How to restrict HTTPS boot to a single address

How to restrict HTTPS boot to a single address

[Rafael Machado]

[-- Attachment #1: Type: text/plain, Size: 595 bytes --]

Hello everyone.

Quick question for the ones that understand better the HTTPBoot
architecture at the edk2 structure.

Suppose I have to restrict HTTPS boot to accept only the download of images
from a specific url.
For example, instead of allowing the download of images from any valid CA
certificate address, I would like to restrict HTTPSBoot to allow only
downloads from some specific domain I have.

Probably filtering some information, CN or something like that, from the
url certificate.

What is the best way to do that?
In which driver/library should this logic be added?

Thanks
Rafael

[-- Attachment #2: Type: text/html, Size: 767 bytes --]

Re: [edk2-devel] How to restrict HTTPS boot to a single address

[Andrew Fish]

[-- Attachment #1: Type: text/plain, Size: 1035 bytes --]

Rafael,

I’m not sure this matches exactly what you are looking for, but the OVMF (Virtual Machine) has some configuration options around HTTPS boot [1]. That might be a good place to start. 

[1] https://github.com/tianocore/edk2/blob/master/OvmfPkg/README#L232

Thanks,

Andrew Fish

> On Aug 26, 2022, at 7:15 AM, Rafael Machado <rafaelrodrigues.machado@gmail.com> wrote:
> 
> Hello everyone.
> 
> Quick question for the ones that understand better the HTTPBoot architecture at the edk2 structure.
> 
> Suppose I have to restrict HTTPS boot to accept only the download of images from a specific url.
> For example, instead of allowing the download of images from any valid CA certificate address, I would like to restrict HTTPSBoot to allow only downloads from some specific domain I have.
> 
> Probably filtering some information, CN or something like that, from the url certificate.
> 
> What is the best way to do that?
> In which driver/library should this logic be added?
> 
> Thanks
> Rafael
> 


[-- Attachment #2: Type: text/html, Size: 1661 bytes --]

Re: [edk2-devel] How to restrict HTTPS boot to a single address

[Sivaraman Nainar]

[-- Attachment #1: Type: text/plain, Size: 1684 bytes --]

Hello Rafael.

HttpBootCheckUriScheme() in HttpBootDxe\HttpBootSupport.c should be the right place to filter the URI.

Please give a try.

-Siva
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Rafael Machado via groups.io
Sent: Friday, August 26, 2022 7:46 PM
To: devel@edk2.groups.io
Subject: [EXTERNAL] [edk2-devel] How to restrict HTTPS boot to a single address


**CAUTION: The e-mail below is from an external source. Please exercise caution before opening attachments, clicking links, or following guidance.**
Hello everyone.

Quick question for the ones that understand better the HTTPBoot architecture at the edk2 structure.

Suppose I have to restrict HTTPS boot to accept only the download of images from a specific url.
For example, instead of allowing the download of images from any valid CA certificate address, I would like to restrict HTTPSBoot to allow only downloads from some specific domain I have.

Probably filtering some information, CN or something like that, from the url certificate.

What is the best way to do that?
In which driver/library should this logic be added?

Thanks
Rafael

-The information contained in this message may be confidential and proprietary to American Megatrends (AMI). This communication is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. Please promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and then delete or destroy all copies of the transmission.

[-- Attachment #2: Type: text/html, Size: 5077 bytes --]

Re: [edk2-devel] How to restrict HTTPS boot to a single address

[Rafael Machado]

[-- Attachment #1: Type: text/plain, Size: 2075 bytes --]

Thanks Andrew / Sivaraman for the guidance.
Definitely good places for me to start.

Thanks
Rafael


Em dom., 28 de ago. de 2022 às 08:25, Sivaraman Nainar <sivaramann@ami.com>
escreveu:

> Hello Rafael.
>
>
>
> HttpBootCheckUriScheme() in HttpBootDxe\HttpBootSupport.c should be the
> right place to filter the URI.
>
>
>
> Please give a try.
>
>
>
> -Siva
>
> *From:* devel@edk2.groups.io <devel@edk2.groups.io> * On Behalf Of *Rafael
> Machado via groups.io
> *Sent:* Friday, August 26, 2022 7:46 PM
> *To:* devel@edk2.groups.io
> *Subject:* [EXTERNAL] [edk2-devel] How to restrict HTTPS boot to a single
> address
>
>
>
>
>
> ***CAUTION:* The e-mail below is from an external source. Please exercise
> caution before opening attachments, clicking links, or following
> guidance.**
>
> Hello everyone.
>
>
>
> Quick question for the ones that understand better the HTTPBoot
> architecture at the edk2 structure.
>
>
>
> Suppose I have to restrict HTTPS boot to accept only the download of
> images from a specific url.
>
> For example, instead of allowing the download of images from any valid CA
> certificate address, I would like to restrict HTTPSBoot to allow only
> downloads from some specific domain I have.
>
>
>
> Probably filtering some information, CN or something like that, from the
> url certificate.
>
>
>
> What is the best way to do that?
>
> In which driver/library should this logic be added?
>
>
>
> Thanks
>
> Rafael
>
> 
> -The information contained in this message may be confidential and
> proprietary to American Megatrends (AMI). This communication is intended to
> be read only by the individual or entity to whom it is addressed or by
> their designee. If the reader of this message is not the intended
> recipient, you are on notice that any distribution of this message, in any
> form, is strictly prohibited. Please promptly notify the sender by reply
> e-mail or by telephone at 770-246-8600, and then delete or destroy all
> copies of the transmission.
>

[-- Attachment #2: Type: text/html, Size: 4305 bytes --]