public inbox for devel@edk2.groups.io
From: "Fu, Siyuan" <siyuan.fu@intel.com>
To: Laszlo Ersek <lersek@redhat.com>,
	"Wu, Jiaxin" <jiaxin.wu@intel.com>,
	"edk2-devel@ml01.01.org" <edk2-devel@ml01.01.org>
Cc: "Ye, Ting" <ting.ye@intel.com>, "Ni, Ruiyu" <ruiyu.ni@intel.com>,
	"Gary Ching-Pang Lin" <glin@suse.com>
Subject: Re: [Patch 0/2] Enable the HTTP switch
Date: Thu, 12 Jan 2017 11:45:24 +0000
Message-ID: <B1FF2E9001CE9041BD10B825821D5BC58A8CFF6C@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <ae5ad23f-d9e1-20d6-c8bf-b2423bc98c5d@redhat.com>

Hi, Laszlo

This PCD is introduced for security considerations; it is not meant to include/exclude the whole HTTP boot feature, but to allow/deny unsecured HTTP connections. So:
	If this PCD is true, both HTTP (http://...) and HTTPS (https://...) are allowed.
	If this PCD is false, only HTTPS connections are allowed; HTTP is forbidden.
The default is false (HTTPS only).

For your question: if the new PCD is set to false and OVMF is built with -D HTTP_BOOT_ENABLE, all these drivers will still be included in the FD image, but only HTTPS connections can be established. In other words, an attempt to boot from a URL like "http://server/boot.efi" will fail.

Siyuan

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo Ersek
Sent: 12 January 2017 18:23
To: Wu, Jiaxin <jiaxin.wu@intel.com>; edk2-devel@ml01.01.org
Cc: Ye, Ting <ting.ye@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Gary Ching-Pang Lin <glin@suse.com>
Subject: Re: [edk2] [Patch 0/2] Enable the HTTP switch

On 01/12/17 09:52, Jiaxin Wu wrote:
> If the value of PcdHttpEnable is TRUE, HTTP is enabled. Both the 
> "http://" and "https://" schemes are acceptable. Otherwise, HTTP is 
> disabled. The "http://" scheme will be denied.
> 
> Cc: Ye Ting <ting.ye@intel.com>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> 
> Jiaxin Wu (2):
>   NetworkPkg: Add PCD to enable the HTTP switch
>   Nt32Pkg.dsc: Add HTTP_ENABLE flag
> 
>  NetworkPkg/HttpBootDxe/HttpBootClient.c  | 20 +++++++-
>  NetworkPkg/HttpBootDxe/HttpBootConfig.c  | 81 ++++++++++++++++++++------------
>  NetworkPkg/HttpBootDxe/HttpBootDxe.inf   |  5 +-
>  NetworkPkg/HttpBootDxe/HttpBootSupport.c | 53 ++++++++++++++++++++-
>  NetworkPkg/HttpBootDxe/HttpBootSupport.h | 17 ++++++-
>  NetworkPkg/HttpDxe/HttpDxe.inf           |  5 +-
>  NetworkPkg/HttpDxe/HttpImpl.c            | 12 ++++-
>  NetworkPkg/NetworkPkg.dec                |  8 +++-
>  Nt32Pkg/Nt32Pkg.dsc                      |  9 ++++
>  9 files changed, 173 insertions(+), 37 deletions(-)
> 

What is the reasoning behind this change? If a platform doesn't want to support HTTP booting, it can just exclude the drivers from the build.

Put differently, what use do HttpBootDxe and HttpDxe have if the PCD is set to FALSE (which is the default)?

I'm asking because OVMF already has a HTTP_BOOT_ENABLE build flag, and it controls the inclusion of all of:

  NetworkPkg/DnsDxe/DnsDxe.inf
  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
  NetworkPkg/HttpDxe/HttpDxe.inf
  NetworkPkg/HttpBootDxe/HttpBootDxe.inf

So what will this NetworkPkg change mean for OVMF, if OVMF is built with -D HTTP_BOOT_ENABLE?

Thanks
Laszlo
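The scheme policy Siyuan describes (PCD true: http:// and https:// both accepted; PCD false: only https://, so "http://server/boot.efi" is refused) can be modelled in a few lines. The block below is an added illustration written for this archive page, not NetworkPkg code; the names HttpUriAllowed, GetUriScheme and SchemeIs are assumed, and the scheme comparison is case-insensitive because RFC 3986 scheme names are.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the PcdHttpEnable policy from the thread (illustration only,
   not the NetworkPkg implementation). */

typedef enum { SCHEME_NONE, SCHEME_HTTP, SCHEME_HTTPS, SCHEME_OTHER } UriScheme;

/* Case-insensitive comparison of the first Len bytes of Uri with a
   lower-case scheme name. */
static bool SchemeIs(const char *Uri, size_t Len, const char *Name)
{
  if (Len != strlen(Name)) return false;
  for (size_t i = 0; i < Len; i++) {
    if (tolower((unsigned char)Uri[i]) != (unsigned char)Name[i]) return false;
  }
  return true;
}

/* Extract the scheme (text before "://"); no separator means no scheme. */
static UriScheme GetUriScheme(const char *Uri)
{
  const char *Sep = strstr(Uri, "://");
  if (Sep == NULL) return SCHEME_NONE;
  size_t Len = (size_t)(Sep - Uri);
  if (SchemeIs(Uri, Len, "https")) return SCHEME_HTTPS;
  if (SchemeIs(Uri, Len, "http"))  return SCHEME_HTTP;
  return SCHEME_OTHER;
}

/* HTTPS is always accepted; plain HTTP only when PcdHttpEnable is TRUE.
   Anything else (no scheme, other schemes) is rejected by the boot path. */
bool HttpUriAllowed(const char *Uri, bool PcdHttpEnable)
{
  switch (GetUriScheme(Uri)) {
  case SCHEME_HTTPS: return true;
  case SCHEME_HTTP:  return PcdHttpEnable;
  default:           return false;
  }
}

int main(void)
{
  const char *Uri = "http://server/boot.efi";   /* constructed sample URI */
  printf("%s with PCD FALSE: %s\n", Uri, HttpUriAllowed(Uri, false) ? "allowed" : "denied");
  printf("%s with PCD TRUE:  %s\n", Uri, HttpUriAllowed(Uri, true)  ? "allowed" : "denied");
  return 0;
}
```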
