Subject: Re: [edk2-devel] [PATCH] OvmfPkg/README: HTTPS Boot: describe host-side TLS cipher suites forwarding
From: "Laszlo Ersek"
To: devel@edk2.groups.io, ard.biesheuvel@arm.com
Cc: Gary Lin, Jordan Justen, Philippe Mathieu-Daudé
Date: Tue, 22 Sep 2020 18:57:36 +0200
Message-ID: <93f2f62e-52a1-e83e-9141-340c52aaac6e@redhat.com>

On 09/22/20 12:49, Ard Biesheuvel wrote:
> On 9/22/20 11:23 AM, Laszlo Ersek wrote:
>> On 09/22/20 11:18, Laszlo Ersek wrote:
>>> In QEMU commit range 4abf70a661a5..69699f3055a5 (later fixed up in QEMU
>>> commit 4318432ccd3f), Phil implemented a QEMU facility for exposing the
>>> host-side TLS cipher suite configuration to OVMF. The purpose is to
>>> control the permitted ciphers in the guest's UEFI HTTPS boot. This
>>> complements the forwarding of the host-side crypto policy from the host to
>>> the guest -- the other facet was the set of CA certificates (for which
>>> p11-kit patches had been upstreamed, on the host side).
>>>
>>> Mention the new command line options in "OvmfPkg/README".
>>>
>>> Cc: Ard Biesheuvel
>>> Cc: Gary Lin
>>> Cc: Jordan Justen
>>> Cc: Philippe Mathieu-Daudé
>>> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2852
>>> Signed-off-by: Laszlo Ersek
>>> Reviewed-by: Gary Lin
>>> Reviewed-by: Philippe Mathieu-Daudé
>
> Acked-by: Ard Biesheuvel

Merged as commit 3f3daf893089, via .

Thanks all,
Laszlo