDxe/HttpsSupport.c | 75 +++++++++++++++++--------------
3 files changed, 52 insertions(+), 60 deletions(-)
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.h b/NetworkPkg/HttpDxe/HttpsSupport.h
index 3c70825e8c3..326a4e50120 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.h
+++ b/NetworkPkg/HttpDxe/HttpsSupport.h
@@ -30,21 +30,18 @@ IsHttpsUrl (
/**
Creates a Tls child handle, open EFI_TLS_PROTOCOL and EFI_TLS_CONFIGURATION_PROTOCOL.
- @param[in] ImageHandle The firmware allocated handle for the UEFI image.
- @param[out] TlsSb Pointer to the TLS SERVICE_BINDING_PROTOCOL.
- @param[out] TlsProto Pointer to the EFI_TLS_PROTOCOL instance.
- @param[out] TlsConfiguration Pointer to the EFI_TLS_CONFIGURATION_PROTOCOL instance.
+ @param[in] HttpInstance Pointer to HTTP_PROTOCOL structure.
- @return The child handle with opened EFI_TLS_PROTOCOL and EFI_TLS_CONFIGURATION_PROTOCOL.
+ @return EFI_SUCCESS TLS child handle is returned in HttpInstance->TlsChildHandle
+ with opened EFI_TLS_PROTOCOL and EFI_TLS_CONFIGURATION_PROTOCOL.
+ EFI_DEVICE_ERROR TLS service binding protocol is not found.
+ Otherwise Fail to create TLS chile handle.
**/
-EFI_HANDLE
+EFI_STATUS
EFIAPI
TlsCreateChild (
- IN EFI_HANDLE ImageHandle,
- OUT EFI_SERVICE_BINDING_PROTOCOL **TlsSb,
- OUT EFI_TLS_PROTOCOL **TlsProto,
- OUT EFI_TLS_CONFIGURATION_PROTOCOL **TlsConfiguration
+ IN HTTP_PROTOCOL *HttpInstance
);
/**
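Review bot: In the updated function header, "TLS chile handle" should read "child", and the status values are listed under a single @return; edk2 function headers give each status its own @retval line. The same comment text is duplicated in HttpsSupport.c and needs the same fix there.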
diff --git a/NetworkPkg/HttpDxe/HttpImpl.c b/NetworkPkg/HttpDxe/HttpImpl.c
index 7c5c925cf78..aa4efedbf6b 100644
--- a/NetworkPkg/HttpDxe/HttpImpl.c
+++ b/NetworkPkg/HttpDxe/HttpImpl.c
@@ -248,7 +248,6 @@ EfiHttpRequest (
HTTP_TOKEN_WRAP *Wrap;
CHAR8 *FileUrl;
UINTN RequestMsgSize;
- EFI_HANDLE ImageHandle;
//
// Initializations
@@ -372,22 +371,9 @@ EfiHttpRequest (
// Check whether we need to create Tls child and open the TLS protocol.
//
if (HttpInstance->UseHttps && (HttpInstance->TlsChildHandle == NULL)) {
- //
- // Use TlsSb to create Tls child and open the TLS protocol.
- //
- if (HttpInstance->LocalAddressIsIPv6) {
- ImageHandle = HttpInstance->Service->Ip6DriverBindingHandle;
- } else {
- ImageHandle = HttpInstance->Service->Ip4DriverBindingHandle;
- }
-
- HttpInstance->TlsChildHandle = TlsCreateChild (
- ImageHandle,
- &(HttpInstance->TlsSb),
- &(HttpInstance->Tls),
- &(HttpInstance->TlsConfiguration)
- );
- if (HttpInstance->TlsChildHandle == NULL) {
+ // Create TLS child for this HTTP instance.
+ Status = TlsCreateChild (HttpInstance);
+ if (EFI_ERROR (Status)) {
return EFI_DEVICE_ERROR;
}
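Review bot: In the `if (EFI_ERROR (Status))` branch the status returned by TlsCreateChild is dropped and EFI_DEVICE_ERROR is returned for every failure, so the distinct return codes now documented for TlsCreateChild never reach the caller. Either return Status or log it with DEBUG before mapping it to EFI_DEVICE_ERROR.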
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 7330be42c00..fb7c1ea59f2 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -134,27 +134,31 @@ IsHttpsUrl (
/**
Creates a Tls child handle, open EFI_TLS_PROTOCOL and EFI_TLS_CONFIGURATION_PROTOCOL.
- @param[in] ImageHandle The firmware allocated handle for the UEFI image.
- @param[out] TlsSb Pointer to the TLS SERVICE_BINDING_PROTOCOL.
- @param[out] TlsProto Pointer to the EFI_TLS_PROTOCOL instance.
- @param[out] TlsConfiguration Pointer to the EFI_TLS_CONFIGURATION_PROTOCOL instance.
+ @param[in] HttpInstance Pointer to HTTP_PROTOCOL structure.
- @return The child handle with opened EFI_TLS_PROTOCOL and EFI_TLS_CONFIGURATION_PROTOCOL.
+ @return EFI_SUCCESS TLS child handle is returned in HttpInstance->TlsChildHandle
+ with opened EFI_TLS_PROTOCOL and EFI_TLS_CONFIGURATION_PROTOCOL.
+ EFI_DEVICE_ERROR TLS service binding protocol is not found.
+ Otherwise Fail to create TLS chile handle.
**/
-EFI_HANDLE
+EFI_STATUS
EFIAPI
TlsCreateChild (
- IN EFI_HANDLE ImageHandle,
- OUT EFI_SERVICE_BINDING_PROTOCOL **TlsSb,
- OUT EFI_TLS_PROTOCOL **TlsProto,
- OUT EFI_TLS_CONFIGURATION_PROTOCOL **TlsConfiguration
+ IN HTTP_PROTOCOL *HttpInstance
)
{
+ EFI_HANDLE ImageHandle;
EFI_STATUS Status;
- EFI_HANDLE TlsChildHandle;
- TlsChildHandle = 0;
+ //
+ // Use TlsSb to create Tls child and open the TLS protocol.
+ //
+ if (HttpInstance->LocalAddressIsIPv6) {
+ ImageHandle = HttpInstance->Service->Ip6DriverBindingHandle;
+ } else {
+ ImageHandle = HttpInstance->Service->Ip4DriverBindingHandle;
+ }
//
// Locate TlsServiceBinding protocol.
@@ -162,44 +166,49 @@ TlsCreateChild (
gBS->LocateProtocol (
&gEfiTlsServiceBindingProtocolGuid,
NULL,
- (VOID **)TlsSb
+ (VOID **)&HttpInstance->TlsSb
);
- if (*TlsSb == NULL) {
- return NULL;
+ if (HttpInstance->TlsSb == NULL) {
+ return EFI_DEVICE_ERROR;
}
- Status = (*TlsSb)->CreateChild (*TlsSb, &TlsChildHandle);
+ //
+ // Create TLS protocol on HTTP handle, this creates the association between HTTP and TLS
+ // for HTTP driver external usages.
+ //
+ Status = HttpInstance->TlsSb->CreateChild (HttpInstance->TlsSb, &HttpInstance->Handle);
if (EFI_ERROR (Status)) {
- return NULL;
+ return Status;
}
- Status = gBS->OpenProtocol (
- TlsChildHandle,
- &gEfiTlsProtocolGuid,
- (VOID **)TlsProto,
- ImageHandle,
- TlsChildHandle,
- EFI_OPEN_PROTOCOL_GET_PROTOCOL
- );
+ HttpInstance->TlsChildHandle = HttpInstance->Handle;
+ Status = gBS->OpenProtocol (
+ HttpInstance->TlsChildHandle,
+ &gEfiTlsProtocolGuid,
+ (VOID **)&HttpInstance->Tls,
+ ImageHandle,
+ HttpInstance->TlsChildHandle,
+ EFI_OPEN_PROTOCOL_GET_PROTOCOL
+ );
if (EFI_ERROR (Status)) {
- (*TlsSb)->DestroyChild (*TlsSb, TlsChildHandle);
- return NULL;
+ HttpInstance->TlsSb->DestroyChild (HttpInstance->TlsSb, HttpInstance->TlsChildHandle);
+ return Status;
}
Status = gBS->OpenProtocol (
- TlsChildHandle,
+ HttpInstance->TlsChildHandle,
&gEfiTlsConfigurationProtocolGuid,
- (VOID **)TlsConfiguration,
+ (VOID **)&HttpInstance->TlsConfiguration,
ImageHandle,
- TlsChildHandle,
+ HttpInstance->TlsChildHandle,
EFI_OPEN_PROTOCOL_GET_PROTOCOL
);
if (EFI_ERROR (Status)) {
- (*TlsSb)->DestroyChild (*TlsSb, TlsChildHandle);
- return NULL;
+ HttpInstance->TlsSb->DestroyChild (HttpInstance->TlsSb, HttpInstance->TlsChildHandle);
+ return Status;
}
- return TlsChildHandle;
+ return EFI_SUCCESS;
}
/**
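Review bot: On both OpenProtocol failure paths DestroyChild is called but HttpInstance->TlsChildHandle stays set (and HttpInstance->Tls may too). EfiHttpRequest only calls TlsCreateChild when `HttpInstance->TlsChildHandle == NULL`, so a later request on the same instance would skip creation and carry on with a handle whose TLS child was destroyed. Reset TlsChildHandle, Tls and TlsConfiguration to NULL before returning Status. Separately, the LocateProtocol result is still judged only by `HttpInstance->TlsSb == NULL`; now that the output is a field of a long-lived structure rather than a caller's out parameter, check the returned status instead.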
--
2.37.1.windows.1
* [edk2-devel] [PATCH 2/5] NetworkPkg: Introduce HttpsTlsConfigDataProtocol
2023-12-30 11:29 [edk2-devel] [PATCH 0/5] Support HTTP application TLS configuration protocol Chang, Abner via groups.io
2023-12-30 11:29 ` [edk2-devel] [PATCH 1/5] NetworkPkg/HttpDxe: Refactor TlsCreateChild function Chang, Abner via groups.io
@ 2023-12-30 11:29 ` Chang, Abner via groups.io
2023-12-30 11:29 ` [edk2-devel] [PATCH 3/5] NetworkPkg/HttpDxe: Use HttpsTlsConfigDataProtocol Chang, Abner via groups.io
` (2 subsequent siblings)
4 siblings, 0 replies; 8+ messages in thread
From: Chang, Abner via groups.io @ 2023-12-30 11:29 UTC (permalink / raw)
To: devel
Cc: Saloni Kasbekar, Zachary Clark-williams, Michael Brown,
Nickle Wang, Igor Kulchytskyy
From: abnchang <abnchang@amd.com>
Introduce HttpsTlsConfigDataProtocol; the HTTP application
can install it on the HTTP protocol handle to provide its
own TLS configuration data.
Signed-off-by: Abner Chang <abner.chang@amd.com>
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Cc: Michael Brown <mcb30@ipxe.org>
Cc: Nickle Wang <nicklew@nvidia.com>
Cc: Igor Kulchytskyy <igork@ami.com>
---
NetworkPkg/NetworkPkg.dec | 3 ++
.../Protocol/HttpsTlsConfigDataProtocol.h | 48 +++++++++++++++++++
2 files changed, 51 insertions(+)
create mode 100644 NetworkPkg/Include/Protocol/HttpsTlsConfigDataProtocol.h
diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec
index e06f35e7747..17473464d1e 100644
--- a/NetworkPkg/NetworkPkg.dec
+++ b/NetworkPkg/NetworkPkg.dec
@@ -94,6 +94,9 @@
## Include/Protocol/WiFiProfileSyncProtocol.h
gEdkiiWiFiProfileSyncProtocolGuid = {0x399a2b8a, 0xc267, 0x44aa, {0x9a, 0xb4, 0x30, 0x58, 0x8c, 0xd2, 0x2d, 0xcc}}
+ ## Include/Protocol/HttpsTlsConfigDataProtocol.h
+ gEdkiiHttpsTlsConfigDataProtocolGuid = {0xbfe8e3e3, 0xb884, 0x4a6f, {0xae, 0xd3, 0xb8, 0xdb, 0xeb, 0xc5, 0x58, 0xc0}}
+
[PcdsFixedAtBuild]
## The max attempt number will be created by iSCSI driver.
# @Prompt Max attempt number.
diff --git a/NetworkPkg/Include/Protocol/HttpsTlsConfigDataProtocol.h b/NetworkPkg/Include/Protocol/HttpsTlsConfigDataProtocol.h
new file mode 100644
index 00000000000..ec429d9ed38
--- /dev/null
+++ b/NetworkPkg/Include/Protocol/HttpsTlsConfigDataProtocol.h
@@ -0,0 +1,48 @@
+/** @file
+ This file defines the EDKII HTTPS TLS Config Data Protocol
+
+ Copyright (C) 2023 Advanced Micro Devices, Inc. All rights reserved.<BR>
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL_H_
+#define EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL_H_
+
+#include <Protocol/Http.h>
+#include <Protocol/Tls.h>
+
+#define EEDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL_GUID \
+ { \
+ 0xbfe8e3e3, 0xb884, 0x4a6f, {0xae, 0xd3, 0xb8, 0xdb, 0xeb, 0xc5, 0x58, 0xc0} \
+ }
+
+///
+/// HTTP TLS configuration structure version that manages
+/// structure format of EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL.
+///
+typedef struct {
+ UINT8 Major;
+ UINT8 Minor;
+} EDKII_HTTPS_TLS_CONFIG_DATA_VERSION;
+
+///
+/// HTTPS TLS configuration data structure.
+///
+typedef struct {
+ EFI_TLS_VERSION Version;
+ EFI_TLS_CONNECTION_END ConnectionEnd;
+ EFI_TLS_VERIFY VerifyMethod;
+ EFI_TLS_VERIFY_HOST VerifyHost;
+ EFI_TLS_SESSION_STATE SessionState;
+} HTTPS_TLS_CONFIG_DATA;
+
+typedef struct {
+ EDKII_HTTPS_TLS_CONFIG_DATA_VERSION Version;
+ ///
+ /// EDKII_PLATFORM_HTTPS_TLS_CONFIG_DATA_VERSION V1.0
+ ///
+ HTTPS_TLS_CONFIG_DATA HttpsTlsConfigData;
+} EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL;
+
+extern EFI_GUID gEdkiiHttpsTlsConfigDataProtocolGuid;
+#endif // EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL_H_
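Review bot: The GUID macro is spelled `EEDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL_GUID` (doubled E), and the comment inside the protocol structure refers to `EDKII_PLATFORM_HTTPS_TLS_CONFIG_DATA_VERSION`, which is not the name of the version type defined above it. The members of HTTPS_TLS_CONFIG_DATA have no per-field comments; since VerifyMethod lets the installer of this protocol turn off peer verification, the header should say which values HttpDxe honours and what EFI_TLS_VERIFY_NONE implies for the session.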
--
2.37.1.windows.1
* [edk2-devel] [PATCH 3/5] NetworkPkg/HttpDxe: Use HttpsTlsConfigDataProtocol
2023-12-30 11:29 [edk2-devel] [PATCH 0/5] Support HTTP application TLS configuration protocol Chang, Abner via groups.io
2023-12-30 11:29 ` [edk2-devel] [PATCH 1/5] NetworkPkg/HttpDxe: Refactor TlsCreateChild function Chang, Abner via groups.io
2023-12-30 11:29 ` [edk2-devel] [PATCH 2/5] NetworkPkg: Introduce HttpsTlsConfigDataProtocol Chang, Abner via groups.io
@ 2023-12-30 11:29 ` Chang, Abner via groups.io
2023-12-30 11:29 ` [edk2-devel] [PATCH 4/5] RedfishPkg/RedfishRestExDxe: Produce EdkiiHttpsTlsConfigData protocol Chang, Abner via groups.io
2023-12-30 11:29 ` [edk2-devel] [PATCH 5/5] RedfishPkg/RedfishRestExDxe: Update the Supported function Chang, Abner via groups.io
4 siblings, 0 replies; 8+ messages in thread
From: Chang, Abner via groups.io @ 2023-12-30 11:29 UTC (permalink / raw)
To: devel
Cc: Saloni Kasbekar, Zachary Clark-williams, Michael Brown,
Nickle Wang, Igor Kulchytskyy
From: abnchang <abnchang@amd.com>
Consume HttpsTlsConfigDataProtocol protocol installed
on the HTTP protocol handle to override the default TLS
configuration data.
Signed-off-by: Abner Chang <abner.chang@amd.com>
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Cc: Michael Brown <mcb30@ipxe.org>
Cc: Nickle Wang <nicklew@nvidia.com>
Cc: Igor Kulchytskyy <igork@ami.com>
---
NetworkPkg/HttpDxe/HttpDxe.inf | 1 +
NetworkPkg/HttpDxe/HttpDriver.h | 1 +
NetworkPkg/HttpDxe/HttpProto.h | 10 +---
NetworkPkg/HttpDxe/HttpsSupport.c | 97 ++++++++++++++++++++++++-------
4 files changed, 80 insertions(+), 29 deletions(-)
diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf
index c9502d0bb6d..ec58677c3f1 100644
--- a/NetworkPkg/HttpDxe/HttpDxe.inf
+++ b/NetworkPkg/HttpDxe/HttpDxe.inf
@@ -66,6 +66,7 @@
gEfiTlsProtocolGuid ## SOMETIMES_CONSUMES
gEfiTlsConfigurationProtocolGuid ## SOMETIMES_CONSUMES
gEdkiiHttpCallbackProtocolGuid ## SOMETIMES_CONSUMES
+ gEdkiiHttpsTlsConfigDataProtocolGuid ## SOMETIMES_CONSUMES
[Guids]
gEfiTlsCaCertificateGuid ## SOMETIMES_CONSUMES ## Variable:L"TlsCaCertificate"
diff --git a/NetworkPkg/HttpDxe/HttpDriver.h b/NetworkPkg/HttpDxe/HttpDriver.h
index 01a6bb7f4b7..66c924e3030 100644
--- a/NetworkPkg/HttpDxe/HttpDriver.h
+++ b/NetworkPkg/HttpDxe/HttpDriver.h
@@ -48,6 +48,7 @@
#include <Protocol/Tls.h>
#include <Protocol/TlsConfig.h>
#include <Protocol/HttpCallback.h>
+#include <Protocol/HttpsTlsConfigDataProtocol.h>
#include <Guid/ImageAuthentication.h>
//
diff --git a/NetworkPkg/HttpDxe/HttpProto.h b/NetworkPkg/HttpDxe/HttpProto.h
index 012f1f4b467..fbccffa8e71 100644
--- a/NetworkPkg/HttpDxe/HttpProto.h
+++ b/NetworkPkg/HttpDxe/HttpProto.h
@@ -76,14 +76,6 @@ typedef struct {
EFI_HTTP_METHOD Method;
} HTTP_TCP_TOKEN_WRAP;
-typedef struct {
- EFI_TLS_VERSION Version;
- EFI_TLS_CONNECTION_END ConnectionEnd;
- EFI_TLS_VERIFY VerifyMethod;
- EFI_TLS_VERIFY_HOST VerifyHost;
- EFI_TLS_SESSION_STATE SessionState;
-} TLS_CONFIG_DATA;
-
//
// Callback data for HTTP_PARSER_CALLBACK()
//
@@ -172,7 +164,7 @@ typedef struct _HTTP_PROTOCOL {
EFI_SERVICE_BINDING_PROTOCOL *TlsSb;
EFI_HANDLE TlsChildHandle; /// Tls ChildHandle
- TLS_CONFIG_DATA TlsConfigData;
+ HTTPS_TLS_CONFIG_DATA TlsConfigData;
EFI_TLS_PROTOCOL *Tls;
EFI_TLS_CONFIGURATION_PROTOCOL *TlsConfiguration;
EFI_TLS_SESSION_STATE TlsSessionState;
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index fb7c1ea59f2..96ecdd1d848 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -131,6 +131,58 @@ IsHttpsUrl (
return FALSE;
}
+/**
+ Get application HTTP TLS configuration data from HTTP handle.
+
+ @param[in] HttpInstance The HTTP protocol handle instance.
+
+ @retval EFI_SUCCESS Application HTTP TLS configuration data is
+ loaded in HttpInstance->TlsConfigData.
+ @retval EFI_UNSUPPORTED No application HTTP TLS configuration data
+
+**/
+EFI_STATUS
+GetHttpsTlsConfigData (
+ IN HTTP_PROTOCOL *HttpInstance
+ )
+{
+ EFI_STATUS Status;
+ EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL *HttpsTlsConfigData;
+
+ Status = gBS->HandleProtocol (
+ HttpInstance->Handle,
+ &gEdkiiHttpsTlsConfigDataProtocolGuid,
+ (VOID **)&HttpsTlsConfigData
+ );
+ if (EFI_ERROR (Status)) {
+ return EFI_UNSUPPORTED;
+ }
+
+ if (HttpsTlsConfigData->Version.Major >= 1) {
+ HttpInstance->TlsConfigData.ConnectionEnd = HttpsTlsConfigData->HttpsTlsConfigData.ConnectionEnd;
+ HttpInstance->TlsConfigData.SessionState = HttpsTlsConfigData->HttpsTlsConfigData.SessionState;
+ HttpInstance->TlsConfigData.VerifyHost = HttpsTlsConfigData->HttpsTlsConfigData.VerifyHost;
+ HttpInstance->TlsConfigData.VerifyMethod = HttpsTlsConfigData->HttpsTlsConfigData.VerifyMethod;
+ } else {
+ DEBUG ((
+ DEBUG_ERROR,
+ "%a: Unsupported version of EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL - %d.%d.\n",
+ __func__,
+ HttpsTlsConfigData->Version.Major,
+ HttpsTlsConfigData->Version.Minor
+ ));
+ return EFI_UNSUPPORTED;
+ }
+
+ DEBUG ((
+ DEBUG_VERBOSE,
+ "%a: There is a EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL installed on HTTP handle:0x%x.\n",
+ __func__,
+ HttpInstance->Handle
+ ));
+ return EFI_SUCCESS;
+}
+
/**
Creates a Tls child handle, open EFI_TLS_PROTOCOL and EFI_TLS_CONFIGURATION_PROTOCOL.
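Review bot: `HttpsTlsConfigData->Version.Major >= 1` accepts any future major version, whose structure layout this code cannot know; compare against the major version actually understood (`== 1`) and treat everything else as unsupported. The handle in the DEBUG_VERBOSE message is printed with `0x%x`, which does not fit a pointer on 64-bit builds; use `%p`. VerifyHost is copied by value, so HostName keeps pointing at the application's buffer, and that lifetime requirement should be documented.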
@@ -208,6 +260,13 @@ TlsCreateChild (
return Status;
}
+ // Initial default TLS configuration data.
+ HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
+ HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
+ HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
+ HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
+ HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
+
return EFI_SUCCESS;
}
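Review bot: These defaults are now written once, at TLS child creation, where before they were rewritten on every TlsConfigureSession call, so VerifyHost.HostName keeps whatever HttpInstance->RemoteHost pointed to at this moment. Please confirm that RemoteHost is already populated when TlsCreateChild runs and is not reallocated while the TLS child lives, or keep the HostName assignment in TlsConfigureSession.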
@@ -650,14 +709,8 @@ TlsConfigureSession (
{
EFI_STATUS Status;
- //
- // TlsConfigData initialization
- //
- HttpInstance->TlsConfigData.ConnectionEnd = EfiTlsClient;
- HttpInstance->TlsConfigData.VerifyMethod = EFI_TLS_VERIFY_PEER;
- HttpInstance->TlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
- HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
- HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
+ // Get applciation TLS configuration data.
+ GetHttpsTlsConfigData (HttpInstance);
//
// EfiTlsConnectionEnd,
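Review bot: The return value of GetHttpsTlsConfigData is ignored here, and because the default initialisation was removed from this function, values copied from an application's protocol stay in HttpInstance->TlsConfigData on any later call even if the protocol has since been uninstalled. Consider restoring the defaults in this function before applying the override, and either handle the status or cast the call to (VOID) to show it is intentional. The new comment has a typo: "applciation".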
@@ -685,14 +738,16 @@ TlsConfigureSession (
return Status;
}
- Status = HttpInstance->Tls->SetSessionData (
- HttpInstance->Tls,
- EfiTlsVerifyHost,
- &HttpInstance->TlsConfigData.VerifyHost,
- sizeof (EFI_TLS_VERIFY_HOST)
- );
- if (EFI_ERROR (Status)) {
- return Status;
+ if (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE) {
+ Status = HttpInstance->Tls->SetSessionData (
+ HttpInstance->Tls,
+ EfiTlsVerifyHost,
+ &HttpInstance->TlsConfigData.VerifyHost,
+ sizeof (EFI_TLS_VERIFY_HOST)
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
}
Status = HttpInstance->Tls->SetSessionData (
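Review bot: With VerifyMethod equal to EFI_TLS_VERIFY_NONE this branch skips EfiTlsVerifyHost (and the following hunk skips TlsConfigCertificate the same way), so the session is configured with no peer or host-name check and nothing is logged. Add a DEBUG_WARN stating that TLS verification is disabled for this HTTP handle, so an unauthenticated HTTPS session is visible in the debug log.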
@@ -717,10 +772,12 @@ TlsConfigureSession (
//
// Tls Config Certificate
//
- Status = TlsConfigCertificate (HttpInstance);
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
- return Status;
+ if (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE) {
+ Status = TlsConfigCertificate (HttpInstance);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
+ return Status;
+ }
}
//
--
2.37.1.windows.1
* [edk2-devel] [PATCH 4/5] RedfishPkg/RedfishRestExDxe: Produce EdkiiHttpsTlsConfigData protocol
2023-12-30 11:29 [edk2-devel] [PATCH 0/5] Support HTTP application TLS configuration protocol Chang, Abner via groups.io
` (2 preceding siblings ...)
2023-12-30 11:29 ` [edk2-devel] [PATCH 3/5] NetworkPkg/HttpDxe: Use HttpsTlsConfigDataProtocol Chang, Abner via groups.io
@ 2023-12-30 11:29 ` Chang, Abner via groups.io
2023-12-30 11:29 ` [edk2-devel] [PATCH 5/5] RedfishPkg/RedfishRestExDxe: Update the Supported function Chang, Abner via groups.io
4 siblings, 0 replies; 8+ messages in thread
From: Chang, Abner via groups.io @ 2023-12-30 11:29 UTC (permalink / raw)
To: devel
Cc: Saloni Kasbekar, Zachary Clark-williams, Michael Brown,
Nickle Wang, Igor Kulchytskyy
From: abnchang <abnchang@amd.com>
Produce EdkiiHttpsTlsConfigData protocol to provide Redfish
REST EX TLS configuration data.
Signed-off-by: Abner Chang <abner.chang@amd.com>
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Cc: Michael Brown <mcb30@ipxe.org>
Cc: Nickle Wang <nicklew@nvidia.com>
Cc: Igor Kulchytskyy <igork@ami.com>
---
RedfishPkg/RedfishPkg.dec | 5 ++
.../RedfishRestExDxe/RedfishRestExDxe.inf | 2 +
.../RedfishRestExDxe/RedfishRestExDriver.h | 23 +++++-
.../RedfishRestExDxe/RedfishRestExDriver.c | 79 ++++++++++++++++++-
4 files changed, 104 insertions(+), 5 deletions(-)
diff --git a/RedfishPkg/RedfishPkg.dec b/RedfishPkg/RedfishPkg.dec
index 3ea9ff3ef7f..e4aa8b634c8 100644
--- a/RedfishPkg/RedfishPkg.dec
+++ b/RedfishPkg/RedfishPkg.dec
@@ -154,3 +154,8 @@
# set to EFI_REST_EX_PROTOCOL.
#
gEfiRedfishPkgTokenSpaceGuid.PcdRedfishSendReceiveTimeout|5000|UINT32|0x00001009
+ #
+ # This PCD declares whether to provide EDKII_HTTPS_CONFIG_DATA_PROTOCOL
+ # for Resfish REXT EX HTTPS TLS configuration data.
+ #
+ gEfiRedfishPkgTokenSpaceGuid.PcdRedfishRestExHttpsTlsConfigData|TRUE|BOOLEAN|0x00001010
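Review bot: PcdRedfishRestExHttpsTlsConfigData defaults to TRUE, so every platform that picks up this .dec gets the Redfish override without opting in; since the override installed by this patch sets VerifyMethod to EFI_TLS_VERIFY_NONE, consider defaulting to FALSE or stating in the comment that TRUE disables TLS peer verification for REST EX. The comment also names EDKII_HTTPS_CONFIG_DATA_PROTOCOL (the protocol is EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL) and misspells "Resfish REXT EX".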
diff --git a/RedfishPkg/RedfishRestExDxe/RedfishRestExDxe.inf b/RedfishPkg/RedfishRestExDxe/RedfishRestExDxe.inf
index 64e6343bfbf..e75f5a87985 100644
--- a/RedfishPkg/RedfishRestExDxe/RedfishRestExDxe.inf
+++ b/RedfishPkg/RedfishRestExDxe/RedfishRestExDxe.inf
@@ -57,11 +57,13 @@
gEfiHttpServiceBindingProtocolGuid ## TO_START
gEfiHttpProtocolGuid ## TO_START
gEfiDevicePathProtocolGuid ## TO_START
+ gEdkiiHttpsTlsConfigDataProtocolGuid ## PRODUCED
[Pcd]
gEfiRedfishPkgTokenSpaceGuid.PcdRedfishRestExServiceAccessModeInBand ## CONSUMES
gEfiRedfishPkgTokenSpaceGuid.PcdRedfishRestExChunkRequestMode ## CONSUMES
gEfiRedfishPkgTokenSpaceGuid.PcdRedfishRestExAddingExpect ## CONSUMES
+ gEfiRedfishPkgTokenSpaceGuid.PcdRedfishRestExHttpsTlsConfigData ## CONSUMES
[UserExtensions.TianoCore."ExtraFiles"]
RedfishRestExDxeExtra.uni
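Review bot: `## PRODUCED` on the gEdkiiHttpsTlsConfigDataProtocolGuid line is not an INF usage keyword; the usage is `## PRODUCES`, or `## SOMETIMES_PRODUCES` here because installation depends on PcdRedfishRestExHttpsTlsConfigData.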
diff --git a/RedfishPkg/RedfishRestExDxe/RedfishRestExDriver.h b/RedfishPkg/RedfishRestExDxe/RedfishRestExDriver.h
index 6b94e5814c4..c3a15f1a976 100644
--- a/RedfishPkg/RedfishRestExDxe/RedfishRestExDriver.h
+++ b/RedfishPkg/RedfishRestExDxe/RedfishRestExDriver.h
@@ -30,8 +30,10 @@
/// UEFI Driver Model Protocols
///
#include <Protocol/DriverBinding.h>
+#include <Protocol/HttpsTlsConfigDataProtocol.h>
#include <Protocol/RestEx.h>
#include <Protocol/ServiceBinding.h>
+#include <Protocol/Tls.h>
///
/// Protocol instances
@@ -53,13 +55,19 @@ typedef struct _RESTEX_SERVICE RESTEX_SERVICE;
///
typedef struct _RESTEX_INSTANCE RESTEX_INSTANCE;
+///
+/// RestEx HTTP context
+///
+typedef struct _RESTEX_HTTPS_CONTEXT RESTEX_HTTPS_CONTEXT;
+
///
/// Driver Version
///
#define REDFISH_RESTEX_DRIVER_VERSION 0x0100
-#define RESTEX_SERVICE_SIGNATURE SIGNATURE_32 ('R', 'E', 'S', 'S')
-#define RESTEX_INSTANCE_SIGNATURE SIGNATURE_32 ('R', 'E', 'I', 'S')
+#define RESTEX_SERVICE_SIGNATURE SIGNATURE_32 ('R', 'E', 'S', 'S')
+#define RESTEX_INSTANCE_SIGNATURE SIGNATURE_32 ('R', 'E', 'I', 'S')
+#define RESTEX_HTTPS_CONTEXT_SIGNATURE SIGNATURE_32 ('R', 'H', 'C', 'S')
#define RESTEX_SERVICE_FROM_THIS(a) \
CR (a, RESTEX_SERVICE, ServiceBinding, RESTEX_SERVICE_SIGNATURE)
@@ -67,6 +75,9 @@ typedef struct _RESTEX_INSTANCE RESTEX_INSTANCE;
#define RESTEX_INSTANCE_FROM_THIS(a) \
CR (a, RESTEX_INSTANCE, RestEx, RESTEX_INSTANCE_SIGNATURE)
+#define REDFISH_HTTPS_CONTEXT_FROM_THIS(a) \
+ CR (a, RESTEX_HTTPS_CONTEXT, TlsConfigDataProtocol, RESTEX_HTTPS_CONTEXT_SIGNATURE)
+
#define RESTEX_STATE_UNCONFIGED 0
#define RESTEX_STATE_CONFIGED 1
@@ -93,6 +104,12 @@ struct _RESTEX_SERVICE {
#define RESTEX_INSTANCE_FLAGS_TLS_RETRY 0x00000001
#define RESTEX_INSTANCE_FLAGS_TCP_ERROR_RETRY 0x00000002
+struct _RESTEX_HTTPS_CONTEXT {
+ UINT32 Signature;
+ EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL TlsConfigDataProtocol;
+ BOOLEAN TlsConfigDataProtocolInstalled;
+};
+
struct _RESTEX_INSTANCE {
UINT32 Signature;
LIST_ENTRY Link;
@@ -107,6 +124,8 @@ struct _RESTEX_INSTANCE {
EFI_REST_EX_CONFIG_DATA ConfigData;
+ RESTEX_HTTPS_CONTEXT *RestExHttpsContext;
+
//
// HTTP_IO to access the HTTP service
//
diff --git a/RedfishPkg/RedfishRestExDxe/RedfishRestExDriver.c b/RedfishPkg/RedfishRestExDxe/RedfishRestExDriver.c
index 7036aed4268..f897248fc44 100644
--- a/RedfishPkg/RedfishRestExDxe/RedfishRestExDriver.c
+++ b/RedfishPkg/RedfishRestExDxe/RedfishRestExDriver.c
@@ -76,8 +76,26 @@ RestExDestroyInstance (
IN RESTEX_INSTANCE *Instance
)
{
- HttpIoDestroyIo (&(Instance->HttpIo));
+ EFI_STATUS Status;
+ if ((Instance != NULL) &&
+ (Instance->RestExHttpsContext != NULL) &&
+ (Instance->RestExHttpsContext->TlsConfigDataProtocolInstalled)
+ )
+ {
+ Status = gBS->UninstallProtocolInterface (
+ Instance->HttpIo.Handle,
+ &gEdkiiHttpsTlsConfigDataProtocolGuid,
+ (VOID *)&Instance->RestExHttpsContext->TlsConfigDataProtocol
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "%a: Fail to uninstall gEdkiiHttpsTlsConfigDataProtocolGuid.\n", __func__));
+ }
+
+ FreePool (Instance->RestExHttpsContext);
+ }
+
+ HttpIoDestroyIo (&(Instance->HttpIo));
FreePool (Instance);
}
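Review bot: When UninstallProtocolInterface fails, the code only logs and then still calls `FreePool (Instance->RestExHttpsContext)`, which leaves the interface registered on the HTTP handle pointing at freed memory. Skip the free on that path, or propagate the failure. Also, `Instance != NULL` is tested in the condition while HttpIoDestroyIo and `FreePool (Instance)` below use Instance unconditionally; drop the test or return early when Instance is NULL.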
@@ -266,6 +284,56 @@ RestExCreateService (
return Status;
}
+/**
+ Initial EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL for Redfish REST EX TLS.
+
+ @param[in] Instance REST EX internal structure instance.
+
+**/
+VOID
+RedfishHttpsTlsConfigData (
+ IN RESTEX_INSTANCE *Instance
+ )
+{
+ EFI_STATUS Status;
+ RESTEX_HTTPS_CONTEXT *RestExHttpsContext;
+
+ RestExHttpsContext = AllocateZeroPool (sizeof (RESTEX_HTTPS_CONTEXT));
+ if (RestExHttpsContext == NULL) {
+ DEBUG ((DEBUG_ERROR, "%a: Allocate memory fail for RESTEX_HTTPS_CONTEXT\n", __func__));
+ return;
+ }
+
+ if (Instance->HttpIo.Handle == NULL) {
+ DEBUG ((DEBUG_ERROR, "%a: Invalid HTTP handle.\n", __func__));
+ return;
+ }
+
+ RestExHttpsContext->Signature = RESTEX_HTTPS_CONTEXT_SIGNATURE;
+ RestExHttpsContext->TlsConfigDataProtocol.Version.Major = 1;
+ RestExHttpsContext->TlsConfigDataProtocol.Version.Minor = 0;
+ RestExHttpsContext->TlsConfigDataProtocol.HttpsTlsConfigData.ConnectionEnd = EfiTlsClient;
+ RestExHttpsContext->TlsConfigDataProtocol.HttpsTlsConfigData.VerifyMethod = EFI_TLS_VERIFY_NONE;
+ RestExHttpsContext->TlsConfigDataProtocol.HttpsTlsConfigData.VerifyHost.Flags = EFI_TLS_VERIFY_FLAG_NONE;
+ RestExHttpsContext->TlsConfigDataProtocol.HttpsTlsConfigData.VerifyHost.HostName = "Redfish Service";
+
+ // Install EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL;
+ Status = gBS->InstallProtocolInterface (
+ &Instance->HttpIo.Handle,
+ &gEdkiiHttpsTlsConfigDataProtocolGuid,
+ EFI_NATIVE_INTERFACE,
+ (VOID *)&RestExHttpsContext->TlsConfigDataProtocol
+ );
+ if (EFI_ERROR (Status)) {
+ FreePool (RestExHttpsContext);
+ DEBUG ((DEBUG_ERROR, "%a: Fail to install EDKII_HTTPS_TLS_CONFIG_DATA_PROTOCOL.\n", __func__));
+ return;
+ }
+
+ RestExHttpsContext->TlsConfigDataProtocolInstalled = TRUE;
+ Instance->RestExHttpsContext = RestExHttpsContext;
+}
+
/**
This is the declaration of an EFI image entry point. This entry point is
the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers including
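Review bot: The `Instance->HttpIo.Handle == NULL` branch returns without freeing RestExHttpsContext, which was allocated just above it; do the handle check before AllocateZeroPool. VerifyMethod is hard-coded to EFI_TLS_VERIFY_NONE for every REST EX instance, while the cover letter motivates this mainly for the in-band interface, so consider applying it only in that mode. The function returns VOID, so the caller cannot tell that the override was not installed.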
@@ -286,8 +354,6 @@ RedfishRestExDriverEntryPoint (
{
EFI_STATUS Status;
- Status = EFI_SUCCESS;
-
//
// Install the RestEx Driver Binding Protocol.
//
@@ -699,6 +765,13 @@ RedfishRestExServiceBindingCreateChild (
goto ON_ERROR;
}
+ //
+ // Set Redfish HTTPS TLS configuration data.
+ //
+ if (FixedPcdGetBool (PcdRedfishRestExHttpsTlsConfigData)) {
+ RedfishHttpsTlsConfigData (Instance);
+ }
+
//
// Add it to the parent's child list.
//
--
2.37.1.windows.1
* [edk2-devel] [PATCH 5/5] RedfishPkg/RedfishRestExDxe: Update the Supported function
2023-12-30 11:29 [edk2-devel] [PATCH 0/5] Support HTTP application TLS configuration protocol Chang, Abner via groups.io
` (3 preceding siblings ...)
2023-12-30 11:29 ` [edk2-devel] [PATCH 4/5] RedfishPkg/RedfishRestExDxe: Produce EdkiiHttpsTlsConfigData protocol Chang, Abner via groups.io
@ 2023-12-30 11:29 ` Chang, Abner via groups.io
4 siblings, 0 replies; 8+ messages in thread
From: Chang, Abner via groups.io @ 2023-12-30 11:29 UTC (permalink / raw)
To: devel; +Cc: Nickle Wang, Igor Kulchytskyy
From: Abner Chang <abner.chang@amd.com>
Update the Supported function to check if the given
controller handle is already started.
Signed-off-by: Abner Chang <abner.chang@amd.com>
Cc: Nickle Wang <nicklew@nvidia.com>
Cc: Igor Kulchytskyy <igork@ami.com>
---
RedfishPkg/RedfishRestExDxe/RedfishRestExDriver.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/RedfishPkg/RedfishRestExDxe/RedfishRestExDriver.c b/RedfishPkg/RedfishRestExDxe/RedfishRestExDriver.c
index f897248fc44..1ac2ea6bcd3 100644
--- a/RedfishPkg/RedfishRestExDxe/RedfishRestExDriver.c
+++ b/RedfishPkg/RedfishRestExDxe/RedfishRestExDriver.c
@@ -422,6 +422,21 @@ RedfishRestExDriverBindingSupported (
IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL
)
{
+ EFI_STATUS Status;
+ UINT32 *Id;
+
+ Status = gBS->OpenProtocol (
+ ControllerHandle,
+ &gEfiCallerIdGuid,
+ (VOID **)&Id,
+ This->DriverBindingHandle,
+ ControllerHandle,
+ EFI_OPEN_PROTOCOL_GET_PROTOCOL
+ );
+ if (!EFI_ERROR (Status)) {
+ return EFI_ALREADY_STARTED;
+ }
+
//
// Test for the HttpServiceBinding Protocol.
//
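Review bot: `Id` is declared and passed to OpenProtocol but never read, and nothing in the hunk says why finding gEfiCallerIdGuid on ControllerHandle means the driver is already started. Since only presence matters, EFI_OPEN_PROTOCOL_TEST_PROTOCOL with a NULL interface would let you drop the `UINT32 *Id` local; a short comment naming where gEfiCallerIdGuid gets installed on the controller would also help.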
--
2.37.1.windows.1
* Re: [edk2-devel] [PATCH 1/5] NetworkPkg/HttpDxe: Refactor TlsCreateChild function
2023-12-30 11:29 ` [edk2-devel] [PATCH 1/5] NetworkPkg/HttpDxe: Refactor TlsCreateChild function Chang, Abner via groups.io
@ 2024-01-01 22:09 ` Michael Brown
2024-01-02 2:55 ` Chang, Abner via groups.io
0 siblings, 1 reply; 8+ messages in thread
From: Michael Brown @ 2024-01-01 22:09 UTC (permalink / raw)
To: abner.chang, devel
Cc: Saloni Kasbekar, Zachary Clark-williams, Nickle Wang,
Igor Kulchytskyy
On 30/12/2023 11:29, abner.chang@amd.com wrote:
> + @return EFI_SUCCESS TLS child handle is returned in HttpInstance->TlsChildHandle
> + with opened EFI_TLS_PROTOCOL and EFI_TLS_CONFIGURATION_PROTOCOL.
All looks good to me, but do we need to retain
HttpInstance->TlsChildHandle as a separate EFI_HANDLE field? Now that
EFI_TLS_PROTOCOL is installed on the same handle, it seems to function
solely as a flag to indicate that we have already called
TlsCreateChild(), in which case an EFI_BOOLEAN might be clearer?
With or without the above suggestion, I'm happy to add
Reviewed-by: Michael Brown <mcb30@ipxe.org>
for this patch.
Thanks,
Michael
* Re: [edk2-devel] [PATCH 1/5] NetworkPkg/HttpDxe: Refactor TlsCreateChild function
2024-01-01 22:09 ` Michael Brown
@ 2024-01-02 2:55 ` Chang, Abner via groups.io
0 siblings, 0 replies; 8+ messages in thread
From: Chang, Abner via groups.io @ 2024-01-02 2:55 UTC (permalink / raw)
To: Michael Brown, devel@edk2.groups.io
Cc: Saloni Kasbekar, Zachary Clark-williams, Nickle Wang,
Igor Kulchytskyy
> -----Original Message-----
> From: Michael Brown <mcb30@ipxe.org>
> Sent: Tuesday, January 2, 2024 6:10 AM
> To: Chang, Abner <Abner.Chang@amd.com>; devel@edk2.groups.io
> Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>; Zachary Clark-williams
> <zachary.clark-williams@intel.com>; Nickle Wang <nicklew@nvidia.com>; Igor
> Kulchytskyy <igork@ami.com>
> Subject: Re: [PATCH 1/5] NetworkPkg/HttpDxe: Refactor TlsCreateChild
> function
>
> On 30/12/2023 11:29, abner.chang@amd.com wrote:
> > + @return EFI_SUCCESS TLS child handle is returned in HttpInstance-
> >TlsChildHandle
> > + with opened EFI_TLS_PROTOCOL and
> EFI_TLS_CONFIGURATION_PROTOCOL.
>
> All looks good to me, but do we need to retain
> HttpInstance->TlsChildHandle as a separate EFI_HANDLE field? Now that
> EFI_TLS_PROTOCOL is installed on the same handle, it seems to function
> solely as a flag to indicate that we have already called
> TlsCreateChild(), in which case an EFI_BOOLEAN might be clearer?
>
> With or without the above suggestion, I'm happy to add
That is no problem Michael, I also want to remove TlsChildHandle. Will send out V2 for this change.
>
> Reviewed-by: Michael Brown <mcb30@ipxe.org>
Thanks
Abner
>
> for this patch.
>
> Thanks,
>
> Michael