From: "Laszlo Ersek" <lersek@redhat.com>
To: Zhichao Gao <zhichao.gao@intel.com>, devel@edk2.groups.io
Cc: Jordan Justen <jordan.l.justen@intel.com>,
Ard Biesheuvel <ard.biesheuvel@arm.com>,
Sami Mujawar <sami.mujawar@arm.com>,
Leif Lindholm <leif@nuviainc.com>,
Jiewen Yao <jiewen.yao@intel.com>,
Jian J Wang <jian.j.wang@intel.com>,
Xiaoyu Lu <xiaoyux.lu@intel.com>,
Guomin Jiang <guomin.jiang@intel.com>,
Michael D Kinney <michael.d.kinney@intel.com>,
Kelly Steele <kelly.steele@intel.com>,
Zailiang Sun <zailiang.sun@intel.com>,
Yi Qian <yi.qian@intel.com>,
Liming Gao <gaoliming@byosoft.com.cn>,
Maciej Rabeda <maciej.rabeda@linux.intel.com>,
Jiaxin Wu <jiaxin.wu@intel.com>, Siyuan Fu <siyuan.fu@intel.com>
Subject: Re: [PATCH V2 1/7] NetworkPkg/Defines: Make iSCSI disable as default
Date: Tue, 27 Oct 2020 11:47:35 +0100
Message-ID: <852bdcca-3c6f-cecc-fc51-46e4d3192a7a@redhat.com>
In-Reply-To: <20201027024300.21100-2-zhichao.gao@intel.com>

Hi Zhichao,

thanks for the CC, I appreciate it. Please see my comments below.

On 10/27/20 03:42, Zhichao Gao wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
>
> iSCSI is using the undeprecated function MD5. It is
> better to make the default setting secure. If the platforms
> want to use the iSCSI, they should enable it in the platforms'
> dsc file and be aware they are using an unsafe function.
>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Leif Lindholm <leif@nuviainc.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Kelly Steele <kelly.steele@intel.com>
> Cc: Zailiang Sun <zailiang.sun@intel.com>
> Cc: Yi Qian <yi.qian@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
> NetworkPkg/NetworkDefines.dsc.inc | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/NetworkPkg/NetworkDefines.dsc.inc b/NetworkPkg/NetworkDefines.dsc.inc
> index a442d1b157..18921d81f6 100644
> --- a/NetworkPkg/NetworkDefines.dsc.inc
> +++ b/NetworkPkg/NetworkDefines.dsc.inc
> @@ -17,7 +17,7 @@
> # DEFINE NETWORK_TLS_ENABLE = TRUE
> # DEFINE NETWORK_HTTP_BOOT_ENABLE = TRUE
> # DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = FALSE
> -# DEFINE NETWORK_ISCSI_ENABLE = TRUE
> +# DEFINE NETWORK_ISCSI_ENABLE = FALSE
> # DEFINE NETWORK_VLAN_ENABLE = TRUE
> #
> # Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
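
Review bot: The header comment now lists `NETWORK_ISCSI_ENABLE = FALSE` among neighbours that stay TRUE, but nothing in the comment says why this one feature is off by default. Consider adding a line next to it stating that iSCSI is disabled by default because it depends on MD5 (as the commit message explains) and that a platform wanting it must set the macro to TRUE in its own dsc, so the reason is visible in the file and not only in the git log.
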
> @@ -101,7 +101,7 @@
> # Both OpensslLib.inf and OpensslLibCrypto.inf library instance can be used
> # since libssl is not required for iSCSI.
> #
> - DEFINE NETWORK_ISCSI_ENABLE = TRUE
> + DEFINE NETWORK_ISCSI_ENABLE = FALSE
> !endif
>
> !if $(NETWORK_ENABLE) == TRUE
>
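
Review bot: Flipping the default `DEFINE NETWORK_ISCSI_ENABLE = FALSE` changes the build for every platform that includes this file without setting the macro itself, and the diffstat shows no platform dsc is touched in this patch. Platforms that rely on iSCSI should get an explicit `DEFINE NETWORK_ISCSI_ENABLE = TRUE` in patches ordered before this one, so that no commit in the series silently drops the driver. The comment above the define still only covers the OpenSSL library choice; it would be the natural place for the MD5 warning the commit message asks platforms to be aware of.
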
I know of people that use iSCSI with the ArmVirtQemu and OVMF platforms.

Please prepend two patches to this series (that is, the v3 series should
begin with these two patches below):

(1) locate "NETWORK_ALLOW_HTTP_CONNECTIONS" in the files:

  - ArmVirtPkg/ArmVirtQemu.dsc
  - ArmVirtPkg/ArmVirtQemuKernel.dsc

and explicitly enable NETWORK_ISCSI_ENABLE in the same place.

(2) Please do the same for the following files, in a separate patch:

  - OvmfPkg/Bhyve/BhyveX64.dsc
  - OvmfPkg/OvmfPkgIa32.dsc
  - OvmfPkg/OvmfPkgIa32X64.dsc
  - OvmfPkg/OvmfPkgX64.dsc
  - OvmfPkg/OvmfXen.dsc

Thanks!
Laszlo

Thread overview: 16+ messages
2020-10-27 2:42 [PATCH V2 0/7] Disable the deprecated MD5 and SHA1 support Gao, Zhichao
2020-10-27 2:42 ` [PATCH V2 1/7] NetworkPkg/Defines: Make iSCSI disable as default Gao, Zhichao
2020-10-27 10:47 ` Laszlo Ersek [this message]
2020-10-29 2:34 ` Gao, Zhichao
2020-11-02 15:14 ` Laszlo Ersek
2020-10-27 2:42 ` [PATCH V2 2/7] NetworkPkg: Enable MD5 while enable iSCSI Gao, Zhichao
2020-10-27 2:42 ` [PATCH V2 3/7] SecurityPkg/Hash2DxeCrypto: Remove MD5 support Gao, Zhichao
2020-10-27 2:53 ` Yao, Jiewen
2020-10-27 2:42 ` [PATCH V2 4/7] MdePkg/dec: Remove the MD5 GUID Gao, Zhichao
2020-10-30 1:20 ` Re: [edk2-devel] " gaoliming
2020-10-27 2:42 ` [PATCH V2 5/7] SecurityPkg/Hash2DxeCrypto: Remove SHA1 support Gao, Zhichao
2020-10-27 2:53 ` Yao, Jiewen
2020-10-27 2:42 ` [PATCH V2 6/7] CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5 Gao, Zhichao
2020-10-27 2:53 ` Yao, Jiewen
2020-10-27 2:43 ` [PATCH V2 7/7] CryptoPkg: Make the MD5 disable as default for security Gao, Zhichao
2020-10-27 2:53 ` Yao, Jiewen