From: "Fu, Siyuan" <siyuan.fu@intel.com>
To: Laszlo Ersek <lersek@redhat.com>,
"Wu, Jiaxin" <jiaxin.wu@intel.com>,
"edk2-devel@ml01.01.org" <edk2-devel@ml01.01.org>
Cc: "Ye, Ting" <ting.ye@intel.com>, "Ni, Ruiyu" <ruiyu.ni@intel.com>,
"Gary Ching-Pang Lin" <glin@suse.com>
Subject: Re: [Patch 0/2] Enable the HTTP switch
Date: Thu, 12 Jan 2017 11:45:24 +0000 [thread overview]
Message-ID: <B1FF2E9001CE9041BD10B825821D5BC58A8CFF6C@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <ae5ad23f-d9e1-20d6-c8bf-b2423bc98c5d@redhat.com>
Hi, Laszlo
This PCD is introduced for security consideration, it's not to include/exclude the whole HTTP boot feature, but to allow/deny unsecured HTTP connection. So
If this PCD is true, both HTTP(http://...) and HTTPS(https://...) are allowed.
If this PCD is false, only HTTPS connection is allowed, HTTP is forbidden.
The default is false (HTTPS) only.
For you question, if the new PCD is set to false, and OVFM is built with -D HTTP_BOOT_ENABLE. All these drivers will still be included in the FD image, but only HTTPS connection could be establishment. In other words, attempt to boot from a URL like "http://server/boot.efi" will be failed.
Siyuan
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo Ersek
Sent: 2017年1月12日 18:23
To: Wu, Jiaxin <jiaxin.wu@intel.com>; edk2-devel@ml01.01.org
Cc: Ye, Ting <ting.ye@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Gary Ching-Pang Lin <glin@suse.com>
Subject: Re: [edk2] [Patch 0/2] Enable the HTTP switch
On 01/12/17 09:52, Jiaxin Wu wrote:
> If the value of PcdHttpEnable is TRUE, HTTP is enabled. Both the
> "http://" and "https://" schemes are acceptable. Otherwise, HTTP is
> disabled. The "http://" scheme will be denied.
>
> Cc: Ye Ting <ting.ye@intel.com>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
>
> Jiaxin Wu (2):
> NetworkPkg: Add PCD to enable the HTTP switch
> Nt32Pkg.dsc: Add HTTP_ENABLE flag
>
> NetworkPkg/HttpBootDxe/HttpBootClient.c | 20 +++++++-
> NetworkPkg/HttpBootDxe/HttpBootConfig.c | 81 ++++++++++++++++++++------------
> NetworkPkg/HttpBootDxe/HttpBootDxe.inf | 5 +-
> NetworkPkg/HttpBootDxe/HttpBootSupport.c | 53 ++++++++++++++++++++-
> NetworkPkg/HttpBootDxe/HttpBootSupport.h | 17 ++++++-
> NetworkPkg/HttpDxe/HttpDxe.inf | 5 +-
> NetworkPkg/HttpDxe/HttpImpl.c | 12 ++++-
> NetworkPkg/NetworkPkg.dec | 8 +++-
> Nt32Pkg/Nt32Pkg.dsc | 9 ++++
> 9 files changed, 173 insertions(+), 37 deletions(-)
>
What is the reasoning behind this change? If a platform doesn't want to support HTTP booting, it can just exclude the drivers from the build.
Put differently, what use do HttpBootDxe and HttpDxe have if the PCD is set to FALSE (which is the default)?
I'm asking because OVMF already has a HTTP_BOOT_ENABLE build flag, and it controls the inclusion of all of:
NetworkPkg/DnsDxe/DnsDxe.inf
NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
NetworkPkg/HttpDxe/HttpDxe.inf
NetworkPkg/HttpBootDxe/HttpBootDxe.inf
So what will this NetworkPkg change mean for OVMF, if OVMF is built with -D HTTP_BOOT_ENABLE?
Thanks
Laszlo
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
next prev parent reply other threads:[~2017-01-12 11:45 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-12 8:52 [Patch 0/2] Enable the HTTP switch Jiaxin Wu
2017-01-12 8:52 ` [Patch 1/2] NetworkPkg: Add PCD to enable " Jiaxin Wu
2017-01-12 8:52 ` [Patch 2/2] Nt32Pkg.dsc: Add HTTP_ENABLE flag Jiaxin Wu
2017-01-12 10:23 ` [Patch 0/2] Enable the HTTP switch Laszlo Ersek
2017-01-12 11:45 ` Fu, Siyuan [this message]
2017-01-12 16:22 ` Laszlo Ersek
2017-01-12 16:46 ` Kinney, Michael D
2017-01-12 16:52 ` Laszlo Ersek
2017-01-13 1:01 ` Wu, Jiaxin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=B1FF2E9001CE9041BD10B825821D5BC58A8CFF6C@shsmsx102.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox