From: "Wu, Jiaxin"
To: Laszlo Ersek, Gary Lin
CC: "Justen, Jordan L", edk2-devel@lists.01.org, "Long, Qin"
Subject: Re: [PATCH] OvmfPkg: Enable HTTPS for Ovmf
Date: Tue, 17 Jan 2017 01:22:35 +0000
Message-ID: <895558F6EA4E3B41AC93A00D163B7274162941C1@SHSMSX103.ccr.corp.intel.com>
References: <20170116041013.31545-1-glin@suse.com> <895558F6EA4E3B41AC93A00D163B727416293E11@SHSMSX103.ccr.corp.intel.com> <20170116063237.tapblt5ildhgdrrl@GaryWorkstation>

> Subject: Re: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf
>
> On 01/16/17 07:32, Gary Lin wrote:
> > On Mon, Jan 16, 2017 at 05:44:49AM +0000, Wu, Jiaxin wrote:
> >> Hi Gary,
> >>
> >> Before we enable the HTTPS/TLS for OVMF, we need to remove the
> >> 'SECURE_BOOT_ENABLE' flag control for the CryptoPkg libraries. Not only
> >> does the secure boot feature require the CryptoPkg libraries (e.g.,
> >> OpensslLib, BaseCryptLib), but so do the ISCSI, IpSec and HTTPS/TLS
> >> features. If we do not remove that dependency, we must set both
> >> SECURE_BOOT_ENABLE and TLS_ENABLE to support the TLS feature. That's
> >> unreasonable.
> >>
> > Ah! Right. I always enable secure boot and forgot the dependency of
> > CryptoPkg.
> >
> >> The attached patch is to remove the flag control for the CryptoPkg
> >> libraries. I suggest waiting for that patch to be committed, then going
> >> ahead to enable HTTPS for OVMF.
> >>
> > Agree. We should free CryptoPkg from Secure Boot or HTTPS first.
>
> As I indicated in the other thread (Jiaxin's "[PATCH v2] OvmfPkg: Remove
> the flag control for the CryptoPkg libraries"), decoupling the OpenSSL
> dependency from Secure Boot is a good idea, as there are indeed multiple
> users. However, making OpenSSL a hard or default requirement for
> building OVMF is wrong, as long as OpenSSL needs to be manually dropped
> into CryptoPkg, and patched.

As I explained previously, OpenSSL is a must only when needed.

> If that's the case, then we should extract the OpenSSL dependency into
> its own synthetic (use case-less) build macro (such as OPENSSL_ENABLE),
> and work out the dependencies between it and the concrete use cases
> (other build macros).
>
> This way the person building OVMF will only have to mess with OpenSSL /
> CryptoPkg if they need at least one feature that unconditionally
> requires OpenSSL, or they decide to enable OpenSSL for another feature
> that optionally benefits from it.
>

All the feature flags can control the build dependency; we can add some notes
for those flags to make any user aware of the OpenSSL dependency (refer to
NT32):

  #
  # This flag is to enable or disable TLS feature.
  # These can be changed on the command line.
  # -D FLAG=VALUE
  #
  # Note: TLS feature highly depends on the OpenSSL building. To enable this
  #       feature, please follow the instructions found in the file "Patch-HOWTO.txt"
  #       located in CryptoPkg\Library\OpensslLib to enable the OpenSSL building first.
  #
  DEFINE TLS_ENABLE = FALSE

Thanks,
Jiaxin

> Thanks,
> Laszlo
>
> >
> > Thanks,
> >
> > Gary Lin
> >
> >> Thanks,
> >> Jiaxin
> >>
> >>> -----Original Message-----
> >>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Gary Lin
> >>> Sent: Monday, January 16, 2017 12:10 PM
> >>> To: edk2-devel@lists.01.org
> >>> Cc: Justen, Jordan L ; Wu, Jiaxin ; Laszlo Ersek
> >>> Subject: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf
> >>>
> >>> This commit introduces a new build option to OvmfPkg: TLS_ENABLE.
> >>> When setting the option, the TLS drivers will be included to support
> >>> HTTPS.
> >>>
> >>> NOTE: HTTP_BOOT_ENABLE is needed to enable HTTPS support since it's
> >>> pointless to enable TLS alone.
> >>>
> >>> Cc: Laszlo Ersek
> >>> Cc: Jordan Justen
> >>> Cc: Jiaxin Wu
> >>> Contributed-under: TianoCore Contribution Agreement 1.0
> >>> Signed-off-by: Gary Lin
> >>> ---
> >>>  OvmfPkg/OvmfPkgIa32.dsc    | 8 ++++++++
> >>>  OvmfPkg/OvmfPkgIa32.fdf    | 4 ++++
> >>>  OvmfPkg/OvmfPkgIa32X64.dsc | 8 ++++++++
> >>>  OvmfPkg/OvmfPkgIa32X64.fdf | 4 ++++
> >>>  OvmfPkg/OvmfPkgX64.dsc     | 8 ++++++++
> >>>  OvmfPkg/OvmfPkgX64.fdf     | 4 ++++
> >>>  6 files changed, 36 insertions(+)
> >>>
> >>> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > >>> index e97f7f0262..363f143c68 100644 > >>> --- a/OvmfPkg/OvmfPkgIa32.dsc > >>> +++ b/OvmfPkg/OvmfPkgIa32.dsc > >>> @@ -38,6 +38,7 @@ [Defines] > >>> DEFINE NETWORK_IP6_ENABLE =3D FALSE > >>> DEFINE HTTP_BOOT_ENABLE =3D FALSE > >>> DEFINE SMM_REQUIRE =3D FALSE > >>> + DEFINE TLS_ENABLE =3D FALSE > >>> > >>> [BuildOptions] > >>> GCC:*_UNIXGCC_*_CC_FLAGS =3D -DMDEPKG_NDEBUG 
> >>> @@ -158,6 +159,9 @@ [LibraryClasses] > >>> > >>> !if $(HTTP_BOOT_ENABLE) =3D=3D TRUE > >>> HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf > >>> +!if $(TLS_ENABLE) =3D=3D TRUE > >>> + TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf > >>> +!endif > >>> !endif > >>> > >>> > >>> > S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip > >>> tLib.inf > >>> @@ -715,6 +719,10 @@ [Components] > >>> NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf > >>> NetworkPkg/HttpDxe/HttpDxe.inf > >>> NetworkPkg/HttpBootDxe/HttpBootDxe.inf > >>> +!if $(TLS_ENABLE) =3D=3D TRUE > >>> + NetworkPkg/TlsDxe/TlsDxe.inf > >>> + NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf > >>> +!endif > >>> !endif > >>> OvmfPkg/VirtioNetDxe/VirtioNet.inf > >>> > >>> diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf > >>> index 34d57a6079..30c8800932 100644 > >>> --- a/OvmfPkg/OvmfPkgIa32.fdf > >>> +++ b/OvmfPkg/OvmfPkgIa32.fdf > >>> @@ -329,6 +329,10 @@ [FV.DXEFV] > >>> INF NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf > >>> INF NetworkPkg/HttpDxe/HttpDxe.inf > >>> INF NetworkPkg/HttpBootDxe/HttpBootDxe.inf > >>> +!if $(TLS_ENABLE) =3D=3D TRUE > >>> + INF NetworkPkg/TlsDxe/TlsDxe.inf > >>> + INF NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf > >>> +!endif > >>> !endif > >>> INF OvmfPkg/VirtioNetDxe/VirtioNet.inf > >>> > >>> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc > >>> index 8e3e04c135..f22bad309a 100644 > >>> --- a/OvmfPkg/OvmfPkgIa32X64.dsc > >>> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > >>> @@ -38,6 +38,7 @@ [Defines] > >>> DEFINE NETWORK_IP6_ENABLE =3D FALSE > >>> DEFINE HTTP_BOOT_ENABLE =3D FALSE > >>> DEFINE SMM_REQUIRE =3D FALSE > >>> + DEFINE TLS_ENABLE =3D FALSE > >>> > >>> [BuildOptions] > >>> GCC:*_UNIXGCC_*_CC_FLAGS =3D -DMDEPKG_NDEBUG 
> >>> @@ -163,6 +164,9 @@ [LibraryClasses] > >>> > >>> !if $(HTTP_BOOT_ENABLE) =3D=3D TRUE > >>> HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf > >>> +!if $(TLS_ENABLE) =3D=3D TRUE > >>> + TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf > >>> +!endif > >>> !endif > >>> > >>> > >>> > S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip > >>> tLib.inf > >>> @@ -724,6 +728,10 @@ [Components.X64] > >>> NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf > >>> NetworkPkg/HttpDxe/HttpDxe.inf > >>> NetworkPkg/HttpBootDxe/HttpBootDxe.inf > >>> +!if $(TLS_ENABLE) =3D=3D TRUE > >>> + NetworkPkg/TlsDxe/TlsDxe.inf > >>> + NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf > >>> +!endif > >>> !endif > >>> OvmfPkg/VirtioNetDxe/VirtioNet.inf > >>> > >>> diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf > >>> index df55c2b210..7bc31d42ba 100644 > >>> --- a/OvmfPkg/OvmfPkgIa32X64.fdf > >>> +++ b/OvmfPkg/OvmfPkgIa32X64.fdf > >>> @@ -329,6 +329,10 @@ [FV.DXEFV] > >>> INF NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf > >>> INF NetworkPkg/HttpDxe/HttpDxe.inf > >>> INF NetworkPkg/HttpBootDxe/HttpBootDxe.inf > >>> +!if $(TLS_ENABLE) =3D=3D TRUE > >>> + INF NetworkPkg/TlsDxe/TlsDxe.inf > >>> + INF NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf > >>> +!endif > >>> !endif > >>> INF OvmfPkg/VirtioNetDxe/VirtioNet.inf > >>> > >>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > >>> index 6ec3fe050d..8eca6fd557 100644 > >>> --- a/OvmfPkg/OvmfPkgX64.dsc > >>> +++ b/OvmfPkg/OvmfPkgX64.dsc > >>> @@ -38,6 +38,7 @@ [Defines] > >>> DEFINE NETWORK_IP6_ENABLE =3D FALSE > >>> DEFINE HTTP_BOOT_ENABLE =3D FALSE > >>> DEFINE SMM_REQUIRE =3D FALSE > >>> + DEFINE TLS_ENABLE =3D FALSE > >>> > >>> [BuildOptions] > >>> GCC:*_UNIXGCC_*_CC_FLAGS =3D -DMDEPKG_NDEBUG 
> >>> @@ -163,6 +164,9 @@ [LibraryClasses] > >>> > >>> !if $(HTTP_BOOT_ENABLE) =3D=3D TRUE > >>> HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf > >>> +!if $(TLS_ENABLE) =3D=3D TRUE > >>> + TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf > >>> +!endif > >>> !endif > >>> > >>> > >>> > S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip > >>> tLib.inf > >>> @@ -722,6 +726,10 @@ [Components] > >>> NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf > >>> NetworkPkg/HttpDxe/HttpDxe.inf > >>> NetworkPkg/HttpBootDxe/HttpBootDxe.inf > >>> +!if $(TLS_ENABLE) =3D=3D TRUE > >>> + NetworkPkg/TlsDxe/TlsDxe.inf > >>> + NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf > >>> +!endif > >>> !endif > >>> OvmfPkg/VirtioNetDxe/VirtioNet.inf > >>> > >>> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf > >>> index 5e2e1dfaf5..cb7ca131e8 100644 > >>> --- a/OvmfPkg/OvmfPkgX64.fdf > >>> +++ b/OvmfPkg/OvmfPkgX64.fdf > >>> @@ -329,6 +329,10 @@ [FV.DXEFV] > >>> INF NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf > >>> INF NetworkPkg/HttpDxe/HttpDxe.inf > >>> INF NetworkPkg/HttpBootDxe/HttpBootDxe.inf > >>> +!if $(TLS_ENABLE) =3D=3D TRUE > >>> + INF NetworkPkg/TlsDxe/TlsDxe.inf > >>> + INF NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf > >>> +!endif > >>> !endif > >>> INF OvmfPkg/VirtioNetDxe/VirtioNet.inf > >>> > >>> -- > >>> 2.11.0 > >>> > >>> _______________________________________________ > >>> edk2-devel mailing list > >>> edk2-devel@lists.01.org > >>> https://lists.01.org/mailman/listinfo/edk2-devel > > _______________________________________________ > > edk2-devel mailing list > > edk2-devel@lists.01.org > > https://lists.01.org/mailman/listinfo/edk2-devel > >
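Review bot: the new `DEFINE TLS_ENABLE = FALSE` in the [Defines] hunk of OvmfPkgIa32.dsc, OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc carries no comment, although the commit message says the option is pointless without HTTP_BOOT_ENABLE and this thread says TLS needs OpenSSL dropped into CryptoPkg and patched. Put that next to the define, in the NT32 style Jiaxin quotes, e.g. `# Note: TLS_ENABLE requires HTTP_BOOT_ENABLE and an OpenSSL-enabled CryptoPkg (see CryptoPkg\Library\OpensslLib\Patch-HOWTO.txt)`, so that someone editing the DSC or passing -D TLS_ENABLE=TRUE learns this before the build fails.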
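Review bot: in the [LibraryClasses] hunks the `!if $(TLS_ENABLE) == TRUE` block is nested inside `!if $(HTTP_BOOT_ENABLE) == TRUE`, so a build with TLS_ENABLE=TRUE and HTTP_BOOT_ENABLE=FALSE silently omits TlsLib instead of surfacing the mismatch that the commit message's NOTE describes; consider rejecting that combination in the DSC rather than documenting it only in the commit message. Separately, `TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf` can only resolve when OpensslLib and BaseCryptLib are mapped, and in the current OVMF DSCs that happens under SECURE_BOOT_ENABLE (the dependency Jiaxin describes at the top of this thread), so this patch has to land after "[PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg libraries" and the commit message should state that ordering.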
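Review bot: the [Components] and [FV.DXEFV] hunks add NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf alongside NetworkPkg/TlsDxe/TlsDxe.inf, but the commit message describes the change only as "the TLS drivers will be included to support HTTPS". Name both modules in the commit message and say what enabling TLS_ENABLE exposes to the user (by its name, TlsAuthConfigDxe is the configuration piece for TLS authentication), so that reviewers and users of the option know HTTPS support here includes a configuration front end and not only the protocol driver.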
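The OPENSSL_ENABLE decoupling Laszlo proposes above, written out as a DSC fragment; this is an added illustration, not code from the patch, from edk2, or from any participant in the thread. The OpensslLib and BaseCryptLib mapping paths, the `!ifndef` guard and the conditional re-DEFINE of OPENSSL_ENABLE under [Defines] are assumptions about what the build tools accept.

```ini
[Defines]
  # Concrete use-case flags, each one settable with -D FLAG=VALUE.
  DEFINE SECURE_BOOT_ENABLE = FALSE
  DEFINE HTTP_BOOT_ENABLE   = FALSE
  DEFINE TLS_ENABLE         = FALSE

  # Synthetic, use-case-less macro naming the OpenSSL dependency itself.
  # -D OPENSSL_ENABLE=TRUE lets a feature that only optionally benefits
  # from OpenSSL opt in; the default keeps a plain OVMF build free of
  # CryptoPkg\Library\OpensslLib (assumed: !ifndef guard is honoured).
!ifndef OPENSSL_ENABLE
  DEFINE OPENSSL_ENABLE     = FALSE
!endif

  # Use cases that unconditionally require OpenSSL force the macro on.
  # TLS only matters together with HTTP boot (the commit message's NOTE),
  # so it counts only in that combination (assumed: later DEFINE wins).
!if $(SECURE_BOOT_ENABLE) == TRUE
  DEFINE OPENSSL_ENABLE     = TRUE
!endif
!if $(HTTP_BOOT_ENABLE) == TRUE && $(TLS_ENABLE) == TRUE
  DEFINE OPENSSL_ENABLE     = TRUE
!endif

[LibraryClasses]
  # The CryptoPkg mappings hang off OPENSSL_ENABLE alone, not off any one
  # feature flag, so no feature has to be enabled just to get OpenSSL.
  # (Assumed paths; the real OVMF DSC lines may differ.)
!if $(OPENSSL_ENABLE) == TRUE
  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
  BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
!endif

  # The feature-level mapping from the patch, unchanged: TlsLib is only
  # pulled in when HTTP boot is on, and OPENSSL_ENABLE above guarantees
  # that its OpenSSL side has been resolved in the same build.
!if $(HTTP_BOOT_ENABLE) == TRUE
  HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
!if $(TLS_ENABLE) == TRUE
  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
!endif
!endif
```

With this layout, `-D SECURE_BOOT_ENABLE=TRUE` or `-D HTTP_BOOT_ENABLE=TRUE -D TLS_ENABLE=TRUE` each pull in OpenSSL on their own, and neither flag has to be set for the sake of the other.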