From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Liu, Zhiguang" <zhiguang.liu@intel.com>,
"Huang, Matthew (HPS SW)" <chao-jui.huang@hpe.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Wei, Kent (HPS SW)" <kent.wei@hpe.com>,
"Lin, Derek (HPS SW)" <derek.lin2@hpe.com>,
"Wang, Nickle (HPS SW)" <nickle.wang@hpe.com>,
"Wang, Sunny (HPS SW)" <sunnywang@hpe.com>,
"vladimir.olovyannikov@broadcom.com"
<vladimir.olovyannikov@broadcom.com>,
Liming Gao <gaoliming@byosoft.com.cn>,
"Kinney, Michael D" <michael.d.kinney@intel.com>,
"Wang, Jian J" <jian.j.wang@intel.com>
Subject: Re: [edk2-devel] Propose on enabling TLSv1.3
Date: Mon, 7 Sep 2020 05:29:26 +0000 [thread overview]
Message-ID: <CY4PR11MB12888C237A3FF903272DFF6C8C280@CY4PR11MB1288.namprd11.prod.outlook.com> (raw)
In-Reply-To: <CY4PR11MB1687110352B836E98BBEA12F90280@CY4PR11MB1687.namprd11.prod.outlook.com>
[-- Attachment #1: Type: text/plain, Size: 9126 bytes --]
adding a nasm file to implement allmul fuction in CryptoPkg\Library\IntrinsicLib\Ia32\
Acked-by: Jiewen Yao <Jiewen.yao@intel.com>
From: Liu, Zhiguang <zhiguang.liu@intel.com>
Sent: Monday, September 7, 2020 10:37 AM
To: Huang, Matthew (HPS SW) <chao-jui.huang@hpe.com>; devel@edk2.groups.io
Cc: Wei, Kent (HPS SW) <kent.wei@hpe.com>; Lin, Derek (HPS SW) <derek.lin2@hpe.com>; Wang, Nickle (HPS SW) <nickle.wang@hpe.com>; Wang, Sunny (HPS SW) <sunnywang@hpe.com>; vladimir.olovyannikov@broadcom.com; Liming Gao <gaoliming@byosoft.com.cn>; Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>
Subject: RE: [edk2-devel] Propose on enabling TLSv1.3
Hi Matthew,
When compiling in IA32 architecture using VS2017, build error happens:
OpensslLib.lib(curve25519.obj) : error LNK2001: unresolved external symbol __allmul
I think this is because there is multiplication of int64 in curve25519, which is a new added algorithm for tls 1.3.
I suggest adding a nasm file to implement allmul fuction in CryptoPkg\Library\IntrinsicLib\Ia32\
Including CryptoPkg and MdePkg maintainers to give more comments.
Thanks
Zhiguang
From: Liu, Zhiguang
Sent: Friday, September 4, 2020 10:32 AM
To: Huang, Matthew (HPS SW) <chao-jui.huang@hpe.com<mailto:chao-jui.huang@hpe.com>>; devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Wei, Kent (HPS SW) <kent.wei@hpe.com<mailto:kent.wei@hpe.com>>; Lin, Derek (HPS SW) <derek.lin2@hpe.com<mailto:derek.lin2@hpe.com>>; Wang, Nickle (HPS SW) <nickle.wang@hpe.com<mailto:nickle.wang@hpe.com>>; Wang, Sunny (HPS SW) <sunnywang@hpe.com<mailto:sunnywang@hpe.com>>; vladimir.olovyannikov@broadcom.com<mailto:vladimir.olovyannikov@broadcom.com>
Subject: RE: [edk2-devel] Propose on enabling TLSv1.3
Hi Matthew,
Thanks for your patience. I have established a test environment these days.
With your tls 1.3 patch and Vladimir’s patch about http shell command, ovmf can download a html file from a https server that only allows tls 1.3.
This test proves that the basic functionality is good.
However, I still need time to investigate the impact to security, image size and other aspects.
I will let you know if any progress from my side.
