* [staging/HTTPS-TLS][PATCH] Readme.MD: Add the feature support scope
@ 2016-11-25 3:57 Jiaxin Wu
From: Jiaxin Wu @ 2016-11-25 3:57 UTC (permalink / raw)
To: edk2-devel
Cc: Palmer Thomas, Ye Ting, Fu Siyuan, Long Qin, Li Ruth,
Zimmer Vincent, Wu Jiaxin
This patch is used to add the feature support scope to indicate
the feature completeness criteria, and some contents are also
updated/refined, e.g. Timeline and Feature Verification section.
Cc: Palmer Thomas <thomas.palmer@hpe.com>
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Li Ruth <ruth.li@intel.com>
Cc: Zimmer Vincent <vincent.zimmer@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
---
Readme.MD | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/Readme.MD b/Readme.MD
index a69a2f1..d16eb4c 100644
--- a/Readme.MD
+++ b/Readme.MD
@@ -33,11 +33,11 @@ NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
```
#### HTTPS Authentication
TLS supports three authentication modes ([RFC5246](https://tools.ietf.org/html/rfc5246)):
```
-1. Total anonymity: the server and client won’t authenticate each other.
+1. Total anonymity: the server and client will not authenticate each other.
2. One-way authentication: server authentication with an unauthenticated client.
3. Two-way authentication: authentication of both parties.
```
Currently, HTTPS boot feature only support server authentication with an unauthenticated client mode. Others are not in our current feature support scope. To support one-way authentication mode, server CA certificate is required by Client. Private variable is used to configure this CA certificate. **EFI_SIGNATURE_LIST** format is used for this variable. In sum, the Server CA certificate must be configured first to enable HTTPS boot feature. The variable name and GUID are defined as below.
```
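Review bot: the wording fix in this hunk is fine, but the adjacent context paragraph (the "Currently, HTTPS boot feature only support ..." line) is the security-relevant text and it still omits the one property a reader needs: how the CA-certificate variable is protected. The second hunk of this same patch advertises "prevent runtime phase attack" for the CA certificates, so this paragraph should state what that means for the variable (for instance, that it can no longer be written once the platform has left the firmware boot phase); otherwise a reader cannot tell whether the trust store used for server authentication can be altered by the OS. While touching this block, also fix "only support" to "only supports", "server CA certificate is required by Client" to "the client requires the server's CA certificate", and "Private variable is used" to "A private UEFI variable is used". Note too that the three-item mode list sits inside a code fence, so Markdown renders it as preformatted text rather than a numbered list; a plain ordered list would render as intended.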
@@ -54,20 +54,29 @@ Currently, HTTPS boot feature only support server authentication with an unauthe
| Time | Event | Related Module |
|:----:|:-----:|:--------------:|
| 2015.12 | Initial implementation for HTTPS boot feature by leveraging OpenSSL. | HttpDxe, OpensslTlsLib, TlsLib, TlsDxe |
| 2016.3 | Provided an UI configured driver to support TLS server authentication. | TlsAuthConfigDxe |
| 2016.4-7 | Hotfix and code refine according community feedback. | Tls1.h, TlsLib, HttpDxe |
+| 2016.8 | Prevent the CA certificates from the runtime phase attack. | TlsAuthConfigDxe |
| 2016.9 | Support TLS Version negotiation. | TlsLib, HttpDxe |
|...|...|...|
+## Feature Support Scope
+* Feature usage: Load the specified file from the remote HTTPS server successfully and steadily.
+* UEFI Arch: IA32 and X64 platform.
+* TLS version: TLS1.0/1.1/1.2, version negotiation.
+* HTTPS authentication mode: One-way authentication.
+* CA certificates management: Private variable, prevent runtime phase attack.
+
## Feature Verification
-Tomcat and IIS8 are selected as the HTTPS server to verifiy the result, Detiled see below table.
+Tomcat, IIS 8 and Apache2 are selected as the HTTPS server to verify the result of loading the UEFI shell boot file (Shell.efi), detailed see below table.
| HTTPS Server | TLS 1.0 | TLS 1.1 | TLS1.2 |
|:------------:|:-------:|:-------:|:------:|
|Tomcat | Pass |Pass | Pass |
-|IIS8 | Pass | Pass | Failure |
+|IIS 8 | Pass | Pass | Failure |
+|Apache2 | Pass | Pass | Pass |
### NOTES
TLS version 1.2 in windows server 2012 R2 IIS8 (As HTTPS server) CAN NOT collaborate with UEFI HTTPS client while version 1.1/1.0 works well. To make the UEFI HTTPS client in staging works properly, we have to disable TLS version 1.2 in windows server 2012 R2 by the below PowerShell script:
```
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
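Review bot: the new Feature Support Scope lists "TLS version: TLS1.0/1.1/1.2, version negotiation" as supported, yet the verification table in the same hunk records a Failure for TLS 1.2 against IIS 8, and the NOTES section tells the reader to disable TLS 1.2 on the Windows Server 2012 R2 host. These statements do not agree: either TLS 1.2 interoperability with IIS 8 is a known issue that the scope section should list as a limitation, or the failure is understood and its cause should be stated. Recommending that operators turn off TLS 1.2 server-wide to accommodate a client that is still in staging weakens that server for every other client, so the NOTES should present this as a test-lab-only workaround and the root cause (which side's handshake is at fault) should be tracked separately. Smaller points in the same hunk: the timeline entry "Prevent the CA certificates from the runtime phase attack" and the scope bullet "prevent runtime phase attack" should say what is actually done, e.g. "the CA certificate variable cannot be modified at OS runtime"; "successfully and steadily" reads better as "successfully and reliably"; "Provided an UI configured driver" should be "Provided a UI configuration driver"; "Hotfix and code refine according community feedback" should be "Hotfixes and code refinement according to community feedback"; "detailed see below table" should be "see the table below for details"; and the Tomcat and Apache2 rows should give the server versions and host OS as the IIS row does, since TLS behaviour differs between versions.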
--
1.9.5.msysgit.1
* Re: [staging/HTTPS-TLS][PATCH] Readme.MD: Add the feature support scope
From: Fu, Siyuan @ 2016-11-25 3:58 UTC (permalink / raw)
To: Wu, Jiaxin, edk2-devel@lists.01.org
Cc: Palmer Thomas, Ye, Ting, Long, Qin, Li, Ruth, Zimmer, Vincent
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
* Re: [staging/HTTPS-TLS][PATCH] Readme.MD: Add the feature support scope
From: Ye, Ting @ 2016-11-25 7:42 UTC (permalink / raw)
To: Wu, Jiaxin, edk2-devel@lists.01.org
Cc: Palmer Thomas, Fu, Siyuan, Long, Qin, Li, Ruth, Zimmer, Vincent
Reviewed-by: Ye Ting <ting.ye@intel.com>