To: Gary Lin
Cc: edk2-devel@lists.01.org, Jordan Justen, Ard Biesheuvel
From: Laszlo Ersek
Date: Tue, 24 Apr 2018 12:38:48 +0200
Subject: Re: [PATCH v2 1/1] OvmfPkg/README: add HTTPS Boot

On 04/24/18 10:35, Gary Lin wrote:
> Add the new section for HTTPS Boot.
>
> Changes in v2:
> - Fixed the typos
> - Added the command for p11-kit based on Laszlo's suggestion
> - Also added the efisiglist command
> - Elaborated how to create the customized cipher suite list
> - Mentioned the changes in QEMU in the future based on Laszlo's
>   suggestion
>
> Cc: Ard Biesheuvel
> Cc: Jordan Justen
> Cc: Laszlo Ersek
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Gary Lin
> ---
> OvmfPkg/README | 88 ++++++++++++++++++++
> 1 file changed, 88 insertions(+)

Reviewed-by: Laszlo Ersek
[lersek@redhat.com: trivial typo fixes; update-crypto-policies URL fix]

Such as:

> diff --git a/OvmfPkg/README b/OvmfPkg/README > index 60545ebccfad..7415419d2dd7 100644 > --- a/OvmfPkg/README > +++ b/OvmfPkg/README 
> @@ -287,7 +287,7 @@ and encrypted connection. > > Please note that the certificate has to be in the DER format. > > - You can also append a certificate to the existed list with the following > + You can also append a certificate to the existing list with the following > command: > > efisiglist -i -a -o > @@ -334,13 +334,13 @@ and encrypted connection. > > * In the future (after release 2.12), QEMU should populate both above fw_cfg > files automatically from the local host configuration, and enable the user > - to override either with dedicated options or properties > + to override either with dedicated options or properties. > > (*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A. > (*2) p11-kit: https://github.com/p11-glue/p11-kit/ > (*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c > (*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table > -(*5) update-crypto-policies: https://github.com/nmav/fedora-crypto-policies > +(*5) update-crypto-policies: https://gitlab.com/redhat-crypto/fedora-crypto-policies > > === OVMF Flash Layout === > Commit d3180516f31b. Thank you! Laszlo
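
Review bot: In the first hunk (@@ -287,7), the context line "efisiglist -i -a -o" reads, as quoted here, as three options with no file operands, so the corrected sentence tells the reader to append a certificate to the existing list without showing which argument is that list, which is the DER certificate and which is the output file. If the README text matches what is quoted, add a named placeholder after each option so the command can be followed as written.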
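
Review bot: In the second hunk (@@ -334,13), footnote (*3) still points at "blob/master/src/efisiglist.c", a file path on a moving branch, which can go stale in the same way as the (*5) link that this hunk corrects. Consider linking the pesign repository itself or a fixed revision instead. The "(after release 2.12)" sentence about QEMU populating both fw_cfg files is also forward-looking and will need revisiting once that behaviour exists.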