Thanks for your contribution 😊
Thanks
Zhiguang
From: Huang, Matthew (HPS SW) <chao-jui.huang@hpe.com<mailto:chao-jui.huang@hpe.com>>
Sent: Thursday, August 20, 2020 7:16 AM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Huang, Matthew (HPS SW) <chao-jui.huang@hpe.com<mailto:chao-jui.huang@hpe.com>>; Liu, Zhiguang <zhiguang.liu@intel.com<mailto:zhiguang.liu@intel.com>>
Cc: Wei, Kent (HPS SW) <kent.wei@hpe.com<mailto:kent.wei@hpe.com>>; Lin, Derek (HPS SW) <derek.lin2@hpe.com<mailto:derek.lin2@hpe.com>>; Wang, Nickle (HPS SW) <nickle.wang@hpe.com<mailto:nickle.wang@hpe.com>>; Wang, Sunny (HPS SW) <sunnywang@hpe.com<mailto:sunnywang@hpe.com>>
Subject: 回覆: [edk2-devel] Propose on enabling TLSv1.3
Hi Zhiguang:
Any comments on these patches?
Matthew.
寄件者: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> 代理 Huang, Matthew (HPS SW)
寄件日期: Wednesday, August 12, 2020 7:13 PM
收件者: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Huang, Matthew (HPS SW) <chao-jui.huang@hpe.com<mailto:chao-jui.huang@hpe.com>>; zhiguang.liu@intel.com<mailto:zhiguang.liu@intel.com>
副本: Wei, Kent (HPS SW) <kent.wei@hpe.com<mailto:kent.wei@hpe.com>>; Lin, Derek (HPS SW) <derek.lin2@hpe.com<mailto:derek.lin2@hpe.com>>; Wang, Nickle (HPS SW) <nickle.wang@hpe.com<mailto:nickle.wang@hpe.com>>; Wang, Sunny (HPS SW) <sunnywang@hpe.com<mailto:sunnywang@hpe.com>>
主旨: 回覆: [edk2-devel] Propose on enabling TLSv1.3
Hi Zhiguang:
Please refer to the attached ‘tlsv13.patch’ based on tianocore/edk2@be01087e07.
As I mentioned, ‘process_files.pl’ is processed with ActivePerl 5.28 Build 0000 (64-bit) and MSYS2 MinGW 64-bit, log is attached as ‘process_openssl.txt’.
The problems are still the same, current OpenSSL has two problems:
1. It will not ignore disabled TLSv1.3 cipher suites, which results in all the TLSv1.3 cipher suites defined in TlsCipherMappingTable will be published no matter what the actual value is in gEdkiiHttpTlsCipherListGuid.HttpTlsCipherList.
2. SSL_set_ciphersuites cannot handle non-TLSv1.3 ciphers, which results in the function fails to set any ciphersuite if there are TLSv1.2 ciphers in the ‘CipherString’ argument.
They are minor ones, but would’ve caused the whole flow acts weird. Those two problems are more or less solved or discussed in the OpenSSL scene, but not included in EDK2 yet. If anyone wants to test TLSv1.3, attachment ‘openssl.patch’ is suggested to be applied for a more reasonable outcome.
Regards,
Matthew.
寄件者: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> 代理 Huang, Matthew (HPS SW)
寄件日期: Monday, August 10, 2020 12:26 PM
收件者: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; zhiguang.liu@intel.com<mailto:zhiguang.liu@intel.com>
副本: Wei, Kent (HPS SW) <kent.wei@hpe.com<mailto:kent.wei@hpe.com>>; Lin, Derek (HPS SW) <derek.lin2@hpe.com<mailto:derek.lin2@hpe.com>>; Wang, Nickle (HPS SW) <nickle.wang@hpe.com<mailto:nickle.wang@hpe.com>>; Wang, Sunny (HPS SW) <sunnywang@hpe.com<mailto:sunnywang@hpe.com>>
主旨: Re: [edk2-devel] Propose on enabling TLSv1.3
Hi Zhiguang:
Sure, I love to. But I’m new to the scene, please give me some time to figure out how to share the snippet properly, thanks.
Regards,
Matthew.
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Zhiguang Liu
Sent: Monday, August 10, 2020 11:00 AM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; Huang, Matthew (HPS SW) <chao-jui.huang@hpe.com<mailto:chao-jui.huang@hpe.com>>
Cc: Wei, Kent (HPS SW) <kent.wei@hpe.com<mailto:kent.wei@hpe.com>>; Lin, Derek (HPS SW) <derek.lin2@hpe.com<mailto:derek.lin2@hpe.com>>; Wang, Nickle (HPS SW) <nickle.wang@hpe.com<mailto:nickle.wang@hpe.com>>; Wang, Sunny (HPS SW) <sunnywang@hpe.com<mailto:sunnywang@hpe.com>>
Subject: Re: [edk2-devel] Propose on enabling TLSv1.3
Hi Matthew,
Can you share the code about implementing tls 1.3 to the community?
