Subject: Re: [PATCH V2 1/7] NetworkPkg/Defines: Make iSCSI disable as default
From: "Laszlo Ersek"
To: "Gao, Zhichao", "devel@edk2.groups.io"
Cc: "Justen, Jordan L", Ard Biesheuvel, Sami Mujawar, Leif Lindholm, "Yao, Jiewen", "Wang, Jian J", "Lu, XiaoyuX", "Jiang, Guomin", "Kinney, Michael D", "Steele, Kelly", "Sun, Zailiang", "Qian, Yi", Liming Gao, Maciej Rabeda, "Wu, Jiaxin", "Fu, Siyuan"
Date: Mon, 2 Nov 2020 16:14:35 +0100
Message-ID: <3d937c01-3d4d-dd09-0079-9c01dd4e3185@redhat.com>

On 10/29/20 03:34, Gao, Zhichao wrote:
> Sure. I would do it. I am thinking of using Network.dsc.inc instead of a combination of the other inc files. But there may be a question: the default Network.dsc.inc would only cover the builds below:
> Components.IA32, Components.X64, Components.ARM, Components.AARCH64, Components.RISCV64
> I am not sure if the above would match ArmVirt and Ovmf's requirements.

Indeed, modifying just "Network.dsc.inc" is insufficient.

"Network.dsc.inc" is convenient when it is applicable, but for some platforms, it is not flexible enough. That's why we have the separate DSC include files under NetworkPkg that do not contain the section headers themselves (such as [LibraryClasses], [Components] etc). This lets platforms decide *where* they include those snippets.

"Network.dsc.inc" is not used by either ArmVirtPkg or OvmfPkg platforms. The platform DSC files in those package directories reference "NetworkDefines.dsc.inc" and "NetworkComponents.dsc.inc" instead.

Thanks,
Laszlo

>> -----Original Message-----
>> From: Laszlo Ersek >> Sent: Tuesday, October 27, 2020 6:48 PM >> To: Gao, Zhichao ; devel@edk2.groups.io >> Cc: Justen, Jordan L ; Ard Biesheuvel >> ; Sami Mujawar ; Leif >> Lindholm ; Yao, Jiewen ; Wang, Jian >> J ; Lu, XiaoyuX ; Jiang, Guomin >> ; Kinney, Michael D ; >> Steele, Kelly ; Sun, Zailiang ; >> Qian, Yi ; Liming Gao ; Maciej >> Rabeda ; Wu, Jiaxin ; Fu, >> Siyuan >> Subject: Re: [PATCH V2 1/7] NetworkPkg/Defines: Make iSCSI disable as default >> >> Hi Zhichao, >> >> thanks for the CC, I appreciate it. Please see my comments below. >> >> On 10/27/20 03:42, Zhichao Gao wrote: >>> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003 >>> >>> iSCSI is using the undeprecated function MD5. It is better to make the >>> default setting secure. If the platforms want to use the iSCSI, they >>> should enable it in the platforms' >>> dsc file and be aware they are using an unsafe function. >>> >>> Cc: Jordan Justen >>> Cc: Laszlo Ersek >>> Cc: Ard Biesheuvel >>> Cc: Sami Mujawar >>> Cc: Leif Lindholm >>> Cc: Jiewen Yao >>> Cc: Jian J Wang >>> Cc: Xiaoyu Lu >>> Cc: Guomin Jiang >>> Cc: Michael D Kinney >>> Cc: Kelly Steele >>> Cc: Zailiang Sun >>> Cc: Yi Qian >>> Cc: Liming Gao >>> Cc: Maciej Rabeda >>> Cc: Jiaxin Wu >>> Cc: Siyuan Fu >>> Signed-off-by: Zhichao Gao >>> --- >>> NetworkPkg/NetworkDefines.dsc.inc | 4 ++-- >>> 1 file changed, 2 insertions(+), 2 deletions(-) >>> >>> diff --git a/NetworkPkg/NetworkDefines.dsc.inc >>> b/NetworkPkg/NetworkDefines.dsc.inc >>> index a442d1b157..18921d81f6 100644 >>> --- a/NetworkPkg/NetworkDefines.dsc.inc >>> +++ b/NetworkPkg/NetworkDefines.dsc.inc >>> @@ -17,7 +17,7 @@ >>> # DEFINE NETWORK_TLS_ENABLE = TRUE >>> # DEFINE NETWORK_HTTP_BOOT_ENABLE = TRUE >>> # DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = FALSE >>> -# DEFINE NETWORK_ISCSI_ENABLE = TRUE >>> +# DEFINE NETWORK_ISCSI_ENABLE = FALSE >>> # DEFINE NETWORK_VLAN_ENABLE = TRUE >>> # >>> # Copyright (c) 2019, Intel Corporation. All rights reserved.
@@ >>> -101,7 +101,7 @@ >>> # Both OpensslLib.inf and OpensslLibCrypto.inf library instance can be used >>> # since libssl is not required for iSCSI. >>> # >>> - DEFINE NETWORK_ISCSI_ENABLE = TRUE >>> + DEFINE NETWORK_ISCSI_ENABLE = FALSE >>> !endif >>> >>> !if $(NETWORK_ENABLE) == TRUE >>> >> >> I know of people that use iSCSI with the ArmVirtQemu and OVMF platforms. >> >> Please prepend two patches to this series (that is, the v3 series should begin with >> these two patches below): >> >> (1) locate "NETWORK_ALLOW_HTTP_CONNECTIONS" in the files: >> >> - ArmVirtPkg/ArmVirtQemu.dsc >> - ArmVirtPkg/ArmVirtQemuKernel.dsc >> >> and explicitly enable NETWORK_ISCSI_ENABLE in the same place. >> >> (2) Please do the same for the following files, in a separate patch: >> >> - OvmfPkg/Bhyve/BhyveX64.dsc >> - OvmfPkg/OvmfPkgIa32.dsc >> - OvmfPkg/OvmfPkgIa32X64.dsc >> - OvmfPkg/OvmfPkgX64.dsc >> - OvmfPkg/OvmfXen.dsc >> >> Thanks! >> Laszlo >
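
Review bot: the usage comment at the top of NetworkDefines.dsc.inc (hunk @@ -17,7) now lists "# DEFINE NETWORK_ISCSI_ENABLE = FALSE" without saying why this feature is off while TLS, HTTP boot and VLAN next to it stay TRUE. Add one comment line there stating that iSCSI is disabled by default because it relies on MD5, and that a platform wanting it must set the macro to TRUE in its own DSC, so the reason is visible to anyone reading the defaults rather than only in the commit message.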
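
Review bot: the default flip in the second hunk (@@ -101,7) lands alone, since the diffstat shows only NetworkDefines.dsc.inc changing, so any platform DSC that includes this file without defining NETWORK_ISCSI_ENABLE itself loses the iSCSI driver with no build-time indication. Order the patches so that the platforms needing iSCSI set "DEFINE NETWORK_ISCSI_ENABLE = TRUE" explicitly before this change, and extend the comment above the DEFINE, which currently covers only the OpensslLib.inf versus OpensslLibCrypto.inf choice, to mention the MD5 dependency.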
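
A way to audit which platform DSC files would silently pick up the new default, as an added example that is not part of this thread or of edk2. It assumes the include file assigns its default only when the macro is not already defined (the hunk shows the DEFINE sitting inside a conditional closed by `!endif`) and it ignores `-D` overrides given on the build command line; the DSC fragments and their file names are constructed for illustration.

```python
import re

# Constructed DSC fragments; the file names are hypothetical.
SAMPLES = {
    "ExamplePkg/WithIscsi.dsc": """\
[Defines]
  DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE
  DEFINE NETWORK_ISCSI_ENABLE           = TRUE
!include NetworkPkg/NetworkDefines.dsc.inc
""",
    "ExamplePkg/ReliesOnDefault.dsc": """\
[Defines]
  DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE
  # DEFINE NETWORK_ISCSI_ENABLE = TRUE
!include NetworkPkg/NetworkDefines.dsc.inc
""",
    "ExamplePkg/NoNetwork.dsc": "[Defines]\n  DEFINE SECURE_BOOT_ENABLE = FALSE\n",
}

DEFINE_RE = re.compile(r"^\s*DEFINE\s+NETWORK_ISCSI_ENABLE\s*=\s*(\S+)")
INCLUDE_RE = re.compile(r"^\s*!include\s+\S*NetworkDefines\.dsc\.inc\b")


def iscsi_setting(dsc_text, inc_default="FALSE"):
    """Return (value, source) for NETWORK_ISCSI_ENABLE as seen at the point
    where NetworkDefines.dsc.inc is included, or None if it is never included."""
    explicit = None
    for line in dsc_text.splitlines():
        line = line.split("#", 1)[0]          # drop DSC comments
        m = DEFINE_RE.match(line)
        if m:
            explicit = m.group(1).upper()      # last DEFINE before the include wins
        elif INCLUDE_RE.match(line):
            if explicit is not None:
                return explicit, "explicit"
            return inc_default, "inherited default"
    return None


def audit(files, inc_default="FALSE"):
    """Map each DSC file name to its effective iSCSI setting."""
    return {name: iscsi_setting(text, inc_default) for name, text in files.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLES).items():
        print(f"{name}: {result}")
```

Running the audit once with `inc_default="TRUE"` and once with `"FALSE"` shows which platforms change behaviour when the patch is applied: only those reported as "inherited default".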