[Patch] Readme.MD: Add the feature support scope

[Patch] Readme.MD: Add the feature support scope

[Jiaxin Wu]

This patch is used to add the feature support scope to indicate
the feature completeness criteria, and some contents are also 
updated/refined, e.g. Timeline and Feature Verification section.

Cc: Palmer Thomas <thomas.palmer@hpe.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Li Ruth <ruth.li@intel.com>
Cc: Zimmer Vincent <vincent.zimmer@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
---
 Readme.MD | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/Readme.MD b/Readme.MD
index a69a2f1..d16eb4c 100644
--- a/Readme.MD
+++ b/Readme.MD
@@ -33,11 +33,11 @@ NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
 ```
 
 #### HTTPS Authentication
 TLS supports three authentication modes ([RFC5246](https://tools.ietf.org/html/rfc5246)):
 ```
-1. Total anonymity: the server and client won’t authenticate each other.
+1. Total anonymity: the server and client will not authenticate each other.
 2. One-way authentication: server authentication with an unauthenticated client.
 3. Two-way authentication: authentication of both parties.
 ```
 Currently, HTTPS boot feature only support server authentication with an unauthenticated client mode. Others are not in our current feature support scope. To support one-way authentication mode, server CA certificate is required by Client. Private variable is used to configure this CA certificate. **EFI_SIGNATURE_LIST** format is used for this variable. In sum, the Server CA certificate must be configured first to enable HTTPS boot feature. The variable name and GUID are defined as below.
 ```
@@ -54,20 +54,29 @@ Currently, HTTPS boot feature only support server authentication with an unauthe
 | Time | Event | Related Module |
 |:----:|:-----:|:--------------:|
 | 2015.12 | Initial implementation for HTTPS boot feature by leveraging OpenSSL. | HttpDxe, OpensslTlsLib, TlsLib, TlsDxe |
 | 2016.3 | Provided an UI configured driver to support TLS server authentication. | TlsAuthConfigDxe |
 | 2016.4-7 | Hotfix and code refine according community feedback. | Tls1.h, TlsLib, HttpDxe |
+| 2016.8 | Prevent the CA certificates from the runtime phase attack. | TlsAuthConfigDxe |
 | 2016.9 | Support TLS Version negotiation. | TlsLib, HttpDxe |
 |...|...|...|
 
+## Feature Support Scope
+*	Feature usage: Load the specified file from the remote HTTPS server successfully and steadily.
+* UEFI Arch: IA32 and X64 platform.
+*	TLS version: TLS1.0/1.1/1.2, version negotiation.
+*	HTTPS authentication mode: One-way authentication.
+*	CA certificates management: Private variable, prevent runtime phase attack.
+
 ## Feature Verification
-Tomcat and IIS8 are selected as the HTTPS server to verifiy the result, Detiled see below table.
+Tomcat, IIS 8 and Apache2 are selected as the HTTPS server to verify the result of loading the UEFI shell boot file (Shell.efi), detailed see below table.
 
 | HTTPS Server | TLS 1.0 | TLS 1.1 | TLS1.2 |
 |:------------:|:-------:|:-------:|:------:|
 |Tomcat | Pass |Pass | Pass |
-|IIS8 | Pass | Pass | Failure |
+|IIS 8 | Pass | Pass | Failure |
+|Apache2 | Pass | Pass | Pass |
 
 ### NOTES
 TLS version 1.2 in windows server 2012 R2 IIS8 (As HTTPS server) CAN NOT collaborate with UEFI HTTPS client while version 1.1/1.0 works well. To make the UEFI HTTPS client in staging works properly, we have to disable TLS version 1.2 in windows server 2012 R2 by the below PowerShell script:
 ```
 New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
-- 
1.9.5.msysgit.1

Re: [Patch] Readme.MD: Add the feature support scope

[Wu, Jiaxin]

Please ignore this patch since the subject prefix is incorrect ([staging/HTTPS-TLS][PATCH]). 

Thanks,
Jiaxin

> -----Original Message-----
> From: Wu, Jiaxin
> Sent: Friday, November 25, 2016 11:53 AM
> To: edk2-devel@lists.01.org
> Cc: Palmer Thomas <thomas.palmer@hpe.com>; Ye, Ting
> <ting.ye@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Long, Qin
> <qin.long@intel.com>; Li, Ruth <ruth.li@intel.com>; Zimmer, Vincent
> <vincent.zimmer@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>
> Subject: [Patch] Readme.MD: Add the feature support scope
> 
> This patch is used to add the feature support scope to indicate the feature
> completeness criteria, and some contents are also updated/refined, e.g.
> Timeline and Feature Verification section.
> 
> Cc: Palmer Thomas <thomas.palmer@hpe.com>
> Cc: Ye Ting <ting.ye@intel.com>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Cc: Long Qin <qin.long@intel.com>
> Cc: Li Ruth <ruth.li@intel.com>
> Cc: Zimmer Vincent <vincent.zimmer@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> ---
>  Readme.MD | 15 ++++++++++++---
>  1 file changed, 12 insertions(+), 3 deletions(-)
> 
> diff --git a/Readme.MD b/Readme.MD
> index a69a2f1..d16eb4c 100644
> --- a/Readme.MD
> +++ b/Readme.MD
> @@ -33,11 +33,11 @@ NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
>  ```
> 
>  #### HTTPS Authentication
>  TLS supports three authentication modes
> ([RFC5246](https://tools.ietf.org/html/rfc5246)):
>  ```
> -1. Total anonymity: the server and client won’t authenticate each other.
> +1. Total anonymity: the server and client will not authenticate each other.
>  2. One-way authentication: server authentication with an unauthenticated
> client.
>  3. Two-way authentication: authentication of both parties.
>  ```
>  Currently, HTTPS boot feature only support server authentication with an
> unauthenticated client mode. Others are not in our current feature support
> scope. To support one-way authentication mode, server CA certificate is
> required by Client. Private variable is used to configure this CA certificate.
> **EFI_SIGNATURE_LIST** format is used for this variable. In sum, the Server
> CA certificate must be configured first to enable HTTPS boot feature. The
> variable name and GUID are defined as below.
>  ```
> @@ -54,20 +54,29 @@ Currently, HTTPS boot feature only support server
> authentication with an unauthe  | Time | Event | Related Module |  |:----:|:--
> ---:|:--------------:|  | 2015.12 | Initial implementation for HTTPS boot feature
> by leveraging OpenSSL. | HttpDxe, OpensslTlsLib, TlsLib, TlsDxe |  | 2016.3 |
> Provided an UI configured driver to support TLS server authentication. |
> TlsAuthConfigDxe |  | 2016.4-7 | Hotfix and code refine according community
> feedback. | Tls1.h, TlsLib, HttpDxe |
> +| 2016.8 | Prevent the CA certificates from the runtime phase attack. |
> +| TlsAuthConfigDxe |
>  | 2016.9 | Support TLS Version negotiation. | TlsLib, HttpDxe |  |...|...|...|
> 
> +## Feature Support Scope
> +*	Feature usage: Load the specified file from the remote HTTPS server
> successfully and steadily.
> +* UEFI Arch: IA32 and X64 platform.
> +*	TLS version: TLS1.0/1.1/1.2, version negotiation.
> +*	HTTPS authentication mode: One-way authentication.
> +*	CA certificates management: Private variable, prevent runtime phase
> attack.
> +
>  ## Feature Verification
> -Tomcat and IIS8 are selected as the HTTPS server to verifiy the result,
> Detiled see below table.
> +Tomcat, IIS 8 and Apache2 are selected as the HTTPS server to verify the
> result of loading the UEFI shell boot file (Shell.efi), detailed see below table.
> 
>  | HTTPS Server | TLS 1.0 | TLS 1.1 | TLS1.2 |  |:------------:|:-------:|:-------:|:---
> ---:|
>  |Tomcat | Pass |Pass | Pass |
> -|IIS8 | Pass | Pass | Failure |
> +|IIS 8 | Pass | Pass | Failure |
> +|Apache2 | Pass | Pass | Pass |
> 
>  ### NOTES
>  TLS version 1.2 in windows server 2012 R2 IIS8 (As HTTPS server) CAN NOT
> collaborate with UEFI HTTPS client while version 1.1/1.0 works well. To make
> the UEFI HTTPS client in staging works properly, we have to disable TLS
> version 1.2 in windows server 2012 R2 by the below PowerShell script:
>  ```
>  New-Item
> 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Pr
> otocols\TLS 1.2\Server' -Force | Out-Null
> --
> 1.9.5.msysgit.1