From: "Wu, Jiaxin"
To: Gary Lin
CC: "Justen, Jordan L", edk2-devel@lists.01.org, Laszlo Ersek, "Long, Qin"
Subject: Re: [PATCH] OvmfPkg: Enable HTTPS for Ovmf
Date: Mon, 16 Jan 2017 09:15:14 +0000
Message-ID: <895558F6EA4E3B41AC93A00D163B727416293FDC@SHSMSX103.ccr.corp.intel.com>
References: <20170116041013.31545-1-glin@suse.com> <895558F6EA4E3B41AC93A00D163B727416293E11@SHSMSX103.ccr.corp.intel.com> <895558F6EA4E3B41AC93A00D163B727416293E6F@SHSMSX103.ccr.corp.intel.com> <20170116064058.nieuzoxlozwjqlcv@GaryWorkstation>
In-Reply-To: <20170116064058.nieuzoxlozwjqlcv@GaryWorkstation>

> > More: the TLS feature should not be limited to the HTTP(S) feature.
> >
> Is there any other planned usage for TLS?

Currently, we only have the HTTP over TLS support, but I think TLS can also be treated as an independent module, which can be leveraged by third-party drivers/apps (e.g. EAP-TLS).

>
> > !if $(HTTP_BOOT_ENABLE) == TRUE
> > !if $(TLS_ENABLE) == TRUE
> > ...
> > !endif
> > !endif
> >
> I checked my patch again and found it'd be better to include the HTTP and
> TLS drivers in this way:
>
> !if $(HTTP_BOOT_ENABLE) == TRUE || $(TLS_ENABLE) == TRUE
>
> !endif
> !if $(TLS_ENABLE) == TRUE
> {TLS drivers}
> !endif
>
> Therefore, enabling TLS_ENABLE also means enabling HTTP_BOOT_ENABLE.
> This makes it less error-prone.

I don't think there is any issue if we only include the TLS drivers or the HTTP driver; it's just that no TLS means no HTTPS (refer to NT32). So, let's keep the logic clean and easy :).

>
> Will send a v2 patch after your patch is merged.

Thanks for the contribution.

Jiaxin

>
> Thanks,
>
> Gary Lin
>
> > Best Regards!
> > Jiaxin
> >
> > > -----Original Message-----
> > > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Wu, Jiaxin
> > > Sent: Monday, January 16, 2017 1:45 PM
> > > To: Gary Lin; edk2-devel@lists.01.org
> > > Cc: Justen, Jordan L; Laszlo Ersek; Long, Qin
> > > Subject: Re: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf
> > >
> > > Hi Gary,
> > >
> > > Before we enable HTTPS/TLS for OVMF, we need to remove the 'SECURE_BOOT_ENABLE'
> > > flag control for the CryptoPkg libraries. Not only does the secure boot feature
> > > require the CryptoPkg libraries (e.g. OpensslLib, BaseCryptLib), but so do the
> > > ISCSI, IpSec and HTTPS/TLS features. If we do not remove that dependency, we must
> > > set both SECURE_BOOT_ENABLE and TLS_ENABLE to support the TLS feature. That's
> > > unreasonable.
> > >
> > > The attached patch removes the flag control for the CryptoPkg libraries. I suggest
> > > waiting for that patch to be committed, then going ahead to enable HTTPS for OVMF.
> > >
> > > Thanks,
> > > Jiaxin
> > >
> > > > -----Original Message-----
> > > > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf= Of > > > Gary > > > > Lin > > > > Sent: Monday, January 16, 2017 12:10 PM > > > > To: edk2-devel@lists.01.org > > > > Cc: Justen, Jordan L ; Wu, Jiaxin > > > > ; Laszlo Ersek > > > > Subject: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf > > > > > > > > This commit introduces a new build option to OvmfPkg: TLS_ENABLE. > > > > When setting the option, the TLS drivers will be included to suppor= t > > > > HTTPS. > > > > > > > > NOTE: HTTP_BOOT_ENABLE is needed to enable HTTPS support since it's > > > > pointless to enable TLS alone. > > > > > > > > Cc: Laszlo Ersek > > > > Cc: Jordan Justen > > > > Cc: Jiaxin Wu > > > > Contributed-under: TianoCore Contribution Agreement 1.0 > > > > Signed-off-by: Gary Lin > > > > --- > > > > OvmfPkg/OvmfPkgIa32.dsc | 8 ++++++++ > > > > OvmfPkg/OvmfPkgIa32.fdf | 4 ++++ > > > > OvmfPkg/OvmfPkgIa32X64.dsc | 8 ++++++++ > > > > OvmfPkg/OvmfPkgIa32X64.fdf | 4 ++++ > > > > OvmfPkg/OvmfPkgX64.dsc | 8 ++++++++ > > > > OvmfPkg/OvmfPkgX64.fdf | 4 ++++ > > > > 6 files changed, 36 insertions(+) > > > > > > > > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > > > > index e97f7f0262..363f143c68 100644 > > > > --- a/OvmfPkg/OvmfPkgIa32.dsc > > > > +++ b/OvmfPkg/OvmfPkgIa32.dsc > > > > @@ -38,6 +38,7 @@ [Defines] > > > > DEFINE NETWORK_IP6_ENABLE =3D FALSE > > > > DEFINE HTTP_BOOT_ENABLE =3D FALSE > > > > DEFINE SMM_REQUIRE =3D FALSE > > > > + DEFINE TLS_ENABLE =3D FALSE > > > > > > > > [BuildOptions] > > > > GCC:*_UNIXGCC_*_CC_FLAGS =3D -DMDEPKG_NDEBUG > > > > @@ -158,6 +159,9 @@ [LibraryClasses] > > > > > > > > !if $(HTTP_BOOT_ENABLE) =3D=3D TRUE > > > > HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf > > > > +!if $(TLS_ENABLE) =3D=3D TRUE > > > > + TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf > > > > +!endif > > > > !endif > > > > > > > > > > > > > > > > S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip > > > > tLib.inf 
> > > > @@ -715,6 +719,10 @@ [Components] > > > > NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf > > > > NetworkPkg/HttpDxe/HttpDxe.inf > > > > NetworkPkg/HttpBootDxe/HttpBootDxe.inf > > > > +!if $(TLS_ENABLE) =3D=3D TRUE > > > > + NetworkPkg/TlsDxe/TlsDxe.inf > > > > + NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf > > > > +!endif > > > > !endif > > > > OvmfPkg/VirtioNetDxe/VirtioNet.inf > > > > > > > > diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf > > > > index 34d57a6079..30c8800932 100644 > > > > --- a/OvmfPkg/OvmfPkgIa32.fdf > > > > +++ b/OvmfPkg/OvmfPkgIa32.fdf > > > > @@ -329,6 +329,10 @@ [FV.DXEFV] > > > > INF NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf > > > > INF NetworkPkg/HttpDxe/HttpDxe.inf > > > > INF NetworkPkg/HttpBootDxe/HttpBootDxe.inf > > > > +!if $(TLS_ENABLE) =3D=3D TRUE > > > > + INF NetworkPkg/TlsDxe/TlsDxe.inf > > > > + INF NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf > > > > +!endif > > > > !endif > > > > INF OvmfPkg/VirtioNetDxe/VirtioNet.inf > > > > > > > > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc > b/OvmfPkg/OvmfPkgIa32X64.dsc > > > > index 8e3e04c135..f22bad309a 100644 > > > > --- a/OvmfPkg/OvmfPkgIa32X64.dsc > > > > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > > > > @@ -38,6 +38,7 @@ [Defines] > > > > DEFINE NETWORK_IP6_ENABLE =3D FALSE > > > > DEFINE HTTP_BOOT_ENABLE =3D FALSE > > > > DEFINE SMM_REQUIRE =3D FALSE > > > > + DEFINE TLS_ENABLE =3D FALSE > > > > > > > > [BuildOptions] > > > > GCC:*_UNIXGCC_*_CC_FLAGS =3D -DMDEPKG_NDEBUG > > > > @@ -163,6 +164,9 @@ [LibraryClasses] > > > > > > > > !if $(HTTP_BOOT_ENABLE) =3D=3D TRUE > > > > HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf > > > > +!if $(TLS_ENABLE) =3D=3D TRUE > > > > + TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf > > > > +!endif > > > > !endif > > > > > > > > > > > > > > > > S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip > > > > tLib.inf 
> > > > @@ -724,6 +728,10 @@ [Components.X64] > > > > NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf > > > > NetworkPkg/HttpDxe/HttpDxe.inf > > > > NetworkPkg/HttpBootDxe/HttpBootDxe.inf > > > > +!if $(TLS_ENABLE) =3D=3D TRUE > > > > + NetworkPkg/TlsDxe/TlsDxe.inf > > > > + NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf > > > > +!endif > > > > !endif > > > > OvmfPkg/VirtioNetDxe/VirtioNet.inf > > > > > > > > diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf > b/OvmfPkg/OvmfPkgIa32X64.fdf > > > > index df55c2b210..7bc31d42ba 100644 > > > > --- a/OvmfPkg/OvmfPkgIa32X64.fdf > > > > +++ b/OvmfPkg/OvmfPkgIa32X64.fdf > > > > @@ -329,6 +329,10 @@ [FV.DXEFV] > > > > INF NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf > > > > INF NetworkPkg/HttpDxe/HttpDxe.inf > > > > INF NetworkPkg/HttpBootDxe/HttpBootDxe.inf > > > > +!if $(TLS_ENABLE) =3D=3D TRUE > > > > + INF NetworkPkg/TlsDxe/TlsDxe.inf > > > > + INF NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf > > > > +!endif > > > > !endif > > > > INF OvmfPkg/VirtioNetDxe/VirtioNet.inf > > > > > > > > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > > > > index 6ec3fe050d..8eca6fd557 100644 > > > > --- a/OvmfPkg/OvmfPkgX64.dsc > > > > +++ b/OvmfPkg/OvmfPkgX64.dsc > > > > @@ -38,6 +38,7 @@ [Defines] > > > > DEFINE NETWORK_IP6_ENABLE =3D FALSE > > > > DEFINE HTTP_BOOT_ENABLE =3D FALSE > > > > DEFINE SMM_REQUIRE =3D FALSE > > > > + DEFINE TLS_ENABLE =3D FALSE > > > > > > > > [BuildOptions] > > > > GCC:*_UNIXGCC_*_CC_FLAGS =3D -DMDEPKG_NDEBUG > > > > @@ -163,6 +164,9 @@ [LibraryClasses] > > > > > > > > !if $(HTTP_BOOT_ENABLE) =3D=3D TRUE > > > > HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf > > > > +!if $(TLS_ENABLE) =3D=3D TRUE > > > > + TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf > > > > +!endif > > > > !endif > > > > > > > > > > > > > > > > S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip > > > > tLib.inf 
> > > > @@ -722,6 +726,10 @@ [Components] > > > > NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf > > > > NetworkPkg/HttpDxe/HttpDxe.inf > > > > NetworkPkg/HttpBootDxe/HttpBootDxe.inf > > > > +!if $(TLS_ENABLE) =3D=3D TRUE > > > > + NetworkPkg/TlsDxe/TlsDxe.inf > > > > + NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf > > > > +!endif > > > > !endif > > > > OvmfPkg/VirtioNetDxe/VirtioNet.inf > > > > > > > > diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf > > > > index 5e2e1dfaf5..cb7ca131e8 100644 > > > > --- a/OvmfPkg/OvmfPkgX64.fdf > > > > +++ b/OvmfPkg/OvmfPkgX64.fdf > > > > @@ -329,6 +329,10 @@ [FV.DXEFV] > > > > INF NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf > > > > INF NetworkPkg/HttpDxe/HttpDxe.inf > > > > INF NetworkPkg/HttpBootDxe/HttpBootDxe.inf > > > > +!if $(TLS_ENABLE) =3D=3D TRUE > > > > + INF NetworkPkg/TlsDxe/TlsDxe.inf > > > > + INF NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf > > > > +!endif > > > > !endif > > > > INF OvmfPkg/VirtioNetDxe/VirtioNet.inf > > > > > > > > -- > > > > 2.11.0 > > > > > > > > _______________________________________________ > > > > edk2-devel mailing list > > > > edk2-devel@lists.01.org > > > > https://lists.01.org/mailman/listinfo/edk2-devel > > > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel
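Review bot: In the OvmfPkgIa32.dsc `[Defines]` hunk, `DEFINE TLS_ENABLE = FALSE` is introduced with nothing next to it saying that it has no effect unless `HTTP_BOOT_ENABLE` is also TRUE, yet every use site in the `[LibraryClasses]`, `[Components]` and `[FV.DXEFV]` hunks nests `!if $(TLS_ENABLE) == TRUE` inside `!if $(HTTP_BOOT_ENABLE) == TRUE`, so a build with `-D TLS_ENABLE=TRUE` alone silently leaves out TlsLib, TlsDxe and TlsAuthConfigDxe. The dependency is recorded only in the commit message's NOTE; either add a comment beside the DEFINE stating it, or, as proposed later in the thread, make the guards independent so that `TLS_ENABLE` pulls in the drivers it needs. The same applies to the matching hunks in OvmfPkgIa32X64 and OvmfPkgX64.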
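Review bot: The `[LibraryClasses]` hunk resolves `TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf` under `TLS_ENABLE` only, but, as pointed out earlier in the thread, the CryptoPkg libraries it builds on (OpensslLib, BaseCryptLib) are still gated by `SECURE_BOOT_ENABLE` in these OvmfPkg DSC files, so `-D HTTP_BOOT_ENABLE=TRUE -D TLS_ENABLE=TRUE` with secure boot off leaves TlsLib's dependencies unresolved. This patch should either land after the CryptoPkg flag-control removal referred to in the thread, or name that prerequisite in the commit message so nobody applies it on its own.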
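As an added example (not edk2 code, and not from anyone in this thread), a small Python evaluator of the DSC `DEFINE`/`!if`/`!endif` guards the two proposals differ on: the fragments it evaluates are constructed to mirror the patch's nested form and Gary's `||` form, keyword arguments stand in for `build -D` flags, and only `==` and `||` are handled.

```python
import re
# Constructed DSC fragments (not OvmfPkg's files): the patch's nested guard and Gary's `||` form.
NESTED = """DEFINE HTTP_BOOT_ENABLE = FALSE
DEFINE TLS_ENABLE = FALSE
!if $(HTTP_BOOT_ENABLE) == TRUE
  NetworkPkg/HttpDxe/HttpDxe.inf
!if $(TLS_ENABLE) == TRUE
  NetworkPkg/TlsDxe/TlsDxe.inf
!endif
!endif"""

FLAT = """DEFINE HTTP_BOOT_ENABLE = FALSE
DEFINE TLS_ENABLE = FALSE
!if $(HTTP_BOOT_ENABLE) == TRUE || $(TLS_ENABLE) == TRUE
  NetworkPkg/HttpDxe/HttpDxe.inf
!endif
!if $(TLS_ENABLE) == TRUE
  NetworkPkg/TlsDxe/TlsDxe.inf
!endif"""

def _cond(expr, env):
    """Evaluate `A == B [|| C == D ...]`; an unset macro compares as empty."""
    def val(tok):
        m = re.fullmatch(r"\$\((\w+)\)", tok.strip())
        return env.get(m.group(1), "") if m else tok.strip()
    return any(val(a) == val(b) for a, _, b in
               (term.partition("==") for term in expr.split("||")))

def evaluate(text, **build_defines):
    """Module paths surviving the !if guards. Keyword args act like `build -D
    NAME=VALUE` and override DEFINE lines; only DEFINE/!if/!endif/==/|| are handled."""
    env = dict(build_defines)
    stack, kept = [], []                    # stack: one bool per open !if
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("DEFINE "):
            name, _, value = line[7:].partition("=")
            env.setdefault(name.strip(), value.strip())   # -D wins over DEFINE
        elif line.startswith("!if "):
            stack.append(_cond(line[4:], env))
        elif line == "!endif":
            stack.pop()
        elif line and all(stack):           # empty stack means top level
            kept.append(line)
    if stack:
        raise ValueError("unbalanced !if/!endif")
    return kept

def builds_tls(text, **build_defines):
    """True when TlsDxe is part of the build under the given -D flags."""
    return any(p.endswith("TlsDxe.inf") for p in evaluate(text, **build_defines))
```

With the nested form, `builds_tls(NESTED, TLS_ENABLE="TRUE")` is False until `HTTP_BOOT_ENABLE="TRUE"` is added as well, whereas the `||` form includes both HttpDxe and TlsDxe from `TLS_ENABLE` alone.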