From: Laszlo Ersek
To: "Zeng, Star", "Fu, Siyuan", "Wu, Jiaxin"
Cc: edk2-devel-01, "Daniel P. Berrange"
Subject: Re: internal structure of EFI_TLS_CA_CERTIFICATE_VARIABLE
Date: Wed, 28 Mar 2018 12:06:41 +0200
Message-ID: <59219fa4-9a1d-5e64-e967-33ce7efa05b2@redhat.com>

Hi Star,

thanks for following up; comments below:

On 03/28/18 05:28, Zeng, Star wrote:
> Is there a PCD pointers to the siglist?

We discussed that earlier, but because HttpDxe -- which consumes the
certificate list -- is a UEFI driver, we decided that it should not
consume dynamic PCDs. The alternative (specified in the UEFI spec) was
variables.

The earlier discussion wasn't exactly about the trusted CA cert list.
Instead, it was about the trusted cipher algo list. However, both of
these knobs pose the same "info channel" questions. So here's the link
into the cipher algo list discussion:

http://mid.mail-archive.com/895558F6EA4E3B41AC93A00D163B72741637DE9E@SHSMSX103.ccr.corp.intel.com

> For adding PcdMaxVolatileVariableSize: non-authenticated, volatile, I
> think it is acceptable if there are use cases.

Thank you for accepting the idea in theory :) Do you think it is a
simple change? Or is it intrusive?

If it is intrusive, then I'd prefer if one of the variable driver
maintainers wrote the patch. It's a complex driver and there can be
hidden assumptions and relationships that I might miss.

If it's a reasonably simple change then I'm happy to work on it.

Thanks!
Laszlo