From: Andrew Fish <afish@apple.com>
Subject: Re: [edk2-devel] How to restrict HTTPS boot to a single address
Date: Fri, 26 Aug 2022 09:02:57 -0700
To: edk2-devel-groups-io, rafaelrodrigues.machado@gmail.com
Message-id: <412CC19B-A5E2-489A-99FF-E1E4C81C2863@apple.com>

Rafael,

I'm not sure this matches exactly what you are looking for, but the OVMF (Virtual Machine) has some configuration options around HTTPS boot [1]. That might be a good place to start.

[1] https://github.com/tianocore/edk2/blob/master/OvmfPkg/README#L232

Thanks,

Andrew Fish

> On Aug 26, 2022, at 7:15 AM, Rafael Machado <rafaelrodrigues.machado@gmail.com> wrote:
>
> Hello everyone.
>
> Quick question for the ones that understand better the HTTPBoot architecture at the edk2 structure.
>
> Suppose I have to restrict HTTPS boot to accept only the download of images from a specific URL.
> For example, instead of allowing the download of images from any valid CA certificate address, I would like to restrict HTTPSBoot to allow only downloads from some specific domain I have.
>
> Probably filtering some information, CN or something like that, from the URL certificate.
>
> What is the best way to do that?
> In which driver/library should this logic be added?
>
> Thanks
> Rafael
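The policy Rafael asks about (accept a boot image only when the boot URL's host lies inside one operator-owned domain and the server certificate actually names that host) written out as an added C example; this is not edk2 code and says nothing about which edk2 driver would call it. The function and parameter names are hypothetical, and the SAN dNSName list and subject CN are assumed to be handed over already extracted from the peer certificate.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality of two DNS names (DNS names are case-insensitive). */
static bool NameEqualsCi(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == '\0' && *b == '\0';
}

/* Match one presented name (SAN dNSName or CN) against the boot host.
 * Accept an exact match, or a single left-most "*." covering exactly one
 * label; reject a wildcard over a bare suffix such as "*.com" (RFC 6125 style). */
static bool PresentedNameMatchesHost(const char *presented, const char *host) {
    if (strncmp(presented, "*.", 2) != 0) return NameEqualsCi(presented, host);
    const char *host_rest = strchr(host, '.');          /* ".example.com" part of host */
    if (host_rest == NULL || host_rest == host) return false;
    const char *suffix = presented + 1;                  /* ".example.com" from "*.example.com" */
    if (strchr(suffix + 1, '.') == NULL) return false;   /* "*.com" would match any .com host */
    return NameEqualsCi(suffix, host_rest);
}

/* Hypothetical policy hook: decide whether a TLS peer may serve a boot image.
 * host           host component of the boot URL
 * allowed_domain the single domain the operator owns (exact or any subdomain)
 * san_names/cnt  dNSName entries from the certificate's SAN extension (may be empty)
 * cn             subject CN, consulted only when the certificate carries no SAN dNSName */
bool IsAllowedBootServer(const char *host, const char *allowed_domain,
                         const char *const *san_names, size_t san_count, const char *cn) {
    /* 1. The URL host must be allowed_domain itself or end in ".allowed_domain". */
    size_t hl = strlen(host), dl = strlen(allowed_domain);
    bool in_domain = NameEqualsCi(host, allowed_domain) ||
        (hl > dl + 1 && host[hl - dl - 1] == '.' && NameEqualsCi(host + hl - dl, allowed_domain));
    if (!in_domain) return false;

    /* 2. The certificate must identify that host; a valid chain alone is not enough. */
    if (san_count > 0) {
        for (size_t i = 0; i < san_count; i++)
            if (PresentedNameMatchesHost(san_names[i], host)) return true;
        return false;   /* SAN present but no match: CN is ignored in that case */
    }
    return cn != NULL && PresentedNameMatchesHost(cn, host);
}
```

Both checks are needed: step 1 alone still trusts any certificate a public CA issued for the allowed host, and step 2 alone would accept a properly named certificate for a host outside the operator's domain.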