From: Sivaraman Nainar <sivaramann@amiindia.co.in>
To: devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>; Ramesh R. <rameshr@ami.com>
Date: Tue, 24 Dec 2019 05:16:44 +0000
Subject: reg: HTTPS Certificate Validation During Enrollment

Hello all:

Right now the HTTPS certificates are getting validated during TlsConfigCertificate() by the HTTPDxe driver.

But during enrollment of a certificate via the TLSDXE driver, it does not have any validation and it keeps appending the TLSCaCert variable with the certificate provided.

Assume an invalid certificate keeps getting loaded via the TLS Auth configuration page; the NVRAM would be filled with garbage.

Is there any plan to have certificate validation during enrollment?

-Siva

From: Fu, Siyuan <siyuan.fu@intel.com>
To: Sivaraman Nainar <sivaramann@amiindia.co.in>; devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>; Ramesh R. <rameshr@ami.com>
Date: Tue, 24 Dec 2019 07:59:41 +0000
Subject: Re: HTTPS Certificate Validation During Enrollment

Hi, Siva

We don't think this is a real problem. The cert is saved as an NV variable just like any other EFI variable; there are some basic checks, like verifying it's a valid DER-encoded certificate before saving the certificate, and the TLS config driver also provides a page to allow the user to delete unused certs from the system.

If someone wants to fill the NV variable storage with garbage, they can simply use the SetVariable service; it is not necessary to use this page.

Best Regards
Siyuan

From: Sivaraman Nainar <sivaramann@amiindia.co.in>
To: Fu, Siyuan <siyuan.fu@intel.com>; devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>; Ramesh R. <rameshr@ami.com>
Date: Fri, 27 Dec 2019 07:26:28 +0000
Subject: Re: HTTPS Certificate Validation During Enrollment

Siyuan:

I agree. The basic check, whatever we are doing here, is on the file extension only. Do you mean that could be enough, and TLS will take care of validating the certificate during the connection state?

-Siva

From: Fu, Siyuan <siyuan.fu@intel.com>
To: Sivaraman Nainar <sivaramann@amiindia.co.in>; devel@edk2.groups.io; Wu, Jiaxin <jiaxin.wu@intel.com>
Cc: Madhan B. Santharam <madhans@ami.com>; Arun Subramanian B <arunsubramanianb@ami.com>; Arun Sura Soundara Pandian <arunsuras@amiindia.co.in>; Bhuvaneshwari M R <bhuvaneshwarimr@amiindia.co.in>; Ramesh R. <rameshr@ami.com>
Date: Fri, 27 Dec 2019 07:46:34 +0000
Subject: Re: HTTPS Certificate Validation During Enrollment

Yes

Best Regards
Siyuan

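Siyuan's reply describes a basic check that the blob is a valid DER-encoded certificate before it is saved to the NV variable, while Siva notes that the check in his tree is on the file extension only. The C program below is an added illustration of what such a structural check looks like; it is not code from this thread or from the edk2 TlsAuthConfigDxe/TlsDxe drivers. It reads the outer DER tag-length-value elements of an X.509 Certificate (SEQUENCE containing SEQUENCE, SEQUENCE, BIT STRING), rejects truncated buffers, trailing bytes and non-minimal lengths, and gates a hypothetical enrollment on both that and the extension check. The function names, the allowed extension list and the sample byte strings are all my own constructions; the sample certificate is a structural skeleton, not a real signed certificate.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outer shape of an X.509 Certificate (RFC 5280, section 4.1):
 *   Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
 *                              signatureAlgorithm SEQUENCE,
 *                              signatureValue BIT STRING } */
#define DER_SEQUENCE   0x30
#define DER_BIT_STRING 0x03

typedef struct { const uint8_t *data; size_t len; } DerSlice;

/* Read one tag-length-value element at buf[*pos]. Fails on a truncated header,
 * an indefinite or non-minimal length (both forbidden by DER), or a value that
 * runs past the buffer. On success *pos points just past the value. */
static bool der_read_tlv(const uint8_t *buf, size_t len, size_t *pos,
                         uint8_t *tag, DerSlice *value)
{
    if (*pos >= len) return false;
    *tag = buf[(*pos)++];
    if (*pos >= len) return false;
    uint8_t first = buf[(*pos)++];
    size_t vlen;
    if (first < 0x80) {
        vlen = first;                                  /* short form */
    } else {
        size_t nbytes = first & 0x7F;                  /* long form: nbytes of length follow */
        /* 0x80 is the indefinite form; more than 4 length bytes never occurs in a certificate */
        if (nbytes == 0 || nbytes > 4 || nbytes > len - *pos) return false;
        vlen = 0;
        for (size_t i = 0; i < nbytes; i++) vlen = (vlen << 8) | buf[(*pos)++];
        /* DER minimal encoding: no leading zero length byte, long form only when needed */
        if (buf[*pos - nbytes] == 0 || vlen < 0x80) return false;
    }
    if (vlen > len - *pos) return false;
    value->data = buf + *pos;
    value->len  = vlen;
    *pos += vlen;
    return true;
}

/* True when buf holds exactly one DER Certificate skeleton: an outer SEQUENCE
 * filling the whole buffer whose three members are SEQUENCE, SEQUENCE, BIT STRING.
 * Only structure is checked; signature, chain and validity period are still
 * verified at connection time, as the thread says. */
bool looks_like_der_certificate(const uint8_t *buf, size_t len)
{
    static const uint8_t expected[3] = { DER_SEQUENCE, DER_SEQUENCE, DER_BIT_STRING };
    size_t pos = 0, inner = 0;
    uint8_t tag;
    DerSlice cert, member;

    if (!der_read_tlv(buf, len, &pos, &tag, &cert) || tag != DER_SEQUENCE) return false;
    if (pos != len) return false;                      /* trailing bytes after the certificate */
    for (int i = 0; i < 3; i++) {
        if (!der_read_tlv(cert.data, cert.len, &inner, &tag, &member) || tag != expected[i])
            return false;
        /* signatureValue: the BIT STRING's unused-bits byte must be present and 0 */
        if (i == 2 && (member.len == 0 || member.data[0] != 0)) return false;
    }
    return inner == cert.len;                          /* exactly three members */
}

/* File-extension check of the kind Siva describes; the allowed list is an assumption. */
bool has_cert_extension(const char *name)
{
    static const char *const allowed[] = { ".cer", ".der", ".crt" };
    const char *dot = strrchr(name, '.');
    if (dot == NULL) return false;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        const char *a = allowed[i], *p = dot;
        while (*a && *p && tolower((unsigned char)*p) == *a) { a++; p++; }
        if (*a == '\0' && *p == '\0') return true;
    }
    return false;
}

/* Hypothetical gate a configuration page would run before appending the blob
 * to the CA certificate variable: both checks must pass. */
bool pre_enroll_check(const char *name, const uint8_t *buf, size_t len)
{
    return has_cert_extension(name) && looks_like_der_certificate(buf, len);
}

/* Constructed sample: a structurally valid X.509 skeleton, not a real signed certificate. */
const uint8_t SAMPLE_CERT[] = {
    0x30, 0x19,                                        /* Certificate SEQUENCE, 25 bytes        */
      0x30, 0x03, 0x02, 0x01, 0x01,                    /* tbsCertificate SEQUENCE { INTEGER 1 } */
      0x30, 0x0D,                                      /* signatureAlgorithm SEQUENCE {         */
        0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, /* sha256WithRSAEncryption */
        0x05, 0x00,                                    /*   NULL }                              */
      0x03, 0x03, 0x00, 0xAA, 0xBB                     /* signatureValue BIT STRING             */
};
const size_t SAMPLE_CERT_LEN = sizeof SAMPLE_CERT;
/* Constructed negative samples: PEM text saved under a .cer name, and a non-minimal length. */
const uint8_t PEM_TEXT[] = "-----BEGIN CERTIFICATE-----\n";
const uint8_t NONMINIMAL_LEN[] = { 0x30, 0x81, 0x03, 0x02, 0x01, 0x01 };

int main(void)
{
    printf("ca.der, valid skeleton     : %d\n", pre_enroll_check("ca.der", SAMPLE_CERT, SAMPLE_CERT_LEN));
    printf("ca.der, truncated by 1 byte: %d\n", pre_enroll_check("ca.der", SAMPLE_CERT, SAMPLE_CERT_LEN - 1));
    printf("ca.cer, PEM text inside    : %d\n", pre_enroll_check("ca.cer", PEM_TEXT, sizeof PEM_TEXT - 1));
    printf("ca.txt, valid skeleton     : %d\n", pre_enroll_check("ca.txt", SAMPLE_CERT, SAMPLE_CERT_LEN));
    printf("non-minimal DER length     : %d\n", looks_like_der_certificate(NONMINIMAL_LEN, sizeof NONMINIMAL_LEN));
    return 0;
}
```

The structural check closes the path Siva worries about (garbage accumulating in the variable through the configuration page), but only that path: as Siyuan points out, anything with access to SetVariable can still write arbitrary data, so the check is a usability and storage-hygiene measure, not a trust boundary. Trust is established when TlsConfigCertificate() loads the variable and the TLS handshake validates the chain.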