From: "Fu, Siyuan" <siyuan.fu@intel.com>
To: "Wu, Jiaxin" <jiaxin.wu@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: Palmer Thomas <thomas.palmer@hpe.com>,
"Ye, Ting" <ting.ye@intel.com>, "Long, Qin" <qin.long@intel.com>,
"Li, Ruth" <ruth.li@intel.com>,
"Zimmer, Vincent" <vincent.zimmer@intel.com>
Subject: Re: [staging/HTTPS-TLS][PATCH] Readme.MD: Add the feature support scope
Date: Fri, 25 Nov 2016 03:58:35 +0000 [thread overview]
Message-ID: <B1FF2E9001CE9041BD10B825821D5BC58A8554A1@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <1480046269-133288-1-git-send-email-jiaxin.wu@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
> -----Original Message-----
> From: Wu, Jiaxin
> Sent: Friday, November 25, 2016 11:58 AM
> To: edk2-devel@lists.01.org
> Cc: Palmer Thomas <thomas.palmer@hpe.com>; Ye, Ting <ting.ye@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Long, Qin <qin.long@intel.com>; Li, Ruth
> <ruth.li@intel.com>; Zimmer, Vincent <vincent.zimmer@intel.com>; Wu,
> Jiaxin <jiaxin.wu@intel.com>
> Subject: [staging/HTTPS-TLS][PATCH] Readme.MD: Add the feature support
> scope
>
> This patch is used to add the feature support scope to indicate
> the feature completeness criteria, and some contents are also
> updated/refined, e.g. Timeline and Feature Verification section.
>
> Cc: Palmer Thomas <thomas.palmer@hpe.com>
> Cc: Ye Ting <ting.ye@intel.com>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Cc: Long Qin <qin.long@intel.com>
> Cc: Li Ruth <ruth.li@intel.com>
> Cc: Zimmer Vincent <vincent.zimmer@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> ---
> Readme.MD | 15 ++++++++++++---
> 1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/Readme.MD b/Readme.MD
> index a69a2f1..d16eb4c 100644
> --- a/Readme.MD
> +++ b/Readme.MD
> @@ -33,11 +33,11 @@ NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> ```
>
> #### HTTPS Authentication
> TLS supports three authentication modes
> ([RFC5246](https://tools.ietf.org/html/rfc5246)):
> ```
> -1. Total anonymity: the server and client won’t authenticate each other.
> +1. Total anonymity: the server and client will not authenticate each
> other.
> 2. One-way authentication: server authentication with an unauthenticated
> client.
> 3. Two-way authentication: authentication of both parties.
> ```
> Currently, HTTPS boot feature only support server authentication with an
> unauthenticated client mode. Others are not in our current feature support
> scope. To support one-way authentication mode, server CA certificate is
> required by Client. Private variable is used to configure this CA
> certificate. **EFI_SIGNATURE_LIST** format is used for this variable. In
> sum, the Server CA certificate must be configured first to enable HTTPS
> boot feature. The variable name and GUID are defined as below.
> ```
> @@ -54,20 +54,29 @@ Currently, HTTPS boot feature only support server
> authentication with an unauthe
> | Time | Event | Related Module |
> |:----:|:-----:|:--------------:|
> | 2015.12 | Initial implementation for HTTPS boot feature by leveraging
> OpenSSL. | HttpDxe, OpensslTlsLib, TlsLib, TlsDxe |
> | 2016.3 | Provided an UI configured driver to support TLS server
> authentication. | TlsAuthConfigDxe |
> | 2016.4-7 | Hotfix and code refine according community feedback. |
> Tls1.h, TlsLib, HttpDxe |
> +| 2016.8 | Prevent the CA certificates from the runtime phase attack. |
> TlsAuthConfigDxe |
> | 2016.9 | Support TLS Version negotiation. | TlsLib, HttpDxe |
> |...|...|...|
>
> +## Feature Support Scope
> +* Feature usage: Load the specified file from the remote HTTPS server
> successfully and steadily.
> +* UEFI Arch: IA32 and X64 platform.
> +* TLS version: TLS1.0/1.1/1.2, version negotiation.
> +* HTTPS authentication mode: One-way authentication.
> +* CA certificates management: Private variable, prevent runtime phase
> attack.
> +
> ## Feature Verification
> -Tomcat and IIS8 are selected as the HTTPS server to verifiy the result,
> Detiled see below table.
> +Tomcat, IIS 8 and Apache2 are selected as the HTTPS server to verify the
> result of loading the UEFI shell boot file (Shell.efi), detailed see below
> table.
>
> | HTTPS Server | TLS 1.0 | TLS 1.1 | TLS1.2 |
> |:------------:|:-------:|:-------:|:------:|
> |Tomcat | Pass |Pass | Pass |
> -|IIS8 | Pass | Pass | Failure |
> +|IIS 8 | Pass | Pass | Failure |
> +|Apache2 | Pass | Pass | Pass |
>
> ### NOTES
> TLS version 1.2 in windows server 2012 R2 IIS8 (As HTTPS server) CAN NOT
> collaborate with UEFI HTTPS client while version 1.1/1.0 works well. To
> make the UEFI HTTPS client in staging works properly, we have to disable
> TLS version 1.2 in windows server 2012 R2 by the below PowerShell script:
> ```
> New-Item
> 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protoco
> ls\TLS 1.2\Server' -Force | Out-Null
> --
> 1.9.5.msysgit.1
next prev parent reply other threads:[~2016-11-25 3:58 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-25 3:57 [staging/HTTPS-TLS][PATCH] Readme.MD: Add the feature support scope Jiaxin Wu
2016-11-25 3:58 ` Fu, Siyuan [this message]
2016-11-25 7:42 ` Ye, Ting
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=B1FF2E9001CE9041BD10B825821D5BC58A8554A1@shsmsx102.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox