From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <jiaxin.wu@intel.com>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=134.134.136.24; helo=mga09.intel.com;
 envelope-from=jiaxin.wu@intel.com; receiver=edk2-devel@lists.01.org 
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id DDD5C226EAC70
 for <edk2-devel@lists.01.org>; Thu, 12 Apr 2018 00:28:50 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga002.jf.intel.com ([10.7.209.21])
 by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 12 Apr 2018 00:28:50 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.48,440,1517904000"; d="scan'208";a="50158598"
Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203])
 by orsmga002.jf.intel.com with ESMTP; 12 Apr 2018 00:28:50 -0700
Received: from shsmsx101.ccr.corp.intel.com (10.239.4.153) by
 FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS)
 id 14.3.319.2; Thu, 12 Apr 2018 00:28:49 -0700
Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.151]) by
 SHSMSX101.ccr.corp.intel.com ([169.254.1.43]) with mapi id 14.03.0319.002;
 Thu, 12 Apr 2018 15:28:47 +0800
From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: Laszlo Ersek <lersek@redhat.com>, "edk2-devel@lists.01.org"
 <edk2-devel@lists.01.org>
CC: Ard Biesheuvel <ard.biesheuvel@linaro.org>, Gary Ching-Pang Lin
 <glin@suse.com>, "Justen, Jordan L" <jordan.l.justen@intel.com>, "Gao,
 Liming" <liming.gao@intel.com>, "Kinney, Michael D"
 <michael.d.kinney@intel.com>, "Long, Qin" <qin.long@intel.com>, "Fu, Siyuan"
 <siyuan.fu@intel.com>, "Ye, Ting" <ting.ye@intel.com>
Thread-Topic: [PATCH v2 0/9] {Ovmf,Mde,Network,Crypto}Pkg: fixes+features
 for setting HTTPS cipher suites
Thread-Index: AQHT0YHanRsCBxVhE0avoTBPTuSPoKP8vIyQ
Date: Thu, 12 Apr 2018 07:28:46 +0000
Message-ID: <895558F6EA4E3B41AC93A00D163B7274163B687D@SHSMSX103.ccr.corp.intel.com>
References: <20180411104247.3758-1-lersek@redhat.com>
In-Reply-To: <20180411104247.3758-1-lersek@redhat.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiMzkzODFjZDAtYzQ0ZS00MDE1LWFiYzQtMmQwOGYxOGE2NTc0IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE2LjUuOS4zIiwiVHJ1c3RlZExhYmVsSGFzaCI6InlNY2tHbytuZUNNY1dMSHpwWnlHOEM5UWJQTE1KeEhibTlWNk11dGtJbm89In0=
x-ctpclassification: CTP_NT
dlp-product: dlpe-windows
dlp-version: 11.0.0.116
dlp-reaction: no-action
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Subject: Re: [PATCH v2 0/9] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Apr 2018 07:28:51 -0000
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi Laszlo,

In the commit log of patch 0001,  "EFI_TLS_CA_CERTIFICATE_VARIABLE"  should=
 be "EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE".

Others  looks good to me.

Series Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>


Thanks,
Jiaxin

> -----Original Message-----
> From: Laszlo Ersek [mailto:lersek@redhat.com]
> Sent: Wednesday, April 11, 2018 6:43 PM
> To: edk2-devel@lists.01.org
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>; Gary Ching-Pang Lin
> <glin@suse.com>; Wu, Jiaxin <jiaxin.wu@intel.com>; Justen, Jordan L
> <jordan.l.justen@intel.com>; Gao, Liming <liming.gao@intel.com>; Kinney,
> Michael D <michael.d.kinney@intel.com>; Long, Qin <qin.long@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Ye, Ting <ting.ye@intel.com>
> Subject: [PATCH v2 0/9] {Ovmf,Mde,Network,Crypto}Pkg: fixes+features for
> setting HTTPS cipher suites
>=20
> Repo:   https://github.com/lersek/edk2.git
> Branch: tls_ciphers_v2
>=20
> This is version 2 of the series posted earlier at
>=20
>   http://mid.mail-archive.com/20180403145149.8925-1-lersek@redhat.com
>   https://lists.01.org/pipermail/edk2-devel/2018-April/023402.html
>=20
> Changes are noted per patch. One important change cannot be highlighted
> that way however, because it involves the dropping of the following two
> patches from v1:
>=20
>   [edk2] [PATCH 08/13] CryptoPkg/TlsLib: add the "TlsMappingTable.sh"
>                        POSIX shell script
>=20
>   [edk2] [PATCH 09/13] CryptoPkg/TlsLib: extend "TlsCipherMappingTable"
>=20
> I retested HTTPS boot with this series; it succeeded. The TLS cipher
> suite preference list came from the system-wide configuration on my
> RHEL-7 laptop; basically the binary CipherId array from the command
> "openssl ciphers -V". The relevant lines from the OVMF log were:
>=20
> > TlsAuthConfigDxe:SetCipherSuites: stored list of cipher suites (190 byt=
e(s))
> > [...]
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC030
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC02C
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC028
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC024
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC014
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC00A
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x00A5
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x00A3
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x00A1
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x009F
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x006A
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0038
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0088
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0087
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0086
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0085
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC032
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC02E
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC02A
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC026
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC00F
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC005
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x009D
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0084
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x008D
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC02F
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC02B
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC027
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC023
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC013
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC009
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x00A4
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x00A2
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x00A0
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x009E
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0040
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0032
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x009A
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0099
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0098
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0097
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0045
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0044
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0043
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0042
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC031
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC02D
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC029
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC025
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC00E
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC004
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x009C
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0096
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0041
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x008C
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC012
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC008
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0013
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0010
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x000D
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC00D
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC003
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0007
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x008B
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0021
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x001F
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0025
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0023
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC011
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC007
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC00C
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC002
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x008A
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0020
> > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0024
> > TlsDxe:TlsSetCipherList: CipherString=3D{
> > DHE-RSA-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-
> SHA256:DHE-RSA-AES256-
> > SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:AES256-SHA256:AES256-
> SHA:DHE-RSA-AES128
> > -SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-
> AES128-SHA:DH-RSA-AES
> > 128-SHA:DH-DSS-AES128-SHA:AES128-SHA256:AES128-SHA:DHE-RSA-DES-
> CBC3-SHA:DES-CBC
> > 3-SHA:RC4-SHA:RC4-MD5
> > }
>=20
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Gary Ching-Pang Lin <glin@suse.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Qin Long <qin.long@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Ting Ye <ting.ye@intel.com>
>=20
> Thanks,
> Laszlo
>=20
> Laszlo Ersek (9):
>   OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS
>     boot
>   MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC
>   NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList
>   NetworkPkg/TlsDxe: clean up byte order conversion for EfiTlsCipherList
>   CryptoPkg/TlsLib: replace TlsGetCipherString() with
>     TlsGetCipherMapping()
>   CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping()
>     function
>   CryptoPkg/TlsLib: pre-compute OpensslCipherLength in
>     TlsCipherMappingTable
>   CryptoPkg/TlsLib: sanitize lib classes in internal header and INF
>   CryptoPkg/TlsLib: rewrite TlsSetCipherList()
>=20
>  CryptoPkg/Include/Library/TlsLib.h                    |   9 +-
>  CryptoPkg/Library/TlsLib/InternalTlsLib.h             |   4 +
>  CryptoPkg/Library/TlsLib/TlsConfig.c                  | 279 ++++++++++++=
+++-----
>  CryptoPkg/Library/TlsLib/TlsLib.inf                   |   9 +-
>  MdePkg/Include/Protocol/Tls.h                         |  10 +
>  NetworkPkg/TlsDxe/TlsProtocol.c                       |  17 +-
>  OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c   |  98 +++++++
>  OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf |   3 +-
>  8 files changed, 353 insertions(+), 76 deletions(-)
>=20
> --
> 2.14.1.3.gb7cf6e02401b