public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* How to restrict HTTPS boot to a single address
@ 2022-08-26 14:15 Rafael Machado
  2022-08-26 16:02 ` [edk2-devel] " Andrew Fish
  2022-08-28 11:25 ` Sivaraman Nainar
  0 siblings, 2 replies; 4+ messages in thread
From: Rafael Machado @ 2022-08-26 14:15 UTC (permalink / raw)
  To: devel

[-- Attachment #1: Type: text/plain, Size: 595 bytes --]

Hello everyone.

Quick question for the ones that understand better the HTTPBoot
architecture at the edk2 structure.

Suppose I have to restrict HTTPS boot to accept only the download of images
from a specific url.
For example, instead of allowing the download of images from any valid CA
certificate address, I would like to restrict HTTPSBoot to allow only
downloads from some specific domain I have.

Probably filtering some information, CN or something like that, from the
url certificate.

What is the best way to do that?
In which driver/library should this logic be added?

Thanks
Rafael

[-- Attachment #2: Type: text/html, Size: 767 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [edk2-devel] How to restrict HTTPS boot to a single address
  2022-08-26 14:15 How to restrict HTTPS boot to a single address Rafael Machado
@ 2022-08-26 16:02 ` Andrew Fish
  2022-08-28 11:25 ` Sivaraman Nainar
  1 sibling, 0 replies; 4+ messages in thread
From: Andrew Fish @ 2022-08-26 16:02 UTC (permalink / raw)
  To: edk2-devel-groups-io, rafaelrodrigues.machado

[-- Attachment #1: Type: text/plain, Size: 1035 bytes --]

Rafael,

I’m not sure this matches exactly what you are looking for, but the OVMF (Virtual Machine) has some configuration options around HTTPS boot [1]. That might be a good place to start. 

[1] https://github.com/tianocore/edk2/blob/master/OvmfPkg/README#L232

Thanks,

Andrew Fish

> On Aug 26, 2022, at 7:15 AM, Rafael Machado <rafaelrodrigues.machado@gmail.com> wrote:
> 
> Hello everyone.
> 
> Quick question for the ones that understand better the HTTPBoot architecture at the edk2 structure.
> 
> Suppose I have to restrict HTTPS boot to accept only the download of images from a specific url.
> For example, instead of allowing the download of images from any valid CA certificate address, I would like to restrict HTTPSBoot to allow only downloads from some specific domain I have.
> 
> Probably filtering some information, CN or something like that, from the url certificate.
> 
> What is the best way to do that?
> In which driver/library should this logic be added?
> 
> Thanks
> Rafael
> 


[-- Attachment #2: Type: text/html, Size: 1661 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [edk2-devel] How to restrict HTTPS boot to a single address
  2022-08-26 14:15 How to restrict HTTPS boot to a single address Rafael Machado
  2022-08-26 16:02 ` [edk2-devel] " Andrew Fish
@ 2022-08-28 11:25 ` Sivaraman Nainar
  2022-08-29 13:21   ` Rafael Machado
  1 sibling, 1 reply; 4+ messages in thread
From: Sivaraman Nainar @ 2022-08-28 11:25 UTC (permalink / raw)
  To: devel@edk2.groups.io, rafaelrodrigues.machado@gmail.com

[-- Attachment #1: Type: text/plain, Size: 1684 bytes --]

Hello Rafael.

HttpBootCheckUriScheme() in HttpBootDxe\HttpBootSupport.c should be the right place to filter the URI.

Please give a try.

-Siva
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Rafael Machado via groups.io
Sent: Friday, August 26, 2022 7:46 PM
To: devel@edk2.groups.io
Subject: [EXTERNAL] [edk2-devel] How to restrict HTTPS boot to a single address


**CAUTION: The e-mail below is from an external source. Please exercise caution before opening attachments, clicking links, or following guidance.**
Hello everyone.

Quick question for the ones that understand better the HTTPBoot architecture at the edk2 structure.

Suppose I have to restrict HTTPS boot to accept only the download of images from a specific url.
For example, instead of allowing the download of images from any valid CA certificate address, I would like to restrict HTTPSBoot to allow only downloads from some specific domain I have.

Probably filtering some information, CN or something like that, from the url certificate.

What is the best way to do that?
In which driver/library should this logic be added?

Thanks
Rafael

-The information contained in this message may be confidential and proprietary to American Megatrends (AMI). This communication is intended to be read only by the individual or entity to whom it is addressed or by their designee. If the reader of this message is not the intended recipient, you are on notice that any distribution of this message, in any form, is strictly prohibited. Please promptly notify the sender by reply e-mail or by telephone at 770-246-8600, and then delete or destroy all copies of the transmission.

[-- Attachment #2: Type: text/html, Size: 5077 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [edk2-devel] How to restrict HTTPS boot to a single address
  2022-08-28 11:25 ` Sivaraman Nainar
@ 2022-08-29 13:21   ` Rafael Machado
  0 siblings, 0 replies; 4+ messages in thread
From: Rafael Machado @ 2022-08-29 13:21 UTC (permalink / raw)
  To: Sivaraman Nainar; +Cc: devel@edk2.groups.io

[-- Attachment #1: Type: text/plain, Size: 2075 bytes --]

Thanks Andrew / Sivaraman for the guidance.
Definitely good places for me to start.

Thanks
Rafael


Em dom., 28 de ago. de 2022 às 08:25, Sivaraman Nainar <sivaramann@ami.com>
escreveu:

> Hello Rafael.
>
>
>
> HttpBootCheckUriScheme() in HttpBootDxe\HttpBootSupport.c should be the
> right place to filter the URI.
>
>
>
> Please give a try.
>
>
>
> -Siva
>
> *From:* devel@edk2.groups.io <devel@edk2.groups.io> * On Behalf Of *Rafael
> Machado via groups.io
> *Sent:* Friday, August 26, 2022 7:46 PM
> *To:* devel@edk2.groups.io
> *Subject:* [EXTERNAL] [edk2-devel] How to restrict HTTPS boot to a single
> address
>
>
>
>
>
> ***CAUTION:* The e-mail below is from an external source. Please exercise
> caution before opening attachments, clicking links, or following
> guidance.**
>
> Hello everyone.
>
>
>
> Quick question for the ones that understand better the HTTPBoot
> architecture at the edk2 structure.
>
>
>
> Suppose I have to restrict HTTPS boot to accept only the download of
> images from a specific url.
>
> For example, instead of allowing the download of images from any valid CA
> certificate address, I would like to restrict HTTPSBoot to allow only
> downloads from some specific domain I have.
>
>
>
> Probably filtering some information, CN or something like that, from the
> url certificate.
>
>
>
> What is the best way to do that?
>
> In which driver/library should this logic be added?
>
>
>
> Thanks
>
> Rafael
>
> 
> -The information contained in this message may be confidential and
> proprietary to American Megatrends (AMI). This communication is intended to
> be read only by the individual or entity to whom it is addressed or by
> their designee. If the reader of this message is not the intended
> recipient, you are on notice that any distribution of this message, in any
> form, is strictly prohibited. Please promptly notify the sender by reply
> e-mail or by telephone at 770-246-8600, and then delete or destroy all
> copies of the transmission.
>

[-- Attachment #2: Type: text/html, Size: 4305 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2022-08-29 13:21 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-08-26 14:15 How to restrict HTTPS boot to a single address Rafael Machado
2022-08-26 16:02 ` [edk2-devel] " Andrew Fish
2022-08-28 11:25 ` Sivaraman Nainar
2022-08-29 13:21   ` Rafael Machado

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox