Subject: Re: [PATCH V2 1/7] NetworkPkg/Defines: Make iSCSI disable as default
To: Zhichao Gao, devel@edk2.groups.io
Cc: Jordan Justen, Ard Biesheuvel, Sami Mujawar, Leif Lindholm, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang, Michael D Kinney, Kelly Steele, Zailiang
Sun, Yi Qian, Liming Gao, Maciej Rabeda, Jiaxin Wu, Siyuan Fu
References: <20201027024300.21100-1-zhichao.gao@intel.com> <20201027024300.21100-2-zhichao.gao@intel.com>
From: "Laszlo Ersek"
Message-ID: <852bdcca-3c6f-cecc-fc51-46e4d3192a7a@redhat.com>
Date: Tue, 27 Oct 2020 11:47:35 +0100
In-Reply-To: <20201027024300.21100-2-zhichao.gao@intel.com>

Hi Zhichao,

thanks for the CC, I appreciate it. Please see my comments below.

On 10/27/20 03:42, Zhichao Gao wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
>
> iSCSI is using the undeprecated function MD5. It is
> better to make the default setting secure. If the platforms
> want to use the iSCSI, they should enable it in the platforms'
> dsc file and be aware they are using an unsafe function.
>
> Cc: Jordan Justen
> Cc: Laszlo Ersek
> Cc: Ard Biesheuvel
> Cc: Sami Mujawar
> Cc: Leif Lindholm
> Cc: Jiewen Yao
> Cc: Jian J Wang
> Cc: Xiaoyu Lu
> Cc: Guomin Jiang
> Cc: Michael D Kinney
> Cc: Kelly Steele
> Cc: Zailiang Sun
> Cc: Yi Qian
> Cc: Liming Gao
> Cc: Maciej Rabeda
> Cc: Jiaxin Wu
> Cc: Siyuan Fu
> Signed-off-by: Zhichao Gao
> ---
> NetworkPkg/NetworkDefines.dsc.inc | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/NetworkPkg/NetworkDefines.dsc.inc b/NetworkPkg/NetworkDefines.dsc.inc > index a442d1b157..18921d81f6 100644 > --- a/NetworkPkg/NetworkDefines.dsc.inc > +++ b/NetworkPkg/NetworkDefines.dsc.inc
> @@ -17,7 +17,7 @@ > # DEFINE NETWORK_TLS_ENABLE = TRUE > # DEFINE NETWORK_HTTP_BOOT_ENABLE = TRUE > # DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = FALSE > -# DEFINE NETWORK_ISCSI_ENABLE = TRUE > +# DEFINE NETWORK_ISCSI_ENABLE = FALSE > # DEFINE NETWORK_VLAN_ENABLE = TRUE > # > # Copyright (c) 2019, Intel Corporation. All rights reserved.
> @@ -101,7 +101,7 @@ > # Both OpensslLib.inf and OpensslLibCrypto.inf library instance can be used > # since libssl is not required for iSCSI. > # > - DEFINE NETWORK_ISCSI_ENABLE = TRUE > + DEFINE NETWORK_ISCSI_ENABLE = FALSE > !endif > > !if $(NETWORK_ENABLE) == TRUE >

I know of people that use iSCSI with the ArmVirtQemu and OVMF platforms.

Please prepend two patches to this series (that is, the v3 series should begin with these two patches below):

(1) locate "NETWORK_ALLOW_HTTP_CONNECTIONS" in the files:

- ArmVirtPkg/ArmVirtQemu.dsc
- ArmVirtPkg/ArmVirtQemuKernel.dsc

and explicitly enable NETWORK_ISCSI_ENABLE in the same place.

(2) Please do the same for the following files, in a separate patch:

- OvmfPkg/Bhyve/BhyveX64.dsc
- OvmfPkg/OvmfPkgIa32.dsc
- OvmfPkg/OvmfPkgIa32X64.dsc
- OvmfPkg/OvmfPkgX64.dsc
- OvmfPkg/OvmfXen.dsc

Thanks!
Laszlo
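Review bot: In the first hunk (@@ -17,7 +17,7 @@), the header comment now lists "NETWORK_ISCSI_ENABLE = FALSE" next to NETWORK_TLS_ENABLE, NETWORK_HTTP_BOOT_ENABLE and NETWORK_VLAN_ENABLE, which all stay TRUE, and nothing in the comment says why this one flag differs. A short remark in that comment block stating that iSCSI is off by default because it depends on MD5, and that a platform wanting it has to set the define to TRUE in its own dsc file, would put the opt-in and its cost where integrators read the defaults instead of only in the commit message.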
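Review bot: In the second hunk (@@ -101,7 +101,7 @@), the effective default flips to FALSE with no build-time signal, so a platform that relies on this default loses its iSCSI driver silently. The comment directly above the DEFINE still only covers the OpensslLib.inf versus OpensslLibCrypto.inf choice; it should also say that the feature is disabled by default because of its MD5 use. Platforms that depend on iSCSI need an explicit "DEFINE NETWORK_ISCSI_ENABLE = TRUE" in their dsc files in patches ordered ahead of this one, so that no commit in the series drops the feature for them.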