From: "Wu, Jiaxin"
To: Laszlo Ersek, "edk2-devel@ml01.01.org"
CC: "Ni, Ruiyu", "Ye, Ting", "Kinney, Michael D", "Fu, Siyuan", Gary Ching-Pang Lin, "Justen, Jordan L"
Date: Wed, 18 Jan 2017 02:16:05 +0000
Message-ID: <895558F6EA4E3B41AC93A00D163B7274162948A8@SHSMSX103.ccr.corp.intel.com>
References: <1484623992-52988-1-git-send-email-jiaxin.wu@intel.com> <1484623992-52988-3-git-send-email-jiaxin.wu@intel.com> <885aab27-f660-768b-59da-4d3e33f099ec@redhat.com>
In-Reply-To: <885aab27-f660-768b-59da-4d3e33f099ec@redhat.com>
Subject: Re: [PATCH v2 2/2] Nt32Pkg.dsc: Add flag to control HTTP connections
List-Id: EDK II Development

> Subject: Re: [edk2] [PATCH v2 2/2] Nt32Pkg.dsc: Add flag to control HTTP
> connections
>
> CC Jordan and Gary
>
> On 01/17/17 04:33, Jiaxin Wu wrote:
> > v2:
> > * Rename the flag.
> > > > This flag is used to overwrite the PcdAllowHttpConnections > > value, then the platform can make a decision whether to allow > > HTTP connections or not. > > > > Cc: Ye Ting > > Cc: Fu Siyuan > > Cc: Ruiyu Ni > > Cc: Laszlo Ersek > > Cc: Kinney Michael D > > Contributed-under: TianoCore Contribution Agreement 1.0 > > Signed-off-by: Wu Jiaxin > > --- > > Nt32Pkg/Nt32Pkg.dsc | 18 ++++++++++++++++-- > > 1 file changed, 16 insertions(+), 2 deletions(-) > > > > diff --git a/Nt32Pkg/Nt32Pkg.dsc b/Nt32Pkg/Nt32Pkg.dsc > > index 134afb8..88b1ea9 100644 > > --- a/Nt32Pkg/Nt32Pkg.dsc > > +++ b/Nt32Pkg/Nt32Pkg.dsc > > @@ -2,11 +2,11 @@ > > # EFI/Framework Emulation Platform with UEFI HII interface supported. > > # > > # The Emulation Platform can be used to debug individual modules, prio= r to > creating > > # a real platform. This also provides an example for how an DSC is = created. > > # > > -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved. > > +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved. > > # Copyright (c) 2015, Hewlett-Packard Development Company, L.P.
> > # (C) Copyright 2016 Hewlett Packard Enterprise Development LP
> > # > > # This program and the accompanying materials > > # are licensed and made available under the terms and conditions of= the > BSD License > > @@ -57,11 +57,21 @@ > > # > > # Note: TLS feature highly depends on the OpenSSL building. To enabl= e this > > # feature, please follow the instructions found in the file "P= atch- > HOWTO.txt" > > # located in CryptoPkg\Library\OpensslLib to enable the OpenSS= L > building first. > > # > > - DEFINE TLS_ENABLE =3D FALSE > > + DEFINE TLS_ENABLE =3D FALSE > > + > > + # > > + # Indicates whether HTTP connections (i.e., unsecured) are permitted= or > not. > > + # -D FLAG=3DVALUE > > + # > > + # Note: If ALLOW_HTTP_CONNECTIONS is TRUE, HTTP connections is > allowed. Both > > + # the "https://" and "http://" URI schemes are permitted. Othe= rwise, > HTTP > > + # connections is denied. Only the "https://" URI scheme is per= mitted. > > + # > > + DEFINE ALLOW_HTTP_CONNECTIONS =3D TRUE > > > > > ################################################################ > ################ > > # > > # SKU Identification section - list of all SKU IDs supported by this > > # Platform. 
> > @@ -252,10 +262,14 @@ > > > gEfiMdeModulePkgTokenSpaceGuid.PcdResetOnMemoryTypeInformationChan > ge|FALSE > > !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE || $(TLS_ENABLE) =3D=3D TRUE > > gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000 > > !endif > > > > +!if $(ALLOW_HTTP_CONNECTIONS) =3D=3D TRUE > > + gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE > > +!endif > > + > > !ifndef $(USE_OLD_SHELL) > > gEfiIntelFrameworkModulePkgTokenSpaceGuid.PcdShellFile|{ 0x83, 0xA5, > 0x04, 0x7C, 0x3E, 0x9E, 0x1C, 0x4F, 0xAD, 0x65, 0xE0, 0x52, 0x68, 0xD0, 0= xB4, > 0xD1 } > > !endif > > > > !if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >
>
> Does the following combination make sense?
>
> TLS_ENABLE=FALSE and ALLOW_HTTP_CONNECTIONS=FALSE
>
> In this case, only the https:// scheme would be accepted, however the
> TLS facility that underlies HTTPS is missing. I think this would render
> the HTTP stack useless. Is that correct?
>

Laszlo,

From my perspective, I think it also makes sense since the platform owner makes the decision to disable the HTTP connections. In such a case, if TLS is not enabled, HTTP stack should be useless since HTTP connections have been disabled.

> I'm asking mainly for OVMF's sake. (I have nothing against this patch in
> Nt32Pkg.) Namely, in OvmfPkg, I would dislike the additional complexity
> of an ALLOW_HTTP_CONNECTIONS build flag. Instead, I think we should set
> PcdAllowHttpConnections to TRUE, whenever HTTP_BOOT_ENABLE is defined
> (and we shouldn't override the DEC default otherwise).
>
> This would result in HTTP working with just -D HTTP_BOOT_ENABLE, and
> both HTTP and HTTPS working with -D HTTP_BOOT_ENABLE -D TLS_ENABLE. I
> don't see any downsides to always permitting HTTP in OVMF.
>
> Thoughts?
>

The default value of PcdAllowHttpConnections is crucial to ensure the real platform security by default. So, we set the default value to FALSE.
In order to facilitate control (just like Nt32), the platform owner can define the flag to make the decision whether to allow the HTTP connections.

For Nt32 simulation platform, the default value of flag ALLOW_HTTP_CONNECTIONS is TRUE. For OVMF, we can also define the flag with the TRUE value, which would achieve your purpose that HTTP working with just -D HTTP_BOOT_ENABLE and both HTTP and HTTPS working with -D HTTP_BOOT_ENABLE -D TLS_ENABLE.

> If everyone agrees, then Jiaxin, can you please append a third patch for
> OvmfPkg, which sets PcdAllowHttpConnections to TRUE whenever
> HTTP_BOOT_ENABLE is TRUE?
>

Laszlo,

As I talked above and according to your requirement, we have the below update choice:

1) The flag definition (ALLOW_HTTP_CONNECTIONS) with TRUE value to allow the HTTP connections (the same as NT32).

  DEFINE ALLOW_HTTP_CONNECTIONS = TRUE

  !if $(ALLOW_HTTP_CONNECTIONS) == TRUE
    gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
  !endif

2) Sets PcdAllowHttpConnections to TRUE whenever HTTP_BOOT_ENABLE is TRUE

  !if $(HTTP_BOOT_ENABLE) == TRUE
    gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
  !endif

For 1), Flexible control!
For 2), we have no way to stop the HTTP connections while HTTPS is allowed. That means no HTTP connections control switch.

I still prefer 1), but that depends on you since you are the OVMF platform owner:). What's your opinion?

Thanks,
Jiaxin

> (Note that in "OvmfPkgIa32X64.dsc", the setting should likely go under
> [PcdsFixedAtBuild.X64].)
>
> Thanks!
> Laszlo
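
Review bot: In the @@ -57,11 +57,21 @@ hunk, the new comment block does not cover the case where ALLOW_HTTP_CONNECTIONS is FALSE while TLS_ENABLE keeps the FALSE default defined in the same hunk: only "https://" is then permitted but TLS is not built, so no URI scheme is usable. Suggest adding a sentence to the Note saying that ALLOW_HTTP_CONNECTIONS=FALSE is only meaningful together with TLS_ENABLE=TRUE, and replacing the generic "-D FLAG=VALUE" line with "-D ALLOW_HTTP_CONNECTIONS=FALSE" so the restrictive setting is the one shown. The comment should also state that TRUE is chosen here for the emulation platform, since a platform DSC copied from this file would otherwise inherit plaintext HTTP as its default. Wording: "HTTP connections is allowed" and "is denied" should read "are".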
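
Review bot: In the @@ -252,10 +262,14 @@ hunk, the "!if $(ALLOW_HTTP_CONNECTIONS) == TRUE" block has no "!else" branch, so the FALSE case relies silently on the PCD default declared outside this file. Suggest either an explicit "!else" that sets gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|FALSE, or a one-line comment above the "!if" stating that the declared default (FALSE) applies when the flag is not TRUE, so the platform's intent is readable from the DSC alone.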