From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: Gary Lin <glin@suse.com>, Laszlo Ersek <lersek@redhat.com>
Cc: "Ni, Ruiyu" <ruiyu.ni@intel.com>, "Ye, Ting" <ting.ye@intel.com>,
"Justen, Jordan L" <jordan.l.justen@intel.com>,
"edk2-devel@ml01.01.org" <edk2-devel@ml01.01.org>,
"Kinney, Michael D" <michael.d.kinney@intel.com>,
"Fu, Siyuan" <siyuan.fu@intel.com>
Subject: Re: [PATCH v2 2/2] Nt32Pkg.dsc: Add flag to control HTTP connections
Date: Thu, 19 Jan 2017 03:19:24 +0000
Message-ID: <895558F6EA4E3B41AC93A00D163B727416294F1F@SHSMSX103.ccr.corp.intel.com>
In-Reply-To: <20170118092742.n3vp6moruovgtzkl@GaryWorkstation>
> > >> If everyone agrees, then Jiaxin, can you please append a third patch for
> > >> OvmfPkg, which sets PcdAllowHttpConnections to TRUE whenever
> > >> HTTP_BOOT_ENABLE is TRUE?
> > >>
> > >
> > > Laszlo,
> > >
> > > As I mentioned above, and according to your requirement, we have the below
> > > update choices:
> > >
> > > 1) The flag definition (ALLOW_HTTP_CONNECTIONS) with TRUE value to
> > > allow the HTTP connections (the same as NT32).
> > >
> > > DEFINE ALLOW_HTTP_CONNECTIONS = TRUE
> > > !if $(ALLOW_HTTP_CONNECTIONS) == TRUE
> > > gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
> > > !endif
> > >
> > > 2) Sets PcdAllowHttpConnections to TRUE whenever HTTP_BOOT_ENABLE is
> > > TRUE
> > > !if $(HTTP_BOOT_ENABLE) == TRUE
> > > gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
> > > !endif
> > >
> > > For 1), Flexible control!
> > > For 2), we have no way to stop the HTTP connections while HTTPS is allowed.
> > > That means no HTTP connections control switch.
> > >
> > > I still prefer 1), but that depends on you since you are the OVMF platform
> > > owner :).
> > >
> > > What's your opinion?
> >
> > I agree that for a security-oriented approach, for a production
> > firmware, both the DEC default *and* the separate
> > ALLOW_HTTP_CONNECTIONS
> > build flag make sense.
> >
> > For the default -D HTTP_BOOT_ENABLE build of upstream OVMF however, I
> > think ease of use is more important. In a home or company or team
> > intranet setting, booting virtual machines from plain HTTP is
> > acceptable, I think; forcing users to set up HTTPS on the server side,
> > and mess with keys, would be an inconvenience, in my opinion.
> >
> > I guess we could introduce ALLOW_HTTP_CONNECTIONS with a TRUE default,
> > but in general I try to minimize the number of different build flags
> > (same way as MdeModulePkg seeks to minimize new PCDs); I think they
> > quickly become confusing.
> >
> > Serious users (like distros shipping OVMF) can flip the PCD in the DSC
> > files anyway.
> >
> > So, I prefer (2). Jordan, Gary, what do you guys think?
> >
> (2) sounds reasonable to me. Maybe we can also explain the PCD in the
> comment or README to help the user to make the decision.
>
Ok, I will append a third patch for OVMF with solution (2) but keep the ALLOW_HTTP_CONNECTIONS only for Nt32Pkg.
!if $(HTTP_BOOT_ENABLE) == TRUE
gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
!endif
Thanks for all of your comments.
Jiaxin
> Thanks,
>
> Gary Lin
>
> > Thanks!
> > Laszlo
> >
> > >
> > >> (Note that in "OvmfPkgIa32X64.dsc", the setting should likely go under
> > >> [PcdsFixedAtBuild.X64].)
> > >>
> > >> Thanks!
> > >> Laszlo
> >
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.01.org
> > https://lists.01.org/mailman/listinfo/edk2-devel
> >
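As an added example (not code from this thread and not EDK2 BaseTools code), the following Python sketch evaluates the `DEFINE` / `!if` / `!else` / `!endif` subset used by the two DSC fragments above against a set of `-D` build flags, so the trade-off Jiaxin and Laszlo discuss can be checked mechanically: with option (1) a separate `ALLOW_HTTP_CONNECTIONS=FALSE` turns the PCD off, while with option (2) no flag combination leaves HTTP boot enabled and `PcdAllowHttpConnections` FALSE. The two fragments are the ones quoted in the thread; the evaluator, the `http_allowed` helper, and the assumption that an unset PCD falls back to a FALSE DEC default are mine.

```python
"""Evaluate a DSC-style fragment's conditionals for a given set of -D build
flags and report the PCD values that result.

Hypothetical helper written for this thread; it is NOT the EDK2 build tool's
DSC parser and supports only DEFINE, !if $(X) == VALUE, !else and !endif,
which is all the two options under discussion use.
"""
import re

DEFINE_RE = re.compile(r"^DEFINE\s+(\w+)\s*=\s*(\S+)$")
IF_RE = re.compile(r"^!if\s+\$\(\s*(\w+)\s*\)\s*==\s*(\S+)$")
PCD_RE = re.compile(r"^(\w+)\.(\w+)\|(\S+)$")

# Option 1 as proposed for Nt32Pkg: a dedicated ALLOW_HTTP_CONNECTIONS switch.
OPTION_1 = """
DEFINE ALLOW_HTTP_CONNECTIONS = TRUE
!if $(ALLOW_HTTP_CONNECTIONS) == TRUE
gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
!endif
"""

# Option 2 as chosen for OVMF: the PCD simply follows HTTP_BOOT_ENABLE.
OPTION_2 = """
!if $(HTTP_BOOT_ENABLE) == TRUE
gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
!endif
"""


def evaluate_pcds(fragment, build_flags=None):
    """Return {PcdName: value} after applying DEFINE lines, -D flags and
    !if blocks. As with the real build, a -D flag overrides a DSC DEFINE.
    An undefined macro compares unequal to everything (condition false)."""
    macros = {}
    overrides = dict(build_flags or {})
    pcds = {}
    active = [True]  # stack of enclosing condition results (nesting)
    for raw in fragment.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := DEFINE_RE.match(line):
            macros.setdefault(m.group(1), m.group(2))  # first DEFINE wins
            continue
        if m := IF_RE.match(line):
            name, wanted = m.groups()
            value = overrides.get(name, macros.get(name, ""))
            active.append(active[-1] and value == wanted)
            continue
        if line == "!else":
            branch_taken = active.pop()
            active.append(active[-1] and not branch_taken)
            continue
        if line == "!endif":
            if len(active) == 1:
                raise ValueError("!endif without matching !if")
            active.pop()
            continue
        if active[-1] and (m := PCD_RE.match(line)):
            pcds[m.group(2)] = m.group(3)  # keyed by PCD name only
    if len(active) != 1:
        raise ValueError("unterminated !if")
    return pcds


def http_allowed(fragment, **build_flags):
    """True when the fragment leaves PcdAllowHttpConnections at TRUE.
    Assumption (mine, not stated on the thread): a PCD the DSC does not set
    keeps a FALSE default from the NetworkPkg DEC."""
    pcds = evaluate_pcds(fragment, build_flags)
    return pcds.get("PcdAllowHttpConnections", "FALSE") == "TRUE"


if __name__ == "__main__":
    # Option 1: HTTP can be switched off without touching HTTP_BOOT_ENABLE.
    print("opt1 default          :", http_allowed(OPTION_1))
    print("opt1 ALLOW=FALSE      :", http_allowed(OPTION_1, ALLOW_HTTP_CONNECTIONS="FALSE"))
    # Option 2: the PCD is tied to HTTP boot; ALLOW_HTTP_CONNECTIONS is ignored.
    print("opt2 HTTP_BOOT=TRUE   :", http_allowed(OPTION_2, HTTP_BOOT_ENABLE="TRUE"))
    print("opt2 HTTP_BOOT=FALSE  :", http_allowed(OPTION_2, HTTP_BOOT_ENABLE="FALSE"))
    print("opt2 HTTP_BOOT=TRUE, ALLOW=FALSE:",
          http_allowed(OPTION_2, HTTP_BOOT_ENABLE="TRUE", ALLOW_HTTP_CONNECTIONS="FALSE"))
```

The last call is the case Jiaxin describes as "no HTTP connections control switch": under option (2) the evaluator still reports TRUE even when an `ALLOW_HTTP_CONNECTIONS=FALSE` flag is passed, because the DSC fragment never consults it. A distro that wants HTTPS-only boot from such a DSC has to edit the PCD line itself, as Laszlo notes, rather than flip a flag.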
Thread overview: 10+ messages
2017-01-17 3:33 [PATCH v2 0/2] Enable the HTTP connections switch Jiaxin Wu
2017-01-17 3:33 ` [PATCH v2 1/2] NetworkPkg: Add PCD to enable " Jiaxin Wu
2017-01-17 8:53 ` Laszlo Ersek
2017-01-17 3:33 ` [PATCH v2 2/2] Nt32Pkg.dsc: Add flag to control HTTP connections Jiaxin Wu
2017-01-17 10:02 ` Laszlo Ersek
2017-01-17 10:29 ` Gary Lin
2017-01-18 2:16 ` Wu, Jiaxin
2017-01-18 8:30 ` Laszlo Ersek
2017-01-18 9:27 ` Gary Lin
2017-01-19 3:19 ` Wu, Jiaxin [this message]