From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <lersek@redhat.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=209.132.183.28; helo=mx1.redhat.com; envelope-from=lersek@redhat.com;
 receiver=edk2-devel@lists.01.org 
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 7930822344356
 for <edk2-devel@lists.01.org>; Fri, 19 Jan 2018 06:28:11 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com
 [10.5.11.12])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id 06523C07013A;
 Fri, 19 Jan 2018 14:33:34 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-123-149.rdu2.redhat.com
 [10.10.123.149])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 320CD60CA1;
 Fri, 19 Jan 2018 14:33:33 +0000 (UTC)
To: Jiaxin Wu <jiaxin.wu@intel.com>, "Fu, Siyuan" <siyuan.fu@intel.com>
Cc: edk2-devel-01 <edk2-devel@lists.01.org>
From: Laszlo Ersek <lersek@redhat.com>
Message-ID: <5307d880-d016-ad91-04f5-6b83eb40f905@redhat.com>
Date: Fri, 19 Jan 2018 15:33:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.5.2
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.31]); Fri, 19 Jan 2018 14:33:34 +0000 (UTC)
Subject: setting the TLS cipher list for HTTPS booting
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jan 2018 14:28:12 -0000
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit

Hello Jiaxin, Siyuan,

it seems that the "preferred set of ciphers" can be controlled at the
TLS session level.

With regard to HTTPS booting, "NetworkPkg/HttpDxe" makes several calls
to EFI_TLS_PROTOCOL.SetSessionData() -- in the file
"NetworkPkg/HttpDxe/HttpsSupport.c", -- but it never passes
"EfiTlsCipherList" as argument for the "DataType" parameter.

Is there a way for platform code to control the list of ciphers?

This is different from other "global" TLS aspects, such as
EFI_TLS_CONFIGURATION_PROTOCOL, because the latter is a singleton
"service" protocol, while EFI_TLS_PROTOCOL instances are created by
clients as-needed, via TLS service binding. So, I think if a platform
wanted to control this on the session level, then it would have to "ask"
HttpDxe somehow.

If you agree -- do you suggest a dynamic PCD, or an extension to the
UEFI spec (at the HTTP level)?

Thanks!
Laszlo