From: "Siyuan, Fu" <siyuan.fu@intel.com>
To: Sivaraman Nainar <sivaramann@amiindia.co.in>; devel@edk2.groups.io; "Wu, Jiaxin" <jiaxin.wu@intel.com>
CC: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>; Ramesh R. <rameshr@ami.com>
Subject: Re: HTTPS Certificate Validation During Enrollment
Date: Fri, 27 Dec 2019 07:46:34 +0000

Yes

Best Regards

Siyuan

From: Sivaraman Nainar <sivaramann@amiindia.co.in>
Sent: 27 December 2019 15:26
To: Fu, Siyuan <siyuan.fu@intel.com>; devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>; Ramesh R. <rameshr@ami.com>
Subject: RE: HTTPS Certificate Validation During Enrollment

 

Siyuan:

I agree. The basic check we are doing here is the file extension only. Do you mean that could be enough, and TLS will take care of validating the certificate during the connection state?

-Siva

From: Fu, Siyuan [mailto:siyuan.fu@intel.com]
Sent: Tuesday, December 24, 2019 1:30 PM
To: Sivaraman Nainar; devel@edk2.groups.io; Wu, Jiaxin
Cc: Madhan B. Santharam; Arun Subramanian B; Arun Sura Soundara Pandian; Bhuvaneshwari M R; Ramesh R.
Subject: RE: HTTPS Certificate Validation During Enrollment

Hi, Siva

We don't think this is a real problem. The cert is saved as an NV variable just like any other EFI variable; there are some basic checks, like verifying it's a valid DER-encoded certificate before saving the certificate, and the TLS config driver also provides a page to allow the user to delete unused certs from the system.

If someone wants to fill the NV variable storage full with garbage, they can simply use the SetVariable service; it is not necessary to use this page.

Best Regards

Siyuan

From: Sivaraman Nainar <sivaramann@amiindia.co.in>
Sent: 24 December 2019 13:17
To: devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>; Ramesh R. <rameshr@ami.com>
Subject: reg: HTTPS Certificate Validation During Enrollment

 

Hello all:

Right now the HTTPS certificates are getting validated during TlsConfigCertificate() by the HTTPDxe driver.

But during enrollment of a certificate via the TLSDXE driver, it does not have any validation, and it keeps appending the TLSCaCert variable with the certificate provided.

Assume an invalid certificate keeps getting loaded via the TLS Auth configuration page; the NVRAM would be filled with garbage.

Is there any plan to have certificate validation during enrollment?

-Siva
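The thread turns on two defensive checks before a certificate is written to the TlsCaCert NV variable: that the blob is actually a DER-encoded X.509 certificate (the check Siyuan mentions), and that enrollment cannot grow the variable without bound (Siva's NVRAM-fill concern). The C below is an added example written for this thread; it is not edk2 code, not the TlsAuthConfigDxe or TlsDxe driver, and does not use the EFI_SIGNATURE_LIST layout the real TlsCaCert variable uses. The function names, the flat append-only store, its 32-byte capacity and the sample byte strings are all constructed for illustration. It implements a structural DER check (correct tags, minimal length encodings, no truncation, no trailing bytes) for the Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } outer shape, and a capacity-bounded append that refuses both garbage and overflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read one DER tag/length header at buf[pos] (bounded by len).
 * Rejects indefinite lengths, non-minimal length encodings and
 * contents that would run past the end of the buffer. */
static bool der_read_tl(const uint8_t *buf, size_t len, size_t pos,
                        uint8_t *tag, size_t *content_len, size_t *hdr_len)
{
    if (pos + 1 >= len) return false;          /* need a tag byte and one length byte */
    *tag = buf[pos];
    size_t p = pos + 1;
    uint8_t first = buf[p++];
    if (first < 0x80) {
        *content_len = first;                  /* short form */
    } else {
        size_t n = first & 0x7f;               /* long form: n length bytes follow */
        if (n == 0 || n > 4 || n > len - p) return false;
        size_t v = 0;
        for (size_t i = 0; i < n; i++) v = (v << 8) | buf[p++];
        if (v < 0x80 || buf[pos + 2] == 0) return false;  /* DER allows minimal encoding only */
        *content_len = v;
    }
    *hdr_len = p - pos;
    return *content_len <= len - p;            /* content must fit inside the buffer */
}

/* Structural check: exactly one DER X.509 Certificate and nothing else.
 * Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
 *                            signatureAlgorithm SEQUENCE,
 *                            signatureValue BIT STRING } */
bool looks_like_der_certificate(const uint8_t *buf, size_t len)
{
    static const uint8_t inner_tags[3] = { 0x30, 0x30, 0x03 };
    uint8_t tag;
    size_t clen, hlen;

    if (!der_read_tl(buf, len, 0, &tag, &clen, &hlen) || tag != 0x30) return false;
    if (hlen + clen != len) return false;      /* truncated, or trailing bytes appended */

    size_t pos = hlen;
    for (int i = 0; i < 3; i++) {
        if (!der_read_tl(buf, len, pos, &tag, &clen, &hlen)) return false;
        if (tag != inner_tags[i]) return false;
        pos += hlen + clen;
    }
    return pos == len;                         /* no extra elements inside the SEQUENCE */
}

typedef enum { STORE_OK = 0, STORE_BAD_CERT = 1, STORE_FULL = 2 } store_status;

/* Append a CA certificate to a fixed-capacity store (hypothetical flat layout,
 * not the EFI_SIGNATURE_LIST layout of the real variable). The cap keeps an
 * enrollment page from growing NV storage without bound. */
store_status append_ca_cert(uint8_t *store, size_t cap, size_t *used,
                            const uint8_t *cert, size_t cert_len)
{
    if (!looks_like_der_certificate(cert, cert_len)) return STORE_BAD_CERT;
    if (cert_len > cap - *used) return STORE_FULL;
    memcpy(store + *used, cert, cert_len);
    *used += cert_len;
    return STORE_OK;
}

/* Constructed sample: a syntactically valid but content-free Certificate skeleton. */
const uint8_t kSkeletonCert[] = {
    0x30, 0x0c,                   /* Certificate SEQUENCE, 12 bytes of content */
    0x30, 0x02, 0x05, 0x00,       /*   tbsCertificate: SEQUENCE { NULL } */
    0x30, 0x02, 0x05, 0x00,       /*   signatureAlgorithm: SEQUENCE { NULL } */
    0x03, 0x02, 0x00, 0x00        /*   signatureValue: BIT STRING, 0 unused bits */
};
const size_t kSkeletonCertLen = sizeof(kSkeletonCert);

/* Constructed garbage: PEM text pasted where DER bytes were expected. */
const uint8_t kPemText[] = "-----BEGIN CERTIFICATE-----";
const size_t kPemTextLen = sizeof(kPemText) - 1;

/* Constructed: the same skeleton with a non-minimal (hence non-DER) length encoding. */
const uint8_t kNonMinimalLen[] = {
    0x30, 0x82, 0x00, 0x0c,
    0x30, 0x02, 0x05, 0x00, 0x30, 0x02, 0x05, 0x00, 0x03, 0x02, 0x00, 0x00
};
const size_t kNonMinimalLenLen = sizeof(kNonMinimalLen);

int main(void)
{
    uint8_t store[32];
    size_t used = 0;
    printf("skeleton:    %d\n", append_ca_cert(store, sizeof store, &used, kSkeletonCert, kSkeletonCertLen));
    printf("pem text:    %d\n", append_ca_cert(store, sizeof store, &used, kPemText, kPemTextLen));
    printf("second copy: %d\n", append_ca_cert(store, sizeof store, &used, kSkeletonCert, kSkeletonCertLen));
    printf("third copy:  %d\n", append_ca_cert(store, sizeof store, &used, kSkeletonCert, kSkeletonCertLen));
    return 0;
}
```

The structural check is deliberately shallow: it proves the bytes parse as one certificate-shaped DER object, which is enough to keep pasted PEM text, truncated uploads and random data out of the variable, but it does not verify the signature, validity period or key usage. Those remain the job of the TLS handshake, as Siva's question about TlsConfigCertificate() implies. The capacity bound is the part that addresses the fill-the-NVRAM concern independently of how good the format check is.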
