Subject: Re: [PATCH 1/1] OvmfPkg/README: Update the network build flags
To: Gary Lin, devel@edk2.groups.io
Cc: Jordan Justen, Ard Biesheuvel
References: <20190610065509.19573-1-glin@suse.com>
From: "Laszlo Ersek"
Message-ID: <3eab3506-c8a0-5b96-dd80-c474e2e6c7eb@redhat.com>
Date: Tue, 11 Jun 2019 17:11:56 +0200
In-Reply-To: <20190610065509.19573-1-glin@suse.com>

On 06/10/19 08:55, Gary Lin wrote:
> The following network build flags changed due to the inclusion of
> NetworkPkg/Network.fdf.inc.
>
> HTTP_BOOT_ENABLE -> NETWORK_HTTP_BOOT_ENABLE
> TLS_ENABLE -> NETWORK_TLS_ENABLE
>
> This commit also adds NETWORK_ALLOW_HTTP_CONNECTIONS to reflect the
> change in OvmfPkg/OvmfPkg*.dsc.
>
> Cc: Jordan Justen
> Cc: Laszlo Ersek
> Cc: Ard Biesheuvel
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1884
> Signed-off-by: Gary Lin > --- > OvmfPkg/README | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) > > diff --git a/OvmfPkg/README b/OvmfPkg/README > index c014d07bfbdb..3dd28474ead4 100644 > --- a/OvmfPkg/README > +++ b/OvmfPkg/README > @@ -260,9 +260,14 @@ HTTPS Boot is an alternative solution to PXE. It replaces the tftp server > with a HTTPS server so the firmware can download the images through a trusted > and encrypted connection. > > -* To enable HTTPS Boot, you have to build OVMF with -D HTTP_BOOT_ENABLE and > - -D TLS_ENABLE. The former brings in the HTTP stack from NetworkPkg while > - the latter enables TLS support in both NetworkPkg and CryptoPkg. > +* To enable HTTPS Boot, you have to build OVMF with -D NETWORK_HTTP_BOOT_ENABLE > + and -D NETWORK_TLS_ENABLE. The former brings in the HTTP stack from > + NetworkPkg while the latter enables TLS support in both NetworkPkg and > + CryptoPkg. > + > + If you want to exclude the unsecured HTTP connection completely, OVMF has to > + be built with -D NETWORK_ALLOW_HTTP_CONNECTIONS=FALSE so that only the HTTPS > + connections will be accepted. > > * By default, there is no trusted certificate. The user has to import the > certificates either manually with "Tls Auth Configuration" utility in the > Reviewed-by: Laszlo Ersek Pushed as commit 1631bb26ae99. Thank you! Laszlo
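Review bot: The added paragraph on -D NETWORK_ALLOW_HTTP_CONNECTIONS=FALSE in the HTTPS Boot bullet does not say what the flag's value is when it is not passed, so a reader who builds with only -D NETWORK_HTTP_BOOT_ENABLE and -D NETWORK_TLS_ENABLE cannot tell from the README whether the resulting firmware still permits plain HTTP boot. Since the commit message says the text reflects the setting in OvmfPkg/OvmfPkg*.dsc, state that default explicitly next to the flag. The wording "only the HTTPS connections will be accepted" also reads as if the firmware were the server; as the surrounding text describes the firmware downloading images from an HTTPS server, something like "so that the firmware only connects over HTTPS" would be clearer. Finally, the new paragraph is an indented continuation of the first bullet, while the neighbouring items each start with "*"; making it a separate bullet would keep the hardening option from being overlooked.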