From: Sivaraman Nainar <sivaramann@ami.com>
To: devel@edk2.groups.io, rafaelrodrigues.machado@gmail.com
Subject: Re: [edk2-devel] How to restrict HTTPS boot to a single address
Date: Sun, 28 Aug 2022 11:25:44 +0000

Hello Rafael.

HttpBootCheckUriScheme() in HttpBootDxe\HttpBootSupport.c should be the right place to filter the URI.

Please give it a try.

-Siva

From: devel@edk2.groups.io On Behalf Of Rafael Machado via groups.io
Sent: Friday, August 26, 2022 7:46 PM
To: devel@edk2.groups.io
Subject: [EXTERNAL] [edk2-devel] How to restrict HTTPS boot to a single address

Hello everyone.

Quick question for those who understand the HTTPBoot architecture in the edk2 tree better.

Suppose I have to restrict HTTPS boot to accept only the download of images from a specific URL.

For example, instead of allowing the download of images from any address with a valid CA certificate, I would like to restrict HTTPSBoot to allow only downloads from some specific domain I have.

Probably filtering some information, CN or something like that, from the URL certificate.

What is the best way to do that?

In which driver/library should this logic be added?

Thanks
Rafael
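The reply points at HttpBootCheckUriScheme() as the place to filter the boot URI but does not show what such a filter looks like. The following is an added example written for this page; it is not code from the thread or from edk2. It is plain C so it builds outside the edk2 tree; in the driver the same logic would run on the URI string at the point Siva names, before any connection is opened, and would more naturally use the DxeHttpLib URL parser (HttpParseUrl/HttpUrlGetHostName) instead of the hand-rolled parser here. The allowlist hosts are constructed for the example. The check parses the authority rather than substring-matching the raw URL, so `https://boot.example.com.evil.test/...` and the userinfo trick `https://boot.example.com@evil.test/...` are both rejected, and it requires the https scheme. It filters the URI host only; it does not look at the server certificate, so it complements the existing CA-based verification rather than replacing it.

```c
/*
 * Added example (not edk2 code): host allowlist for an HTTPS boot URI.
 * Assumed: this runs on the boot URI string before the HTTP connection
 * is made, in the spot the thread points at (HttpBootCheckUriScheme).
 */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hosts an image may be fetched from. Constructed sample, not from the thread. */
static const char *const kAllowedHosts[] = {
    "boot.example.com",
    "boot-mirror.example.com",
};

/* Parse the host out of an absolute https:// URI into out, lower-cased.
 * Handles userinfo (user:pw@), an explicit port (:8443) and bracketed IPv6
 * literals. Returns false if the scheme is not https or there is no host. */
bool boot_uri_host(const char *uri, char *out, size_t out_len)
{
    static const char scheme[] = "https://";
    const char *p, *end, *q;
    size_t i, n = 0;

    if (uri == NULL || out == NULL || out_len == 0) return false;

    /* Case-insensitive scheme match; stops at the first mismatch (incl. NUL). */
    for (i = 0; i < sizeof(scheme) - 1; i++) {
        if (tolower((unsigned char)uri[i]) != scheme[i]) return false;
    }
    p = uri + (sizeof(scheme) - 1);

    /* The authority ends at the first '/', '?' or '#'. */
    end = p + strcspn(p, "/?#");

    /* Drop userinfo: everything up to the last '@' inside the authority. */
    for (q = end; q > p; q--) {
        if (q[-1] == '@') { p = q; break; }
    }
    if (p == end) return false;

    if (*p == '[') {
        /* IPv6 literal: host is what sits between the brackets. */
        const char *close = memchr(p, ']', (size_t)(end - p));
        if (close == NULL) return false;
        p++;
        end = close;
    } else {
        /* Strip an explicit :port. */
        const char *colon = memchr(p, ':', (size_t)(end - p));
        if (colon != NULL) end = colon;
    }
    if (p == end) return false;

    for (; p < end; p++) {
        if (n + 1 >= out_len) return false;   /* host longer than the buffer */
        out[n++] = (char)tolower((unsigned char)*p);
    }
    out[n] = '\0';
    return true;
}

/* True only if the URI is https and its host is exactly on the allowlist. */
bool boot_uri_allowed(const char *uri)
{
    char host[256];
    size_t i;

    if (!boot_uri_host(uri, host, sizeof host)) return false;
    for (i = 0; i < sizeof(kAllowedHosts) / sizeof(kAllowedHosts[0]); i++) {
        if (strcmp(host, kAllowedHosts[i]) == 0) return true;
    }
    return false;
}

/* Helper for checking what the parser extracted. */
bool boot_uri_host_is(const char *uri, const char *expect)
{
    char host[256];
    return boot_uri_host(uri, host, sizeof host) && strcmp(host, expect) == 0;
}

int main(void)
{
    const char *samples[] = {                 /* constructed inputs */
        "https://boot.example.com/ipxe.efi",
        "https://boot.example.com.evil.test/ipxe.efi",
        "https://boot.example.com@evil.test/ipxe.efi",
        "http://boot.example.com/ipxe.efi",
    };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-48s %s\n", samples[i], boot_uri_allowed(samples[i]) ? "allow" : "deny");
    }
    return 0;
}
```

The comparison is an exact match on the normalised host, deliberately without wildcard or suffix matching: a suffix rule such as "ends with example.com" is exactly what the `boot.example.com.evil.test` case defeats.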