From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) by mx.groups.io with SMTP id smtpd.web09.663.1577174385422455537 for ; Mon, 23 Dec 2019 23:59:45 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.115, mailfrom: siyuan.fu@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga003.jf.intel.com ([10.7.209.27]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 23 Dec 2019 23:59:45 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.69,350,1571727600"; d="scan'208,217";a="219723283" Received: from fmsmsx107.amr.corp.intel.com ([10.18.124.205]) by orsmga003.jf.intel.com with ESMTP; 23 Dec 2019 23:59:44 -0800 Received: from fmsmsx101.amr.corp.intel.com (10.18.124.199) by fmsmsx107.amr.corp.intel.com (10.18.124.205) with Microsoft SMTP Server (TLS) id 14.3.439.0; Mon, 23 Dec 2019 23:59:44 -0800 Received: from shsmsx154.ccr.corp.intel.com (10.239.6.54) by fmsmsx101.amr.corp.intel.com (10.18.124.199) with Microsoft SMTP Server (TLS) id 14.3.439.0; Mon, 23 Dec 2019 23:59:43 -0800 Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.29]) by SHSMSX154.ccr.corp.intel.com ([169.254.7.71]) with mapi id 14.03.0439.000; Tue, 24 Dec 2019 15:59:42 +0800 From: "Siyuan, Fu" To: Sivaraman Nainar , "devel@edk2.groups.io" , "Wu, Jiaxin" CC: "Madhan B. Santharam" , "Arun Subramanian B" , Arun Sura Soundara Pandian , Bhuvaneshwari M R , Ramesh R. Subject: Re: HTTPS Certificate Validation During Enrollment Thread-Topic: HTTPS Certificate Validation During Enrollment Thread-Index: AdW6GCwZGYQmImgZSdqG4TUNbkHVhgAFvg6g Date: Tue, 24 Dec 2019 07:59:41 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ctpclassification: CTP_NT x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiYmY4YmM2M2MtODg2My00ZjVjLThmNDUtYTc5YWE4MDUxNmMzIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiVlhWWTB2RytKXC9iYXE2Wis4WGQ2alZ6VEt2Snl4VjdacFJFSmlMdXNQcnFJcjQ4MDArVDY1QzNEbEhqVVhydVEifQ== dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Return-Path: siyuan.fu@intel.com Content-Language: en-US Content-Type: multipart/alternative; boundary="_000_B1FF2E9001CE9041BD10B825821D5BC58B919729SHSMSX103ccrcor_" --_000_B1FF2E9001CE9041BD10B825821D5BC58B919729SHSMSX103ccrcor_ Content-Type: text/plain; charset="gb2312" Content-Transfer-Encoding: base64 SGksIFNpdmENCg0KV2UgZG9uoa90IHRoaW5rIHRoaXMgaXMgYSByZWFsIHByb2JsZW0uIFRoZSBj ZXJ0IGlzIHNhdmVkIGFzIE5WIHZhcmlhYmxlIGp1c3QgbGlrZSBhbnkgb3RoZXIgRUZJIHZhcmlh YmxlcywgdGhlcmUgYXJlIHNvbWUgYmFzaWMgY2hlY2tzIGxpa2UgdmVyaWZ5IGl0oa9zIGEgdmFs aWQgREVSLWVuY29kZWQgY2VydGlmaWNhdGUgYmVmb3JlIHNhdmluZyB0aGUgY2VydGlmaWNhdGUs IGFuZCBUTFMgY29uZmlnIGRyaXZlciBhbHNvIHByb3ZpZGVzIGEgcGFnZSB0byBhbGxvdyB1c2Vy IHRvIGRlbGV0ZSB1bnVzZWQgY2VydCBmcm9tIHN5c3RlbS4NCg0KSWYgc29tZW9uZSB3YW50IHRv IGZpbGwgdGhlIE5WIHZhcmlhYmxlIHN0b3JhZ2UgZnVsbCB3aXRoIGdhcmJhZ2UsIHRoZXkgY2Fu IHNpbXBseSB1c2UgU2V0VmFyYWlibGUgc2VydmljZSwgbm90IG5lY2Vzc2FyeSB0byB1c2UgdGhp cyBwYWdlLg0KDQpCZXN0IFJlZ2FyZHMNClNpeXVhbg0KDQpGcm9tOiBTaXZhcmFtYW4gTmFpbmFy IDxzaXZhcmFtYW5uQGFtaWluZGlhLmNvLmluPg0KU2VudDogMjAxOcTqMTLUwjI0yNUgMTM6MTcN ClRvOiBkZXZlbEBlZGsyLmdyb3Vwcy5pbzsgV3UsIEppYXhpbiA8amlheGluLnd1QGludGVsLmNv bT47IEZ1LCBTaXl1YW4gPHNpeXVhbi5mdUBpbnRlbC5jb20+DQpDYzogTWFkaGFuIEIuIFNhbnRo YXJhbSA8bWFkaGFuc0BhbWkuY29tPjsgQXJ1biBTdWJyYW1hbmlhbiBCIDxhcnVuc3VicmFtYW5p YW5iQGFtaS5jb20+OyBBcnVuIFN1cmEgU291bmRhcmEgUGFuZGlhbiA8YXJ1bnN1cmFzQGFtaWlu ZGlhLmNvLmluPjsgQmh1dmFuZXNod2FyaSBNIFIgPGJodXZhbmVzaHdhcmltckBhbWlpbmRpYS5j by5pbj47IFJhbWVzaCBSLiA8cmFtZXNockBhbWkuY29tPg0KU3ViamVjdDogcmVnOiBIVFRQUyBD ZXJ0aWZpY2F0ZSBWYWxpZGF0aW9uIER1cmluZyBFbnJvbGxtZW50DQoNCkhlbGxvIGFsbDoNCg0K UmlnaHQgbm93IHRoZSBIVFRQUyBDZXJ0aWZpY2F0ZXMgYXJlIGdldHRpbmcgdmFsaWRhdGVkIGR1 cmluZyBUbHNDb25maWdDZXJ0aWZpY2F0ZSgpYnkgSFRUUER4ZSBEcml2ZXIuDQoNCkJ1dCBkdXJp bmcgZW5yb2xsbWVudCBvZiBjZXJ0aWZpY2F0ZSB2aWEgVExTRFhFIGRyaXZlciwgaXQgZG9lcyBu b3QgaGF2ZSBhbnkgdmFsaWRhdGlvbiBhbmQgaXQga2VlcCBhcHBlbmRpbmcgdGhlIFRMU0NhQ2Vy dCB2YXJpYWJsZSB3aXRoIHRoZSBjZXJ0aWZpY2F0ZSBwcm92aWRlZC4NCg0KQXNzdW1lIGFuIGlu dmFsaWQgY2VydGlmaWNhdGUga2VlcCBsb2FkZWQgdmlhIFRMUyBBdXRoIGNvbmZpZ3VyYXRpb24g cGFnZSwgdGhlIE5WUkFNIHdvdWxkIGJlIGZpbGxlZCB3aXRoIGdhcmJhZ2UuDQoNCklzIHRoZXJl IGFueSBwbGFuIHRvIGhhdmUgY2VydGlmaWNhdGUgdmFsaWRhdGlvbiBkdXJpbmcgRW5yb2xsbWVu dD8NCg0KLVNpdmENCg== --_000_B1FF2E9001CE9041BD10B825821D5BC58B919729SHSMSX103ccrcor_ Content-Type: text/html; charset="gb2312" Content-Transfer-Encoding: quoted-printable

Hi, Siva

 

We don=A1=AFt think this is a real problem. The cert= is saved as NV variable just like any other EFI variables, there are some = basic checks like verify it=A1=AFs a valid DER-encoded certificate before s= aving the certificate, and TLS config driver also provides a page to allow user to delete unused cert from system.=

 

If someone want to fill the NV variable storage full= with garbage, they can simply use SetVaraible service, not necessary to us= e this page.

 

Best Regards

Siyuan

 

From: Siv= araman Nainar <sivaramann@amiindia.co.in>
Sent: 2019=C4=EA12=D4=C224=C8=D5 13:17
To: devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu= , Siyuan <siyuan.fu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B = <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@= amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>= ;; Ramesh R. <rameshr@ami.com>
Subject: reg: HTTPS Certificate Validation During Enrollment

 

Hello all:

 

Right now the HTTPS Certificates are getting validat= ed during TlsConfigCertificate()by HTTPDxe Driver.

 

But during enrollment of certificate via TLSDXE driv= er, it does not have any validation and it keep appending the TLSCaCert var= iable with the certificate provided.

 

Assume an invalid certificate keep loaded via TLS Au= th configuration page, the NVRAM would be filled with garbage.

 

Is there any plan to have certificate validation dur= ing Enrollment?

 

-Siva

--_000_B1FF2E9001CE9041BD10B825821D5BC58B919729SHSMSX103ccrcor_--