public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Siyuan, Fu" <siyuan.fu@intel.com>
To: Sivaraman Nainar <sivaramann@amiindia.co.in>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>,
	"Wu, Jiaxin" <jiaxin.wu@intel.com>
Cc: "Madhan B. Santharam" <madhans@ami.com>,
	"Arun Subramanian  B" <arunsubramanianb@ami.com>,
	Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>,
	Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>,
	Ramesh R. <rameshr@ami.com>
Subject: Re: HTTPS Certificate Validation During Enrollment
Date: Tue, 24 Dec 2019 07:59:41 +0000	[thread overview]
Message-ID: <B1FF2E9001CE9041BD10B825821D5BC58B919729@SHSMSX103.ccr.corp.intel.com> (raw)
In-Reply-To: <B4DE137BDB63634BAC03BD9DE765F197029AE59FEE@VENUS1.in.megatrends.com>

[-- Attachment #1: Type: text/plain, Size: 1438 bytes --]

Hi, Siva

We don’t think this is a real problem. The cert is saved as NV variable just like any other EFI variables, there are some basic checks like verify it’s a valid DER-encoded certificate before saving the certificate, and TLS config driver also provides a page to allow user to delete unused cert from system.

If someone want to fill the NV variable storage full with garbage, they can simply use SetVaraible service, not necessary to use this page.

Best Regards
Siyuan

From: Sivaraman Nainar <sivaramann@amiindia.co.in>
Sent: 2019年12月24日 13:17
To: devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>; Ramesh R. <rameshr@ami.com>
Subject: reg: HTTPS Certificate Validation During Enrollment

Hello all:

Right now the HTTPS Certificates are getting validated during TlsConfigCertificate()by HTTPDxe Driver.

But during enrollment of certificate via TLSDXE driver, it does not have any validation and it keep appending the TLSCaCert variable with the certificate provided.

Assume an invalid certificate keep loaded via TLS Auth configuration page, the NVRAM would be filled with garbage.

Is there any plan to have certificate validation during Enrollment?

-Siva

[-- Attachment #2: Type: text/html, Size: 5533 bytes --]

  reply	other threads:[~2019-12-24  7:59 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-24  5:16 reg: HTTPS Certificate Validation During Enrollment Sivaraman Nainar
2019-12-24  7:59 ` Siyuan, Fu [this message]
2019-12-27  7:26   ` Sivaraman Nainar
2019-12-27  7:46     ` Siyuan, Fu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=B1FF2E9001CE9041BD10B825821D5BC58B919729@SHSMSX103.ccr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox