* [PATCH] OvmfPkg: Enable HTTPS for Ovmf
From: Gary Lin @ 2017-01-16  4:10 UTC (permalink / raw)
  To: edk2-devel; +Cc: Laszlo Ersek, Jordan Justen, Jiaxin Wu

This commit introduces a new build option to OvmfPkg: TLS_ENABLE.
When setting the option, the TLS drivers will be included to support
HTTPS.

NOTE: HTTP_BOOT_ENABLE is needed to enable HTTPS support since it's
      pointless to enable TLS alone.

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gary Lin <glin@suse.com>
---
 OvmfPkg/OvmfPkgIa32.dsc    | 8 ++++++++
 OvmfPkg/OvmfPkgIa32.fdf    | 4 ++++
 OvmfPkg/OvmfPkgIa32X64.dsc | 8 ++++++++
 OvmfPkg/OvmfPkgIa32X64.fdf | 4 ++++
 OvmfPkg/OvmfPkgX64.dsc     | 8 ++++++++
 OvmfPkg/OvmfPkgX64.fdf     | 4 ++++
 6 files changed, 36 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index e97f7f0262..363f143c68 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -38,6 +38,7 @@ [Defines]
   DEFINE NETWORK_IP6_ENABLE      = FALSE
   DEFINE HTTP_BOOT_ENABLE        = FALSE
   DEFINE SMM_REQUIRE             = FALSE
+  DEFINE TLS_ENABLE              = FALSE
 
 [BuildOptions]
   GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
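Review bot: The new `TLS_ENABLE` define carries no comment, and the only place its dependency on HTTP_BOOT_ENABLE is written down is the commit message; because the TlsLib, TlsDxe and TlsAuthConfigDxe entries later in this patch sit inside `!if $(HTTP_BOOT_ENABLE) == TRUE`, a build passed `-D TLS_ENABLE` without `-D HTTP_BOOT_ENABLE` silently produces an image with no TLS support and no diagnostic. I would state that at the definition itself: `# TLS_ENABLE pulls in TlsDxe/TlsAuthConfigDxe for HTTPS boot; it has no effect unless HTTP_BOOT_ENABLE is also TRUE.` The matching hunks in OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc need the same comment.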
@@ -158,6 +159,9 @@ [LibraryClasses]
 
 !if $(HTTP_BOOT_ENABLE) == TRUE
   HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
+!if $(TLS_ENABLE) == TRUE
+  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
+!endif
 !endif
 
   S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
@@ -715,6 +719,10 @@ [Components]
   NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
   NetworkPkg/HttpDxe/HttpDxe.inf
   NetworkPkg/HttpBootDxe/HttpBootDxe.inf
+!if $(TLS_ENABLE) == TRUE
+  NetworkPkg/TlsDxe/TlsDxe.inf
+  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
+!endif
 !endif
   OvmfPkg/VirtioNetDxe/VirtioNet.inf
 
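Review bot: Adding `NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf` ships what is, as far as I know, the setup-UI front end for enrolling the CA certificates the HTTPS client validates servers against, but nothing in this patch provisions a trust anchor, so an image built with TLS_ENABLE can negotiate HTTPS yet has no CA to authenticate a boot server with until an operator enrolls one. The commit message should say how OVMF deployments are expected to obtain CA certificates (interactively through TlsAuthConfigDxe, or some host-side mechanism still to come) so that nobody reads TLS_ENABLE alone as delivering authenticated HTTPS boot. Note also that the two new entries are only reachable inside the outer `!if $(HTTP_BOOT_ENABLE) == TRUE`, whose opening line is outside this hunk. The OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc component hunks have the same shape and the same gap.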
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 34d57a6079..30c8800932 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -329,6 +329,10 @@ [FV.DXEFV]
   INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
   INF  NetworkPkg/HttpDxe/HttpDxe.inf
   INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
+!if $(TLS_ENABLE) == TRUE
+  INF  NetworkPkg/TlsDxe/TlsDxe.inf
+  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
+!endif
 !endif
   INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
 
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 8e3e04c135..f22bad309a 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -38,6 +38,7 @@ [Defines]
   DEFINE NETWORK_IP6_ENABLE      = FALSE
   DEFINE HTTP_BOOT_ENABLE        = FALSE
   DEFINE SMM_REQUIRE             = FALSE
+  DEFINE TLS_ENABLE              = FALSE
 
 [BuildOptions]
   GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
@@ -163,6 +164,9 @@ [LibraryClasses]
 
 !if $(HTTP_BOOT_ENABLE) == TRUE
   HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
+!if $(TLS_ENABLE) == TRUE
+  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
+!endif
 !endif
 
   S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
@@ -724,6 +728,10 @@ [Components.X64]
   NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
   NetworkPkg/HttpDxe/HttpDxe.inf
   NetworkPkg/HttpBootDxe/HttpBootDxe.inf
+!if $(TLS_ENABLE) == TRUE
+  NetworkPkg/TlsDxe/TlsDxe.inf
+  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
+!endif
 !endif
   OvmfPkg/VirtioNetDxe/VirtioNet.inf
 
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index df55c2b210..7bc31d42ba 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -329,6 +329,10 @@ [FV.DXEFV]
   INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
   INF  NetworkPkg/HttpDxe/HttpDxe.inf
   INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
+!if $(TLS_ENABLE) == TRUE
+  INF  NetworkPkg/TlsDxe/TlsDxe.inf
+  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
+!endif
 !endif
   INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
 
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 6ec3fe050d..8eca6fd557 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -38,6 +38,7 @@ [Defines]
   DEFINE NETWORK_IP6_ENABLE      = FALSE
   DEFINE HTTP_BOOT_ENABLE        = FALSE
   DEFINE SMM_REQUIRE             = FALSE
+  DEFINE TLS_ENABLE              = FALSE
 
 [BuildOptions]
   GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
@@ -163,6 +164,9 @@ [LibraryClasses]
 
 !if $(HTTP_BOOT_ENABLE) == TRUE
   HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
+!if $(TLS_ENABLE) == TRUE
+  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
+!endif
 !endif
 
   S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
@@ -722,6 +726,10 @@ [Components]
   NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
   NetworkPkg/HttpDxe/HttpDxe.inf
   NetworkPkg/HttpBootDxe/HttpBootDxe.inf
+!if $(TLS_ENABLE) == TRUE
+  NetworkPkg/TlsDxe/TlsDxe.inf
+  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
+!endif
 !endif
   OvmfPkg/VirtioNetDxe/VirtioNet.inf
 
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 5e2e1dfaf5..cb7ca131e8 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -329,6 +329,10 @@ [FV.DXEFV]
   INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
   INF  NetworkPkg/HttpDxe/HttpDxe.inf
   INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
+!if $(TLS_ENABLE) == TRUE
+  INF  NetworkPkg/TlsDxe/TlsDxe.inf
+  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
+!endif
 !endif
   INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
 
-- 
2.11.0




* Re: [PATCH] OvmfPkg: Enable HTTPS for Ovmf
From: Wu, Jiaxin @ 2017-01-16  5:44 UTC (permalink / raw)
  To: Gary Lin, edk2-devel@lists.01.org
  Cc: Justen, Jordan L, Laszlo Ersek, Long, Qin


Hi Gary,

Before we enable HTTPS/TLS for OVMF, we need to remove the 'SECURE_BOOT_ENABLE' flag control for the CryptoPkg libraries. Not only the Secure Boot feature requires the CryptoPkg libraries (e.g. OpensslLib, BaseCryptLib), but also the iSCSI, IPsec and HTTPS/TLS features. If we do not remove that dependency, we must set both SECURE_BOOT_ENABLE and TLS_ENABLE to get TLS support. That's unreasonable.

Attached patch is to remove the flag control for the CryptoPkg libraries. I suggest to wait that patch commit, then go ahead to enable the HTTPS for OVMF.

Thanks,
Jiaxin

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Gary
> Lin
> Sent: Monday, January 16, 2017 12:10 PM
> To: edk2-devel@lists.01.org
> Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Wu, Jiaxin
> <jiaxin.wu@intel.com>; Laszlo Ersek <lersek@redhat.com>
> Subject: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf
> 
> This commit introduces a new build option to OvmfPkg: TLS_ENABLE.
> When setting the option, the TLS drivers will be included to support
> HTTPS.
> 
> NOTE: HTTP_BOOT_ENABLE is needed to enable HTTPS support since it's
>       pointless to enable TLS alone.
> 
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Gary Lin <glin@suse.com>
> ---
>  OvmfPkg/OvmfPkgIa32.dsc    | 8 ++++++++
>  OvmfPkg/OvmfPkgIa32.fdf    | 4 ++++
>  OvmfPkg/OvmfPkgIa32X64.dsc | 8 ++++++++
>  OvmfPkg/OvmfPkgIa32X64.fdf | 4 ++++
>  OvmfPkg/OvmfPkgX64.dsc     | 8 ++++++++
>  OvmfPkg/OvmfPkgX64.fdf     | 4 ++++
>  6 files changed, 36 insertions(+)
> 
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index e97f7f0262..363f143c68 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -38,6 +38,7 @@ [Defines]
>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>    DEFINE HTTP_BOOT_ENABLE        = FALSE
>    DEFINE SMM_REQUIRE             = FALSE
> +  DEFINE TLS_ENABLE              = FALSE
> 
>  [BuildOptions]
>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> @@ -158,6 +159,9 @@ [LibraryClasses]
> 
>  !if $(HTTP_BOOT_ENABLE) == TRUE
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> +!if $(TLS_ENABLE) == TRUE
> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> +!endif
>  !endif
> 
> 
> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> tLib.inf
> @@ -715,6 +719,10 @@ [Components]
>    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>    NetworkPkg/HttpDxe/HttpDxe.inf
>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> +!if $(TLS_ENABLE) == TRUE
> +  NetworkPkg/TlsDxe/TlsDxe.inf
> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>  !endif
>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> 
> diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
> index 34d57a6079..30c8800932 100644
> --- a/OvmfPkg/OvmfPkgIa32.fdf
> +++ b/OvmfPkg/OvmfPkgIa32.fdf
> @@ -329,6 +329,10 @@ [FV.DXEFV]
>    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> +!if $(TLS_ENABLE) == TRUE
> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>  !endif
>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> 
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index 8e3e04c135..f22bad309a 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -38,6 +38,7 @@ [Defines]
>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>    DEFINE HTTP_BOOT_ENABLE        = FALSE
>    DEFINE SMM_REQUIRE             = FALSE
> +  DEFINE TLS_ENABLE              = FALSE
> 
>  [BuildOptions]
>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> @@ -163,6 +164,9 @@ [LibraryClasses]
> 
>  !if $(HTTP_BOOT_ENABLE) == TRUE
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> +!if $(TLS_ENABLE) == TRUE
> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> +!endif
>  !endif
> 
> 
> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> tLib.inf
> @@ -724,6 +728,10 @@ [Components.X64]
>    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>    NetworkPkg/HttpDxe/HttpDxe.inf
>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> +!if $(TLS_ENABLE) == TRUE
> +  NetworkPkg/TlsDxe/TlsDxe.inf
> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>  !endif
>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> 
> diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
> index df55c2b210..7bc31d42ba 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.fdf
> +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
> @@ -329,6 +329,10 @@ [FV.DXEFV]
>    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> +!if $(TLS_ENABLE) == TRUE
> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>  !endif
>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> 
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index 6ec3fe050d..8eca6fd557 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -38,6 +38,7 @@ [Defines]
>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>    DEFINE HTTP_BOOT_ENABLE        = FALSE
>    DEFINE SMM_REQUIRE             = FALSE
> +  DEFINE TLS_ENABLE              = FALSE
> 
>  [BuildOptions]
>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> @@ -163,6 +164,9 @@ [LibraryClasses]
> 
>  !if $(HTTP_BOOT_ENABLE) == TRUE
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> +!if $(TLS_ENABLE) == TRUE
> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> +!endif
>  !endif
> 
> 
> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> tLib.inf
> @@ -722,6 +726,10 @@ [Components]
>    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>    NetworkPkg/HttpDxe/HttpDxe.inf
>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> +!if $(TLS_ENABLE) == TRUE
> +  NetworkPkg/TlsDxe/TlsDxe.inf
> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>  !endif
>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> 
> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
> index 5e2e1dfaf5..cb7ca131e8 100644
> --- a/OvmfPkg/OvmfPkgX64.fdf
> +++ b/OvmfPkg/OvmfPkgX64.fdf
> @@ -329,6 +329,10 @@ [FV.DXEFV]
>    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> +!if $(TLS_ENABLE) == TRUE
> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>  !endif
>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> 
> --
> 2.11.0
> 
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel

[-- Attachment #2: Type: message/rfc822, Size: 11988 bytes --]

From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: "edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Justen, Jordan L" <jordan.l.justen@intel.com>, "Long, Qin" <qin.long@intel.com>, Laszlo Ersek <lersek@redhat.com>, "Wu, Jiaxin" <jiaxin.wu@intel.com>, Gary Lin <glin@suse.com>
Subject: [edk2] [Patch] OvmfPkg: Remove the flag control for the CryptoPkg libraries
Date: Mon, 16 Jan 2017 05:43:35 +0000
Message-ID: <1484545415-216816-1-git-send-email-jiaxin.wu@intel.com>

This patch removes the 'SECURE_BOOT_ENABLE' flag control for the
CryptoPkg libraries.

Not only the Secure Boot feature requires the CryptoPkg libraries
(e.g. OpensslLib, BaseCryptLib), but also the iSCSI, IPsec and HTTPS/TLS
features. These library mappings can always be present, since there is
no build-time cost when no module consumes them.

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Justen Jordan L <jordan.l.justen@intel.com>
Cc: Gary Lin <glin@suse.com>
Cc: Long Qin <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
---
 OvmfPkg/OvmfPkgIa32.dsc    | 13 ++++++-------
 OvmfPkg/OvmfPkgIa32X64.dsc | 13 ++++++-------
 OvmfPkg/OvmfPkgX64.dsc     | 13 ++++++-------
 3 files changed, 18 insertions(+), 21 deletions(-)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index e97f7f0..65eef22 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -1,9 +1,9 @@
 ## @file
 #  EFI/Framework Open Virtual Machine Firmware (OVMF) platform
 #
-#  Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
 #  (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
 #
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
 #  which accompanies this distribution. The full text of the license may be found at
@@ -139,14 +139,15 @@

   ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf
   LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf

-!if $(SECURE_BOOT_ENABLE) == TRUE
-  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
 !if $(NETWORK_IP6_ENABLE) == TRUE
   TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
 !endif
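Review bot: After IntrinsicLib and OpensslLib move above the re-added `!if $(SECURE_BOOT_ENABLE) == TRUE` line, the `!if $(NETWORK_IP6_ENABLE) == TRUE` TcpIoLib mapping at the end of this hunk is still nested inside that Secure Boot conditional, whose closing `!endif` (and any `!else` branch) lies past the hunk. Since the stated motivation is that iSCSI, IPsec and TLS need crypto independently of Secure Boot, I would expect TcpIoLib to move out of the Secure Boot block as well, and the `[Components]` entries that consume it to be checked for the same SECURE_BOOT_ENABLE gating; if the remaining nesting is deliberate, a one-line comment above it saying why would prevent the next reader from asking the same question. The same pattern is left in place by the OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc hunks.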
@@ -164,13 +165,11 @@
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
   XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf

 [LibraryClasses.common]
-!if $(SECURE_BOOT_ENABLE) == TRUE
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
-!endif

 [LibraryClasses.common.SEC]
   TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf
 !ifdef $(DEBUG_ON_SERIAL_PORT)
@@ -256,13 +255,13 @@
   DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
 !else
   DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
 !endif
   UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
+
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
-!endif
+
   PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf

 [LibraryClasses.common.UEFI_DRIVER]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
   TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf
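Review bot: The removed `!if`/`!endif` pair around `BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf` is replaced by two blank lines, which leaves that single mapping set apart from UefiRuntimeLib and PciLib for no reason. I would drop both blank lines so the DXE_RUNTIME_DRIVER section reads as one contiguous list, as the `[LibraryClasses.common]` hunk above already does. The corresponding hunks in the other two dsc files have the same leftover blank lines.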
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 8e3e04c..00d3e1d 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -1,9 +1,9 @@
 ## @file
 #  EFI/Framework Open Virtual Machine Firmware (OVMF) platform
 #
-#  Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
 #  (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
 #
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
 #  which accompanies this distribution. The full text of the license may be found at
@@ -144,14 +144,15 @@

   ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf
   LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf

-!if $(SECURE_BOOT_ENABLE) == TRUE
-  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
 !if $(NETWORK_IP6_ENABLE) == TRUE
   TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
 !endif
@@ -169,13 +170,11 @@
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
   XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf

 [LibraryClasses.common]
-!if $(SECURE_BOOT_ENABLE) == TRUE
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
-!endif

 [LibraryClasses.common.SEC]
   TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf
 !ifdef $(DEBUG_ON_SERIAL_PORT)
@@ -261,13 +260,13 @@
   DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
 !else
   DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
 !endif
   UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
+
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
-!endif
+
   PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf

 [LibraryClasses.common.UEFI_DRIVER]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
   TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 6ec3fe0..472ca30 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -1,9 +1,9 @@
 ## @file
 #  EFI/Framework Open Virtual Machine Firmware (OVMF) platform
 #
-#  Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
 #  (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
 #
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
 #  which accompanies this distribution. The full text of the license may be found at
@@ -144,14 +144,15 @@

   ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf
   LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf

-!if $(SECURE_BOOT_ENABLE) == TRUE
-  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
 !if $(NETWORK_IP6_ENABLE) == TRUE
   TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
 !endif
@@ -169,13 +170,11 @@
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
   XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf

 [LibraryClasses.common]
-!if $(SECURE_BOOT_ENABLE) == TRUE
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
-!endif

 [LibraryClasses.common.SEC]
   TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
   QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf
 !ifdef $(DEBUG_ON_SERIAL_PORT)
@@ -261,13 +260,13 @@
   DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
 !else
   DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
 !endif
   UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
+
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
-!endif
+
   PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf

 [LibraryClasses.common.UEFI_DRIVER]
   PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
   TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf
--
1.9.5.msysgit.1

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel


* Re: [PATCH] OvmfPkg: Enable HTTPS for Ovmf
From: Wu, Jiaxin @ 2017-01-16  6:15 UTC (permalink / raw)
  To: Wu, Jiaxin, Gary Lin, edk2-devel@lists.01.org
  Cc: Justen, Jordan L, Laszlo Ersek, Long, Qin

One more thing: the TLS feature should not be limited to the HTTP(S) feature.

!if $(HTTP_BOOT_ENABLE) == TRUE
   !if $(TLS_ENABLE) == TRUE
      ...
   !endif
!endif

Best Regard!
Jiaxin

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Wu,
> Jiaxin
> Sent: Monday, January 16, 2017 1:45 PM
> To: Gary Lin <glin@suse.com>; edk2-devel@lists.01.org
> Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek
> <lersek@redhat.com>; Long, Qin <qin.long@intel.com>
> Subject: Re: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf
> 
> Hi Gary,
> 
> Before we enable the HTTPS/TLS for OVMF, We need remove the
> 'SECURE_BOOT_ENABLE' flag control for the CryptoPkg librarie. Not only the
> secure boot feature requires the CryptoPkg libraries (e.g, OpensslLib,
> BaseCryptLib), but also ISCSI, IpSec and HTTPS/TLS features. If we not remove
> that dependency, we must set both SECURE_BOOT_ENABLE and TLS_ENABLE to
> support TLS feature. That's unreasonable.
> 
> Attached patch is to remove the flag control for the CryptoPkg libraries. I
> suggest to wait that patch commit, then go ahead to enable the HTTPS for
> OVMF.
> 
> Thanks,
> Jiaxin
> 
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Gary
> > Lin
> > Sent: Monday, January 16, 2017 12:10 PM
> > To: edk2-devel@lists.01.org
> > Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Wu, Jiaxin
> > <jiaxin.wu@intel.com>; Laszlo Ersek <lersek@redhat.com>
> > Subject: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf
> >
> > This commit introduces a new build option to OvmfPkg: TLS_ENABLE.
> > When setting the option, the TLS drivers will be included to support
> > HTTPS.
> >
> > NOTE: HTTP_BOOT_ENABLE is needed to enable HTTPS support since it's
> >       pointless to enable TLS alone.
> >
> > Cc: Laszlo Ersek <lersek@redhat.com>
> > Cc: Jordan Justen <jordan.l.justen@intel.com>
> > Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> > Contributed-under: TianoCore Contribution Agreement 1.0
> > Signed-off-by: Gary Lin <glin@suse.com>
> > ---
> >  OvmfPkg/OvmfPkgIa32.dsc    | 8 ++++++++
> >  OvmfPkg/OvmfPkgIa32.fdf    | 4 ++++
> >  OvmfPkg/OvmfPkgIa32X64.dsc | 8 ++++++++
> >  OvmfPkg/OvmfPkgIa32X64.fdf | 4 ++++
> >  OvmfPkg/OvmfPkgX64.dsc     | 8 ++++++++
> >  OvmfPkg/OvmfPkgX64.fdf     | 4 ++++
> >  6 files changed, 36 insertions(+)
> >
> > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> > index e97f7f0262..363f143c68 100644
> > --- a/OvmfPkg/OvmfPkgIa32.dsc
> > +++ b/OvmfPkg/OvmfPkgIa32.dsc
> > @@ -38,6 +38,7 @@ [Defines]
> >    DEFINE NETWORK_IP6_ENABLE      = FALSE
> >    DEFINE HTTP_BOOT_ENABLE        = FALSE
> >    DEFINE SMM_REQUIRE             = FALSE
> > +  DEFINE TLS_ENABLE              = FALSE
> >
> >  [BuildOptions]
> >    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> > @@ -158,6 +159,9 @@ [LibraryClasses]
> >
> >  !if $(HTTP_BOOT_ENABLE) == TRUE
> >    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> > +!endif
> >  !endif
> >
> >
> >
> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> > tLib.inf
> > @@ -715,6 +719,10 @@ [Components]
> >    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >    NetworkPkg/HttpDxe/HttpDxe.inf
> >    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  NetworkPkg/TlsDxe/TlsDxe.inf
> > +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > +!endif
> >  !endif
> >    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> >
> > diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
> > index 34d57a6079..30c8800932 100644
> > --- a/OvmfPkg/OvmfPkgIa32.fdf
> > +++ b/OvmfPkg/OvmfPkgIa32.fdf
> > @@ -329,6 +329,10 @@ [FV.DXEFV]
> >    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >    INF  NetworkPkg/HttpDxe/HttpDxe.inf
> >    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> > +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > +!endif
> >  !endif
> >    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> >
> > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> > index 8e3e04c135..f22bad309a 100644
> > --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> > @@ -38,6 +38,7 @@ [Defines]
> >    DEFINE NETWORK_IP6_ENABLE      = FALSE
> >    DEFINE HTTP_BOOT_ENABLE        = FALSE
> >    DEFINE SMM_REQUIRE             = FALSE
> > +  DEFINE TLS_ENABLE              = FALSE
> >
> >  [BuildOptions]
> >    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> > @@ -163,6 +164,9 @@ [LibraryClasses]
> >
> >  !if $(HTTP_BOOT_ENABLE) == TRUE
> >    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> > +!endif
> >  !endif
> >
> >
> >
> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> > tLib.inf
> > @@ -724,6 +728,10 @@ [Components.X64]
> >    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >    NetworkPkg/HttpDxe/HttpDxe.inf
> >    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  NetworkPkg/TlsDxe/TlsDxe.inf
> > +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > +!endif
> >  !endif
> >    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> >
> > diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
> > index df55c2b210..7bc31d42ba 100644
> > --- a/OvmfPkg/OvmfPkgIa32X64.fdf
> > +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
> > @@ -329,6 +329,10 @@ [FV.DXEFV]
> >    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >    INF  NetworkPkg/HttpDxe/HttpDxe.inf
> >    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> > +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > +!endif
> >  !endif
> >    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> >
> > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> > index 6ec3fe050d..8eca6fd557 100644
> > --- a/OvmfPkg/OvmfPkgX64.dsc
> > +++ b/OvmfPkg/OvmfPkgX64.dsc
> > @@ -38,6 +38,7 @@ [Defines]
> >    DEFINE NETWORK_IP6_ENABLE      = FALSE
> >    DEFINE HTTP_BOOT_ENABLE        = FALSE
> >    DEFINE SMM_REQUIRE             = FALSE
> > +  DEFINE TLS_ENABLE              = FALSE
> >
> >  [BuildOptions]
> >    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> > @@ -163,6 +164,9 @@ [LibraryClasses]
> >
> >  !if $(HTTP_BOOT_ENABLE) == TRUE
> >    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> > +!endif
> >  !endif
> >
> >
> >
> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> > tLib.inf
> > @@ -722,6 +726,10 @@ [Components]
> >    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >    NetworkPkg/HttpDxe/HttpDxe.inf
> >    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  NetworkPkg/TlsDxe/TlsDxe.inf
> > +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > +!endif
> >  !endif
> >    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> >
> > diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
> > index 5e2e1dfaf5..cb7ca131e8 100644
> > --- a/OvmfPkg/OvmfPkgX64.fdf
> > +++ b/OvmfPkg/OvmfPkgX64.fdf
> > @@ -329,6 +329,10 @@ [FV.DXEFV]
> >    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >    INF  NetworkPkg/HttpDxe/HttpDxe.inf
> >    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> > +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > +!endif
> >  !endif
> >    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> >
> > --
> > 2.11.0
> >
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.01.org
> > https://lists.01.org/mailman/listinfo/edk2-devel



* Re: [PATCH] OvmfPkg: Enable HTTPS for Ovmf
From: Gary Lin @ 2017-01-16  6:32 UTC (permalink / raw)
  To: Wu, Jiaxin
  Cc: edk2-devel@lists.01.org, Justen, Jordan L, Laszlo Ersek,
	Long, Qin

On Mon, Jan 16, 2017 at 05:44:49AM +0000, Wu, Jiaxin wrote:
> Hi Gary,
> 
> Before we enable HTTPS/TLS for OVMF, we need to remove the 'SECURE_BOOT_ENABLE' flag control for the CryptoPkg libraries. Not only the secure boot feature requires the CryptoPkg libraries (e.g. OpensslLib, BaseCryptLib), but also the ISCSI, IpSec and HTTPS/TLS features. If we do not remove that dependency, we must set both SECURE_BOOT_ENABLE and TLS_ENABLE to support the TLS feature. That's unreasonable.
> 
Ah! Right. I always enable secure boot and forgot the dependency of
CryptoPkg.

> Attached patch is to remove the flag control for the CryptoPkg libraries. I suggest to wait that patch commit, then go ahead to enable the HTTPS for OVMF.
> 
Agree. We should free CryptoPkg from Secure Boot or HTTPS first.

Thanks,

Gary Lin

> Thanks,
> Jiaxin
> 
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Gary
> > Lin
> > Sent: Monday, January 16, 2017 12:10 PM
> > To: edk2-devel@lists.01.org
> > Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Wu, Jiaxin
> > <jiaxin.wu@intel.com>; Laszlo Ersek <lersek@redhat.com>
> > Subject: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf
> > 
> > This commit introduces a new build option to OvmfPkg: TLS_ENABLE.
> > When setting the option, the TLS drivers will be included to support
> > HTTPS.
> > 
> > NOTE: HTTP_BOOT_ENABLE is needed to enable HTTPS support since it's
> >       pointless to enable TLS alone.
> > 
> > Cc: Laszlo Ersek <lersek@redhat.com>
> > Cc: Jordan Justen <jordan.l.justen@intel.com>
> > Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> > Contributed-under: TianoCore Contribution Agreement 1.0
> > Signed-off-by: Gary Lin <glin@suse.com>
> > ---
> >  OvmfPkg/OvmfPkgIa32.dsc    | 8 ++++++++
> >  OvmfPkg/OvmfPkgIa32.fdf    | 4 ++++
> >  OvmfPkg/OvmfPkgIa32X64.dsc | 8 ++++++++
> >  OvmfPkg/OvmfPkgIa32X64.fdf | 4 ++++
> >  OvmfPkg/OvmfPkgX64.dsc     | 8 ++++++++
> >  OvmfPkg/OvmfPkgX64.fdf     | 4 ++++
> >  6 files changed, 36 insertions(+)
> > 
> > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> > index e97f7f0262..363f143c68 100644
> > --- a/OvmfPkg/OvmfPkgIa32.dsc
> > +++ b/OvmfPkg/OvmfPkgIa32.dsc
> > @@ -38,6 +38,7 @@ [Defines]
> >    DEFINE NETWORK_IP6_ENABLE      = FALSE
> >    DEFINE HTTP_BOOT_ENABLE        = FALSE
> >    DEFINE SMM_REQUIRE             = FALSE
> > +  DEFINE TLS_ENABLE              = FALSE
> > 
> >  [BuildOptions]
> >    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> > @@ -158,6 +159,9 @@ [LibraryClasses]
> > 
> >  !if $(HTTP_BOOT_ENABLE) == TRUE
> >    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> > +!endif
> >  !endif
> > 
> > 
> > S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> > tLib.inf
> > @@ -715,6 +719,10 @@ [Components]
> >    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >    NetworkPkg/HttpDxe/HttpDxe.inf
> >    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  NetworkPkg/TlsDxe/TlsDxe.inf
> > +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > +!endif
> >  !endif
> >    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > 
> > diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
> > index 34d57a6079..30c8800932 100644
> > --- a/OvmfPkg/OvmfPkgIa32.fdf
> > +++ b/OvmfPkg/OvmfPkgIa32.fdf
> > @@ -329,6 +329,10 @@ [FV.DXEFV]
> >    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >    INF  NetworkPkg/HttpDxe/HttpDxe.inf
> >    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> > +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > +!endif
> >  !endif
> >    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > 
> > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> > index 8e3e04c135..f22bad309a 100644
> > --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> > @@ -38,6 +38,7 @@ [Defines]
> >    DEFINE NETWORK_IP6_ENABLE      = FALSE
> >    DEFINE HTTP_BOOT_ENABLE        = FALSE
> >    DEFINE SMM_REQUIRE             = FALSE
> > +  DEFINE TLS_ENABLE              = FALSE
> > 
> >  [BuildOptions]
> >    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> > @@ -163,6 +164,9 @@ [LibraryClasses]
> > 
> >  !if $(HTTP_BOOT_ENABLE) == TRUE
> >    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> > +!endif
> >  !endif
> > 
> > 
> > S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> > tLib.inf
> > @@ -724,6 +728,10 @@ [Components.X64]
> >    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >    NetworkPkg/HttpDxe/HttpDxe.inf
> >    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  NetworkPkg/TlsDxe/TlsDxe.inf
> > +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > +!endif
> >  !endif
> >    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > 
> > diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
> > index df55c2b210..7bc31d42ba 100644
> > --- a/OvmfPkg/OvmfPkgIa32X64.fdf
> > +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
> > @@ -329,6 +329,10 @@ [FV.DXEFV]
> >    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >    INF  NetworkPkg/HttpDxe/HttpDxe.inf
> >    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> > +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > +!endif
> >  !endif
> >    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > 
> > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> > index 6ec3fe050d..8eca6fd557 100644
> > --- a/OvmfPkg/OvmfPkgX64.dsc
> > +++ b/OvmfPkg/OvmfPkgX64.dsc
> > @@ -38,6 +38,7 @@ [Defines]
> >    DEFINE NETWORK_IP6_ENABLE      = FALSE
> >    DEFINE HTTP_BOOT_ENABLE        = FALSE
> >    DEFINE SMM_REQUIRE             = FALSE
> > +  DEFINE TLS_ENABLE              = FALSE
> > 
> >  [BuildOptions]
> >    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> > @@ -163,6 +164,9 @@ [LibraryClasses]
> > 
> >  !if $(HTTP_BOOT_ENABLE) == TRUE
> >    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> > +!endif
> >  !endif
> > 
> > 
> > S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> > tLib.inf
> > @@ -722,6 +726,10 @@ [Components]
> >    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >    NetworkPkg/HttpDxe/HttpDxe.inf
> >    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  NetworkPkg/TlsDxe/TlsDxe.inf
> > +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > +!endif
> >  !endif
> >    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > 
> > diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
> > index 5e2e1dfaf5..cb7ca131e8 100644
> > --- a/OvmfPkg/OvmfPkgX64.fdf
> > +++ b/OvmfPkg/OvmfPkgX64.fdf
> > @@ -329,6 +329,10 @@ [FV.DXEFV]
> >    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >    INF  NetworkPkg/HttpDxe/HttpDxe.inf
> >    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > +!if $(TLS_ENABLE) == TRUE
> > +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> > +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > +!endif
> >  !endif
> >    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > 
> > --
> > 2.11.0
> > 



* Re: [PATCH] OvmfPkg: Enable HTTPS for Ovmf
  2017-01-16  6:15   ` Wu, Jiaxin
@ 2017-01-16  6:40     ` Gary Lin
  2017-01-16  9:15       ` Wu, Jiaxin
  0 siblings, 1 reply; 8+ messages in thread
From: Gary Lin @ 2017-01-16  6:40 UTC (permalink / raw)
  To: Wu, Jiaxin
  Cc: edk2-devel@lists.01.org, Justen, Jordan L, Laszlo Ersek,
	Long, Qin

On Mon, Jan 16, 2017 at 06:15:08AM +0000, Wu, Jiaxin wrote:
> More: TLS feature should not be limit to HTTP(S) feature.
> 
Is there any other planned usage for TLS?

> !if $(HTTP_BOOT_ENABLE) == TRUE
>    !if $(TLS_ENABLE) == TRUE
>       ...
>    !endif
> !endif
> 
I checked my patch again and found it'd be better to include the HTTP and
TLS drivers in this way:

!if $(HTTP_BOOT_ENABLE) == TRUE || $(TLS_ENABLE) == TRUE
  <HTTP drivers>
!endif
!if $(TLS_ENABLE) == TRUE
  {TLS drivers}
!endif

Therefore, enabling TLS_ENABLE also implies enabling HTTP_BOOT_ENABLE,
which makes it less error-prone.

Will send a v2 patch after your patch is merged.

Thanks,

Gary Lin

> Best Regard!
> Jiaxin
> 
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Wu,
> > Jiaxin
> > Sent: Monday, January 16, 2017 1:45 PM
> > To: Gary Lin <glin@suse.com>; edk2-devel@lists.01.org
> > Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek
> > <lersek@redhat.com>; Long, Qin <qin.long@intel.com>
> > Subject: Re: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf
> > 
> > Hi Gary,
> > 
> > Before we enable the HTTPS/TLS for OVMF, We need remove the
> > 'SECURE_BOOT_ENABLE' flag control for the CryptoPkg librarie. Not only the
> > secure boot feature requires the CryptoPkg libraries (e.g, OpensslLib,
> > BaseCryptLib), but also ISCSI, IpSec and HTTPS/TLS features. If we not remove
> > that dependency, we must set both SECURE_BOOT_ENABLE and TLS_ENABLE to
> > support TLS feature. That's unreasonable.
> > 
> > Attached patch is to remove the flag control for the CryptoPkg libraries. I
> > suggest to wait that patch commit, then go ahead to enable the HTTPS for
> > OVMF.
> > 
> > Thanks,
> > Jiaxin
> > 
> > > -----Original Message-----
> > > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> > Gary
> > > Lin
> > > Sent: Monday, January 16, 2017 12:10 PM
> > > To: edk2-devel@lists.01.org
> > > Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Wu, Jiaxin
> > > <jiaxin.wu@intel.com>; Laszlo Ersek <lersek@redhat.com>
> > > Subject: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf
> > >
> > > This commit introduces a new build option to OvmfPkg: TLS_ENABLE.
> > > When setting the option, the TLS drivers will be included to support
> > > HTTPS.
> > >
> > > NOTE: HTTP_BOOT_ENABLE is needed to enable HTTPS support since it's
> > >       pointless to enable TLS alone.
> > >
> > > Cc: Laszlo Ersek <lersek@redhat.com>
> > > Cc: Jordan Justen <jordan.l.justen@intel.com>
> > > Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> > > Contributed-under: TianoCore Contribution Agreement 1.0
> > > Signed-off-by: Gary Lin <glin@suse.com>
> > > ---
> > >  OvmfPkg/OvmfPkgIa32.dsc    | 8 ++++++++
> > >  OvmfPkg/OvmfPkgIa32.fdf    | 4 ++++
> > >  OvmfPkg/OvmfPkgIa32X64.dsc | 8 ++++++++
> > >  OvmfPkg/OvmfPkgIa32X64.fdf | 4 ++++
> > >  OvmfPkg/OvmfPkgX64.dsc     | 8 ++++++++
> > >  OvmfPkg/OvmfPkgX64.fdf     | 4 ++++
> > >  6 files changed, 36 insertions(+)
> > >
> > > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> > > index e97f7f0262..363f143c68 100644
> > > --- a/OvmfPkg/OvmfPkgIa32.dsc
> > > +++ b/OvmfPkg/OvmfPkgIa32.dsc
> > > @@ -38,6 +38,7 @@ [Defines]
> > >    DEFINE NETWORK_IP6_ENABLE      = FALSE
> > >    DEFINE HTTP_BOOT_ENABLE        = FALSE
> > >    DEFINE SMM_REQUIRE             = FALSE
> > > +  DEFINE TLS_ENABLE              = FALSE
> > >
> > >  [BuildOptions]
> > >    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> > > @@ -158,6 +159,9 @@ [LibraryClasses]
> > >
> > >  !if $(HTTP_BOOT_ENABLE) == TRUE
> > >    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> > > +!if $(TLS_ENABLE) == TRUE
> > > +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> > > +!endif
> > >  !endif
> > >
> > >
> > >
> > S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> > > tLib.inf
> > > @@ -715,6 +719,10 @@ [Components]
> > >    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> > >    NetworkPkg/HttpDxe/HttpDxe.inf
> > >    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > > +!if $(TLS_ENABLE) == TRUE
> > > +  NetworkPkg/TlsDxe/TlsDxe.inf
> > > +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > > +!endif
> > >  !endif
> > >    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > >
> > > diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
> > > index 34d57a6079..30c8800932 100644
> > > --- a/OvmfPkg/OvmfPkgIa32.fdf
> > > +++ b/OvmfPkg/OvmfPkgIa32.fdf
> > > @@ -329,6 +329,10 @@ [FV.DXEFV]
> > >    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> > >    INF  NetworkPkg/HttpDxe/HttpDxe.inf
> > >    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > > +!if $(TLS_ENABLE) == TRUE
> > > +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> > > +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > > +!endif
> > >  !endif
> > >    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > >
> > > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> > > index 8e3e04c135..f22bad309a 100644
> > > --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> > > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> > > @@ -38,6 +38,7 @@ [Defines]
> > >    DEFINE NETWORK_IP6_ENABLE      = FALSE
> > >    DEFINE HTTP_BOOT_ENABLE        = FALSE
> > >    DEFINE SMM_REQUIRE             = FALSE
> > > +  DEFINE TLS_ENABLE              = FALSE
> > >
> > >  [BuildOptions]
> > >    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> > > @@ -163,6 +164,9 @@ [LibraryClasses]
> > >
> > >  !if $(HTTP_BOOT_ENABLE) == TRUE
> > >    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> > > +!if $(TLS_ENABLE) == TRUE
> > > +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> > > +!endif
> > >  !endif
> > >
> > >
> > >
> > S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> > > tLib.inf
> > > @@ -724,6 +728,10 @@ [Components.X64]
> > >    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> > >    NetworkPkg/HttpDxe/HttpDxe.inf
> > >    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > > +!if $(TLS_ENABLE) == TRUE
> > > +  NetworkPkg/TlsDxe/TlsDxe.inf
> > > +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > > +!endif
> > >  !endif
> > >    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > >
> > > diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
> > > index df55c2b210..7bc31d42ba 100644
> > > --- a/OvmfPkg/OvmfPkgIa32X64.fdf
> > > +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
> > > @@ -329,6 +329,10 @@ [FV.DXEFV]
> > >    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> > >    INF  NetworkPkg/HttpDxe/HttpDxe.inf
> > >    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > > +!if $(TLS_ENABLE) == TRUE
> > > +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> > > +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > > +!endif
> > >  !endif
> > >    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > >
> > > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> > > index 6ec3fe050d..8eca6fd557 100644
> > > --- a/OvmfPkg/OvmfPkgX64.dsc
> > > +++ b/OvmfPkg/OvmfPkgX64.dsc
> > > @@ -38,6 +38,7 @@ [Defines]
> > >    DEFINE NETWORK_IP6_ENABLE      = FALSE
> > >    DEFINE HTTP_BOOT_ENABLE        = FALSE
> > >    DEFINE SMM_REQUIRE             = FALSE
> > > +  DEFINE TLS_ENABLE              = FALSE
> > >
> > >  [BuildOptions]
> > >    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> > > @@ -163,6 +164,9 @@ [LibraryClasses]
> > >
> > >  !if $(HTTP_BOOT_ENABLE) == TRUE
> > >    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> > > +!if $(TLS_ENABLE) == TRUE
> > > +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> > > +!endif
> > >  !endif
> > >
> > >
> > >
> > S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> > > tLib.inf
> > > @@ -722,6 +726,10 @@ [Components]
> > >    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> > >    NetworkPkg/HttpDxe/HttpDxe.inf
> > >    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > > +!if $(TLS_ENABLE) == TRUE
> > > +  NetworkPkg/TlsDxe/TlsDxe.inf
> > > +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > > +!endif
> > >  !endif
> > >    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > >
> > > diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
> > > index 5e2e1dfaf5..cb7ca131e8 100644
> > > --- a/OvmfPkg/OvmfPkgX64.fdf
> > > +++ b/OvmfPkg/OvmfPkgX64.fdf
> > > @@ -329,6 +329,10 @@ [FV.DXEFV]
> > >    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> > >    INF  NetworkPkg/HttpDxe/HttpDxe.inf
> > >    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > > +!if $(TLS_ENABLE) == TRUE
> > > +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> > > +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > > +!endif
> > >  !endif
> > >    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > >
> > > --
> > > 2.11.0
> > >
> 



* Re: [PATCH] OvmfPkg: Enable HTTPS for Ovmf
  2017-01-16  6:40     ` Gary Lin
@ 2017-01-16  9:15       ` Wu, Jiaxin
  0 siblings, 0 replies; 8+ messages in thread
From: Wu, Jiaxin @ 2017-01-16  9:15 UTC (permalink / raw)
  To: Gary Lin; +Cc: Justen, Jordan L, edk2-devel@lists.01.org, Laszlo Ersek,
	Long, Qin

> > More: TLS feature should not be limit to HTTP(S) feature.
> >
> Is there any other planned usage for TLS?

Currently, we only have the HTTP over TLS support, but I think TLS also can be treated as independent module, which can be leveraged by third part drivers/apps (e.g. EAP-TLS). 

> 
> > !if $(HTTP_BOOT_ENABLE) == TRUE
> >    !if $(TLS_ENABLE) == TRUE
> >       ...
> >    !endif
> > !endif
> >
> I checked my patch again and found it'd be better to include the HTTP and
> TLS drivers in this way:
> 
> !if $(HTTP_BOOT_ENABLE) == TRUE || $(TLS_ENABLE) == TRUE
>   <HTTP drivers>
> !endif
> !if $(TLS_ENABLE) == TRUE
>   {TLS drivers}
> !endif
> 
> Therefore, Enabling TLS_ENABLE also means to enable HTTP_BOOT_ENABLE.
> Make it less error-prone.

I don't think there is any issue if we include only the TLS drivers or only the HTTP driver; it is just that no TLS means no HTTPS (refer to NT32). So, let's keep the logic clean and easy :). 

> 
> Will send a v2 patch after your patch is merged.

Thanks the contribution.

Jiaxin



> 
> Thanks,
> 
> Gary Lin
> 
> > Best Regard!
> > Jiaxin
> >
> > > -----Original Message-----
> > > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Wu,
> > > Jiaxin
> > > Sent: Monday, January 16, 2017 1:45 PM
> > > To: Gary Lin <glin@suse.com>; edk2-devel@lists.01.org
> > > Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek
> > > <lersek@redhat.com>; Long, Qin <qin.long@intel.com>
> > > Subject: Re: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf
> > >
> > > Hi Gary,
> > >
> > > Before we enable the HTTPS/TLS for OVMF, We need remove the
> > > 'SECURE_BOOT_ENABLE' flag control for the CryptoPkg librarie. Not only
> the
> > > secure boot feature requires the CryptoPkg libraries (e.g, OpensslLib,
> > > BaseCryptLib), but also ISCSI, IpSec and HTTPS/TLS features. If we not
> remove
> > > that dependency, we must set both SECURE_BOOT_ENABLE and
> TLS_ENABLE to
> > > support TLS feature. That's unreasonable.
> > >
> > > Attached patch is to remove the flag control for the CryptoPkg libraries. I
> > > suggest to wait that patch commit, then go ahead to enable the HTTPS for
> > > OVMF.
> > >
> > > Thanks,
> > > Jiaxin
> > >
> > > > -----Original Message-----
> > > > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> > > Gary
> > > > Lin
> > > > Sent: Monday, January 16, 2017 12:10 PM
> > > > To: edk2-devel@lists.01.org
> > > > Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Wu, Jiaxin
> > > > <jiaxin.wu@intel.com>; Laszlo Ersek <lersek@redhat.com>
> > > > Subject: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf
> > > >
> > > > This commit introduces a new build option to OvmfPkg: TLS_ENABLE.
> > > > When setting the option, the TLS drivers will be included to support
> > > > HTTPS.
> > > >
> > > > NOTE: HTTP_BOOT_ENABLE is needed to enable HTTPS support since it's
> > > >       pointless to enable TLS alone.
> > > >
> > > > Cc: Laszlo Ersek <lersek@redhat.com>
> > > > Cc: Jordan Justen <jordan.l.justen@intel.com>
> > > > Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> > > > Contributed-under: TianoCore Contribution Agreement 1.0
> > > > Signed-off-by: Gary Lin <glin@suse.com>
> > > > ---
> > > >  OvmfPkg/OvmfPkgIa32.dsc    | 8 ++++++++
> > > >  OvmfPkg/OvmfPkgIa32.fdf    | 4 ++++
> > > >  OvmfPkg/OvmfPkgIa32X64.dsc | 8 ++++++++
> > > >  OvmfPkg/OvmfPkgIa32X64.fdf | 4 ++++
> > > >  OvmfPkg/OvmfPkgX64.dsc     | 8 ++++++++
> > > >  OvmfPkg/OvmfPkgX64.fdf     | 4 ++++
> > > >  6 files changed, 36 insertions(+)
> > > >
> > > > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> > > > index e97f7f0262..363f143c68 100644
> > > > --- a/OvmfPkg/OvmfPkgIa32.dsc
> > > > +++ b/OvmfPkg/OvmfPkgIa32.dsc
> > > > @@ -38,6 +38,7 @@ [Defines]
> > > >    DEFINE NETWORK_IP6_ENABLE      = FALSE
> > > >    DEFINE HTTP_BOOT_ENABLE        = FALSE
> > > >    DEFINE SMM_REQUIRE             = FALSE
> > > > +  DEFINE TLS_ENABLE              = FALSE
> > > >
> > > >  [BuildOptions]
> > > >    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> > > > @@ -158,6 +159,9 @@ [LibraryClasses]
> > > >
> > > >  !if $(HTTP_BOOT_ENABLE) == TRUE
> > > >    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> > > > +!if $(TLS_ENABLE) == TRUE
> > > > +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> > > > +!endif
> > > >  !endif
> > > >
> > > >
> > > >
> > >
> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> > > > tLib.inf
> > > > @@ -715,6 +719,10 @@ [Components]
> > > >    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> > > >    NetworkPkg/HttpDxe/HttpDxe.inf
> > > >    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > > > +!if $(TLS_ENABLE) == TRUE
> > > > +  NetworkPkg/TlsDxe/TlsDxe.inf
> > > > +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > > > +!endif
> > > >  !endif
> > > >    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > > >
> > > > diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
> > > > index 34d57a6079..30c8800932 100644
> > > > --- a/OvmfPkg/OvmfPkgIa32.fdf
> > > > +++ b/OvmfPkg/OvmfPkgIa32.fdf
> > > > @@ -329,6 +329,10 @@ [FV.DXEFV]
> > > >    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> > > >    INF  NetworkPkg/HttpDxe/HttpDxe.inf
> > > >    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > > > +!if $(TLS_ENABLE) == TRUE
> > > > +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> > > > +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > > > +!endif
> > > >  !endif
> > > >    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > > >
> > > > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc
> b/OvmfPkg/OvmfPkgIa32X64.dsc
> > > > index 8e3e04c135..f22bad309a 100644
> > > > --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> > > > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> > > > @@ -38,6 +38,7 @@ [Defines]
> > > >    DEFINE NETWORK_IP6_ENABLE      = FALSE
> > > >    DEFINE HTTP_BOOT_ENABLE        = FALSE
> > > >    DEFINE SMM_REQUIRE             = FALSE
> > > > +  DEFINE TLS_ENABLE              = FALSE
> > > >
> > > >  [BuildOptions]
> > > >    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> > > > @@ -163,6 +164,9 @@ [LibraryClasses]
> > > >
> > > >  !if $(HTTP_BOOT_ENABLE) == TRUE
> > > >    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> > > > +!if $(TLS_ENABLE) == TRUE
> > > > +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> > > > +!endif
> > > >  !endif
> > > >
> > > >
> > > >
> > >
> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> > > > tLib.inf
> > > > @@ -724,6 +728,10 @@ [Components.X64]
> > > >    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> > > >    NetworkPkg/HttpDxe/HttpDxe.inf
> > > >    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > > > +!if $(TLS_ENABLE) == TRUE
> > > > +  NetworkPkg/TlsDxe/TlsDxe.inf
> > > > +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > > > +!endif
> > > >  !endif
> > > >    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > > >
> > > > diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf
> b/OvmfPkg/OvmfPkgIa32X64.fdf
> > > > index df55c2b210..7bc31d42ba 100644
> > > > --- a/OvmfPkg/OvmfPkgIa32X64.fdf
> > > > +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
> > > > @@ -329,6 +329,10 @@ [FV.DXEFV]
> > > >    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> > > >    INF  NetworkPkg/HttpDxe/HttpDxe.inf
> > > >    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > > > +!if $(TLS_ENABLE) == TRUE
> > > > +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> > > > +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > > > +!endif
> > > >  !endif
> > > >    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > > >
> > > > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> > > > index 6ec3fe050d..8eca6fd557 100644
> > > > --- a/OvmfPkg/OvmfPkgX64.dsc
> > > > +++ b/OvmfPkg/OvmfPkgX64.dsc
> > > > @@ -38,6 +38,7 @@ [Defines]
> > > >    DEFINE NETWORK_IP6_ENABLE      = FALSE
> > > >    DEFINE HTTP_BOOT_ENABLE        = FALSE
> > > >    DEFINE SMM_REQUIRE             = FALSE
> > > > +  DEFINE TLS_ENABLE              = FALSE
> > > >
> > > >  [BuildOptions]
> > > >    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> > > > @@ -163,6 +164,9 @@ [LibraryClasses]
> > > >
> > > >  !if $(HTTP_BOOT_ENABLE) == TRUE
> > > >    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> > > > +!if $(TLS_ENABLE) == TRUE
> > > > +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> > > > +!endif
> > > >  !endif
> > > >
> > > >
> > > >
> > >
> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> > > > tLib.inf
> > > > @@ -722,6 +726,10 @@ [Components]
> > > >    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> > > >    NetworkPkg/HttpDxe/HttpDxe.inf
> > > >    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > > > +!if $(TLS_ENABLE) == TRUE
> > > > +  NetworkPkg/TlsDxe/TlsDxe.inf
> > > > +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > > > +!endif
> > > >  !endif
> > > >    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > > >
> > > > diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
> > > > index 5e2e1dfaf5..cb7ca131e8 100644
> > > > --- a/OvmfPkg/OvmfPkgX64.fdf
> > > > +++ b/OvmfPkg/OvmfPkgX64.fdf
> > > > @@ -329,6 +329,10 @@ [FV.DXEFV]
> > > >    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> > > >    INF  NetworkPkg/HttpDxe/HttpDxe.inf
> > > >    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> > > > +!if $(TLS_ENABLE) == TRUE
> > > > +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> > > > +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> > > > +!endif
> > > >  !endif
> > > >    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> > > >
> > > > --
> > > > 2.11.0
> > > >
> >



* Re: [PATCH] OvmfPkg: Enable HTTPS for Ovmf
  2017-01-16  6:32   ` Gary Lin
@ 2017-01-16 23:01     ` Laszlo Ersek
  2017-01-17  1:22       ` Wu, Jiaxin
  0 siblings, 1 reply; 8+ messages in thread
From: Laszlo Ersek @ 2017-01-16 23:01 UTC (permalink / raw)
  To: Gary Lin, Wu, Jiaxin; +Cc: Justen, Jordan L, edk2-devel@lists.01.org, Long, Qin

On 01/16/17 07:32, Gary Lin wrote:
> On Mon, Jan 16, 2017 at 05:44:49AM +0000, Wu, Jiaxin wrote:
>> Hi Gary,
>>
>> Before we enable the HTTPS/TLS for OVMF, We need remove the 'SECURE_BOOT_ENABLE' flag control for the CryptoPkg librarie. Not only the secure boot feature requires the CryptoPkg libraries (e.g, OpensslLib, BaseCryptLib), but also ISCSI, IpSec and HTTPS/TLS features. If we not remove that dependency, we must set both SECURE_BOOT_ENABLE and TLS_ENABLE to support TLS feature. That's unreasonable.
>>
> Ah! Right. I always enable secure boot and forgot the dependency of
> CryptoPkg.
> 
>> Attached patch is to remove the flag control for the CryptoPkg libraries. I suggest to wait that patch commit, then go ahead to enable the HTTPS for OVMF.
>>
> Agree. We should free CryptoPkg from Secure Boot or HTTPS first.

As I indicated in the other thread (Jiaxin's "[PATCH v2] OvmfPkg: Remove
the flag control for the CryptoPkg libraries"), decoupling the OpenSSL
dependency from Secure Boot is a good idea, as there are indeed multiple
users. However, making OpenSSL a hard or default requirement for
building OVMF is wrong, as long as OpenSSL needs to be manually dropped
into CryptoPkg, and patched.

If that's the case, then we should extract the OpenSSL dependency into
its own synthetic (use case-less) build macro (such as OPENSSL_ENABLE),
and work out the dependencies between it and the concrete use cases
(other build macros).

This way the person building OVMF will only have to mess with OpenSSL /
CryptoPkg if they need at least one feature that unconditionally
requires OpenSSL, or they decide to enable OpenSSL for another feature
that optionally benefits from it.

Thanks,
Laszlo

> 
> Thanks,
> 
> Gary Lin
> 
>> Thanks,
>> Jiaxin
>>
>>> -----Original Message-----
>>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Gary
>>> Lin
>>> Sent: Monday, January 16, 2017 12:10 PM
>>> To: edk2-devel@lists.01.org
>>> Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Wu, Jiaxin
>>> <jiaxin.wu@intel.com>; Laszlo Ersek <lersek@redhat.com>
>>> Subject: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf
>>>
>>> This commit introduces a new build option to OvmfPkg: TLS_ENABLE.
>>> When setting the option, the TLS drivers will be included to support
>>> HTTPS.
>>>
>>> NOTE: HTTP_BOOT_ENABLE is needed to enable HTTPS support since it's
>>>       pointless to enable TLS alone.
>>>
>>> Cc: Laszlo Ersek <lersek@redhat.com>
>>> Cc: Jordan Justen <jordan.l.justen@intel.com>
>>> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
>>> Contributed-under: TianoCore Contribution Agreement 1.0
>>> Signed-off-by: Gary Lin <glin@suse.com>
>>> ---
>>>  OvmfPkg/OvmfPkgIa32.dsc    | 8 ++++++++
>>>  OvmfPkg/OvmfPkgIa32.fdf    | 4 ++++
>>>  OvmfPkg/OvmfPkgIa32X64.dsc | 8 ++++++++
>>>  OvmfPkg/OvmfPkgIa32X64.fdf | 4 ++++
>>>  OvmfPkg/OvmfPkgX64.dsc     | 8 ++++++++
>>>  OvmfPkg/OvmfPkgX64.fdf     | 4 ++++
>>>  6 files changed, 36 insertions(+)
>>>
>>> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
>>> index e97f7f0262..363f143c68 100644
>>> --- a/OvmfPkg/OvmfPkgIa32.dsc
>>> +++ b/OvmfPkg/OvmfPkgIa32.dsc
>>> @@ -38,6 +38,7 @@ [Defines]
>>>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>>>    DEFINE HTTP_BOOT_ENABLE        = FALSE
>>>    DEFINE SMM_REQUIRE             = FALSE
>>> +  DEFINE TLS_ENABLE              = FALSE
>>>
>>>  [BuildOptions]
>>>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
>>> @@ -158,6 +159,9 @@ [LibraryClasses]
>>>
>>>  !if $(HTTP_BOOT_ENABLE) == TRUE
>>>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
>>> +!endif
>>>  !endif
>>>
>>>
>>> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
>>> tLib.inf
>>> @@ -715,6 +719,10 @@ [Components]
>>>    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>>>    NetworkPkg/HttpDxe/HttpDxe.inf
>>>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  NetworkPkg/TlsDxe/TlsDxe.inf
>>> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
>>> +!endif
>>>  !endif
>>>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
>>>
>>> diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
>>> index 34d57a6079..30c8800932 100644
>>> --- a/OvmfPkg/OvmfPkgIa32.fdf
>>> +++ b/OvmfPkg/OvmfPkgIa32.fdf
>>> @@ -329,6 +329,10 @@ [FV.DXEFV]
>>>    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>>>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
>>>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
>>> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
>>> +!endif
>>>  !endif
>>>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
>>>
>>> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
>>> index 8e3e04c135..f22bad309a 100644
>>> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
>>> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
>>> @@ -38,6 +38,7 @@ [Defines]
>>>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>>>    DEFINE HTTP_BOOT_ENABLE        = FALSE
>>>    DEFINE SMM_REQUIRE             = FALSE
>>> +  DEFINE TLS_ENABLE              = FALSE
>>>
>>>  [BuildOptions]
>>>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
>>> @@ -163,6 +164,9 @@ [LibraryClasses]
>>>
>>>  !if $(HTTP_BOOT_ENABLE) == TRUE
>>>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
>>> +!endif
>>>  !endif
>>>
>>>
>>> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
>>> tLib.inf
>>> @@ -724,6 +728,10 @@ [Components.X64]
>>>    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>>>    NetworkPkg/HttpDxe/HttpDxe.inf
>>>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  NetworkPkg/TlsDxe/TlsDxe.inf
>>> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
>>> +!endif
>>>  !endif
>>>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
>>>
>>> diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
>>> index df55c2b210..7bc31d42ba 100644
>>> --- a/OvmfPkg/OvmfPkgIa32X64.fdf
>>> +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
>>> @@ -329,6 +329,10 @@ [FV.DXEFV]
>>>    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>>>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
>>>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
>>> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
>>> +!endif
>>>  !endif
>>>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
>>>
>>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
>>> index 6ec3fe050d..8eca6fd557 100644
>>> --- a/OvmfPkg/OvmfPkgX64.dsc
>>> +++ b/OvmfPkg/OvmfPkgX64.dsc
>>> @@ -38,6 +38,7 @@ [Defines]
>>>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>>>    DEFINE HTTP_BOOT_ENABLE        = FALSE
>>>    DEFINE SMM_REQUIRE             = FALSE
>>> +  DEFINE TLS_ENABLE              = FALSE
>>>
>>>  [BuildOptions]
>>>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
>>> @@ -163,6 +164,9 @@ [LibraryClasses]
>>>
>>>  !if $(HTTP_BOOT_ENABLE) == TRUE
>>>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
>>> +!endif
>>>  !endif
>>>
>>>
>>> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
>>> tLib.inf
>>> @@ -722,6 +726,10 @@ [Components]
>>>    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>>>    NetworkPkg/HttpDxe/HttpDxe.inf
>>>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  NetworkPkg/TlsDxe/TlsDxe.inf
>>> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
>>> +!endif
>>>  !endif
>>>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
>>>
>>> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
>>> index 5e2e1dfaf5..cb7ca131e8 100644
>>> --- a/OvmfPkg/OvmfPkgX64.fdf
>>> +++ b/OvmfPkg/OvmfPkgX64.fdf
>>> @@ -329,6 +329,10 @@ [FV.DXEFV]
>>>    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>>>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
>>>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
>>> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
>>> +!endif
>>>  !endif
>>>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
>>>
>>> --
>>> 2.11.0
>>>
>>> _______________________________________________
>>> edk2-devel mailing list
>>> edk2-devel@lists.01.org
>>> https://lists.01.org/mailman/listinfo/edk2-devel
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
> 




* Re: [PATCH] OvmfPkg: Enable HTTPS for Ovmf
  2017-01-16 23:01     ` Laszlo Ersek
@ 2017-01-17  1:22       ` Wu, Jiaxin
  0 siblings, 0 replies; 8+ messages in thread
From: Wu, Jiaxin @ 2017-01-17  1:22 UTC (permalink / raw)
  To: Laszlo Ersek, Gary Lin
  Cc: Justen, Jordan L, edk2-devel@lists.01.org, Long, Qin

> Subject: Re: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf
> 
> On 01/16/17 07:32, Gary Lin wrote:
> > On Mon, Jan 16, 2017 at 05:44:49AM +0000, Wu, Jiaxin wrote:
> >> Hi Gary,
> >>
> >> Before we enable the HTTPS/TLS for OVMF, We need remove the
> 'SECURE_BOOT_ENABLE' flag control for the CryptoPkg librarie. Not only the
> secure boot feature requires the CryptoPkg libraries (e.g, OpensslLib,
> BaseCryptLib), but also ISCSI, IpSec and HTTPS/TLS features. If we not remove
> that dependency, we must set both SECURE_BOOT_ENABLE and TLS_ENABLE to
> support TLS feature. That's unreasonable.
> >>
> > Ah! Right. I always enable secure boot and forgot the dependency of
> > CryptoPkg.
> >
> >> Attached patch is to remove the flag control for the CryptoPkg libraries. I
> suggest to wait that patch commit, then go ahead to enable the HTTPS for
> OVMF.
> >>
> > Agree. We should free CryptoPkg from Secure Boot or HTTPS first.
> 
> As I indicated in the other thread (Jiaxin's "[PATCH v2] OvmfPkg: Remove
> the flag control for the CryptoPkg libraries"), decoupling the OpenSSL
> dependency from Secure Boot is a good idea, as there are indeed multiple
> users. However, making OpenSSL a hard or default requirement for
> building OVMF is wrong, as long as OpenSSL needs to be manually dropped
> into CryptoPkg, and patched.

As I explained previously, OpenSSL is must only when needed.

> 
> If that's the case, then we should extract the OpenSSL dependency into
> its own synthetic (use case-less) build macro (such as OPENSSL_ENABLE),
> and work out the dependencies between it and the concrete use cases
> (other build macros).
> 
> This way the person building OVMF will only have to mess with OpenSSL /
> CryptoPkg if they need at least one feature that unconditionally
> requires OpenSSL, or they decide to enable OpenSSL for another feature
> that optionally benefits from it.
> 

All of the feature flags can control the build dependency; we can add some notes to those flags to make any user aware of the OpenSSL dependency (refer to NT32):

  #
  # This flag is to enable or disable TLS feature.  
  # These can be changed on the command line.
  # -D FLAG=VALUE
  #
  # Note: TLS feature highly depends on the OpenSSL building. To enable this 
  #           feature, please follow the instructions found in the file "Patch-HOWTO.txt" 
  #           located in CryptoPkg\Library\OpensslLib to enable the OpenSSL building first.
  #
  DEFINE TLS_ENABLE = FALSE

Thanks,
Jiaxin

> Thanks,
> Laszlo
> 
> >
> > Thanks,
> >
> > Gary Lin
> >
> >> Thanks,
> >> Jiaxin
> >>
> >>> -----Original Message-----
> >>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Gary
> >>> Lin
> >>> Sent: Monday, January 16, 2017 12:10 PM
> >>> To: edk2-devel@lists.01.org
> >>> Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Wu, Jiaxin
> >>> <jiaxin.wu@intel.com>; Laszlo Ersek <lersek@redhat.com>
> >>> Subject: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf
> >>>
> >>> This commit introduces a new build option to OvmfPkg: TLS_ENABLE.
> >>> When setting the option, the TLS drivers will be included to support
> >>> HTTPS.
> >>>
> >>> NOTE: HTTP_BOOT_ENABLE is needed to enable HTTPS support since it's
> >>>       pointless to enable TLS alone.
> >>>
> >>> Cc: Laszlo Ersek <lersek@redhat.com>
> >>> Cc: Jordan Justen <jordan.l.justen@intel.com>
> >>> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> >>> Contributed-under: TianoCore Contribution Agreement 1.0
> >>> Signed-off-by: Gary Lin <glin@suse.com>
> >>> ---
> >>>  OvmfPkg/OvmfPkgIa32.dsc    | 8 ++++++++
> >>>  OvmfPkg/OvmfPkgIa32.fdf    | 4 ++++
> >>>  OvmfPkg/OvmfPkgIa32X64.dsc | 8 ++++++++
> >>>  OvmfPkg/OvmfPkgIa32X64.fdf | 4 ++++
> >>>  OvmfPkg/OvmfPkgX64.dsc     | 8 ++++++++
> >>>  OvmfPkg/OvmfPkgX64.fdf     | 4 ++++
> >>>  6 files changed, 36 insertions(+)
> >>>
> >>> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> >>> index e97f7f0262..363f143c68 100644
> >>> --- a/OvmfPkg/OvmfPkgIa32.dsc
> >>> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> >>> @@ -38,6 +38,7 @@ [Defines]
> >>>    DEFINE NETWORK_IP6_ENABLE      = FALSE
> >>>    DEFINE HTTP_BOOT_ENABLE        = FALSE
> >>>    DEFINE SMM_REQUIRE             = FALSE
> >>> +  DEFINE TLS_ENABLE              = FALSE
> >>>
> >>>  [BuildOptions]
> >>>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> >>> @@ -158,6 +159,9 @@ [LibraryClasses]
> >>>
> >>>  !if $(HTTP_BOOT_ENABLE) == TRUE
> >>>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> >>> +!if $(TLS_ENABLE) == TRUE
> >>> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> >>> +!endif
> >>>  !endif
> >>>
> >>>
> >>>
> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> >>> tLib.inf
> >>> @@ -715,6 +719,10 @@ [Components]
> >>>    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >>>    NetworkPkg/HttpDxe/HttpDxe.inf
> >>>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> >>> +!if $(TLS_ENABLE) == TRUE
> >>> +  NetworkPkg/TlsDxe/TlsDxe.inf
> >>> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> >>> +!endif
> >>>  !endif
> >>>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> >>>
> >>> diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
> >>> index 34d57a6079..30c8800932 100644
> >>> --- a/OvmfPkg/OvmfPkgIa32.fdf
> >>> +++ b/OvmfPkg/OvmfPkgIa32.fdf
> >>> @@ -329,6 +329,10 @@ [FV.DXEFV]
> >>>    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >>>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
> >>>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> >>> +!if $(TLS_ENABLE) == TRUE
> >>> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> >>> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> >>> +!endif
> >>>  !endif
> >>>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> >>>
> >>> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> >>> index 8e3e04c135..f22bad309a 100644
> >>> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> >>> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> >>> @@ -38,6 +38,7 @@ [Defines]
> >>>    DEFINE NETWORK_IP6_ENABLE      = FALSE
> >>>    DEFINE HTTP_BOOT_ENABLE        = FALSE
> >>>    DEFINE SMM_REQUIRE             = FALSE
> >>> +  DEFINE TLS_ENABLE              = FALSE
> >>>
> >>>  [BuildOptions]
> >>>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> >>> @@ -163,6 +164,9 @@ [LibraryClasses]
> >>>
> >>>  !if $(HTTP_BOOT_ENABLE) == TRUE
> >>>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> >>> +!if $(TLS_ENABLE) == TRUE
> >>> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> >>> +!endif
> >>>  !endif
> >>>
> >>>
> >>>
> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> >>> tLib.inf
> >>> @@ -724,6 +728,10 @@ [Components.X64]
> >>>    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >>>    NetworkPkg/HttpDxe/HttpDxe.inf
> >>>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> >>> +!if $(TLS_ENABLE) == TRUE
> >>> +  NetworkPkg/TlsDxe/TlsDxe.inf
> >>> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> >>> +!endif
> >>>  !endif
> >>>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> >>>
> >>> diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
> >>> index df55c2b210..7bc31d42ba 100644
> >>> --- a/OvmfPkg/OvmfPkgIa32X64.fdf
> >>> +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
> >>> @@ -329,6 +329,10 @@ [FV.DXEFV]
> >>>    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >>>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
> >>>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> >>> +!if $(TLS_ENABLE) == TRUE
> >>> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> >>> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> >>> +!endif
> >>>  !endif
> >>>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> >>>
> >>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> >>> index 6ec3fe050d..8eca6fd557 100644
> >>> --- a/OvmfPkg/OvmfPkgX64.dsc
> >>> +++ b/OvmfPkg/OvmfPkgX64.dsc
> >>> @@ -38,6 +38,7 @@ [Defines]
> >>>    DEFINE NETWORK_IP6_ENABLE      = FALSE
> >>>    DEFINE HTTP_BOOT_ENABLE        = FALSE
> >>>    DEFINE SMM_REQUIRE             = FALSE
> >>> +  DEFINE TLS_ENABLE              = FALSE
> >>>
> >>>  [BuildOptions]
> >>>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> >>> @@ -163,6 +164,9 @@ [LibraryClasses]
> >>>
> >>>  !if $(HTTP_BOOT_ENABLE) == TRUE
> >>>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> >>> +!if $(TLS_ENABLE) == TRUE
> >>> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> >>> +!endif
> >>>  !endif
> >>>
> >>>
> >>>
> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> >>> tLib.inf
> >>> @@ -722,6 +726,10 @@ [Components]
> >>>    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >>>    NetworkPkg/HttpDxe/HttpDxe.inf
> >>>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> >>> +!if $(TLS_ENABLE) == TRUE
> >>> +  NetworkPkg/TlsDxe/TlsDxe.inf
> >>> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> >>> +!endif
> >>>  !endif
> >>>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> >>>
> >>> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
> >>> index 5e2e1dfaf5..cb7ca131e8 100644
> >>> --- a/OvmfPkg/OvmfPkgX64.fdf
> >>> +++ b/OvmfPkg/OvmfPkgX64.fdf
> >>> @@ -329,6 +329,10 @@ [FV.DXEFV]
> >>>    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >>>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
> >>>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> >>> +!if $(TLS_ENABLE) == TRUE
> >>> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> >>> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> >>> +!endif
> >>>  !endif
> >>>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> >>>
> >>> --
> >>> 2.11.0
> >>>
> >>> _______________________________________________
> >>> edk2-devel mailing list
> >>> edk2-devel@lists.01.org
> >>> https://lists.01.org/mailman/listinfo/edk2-devel
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.01.org
> > https://lists.01.org/mailman/listinfo/edk2-devel
> >



