From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.100; helo=mga07.intel.com; envelope-from=qin.long@intel.com; receiver=edk2-devel@lists.01.org Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 04CF3226EAC60 for ; Wed, 11 Apr 2018 23:32:58 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga002.jf.intel.com ([10.7.209.21]) by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 11 Apr 2018 23:32:58 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.48,440,1517904000"; d="scan'208";a="50146560" Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203]) by orsmga002.jf.intel.com with ESMTP; 11 Apr 2018 23:32:57 -0700 Received: from fmsmsx154.amr.corp.intel.com (10.18.116.70) by FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 11 Apr 2018 23:32:57 -0700 Received: from shsmsx152.ccr.corp.intel.com (10.239.6.52) by FMSMSX154.amr.corp.intel.com (10.18.116.70) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 11 Apr 2018 23:32:57 -0700 Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.151]) by SHSMSX152.ccr.corp.intel.com ([169.254.6.197]) with mapi id 14.03.0319.002; Thu, 12 Apr 2018 14:32:55 +0800 From: "Long, Qin" To: Laszlo Ersek , "edk2-devel@lists.01.org" CC: Ard Biesheuvel , Gary Ching-Pang Lin , "Wu, Jiaxin" , "Justen, Jordan L" , "Gao, Liming" , "Kinney, Michael D" , "Fu, Siyuan" , "Ye, Ting" Thread-Topic: [PATCH v2 0/9] {Ovmf,Mde,Network,Crypto}Pkg: fixes+features for setting HTTPS cipher suites Thread-Index: AQHT0YHasQaBOzHCP0yeTkW5N4UCaaP8rNvA Date: Thu, 12 Apr 2018 06:32:54 +0000 Message-ID: References: <20180411104247.3758-1-lersek@redhat.com> In-Reply-To: <20180411104247.3758-1-lersek@redhat.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH v2 0/9] {Ovmf, Mde, Network, Crypto}Pkg: fixes+features for setting HTTPS cipher suites X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Apr 2018 06:32:59 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi, Laszlo, The updated patch series looks good to me. Reviewed-by: Long Qin Best Regards & Thanks, LONG, Qin -----Original Message----- From: Laszlo Ersek [mailto:lersek@redhat.com]=20 Sent: Wednesday, April 11, 2018 6:43 PM To: edk2-devel@lists.01.org Cc: Ard Biesheuvel ; Gary Ching-Pang Lin ; Wu, Jiaxin ; Justen, Jordan L ; Gao, Liming ; Kinney, Michael D ; Long, Qin ; Fu, Siyuan ; Ye, Ting Subject: [PATCH v2 0/9] {Ovmf,Mde,Network,Crypto}Pkg: fixes+features for se= tting HTTPS cipher suites Repo: https://github.com/lersek/edk2.git Branch: tls_ciphers_v2 This is version 2 of the series posted earlier at http://mid.mail-archive.com/20180403145149.8925-1-lersek@redhat.com https://lists.01.org/pipermail/edk2-devel/2018-April/023402.html Changes are noted per patch. One important change cannot be highlighted tha= t way however, because it involves the dropping of the following two patche= s from v1: [edk2] [PATCH 08/13] CryptoPkg/TlsLib: add the "TlsMappingTable.sh" POSIX shell script [edk2] [PATCH 09/13] CryptoPkg/TlsLib: extend "TlsCipherMappingTable" I retested HTTPS boot with this series; it succeeded. The TLS cipher suite = preference list came from the system-wide configuration on my RHEL-7 laptop; basically the binary CipherId array from the command "openss= l ciphers -V". The relevant lines from the OVMF log were: > TlsAuthConfigDxe:SetCipherSuites: stored list of cipher suites (190=20 > byte(s)) [...] > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC030 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC02C > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC028 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC024 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC014 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC00A > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x00A5 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x00A3 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x00A1 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x009F > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x006A > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0038 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0088 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0087 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0086 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0085 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC032 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC02E > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC02A > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC026 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC00F > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC005 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x009D > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0084 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x008D > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC02F > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC02B > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC027 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC023 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC013 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC009 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x00A4 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x00A2 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x00A0 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x009E > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0040 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0032 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x009A > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0099 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0098 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0097 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0045 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0044 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0043 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0042 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC031 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC02D > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC029 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC025 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC00E > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC004 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x009C > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0096 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0041 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x008C > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC012 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC008 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0013 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0010 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x000D > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC00D > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC003 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0007 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x008B > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0021 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x001F > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0025 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0023 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC011 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC007 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC00C > TlsDxe:TlsSetCipherList: skipping CipherId=3D0xC002 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x008A > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0020 > TlsDxe:TlsSetCipherList: skipping CipherId=3D0x0024 > TlsDxe:TlsSetCipherList: CipherString=3D{ > DHE-RSA-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RS > A-AES256- > SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:AES256-SHA256:AES256-SHA:DHE-R > SA-AES128=20 > -SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:D > H-RSA-AES=20 > 128-SHA:DH-DSS-AES128-SHA:AES128-SHA256:AES128-SHA:DHE-RSA-DES-CBC3-SH > A:DES-CBC > 3-SHA:RC4-SHA:RC4-MD5 > } Cc: Ard Biesheuvel Cc: Gary Ching-Pang Lin Cc: Jiaxin Wu Cc: Jordan Justen Cc: Liming Gao Cc: Michael D Kinney Cc: Qin Long Cc: Siyuan Fu Cc: Ting Ye Thanks, Laszlo Laszlo Ersek (9): OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList NetworkPkg/TlsDxe: clean up byte order conversion for EfiTlsCipherList CryptoPkg/TlsLib: replace TlsGetCipherString() with TlsGetCipherMapping() CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping() function CryptoPkg/TlsLib: pre-compute OpensslCipherLength in TlsCipherMappingTable CryptoPkg/TlsLib: sanitize lib classes in internal header and INF CryptoPkg/TlsLib: rewrite TlsSetCipherList() CryptoPkg/Include/Library/TlsLib.h | 9 +- CryptoPkg/Library/TlsLib/InternalTlsLib.h | 4 + CryptoPkg/Library/TlsLib/TlsConfig.c | 279 ++++++++++++++= +----- CryptoPkg/Library/TlsLib/TlsLib.inf | 9 +- MdePkg/Include/Protocol/Tls.h | 10 + NetworkPkg/TlsDxe/TlsProtocol.c | 17 +- OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c | 98 +++++++ OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf | 3 +- 8 files changed, 353 insertions(+), 76 deletions(-) -- 2.14.1.3.gb7cf6e02401b