We can discuss the problems according to the code.
Thanks
Zhiguang
From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Huang, Matthew (HPS SW)
Sent: Monday, August 3, 2020 1:55 PM
To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
Cc: Wei, Kent (HPS SW) <kent.wei@hpe.com<mailto:kent.wei@hpe.com>>; Lin, Derek (HPS SW) <derek.lin2@hpe.com<mailto:derek.lin2@hpe.com>>; Wang, Nickle (HPS SW) <nickle.wang@hpe.com<mailto:nickle.wang@hpe.com>>; Wang, Sunny (HPS SW) <sunnywang@hpe.com<mailto:sunnywang@hpe.com>>
Subject: [edk2-devel] Propose on enabling TLSv1.3
Hi:
It’s Matthew from HPE UEFI team. There is no TLSv1.3 support under current EDK2 releases, and I’m working on enabling TLSv1.3 under UEFI and the result looks promising. OpenSSL have already made RFC8446 happens in late 2018, the submodule we’re having on the master branch is more than enough to make the whole thing work.
There are several problems needed to be addressed:'
1. OpenSslLib needs a reconfiguration with “no-ec” option on in process_files.pl, and no off the shelf Perl built with native Windows command prompt could’ve processed the file correctly. But I’ve managed to remove the blockage using Perl MSYS2 build under Windows without any error. Since this is only a one-timer, I don’t think that would’ve caused too much of a trouble. The produced opensslconf.h seems correct, and this is all we need.
2. There are some policies issues caused by OpenSSL, OpenSSL explicitly describes that SSL_set_cipher_list is for TLS version 1.2 and lower, SSL_set_ciphersuites is for TLSv1.3, but these function are tangled to each other and the behavior is not equally fair. In current revision EDK2 included in the OpenSSL submodule, SSL_set_cipher_list can parse v1.3 cipher suites but will not apply them, meanwhile SSL_set_ciphersuites cannot support any cipher lower than v1.3. This will cause a problem that when user applies auto versioning, TLSv1.3 will not be applied even if v1.3 is enabled except setting an empty list using SSL_set_cipher_list.
3. Apart from point 2., SSL_set_ciphersuites in current revision EDK2 included in the OpenSSL submodule, cannot exclude ciphersuites that user disabled, so every cipher suites will be in the list for server to
But I browsed all OpenSSL github PRs or merge-pending patches, both point 2 and 3 have somewhat one or more solutions going on, I’ve applied them for testing and the result is fairly satisfying.
If there’s a chance we discuss this in code? It will be easier this way, I have a working patch we can start with, thanks.
Regards,
Matthew
[-- Attachment #2: Type: text/html, Size: 29866 bytes --]
next prev parent reply other threads:[~2020-09-07 5:29 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-03 5:54 Propose on enabling TLSv1.3 Huang, Matthew (HPS SW)
2020-08-03 22:06 ` Michael D Kinney
2020-08-10 2:59 ` Zhiguang Liu
2020-08-10 4:26 ` [edk2-devel] " Huang, Matthew (HPS SW)
2020-11-19 17:09 ` Matthew Carlson
[not found] ` <1629CD946C53C473.23035@groups.io>
2020-08-12 11:12 ` 回覆: " Huang, Matthew (HPS SW)
[not found] ` <162A80E91C03CB2F.12108@groups.io>
2020-08-19 23:16 ` Huang, Matthew (HPS SW)
2020-08-20 0:50 ` Zhiguang Liu
2020-09-04 2:32 ` Zhiguang Liu
2020-09-07 2:37 ` Zhiguang Liu
2020-09-07 5:29 ` Yao, Jiewen [this message]
2020-09-07 5:39 ` Huang, Matthew (HPS SW)
2020-11-19 2:07 ` Zhiguang Liu
2020-11-19 9:34 ` Laszlo Ersek
2020-11-25 5:12 ` Huang, Matthew (HPS SW)
2020-11-25 7:27 ` Zhiguang Liu
2020-12-03 0:24 ` Huang, Matthew (HPS SW)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CY4PR11MB12888C237A3FF903272DFF6C8C280@CY4PR11MB1288.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox