[Patch 0/2] Enable the HTTP switch

[Patch 0/2] Enable the HTTP switch

[Jiaxin Wu]

If the value of PcdHttpEnable is TRUE, HTTP is enabled. Both the
"http://" and "https://" schemes are acceptable. Otherwise, HTTP
is disabled. The "http://" scheme will be denied.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>

Jiaxin Wu (2):
  NetworkPkg: Add PCD to enable the HTTP switch
  Nt32Pkg.dsc: Add HTTP_ENABLE flag

 NetworkPkg/HttpBootDxe/HttpBootClient.c  | 20 +++++++-
 NetworkPkg/HttpBootDxe/HttpBootConfig.c  | 81 ++++++++++++++++++++------------
 NetworkPkg/HttpBootDxe/HttpBootDxe.inf   |  5 +-
 NetworkPkg/HttpBootDxe/HttpBootSupport.c | 53 ++++++++++++++++++++-
 NetworkPkg/HttpBootDxe/HttpBootSupport.h | 17 ++++++-
 NetworkPkg/HttpDxe/HttpDxe.inf           |  5 +-
 NetworkPkg/HttpDxe/HttpImpl.c            | 12 ++++-
 NetworkPkg/NetworkPkg.dec                |  8 +++-
 Nt32Pkg/Nt32Pkg.dsc                      |  9 ++++
 9 files changed, 173 insertions(+), 37 deletions(-)

-- 
1.9.5.msysgit.1

[Patch 1/2] NetworkPkg: Add PCD to enable the HTTP switch

[Jiaxin Wu]

If the value of PcdHttpEnable is TRUE, HTTP is enabled. Both the
"http://" and "https://" schemes are acceptable. Otherwise, HTTP
is disabled. The "http://" scheme will be denied.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
---
 NetworkPkg/HttpBootDxe/HttpBootClient.c  | 20 +++++++-
 NetworkPkg/HttpBootDxe/HttpBootConfig.c  | 81 ++++++++++++++++++++------------
 NetworkPkg/HttpBootDxe/HttpBootDxe.inf   |  5 +-
 NetworkPkg/HttpBootDxe/HttpBootSupport.c | 53 ++++++++++++++++++++-
 NetworkPkg/HttpBootDxe/HttpBootSupport.h | 17 ++++++-
 NetworkPkg/HttpDxe/HttpDxe.inf           |  5 +-
 NetworkPkg/HttpDxe/HttpImpl.c            | 12 ++++-
 NetworkPkg/NetworkPkg.dec                |  8 +++-
 8 files changed, 164 insertions(+), 37 deletions(-)

diff --git a/NetworkPkg/HttpBootDxe/HttpBootClient.c b/NetworkPkg/HttpBootDxe/HttpBootClient.c
index 916f237..99db3d5 100644
--- a/NetworkPkg/HttpBootDxe/HttpBootClient.c
+++ b/NetworkPkg/HttpBootDxe/HttpBootClient.c
@@ -1,9 +1,9 @@
 /** @file
   Implementation of the boot file download function.
 
-Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
 (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
 This program and the accompanying materials are licensed and made available under 
 the terms and conditions of the BSD License that accompanies this distribution.  
 The full text of the license may be found at
 http://opensource.org/licenses/bsd-license.php.                                          
@@ -190,10 +190,19 @@ HttpBootDhcp4ExtractUriInfo (
     Private->BootFileUriParser = Private->FilePathUriParser;
     Private->BootFileUri = Private->FilePathUri;
   }
 
   //
+  // Check the URI scheme.
+  //
+  Status = HttpBootCheckUriScheme (Private->BootFileUri);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((EFI_D_ERROR, "HttpBootDhcp4ExtractUriInfo: %r.\n", Status));
+    return Status;
+  }
+
+  //
   // Configure the default DNS server if server assigned.
   //
   if ((SelectOffer->OfferType == HttpOfferTypeDhcpNameUriDns) || 
       (SelectOffer->OfferType == HttpOfferTypeDhcpDns) ||
       (SelectOffer->OfferType == HttpOfferTypeDhcpIpUriDns)) {
@@ -293,10 +302,19 @@ HttpBootDhcp6ExtractUriInfo (
     Private->BootFileUriParser = Private->FilePathUriParser;
     Private->BootFileUri = Private->FilePathUri;
   }
 
   //
+  // Check the URI scheme.
+  //
+  Status = HttpBootCheckUriScheme (Private->BootFileUri);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((EFI_D_ERROR, "HttpBootDhcp6ExtractUriInfo: %r.\n", Status));
+    return Status;
+  }
+
+  //
   //  Set the Local station address to IP layer.
   //
   Status = HttpBootSetIp6Address (Private);
   if (EFI_ERROR (Status)) {
     return Status;
diff --git a/NetworkPkg/HttpBootDxe/HttpBootConfig.c b/NetworkPkg/HttpBootDxe/HttpBootConfig.c
index 7c883b8..f32bf18 100644
--- a/NetworkPkg/HttpBootDxe/HttpBootConfig.c
+++ b/NetworkPkg/HttpBootDxe/HttpBootConfig.c
@@ -1,9 +1,9 @@
 /** @file
   Helper functions for configuring or getting the parameters relating to HTTP Boot.
 
-Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2016 - 2017, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
 http://opensource.org/licenses/bsd-license.php
 
@@ -444,13 +444,20 @@ HttpBootFormCallback (
   IN OUT    EFI_IFR_TYPE_VALUE               *Value,
   OUT       EFI_BROWSER_ACTION_REQUEST       *ActionRequest
   )
 {
   EFI_INPUT_KEY                   Key;
-  UINTN                           Index;
   CHAR16                          *Uri;
+  UINTN                           UriLen;
+  CHAR8                           *AsciiUri;
   HTTP_BOOT_FORM_CALLBACK_INFO    *CallbackInfo;
+  EFI_STATUS                      Status;
+
+  Uri      = NULL;
+  UriLen   = 0;
+  AsciiUri = NULL;
+  Status   = EFI_SUCCESS;
   
   if (This == NULL || Value == NULL) {
     return EFI_INVALID_PARAMETER;
   }
 
@@ -464,53 +471,67 @@ HttpBootFormCallback (
   case KEY_INITIATOR_URI:
     //
     // Get user input URI string
     //
     Uri = HiiGetString (CallbackInfo->RegisteredHandle, Value->string, NULL);
-    if (Uri == NULL) {
-      return EFI_UNSUPPORTED;
-    }
 
     //
-    // Convert the scheme to all lower case.
+    // The URI should be either an empty string (for corporate environment) ,or http(s) for home environment.
+    // Pop up a message box for the unsupported URI.
     //
-    for (Index = 0; Index < StrLen (Uri); Index++) {
-      if (Uri[Index] == L':') {
-        break;
+    if (StrLen (Uri) != 0) {
+      UriLen = StrLen (Uri) + 1;
+      AsciiUri = AllocateZeroPool (UriLen);
+      if (AsciiUri == NULL) {
+        FreePool (Uri);
+        return EFI_OUT_OF_RESOURCES;
       }
-      if (Uri[Index] >= L'A' && Uri[Index] <= L'Z') {
-        Uri[Index] -= (CHAR16)(L'A' - L'a');
+
+      UnicodeStrToAsciiStrS (Uri, AsciiUri, UriLen);
+
+      Status = HttpBootCheckUriScheme (AsciiUri);
+      
+      if (Status == EFI_INVALID_PARAMETER) {
+
+        DEBUG ((EFI_D_ERROR, "HttpBootFormCallback: %r.\n", Status));
+
+        CreatePopUp (
+          EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
+          &Key,
+          L"ERROR: Unsupported URI!",
+          L"Only supports HTTP and HTTPS",
+          NULL
+          ); 
+      } else if (Status == EFI_ACCESS_DENIED) {
+      
+        DEBUG ((EFI_D_ERROR, "HttpBootFormCallback: %r.\n", Status));
+      
+        CreatePopUp (
+          EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
+          &Key,
+          L"ERROR: Unsupported URI!",
+          L"HTTP is disabled",
+          NULL
+          );
       }
     }
 
-    //
-    // Set the converted URI string back
-    //
-    HiiSetString (CallbackInfo->RegisteredHandle, Value->string, Uri, NULL);
-
-    //
-    // The URI should be either an empty string (for corporate environment) ,or http(s) for home environment.
-    // Pop up a message box for other unsupported URI.
-    //
-    if ((StrLen (Uri) != 0) && (StrnCmp (Uri, L"http://", 7) != 0) && (StrnCmp (Uri, L"https://", 8) != 0)) {
-      CreatePopUp (
-        EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,
-        &Key,
-        L"ERROR: Unsupported URI!",
-        L"Only supports HTTP and HTTPS",
-        NULL
-        );
+    if (Uri != NULL) {
+      FreePool (Uri);
     }
 
-    FreePool (Uri);
+    if (AsciiUri != NULL) {
+      FreePool (AsciiUri);
+    }   
+    
     break;
 
   default:
     break;
   }
 
-  return EFI_SUCCESS;
+  return Status;
 }
 
 /**
   Initialize the configuration form.
 
diff --git a/NetworkPkg/HttpBootDxe/HttpBootDxe.inf b/NetworkPkg/HttpBootDxe/HttpBootDxe.inf
index e6ce864..5e5f121 100644
--- a/NetworkPkg/HttpBootDxe/HttpBootDxe.inf
+++ b/NetworkPkg/HttpBootDxe/HttpBootDxe.inf
@@ -1,9 +1,9 @@
 ## @file
 #  This modules produce the Load File Protocol for UEFI HTTP boot.
 # 
-#  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
 #  which accompanies this distribution.  The full text of the license may be found at
 #  http://opensource.org/licenses/bsd-license.php
 #  
@@ -92,7 +92,10 @@
   ## SOMETIMES_CONSUMES ## HII
   gHttpBootConfigGuid
   gEfiVirtualCdGuid            ## SOMETIMES_CONSUMES ## GUID
   gEfiVirtualDiskGuid          ## SOMETIMES_CONSUMES ## GUID
 
+[Pcd]
+  gEfiNetworkPkgTokenSpaceGuid.PcdHttpEnable       ## CONSUMES  
+
 [UserExtensions.TianoCore."ExtraFiles"]
   HttpBootDxeExtra.uni
diff --git a/NetworkPkg/HttpBootDxe/HttpBootSupport.c b/NetworkPkg/HttpBootDxe/HttpBootSupport.c
index bdb29ae..41acee7 100644
--- a/NetworkPkg/HttpBootDxe/HttpBootSupport.c
+++ b/NetworkPkg/HttpBootDxe/HttpBootSupport.c
@@ -1,9 +1,9 @@
 /** @file
   Support functions implementation for UEFI HTTP boot driver.
 
-Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
 (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
 This program and the accompanying materials are licensed and made available under
 the terms and conditions of the BSD License that accompanies this distribution.
 The full text of the license may be found at
 http://opensource.org/licenses/bsd-license.php.                                          
@@ -987,10 +987,61 @@ HttpIoRecvResponse (
 
   return Status;
 }
 
 /**
+  This function checks the HTTP(S) URI scheme.
+
+  @param[in]    Uri              The pointer to the URI string.
+  
+  @retval EFI_SUCCESS            The URI scheme is valid.
+  @retval EFI_INVALID_PARAMETER  The URI scheme is not HTTP or HTTPS.
+  @retval EFI_ACCESS_DENIED      HTTP is disabled and the URI is HTTP.
+
+**/
+EFI_STATUS
+HttpBootCheckUriScheme (
+  IN      CHAR8                  *Uri
+  )
+{
+  UINTN                Index;
+  EFI_STATUS           Status;
+
+  Status = EFI_SUCCESS;
+
+  //
+  // Convert the scheme to all lower case.
+  //
+  for (Index = 0; Index < AsciiStrLen (Uri); Index++) {
+    if (Uri[Index] == ':') {
+      break;
+    }
+    if (Uri[Index] >= 'A' && Uri[Index] <= 'Z') {
+      Uri[Index] -= (CHAR8)('A' - 'a');
+    }
+  }
+
+  //
+  // Return EFI_INVALID_PARAMETER if the URI is not HTTP or HTTPS.
+  //
+  if ((AsciiStrnCmp (Uri, "http://", 7) != 0) && (AsciiStrnCmp (Uri, "https://", 8) != 0)) {
+    DEBUG ((EFI_D_ERROR, "HttpBootCheckUriScheme: Invalid Uri.\n"));
+    return EFI_INVALID_PARAMETER;
+  }
+  
+  //
+  // HTTP is disabled, return EFI_ACCESS_DENIED if the URI is HTTP.
+  //
+  if (!PcdGetBool (PcdHttpEnable) && (AsciiStrnCmp (Uri, "http://", 7) == 0)) {
+    DEBUG ((EFI_D_ERROR, "HttpBootCheckUriScheme: HTTP is disabled.\n"));
+    return EFI_ACCESS_DENIED;
+  }
+
+  return Status;
+}
+
+/**
   Get the URI address string from the input device path.
 
   Caller need to free the buffer in the UriAddress pointer.
   
   @param[in]   FilePath         Pointer to the device path which contains a URI device path node.
diff --git a/NetworkPkg/HttpBootDxe/HttpBootSupport.h b/NetworkPkg/HttpBootDxe/HttpBootSupport.h
index 4d02427..65302d2 100644
--- a/NetworkPkg/HttpBootDxe/HttpBootSupport.h
+++ b/NetworkPkg/HttpBootDxe/HttpBootSupport.h
@@ -1,9 +1,9 @@
 /** @file
   Support functions declaration for UEFI HTTP boot driver.
 
-Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials are licensed and made available under 
 the terms and conditions of the BSD License that accompanies this distribution.  
 The full text of the license may be found at
 http://opensource.org/licenses/bsd-license.php.                                          
     
@@ -330,10 +330,25 @@ HttpIoRecvResponse (
   IN      BOOLEAN                  RecvMsgHeader,
      OUT  HTTP_IO_RESPONSE_DATA    *ResponseData
   );
 
 /**
+  This function checks the HTTP(S) URI scheme.
+
+  @param[in]    Uri              The pointer to the URI string.
+  
+  @retval EFI_SUCCESS            The URI scheme is valid.
+  @retval EFI_INVALID_PARAMETER  The URI scheme is not HTTP or HTTPS.
+  @retval EFI_ACCESS_DENIED      HTTP is disabled and the URI is HTTP.
+
+**/
+EFI_STATUS
+HttpBootCheckUriScheme (
+  IN      CHAR8                  *Uri
+  );
+
+/**
   Get the URI address string from the input device path.
 
   Caller need to free the buffer in the UriAddress pointer.
   
   @param[in]   FilePath         Pointer to the device path which contains a URI device path node.
diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf
index 1118181..c62c4e6 100644
--- a/NetworkPkg/HttpDxe/HttpDxe.inf
+++ b/NetworkPkg/HttpDxe/HttpDxe.inf
@@ -1,9 +1,9 @@
 ## @file
 #  Implementation of EFI HTTP protocol interfaces.
 #
-#  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
 #
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
 #  which accompanies this distribution. The full text of the license may be found at
 #  http://opensource.org/licenses/bsd-license.php.
@@ -73,7 +73,10 @@
   gEfiTlsConfigurationProtocolGuid                 ## SOMETIMES_CONSUMES
 
 [Guids]
   gEfiTlsCaCertificateGuid                         ## CONSUMES  ## GUID
 
+[Pcd]
+  gEfiNetworkPkgTokenSpaceGuid.PcdHttpEnable       ## CONSUMES  
+
 [UserExtensions.TianoCore."ExtraFiles"]
   HttpDxeExtra.uni
\ No newline at end of file
diff --git a/NetworkPkg/HttpDxe/HttpImpl.c b/NetworkPkg/HttpDxe/HttpImpl.c
index d19f733..5b59bf3 100644
--- a/NetworkPkg/HttpDxe/HttpImpl.c
+++ b/NetworkPkg/HttpDxe/HttpImpl.c
@@ -1,9 +1,9 @@
 /** @file
   Implementation of EFI_HTTP_PROTOCOL protocol interfaces.
 
-  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>
   (C) Copyright 2015-2016 Hewlett Packard Enterprise Development LP<BR>
 
   This program and the accompanying materials
   are licensed and made available under the terms and conditions of the BSD License
   which accompanies this distribution.  The full text of the license may be found at
@@ -353,10 +353,20 @@ EfiHttpRequest (
     // be able to determine whether to use http or https.
     //
     HttpInstance->UseHttps = IsHttpsUrl (Url);
 
     //
+    // HTTP is disabled, return directly if the URI is not HTTPS.
+    //
+    if (!PcdGetBool (PcdHttpEnable) && !(HttpInstance->UseHttps)) {
+      
+      DEBUG ((EFI_D_ERROR, "EfiHttpRequest: HTTP is disabled.\n"));
+
+      return EFI_ACCESS_DENIED;
+    }
+
+    //
     // Check whether we need to create Tls child and open the TLS protocol.
     //
     if (HttpInstance->UseHttps && HttpInstance->TlsChildHandle == NULL) {
       //
       // Use TlsSb to create Tls child and open the TLS protocol.
diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec
index 24d45f4..893e9c9 100644
--- a/NetworkPkg/NetworkPkg.dec
+++ b/NetworkPkg/NetworkPkg.dec
@@ -2,11 +2,11 @@
 # Network Package.
 #
 # This package provides network modules that conform to UEFI 2.4 specification.
 #
 # (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
-# Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
 #
 # This program and the accompanying materials are licensed and made available under
 # the terms and conditions of the BSD License which accompanies this distribution.
 # The full text of the license may be found at
 # http://opensource.org/licenses/bsd-license.php
@@ -77,10 +77,16 @@
 
   ## Private Key's size.
   # @Prompt Private Key's size.
   gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKeySize|0x3d5|UINT32|0x00000006
 
+  ## Indicates whether the HTTP is enabled or not.
+  # TRUE  - HTTP is enabled. The "http://" scheme is acceptable.
+  # FALSE - HTTP is disabled. The "http://" scheme will be denied.
+  # @Prompt Indicates whether the HTTP is enabled or not.
+  gEfiNetworkPkgTokenSpaceGuid.PcdHttpEnable|FALSE|BOOLEAN|0x00000008
+
 [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
   ## IPv6 DHCP Unique Identifier (DUID) Type configuration (From RFCs 3315 and 6355).
   # 01 = DUID Based on Link-layer Address Plus Time [DUID-LLT]
   # 04 = UUID-Based DHCPv6 Unique Identifier (DUID-UUID)
   # 02 = DUID Assigned by Vendor Based on Enterprise Number [DUID-EN] (not supported)
-- 
1.9.5.msysgit.1

[Patch 2/2] Nt32Pkg.dsc: Add HTTP_ENABLE flag

[Jiaxin Wu]

This flag is used to overwrite the PcdHttpEnable value,
then the platform can make a decision whether to enable
HTTP.

Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
---
 Nt32Pkg/Nt32Pkg.dsc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Nt32Pkg/Nt32Pkg.dsc b/Nt32Pkg/Nt32Pkg.dsc
index 134afb8..86615d4 100644
--- a/Nt32Pkg/Nt32Pkg.dsc
+++ b/Nt32Pkg/Nt32Pkg.dsc
@@ -58,10 +58,15 @@
   # Note: TLS feature highly depends on the OpenSSL building. To enable this 
   #       feature, please follow the instructions found in the file "Patch-HOWTO.txt" 
   #       located in CryptoPkg\Library\OpensslLib to enable the OpenSSL building first.
   #
   DEFINE TLS_ENABLE      = FALSE
+  
+  #
+  # This flag is to enable or disable HTTP feature.  
+  #
+  DEFINE HTTP_ENABLE     = TRUE
 
 ################################################################################
 #
 # SKU Identification section - list of all SKU IDs supported by this
 #                              Platform.
@@ -252,10 +257,14 @@
   gEfiMdeModulePkgTokenSpaceGuid.PcdResetOnMemoryTypeInformationChange|FALSE
 !if $(SECURE_BOOT_ENABLE) == TRUE || $(TLS_ENABLE) == TRUE
   gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
 !endif
 
+!if $(HTTP_ENABLE) == TRUE
+  gEfiNetworkPkgTokenSpaceGuid.PcdHttpEnable|TRUE
+!endif
+
 !ifndef $(USE_OLD_SHELL)
   gEfiIntelFrameworkModulePkgTokenSpaceGuid.PcdShellFile|{ 0x83, 0xA5, 0x04, 0x7C, 0x3E, 0x9E, 0x1C, 0x4F, 0xAD, 0x65, 0xE0, 0x52, 0x68, 0xD0, 0xB4, 0xD1 }
 !endif
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
-- 
1.9.5.msysgit.1

Re: [Patch 0/2] Enable the HTTP switch

[Laszlo Ersek]

On 01/12/17 09:52, Jiaxin Wu wrote:
> If the value of PcdHttpEnable is TRUE, HTTP is enabled. Both the
> "http://" and "https://" schemes are acceptable. Otherwise, HTTP
> is disabled. The "http://" scheme will be denied.
> 
> Cc: Ye Ting <ting.ye@intel.com>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> 
> Jiaxin Wu (2):
>   NetworkPkg: Add PCD to enable the HTTP switch
>   Nt32Pkg.dsc: Add HTTP_ENABLE flag
> 
>  NetworkPkg/HttpBootDxe/HttpBootClient.c  | 20 +++++++-
>  NetworkPkg/HttpBootDxe/HttpBootConfig.c  | 81 ++++++++++++++++++++------------
>  NetworkPkg/HttpBootDxe/HttpBootDxe.inf   |  5 +-
>  NetworkPkg/HttpBootDxe/HttpBootSupport.c | 53 ++++++++++++++++++++-
>  NetworkPkg/HttpBootDxe/HttpBootSupport.h | 17 ++++++-
>  NetworkPkg/HttpDxe/HttpDxe.inf           |  5 +-
>  NetworkPkg/HttpDxe/HttpImpl.c            | 12 ++++-
>  NetworkPkg/NetworkPkg.dec                |  8 +++-
>  Nt32Pkg/Nt32Pkg.dsc                      |  9 ++++
>  9 files changed, 173 insertions(+), 37 deletions(-)
> 

What is the reasoning behind this change? If a platform doesn't want to
support HTTP booting, it can just exclude the drivers from the build.

Put differently, what use do HttpBootDxe and HttpDxe have if the PCD is
set to FALSE (which is the default)?

I'm asking because OVMF already has a HTTP_BOOT_ENABLE build flag, and
it controls the inclusion of all of:

  NetworkPkg/DnsDxe/DnsDxe.inf
  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
  NetworkPkg/HttpDxe/HttpDxe.inf
  NetworkPkg/HttpBootDxe/HttpBootDxe.inf

So what will this NetworkPkg change mean for OVMF, if OVMF is built with
-D HTTP_BOOT_ENABLE?

Thanks
Laszlo

Re: [Patch 0/2] Enable the HTTP switch

[Fu, Siyuan]

Hi, Laszlo

This PCD is introduced for security consideration, it's not to include/exclude the whole HTTP boot feature, but to allow/deny unsecured HTTP connection. So
	If this PCD is true, both HTTP(http://...) and HTTPS(https://...) are allowed.
	If this PCD is false, only HTTPS connection is allowed, HTTP is forbidden.
The default is false (HTTPS) only.

For you question, if the new PCD is set to false, and OVFM is built with -D HTTP_BOOT_ENABLE. All these drivers will still be included in the FD image, but only HTTPS connection could be establishment. In other words, attempt to boot from a URL like "http://server/boot.efi" will be failed.

Siyuan

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo Ersek
Sent: 2017年1月12日 18:23
To: Wu, Jiaxin <jiaxin.wu@intel.com>; edk2-devel@ml01.01.org
Cc: Ye, Ting <ting.ye@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Gary Ching-Pang Lin <glin@suse.com>
Subject: Re: [edk2] [Patch 0/2] Enable the HTTP switch

On 01/12/17 09:52, Jiaxin Wu wrote:
> If the value of PcdHttpEnable is TRUE, HTTP is enabled. Both the 
> "http://" and "https://" schemes are acceptable. Otherwise, HTTP is 
> disabled. The "http://" scheme will be denied.
> 
> Cc: Ye Ting <ting.ye@intel.com>
> Cc: Fu Siyuan <siyuan.fu@intel.com>
> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> 
> Jiaxin Wu (2):
>   NetworkPkg: Add PCD to enable the HTTP switch
>   Nt32Pkg.dsc: Add HTTP_ENABLE flag
> 
>  NetworkPkg/HttpBootDxe/HttpBootClient.c  | 20 +++++++-  
> NetworkPkg/HttpBootDxe/HttpBootConfig.c  | 81 ++++++++++++++++++++------------
>  NetworkPkg/HttpBootDxe/HttpBootDxe.inf   |  5 +-
>  NetworkPkg/HttpBootDxe/HttpBootSupport.c | 53 ++++++++++++++++++++-  
> NetworkPkg/HttpBootDxe/HttpBootSupport.h | 17 ++++++-
>  NetworkPkg/HttpDxe/HttpDxe.inf           |  5 +-
>  NetworkPkg/HttpDxe/HttpImpl.c            | 12 ++++-
>  NetworkPkg/NetworkPkg.dec                |  8 +++-
>  Nt32Pkg/Nt32Pkg.dsc                      |  9 ++++
>  9 files changed, 173 insertions(+), 37 deletions(-)
> 

What is the reasoning behind this change? If a platform doesn't want to support HTTP booting, it can just exclude the drivers from the build.

Put differently, what use do HttpBootDxe and HttpDxe have if the PCD is set to FALSE (which is the default)?

I'm asking because OVMF already has a HTTP_BOOT_ENABLE build flag, and it controls the inclusion of all of:

  NetworkPkg/DnsDxe/DnsDxe.inf
  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
  NetworkPkg/HttpDxe/HttpDxe.inf
  NetworkPkg/HttpBootDxe/HttpBootDxe.inf

So what will this NetworkPkg change mean for OVMF, if OVMF is built with -D HTTP_BOOT_ENABLE?

Thanks
Laszlo
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [Patch 0/2] Enable the HTTP switch

[Laszlo Ersek]

On 01/12/17 12:45, Fu, Siyuan wrote:
> Hi, Laszlo
> 

> This PCD is introduced for security consideration, it's not to
> include/exclude the whole HTTP boot feature, but to allow/deny
> unsecured HTTP connection. So
> 	If this PCD is true, both HTTP(http://...) and HTTPS(https://...) are allowed.
> 	If this PCD is false, only HTTPS connection is allowed, HTTP is forbidden.
> The default is false (HTTPS) only.
> 
> For you question, if the new PCD is set to false, and OVFM is built
> with -D HTTP_BOOT_ENABLE. All these drivers will still be included in
> the FD image, but only HTTPS connection could be establishment. In
> other words, attempt to boot from a URL like "http://server/boot.efi"
> will be failed.

Thank you, this makes perfect sense.

But, in this case, I think the PCD description in the .DEC file is not clear enough:

+  ## Indicates whether the HTTP is enabled or not.
+  # TRUE  - HTTP is enabled. The "http://" scheme is acceptable.
+  # FALSE - HTTP is disabled. The "http://" scheme will be denied.
+  # @Prompt Indicates whether the HTTP is enabled or not.
+  gEfiNetworkPkgTokenSpaceGuid.PcdHttpEnable|FALSE|BOOLEAN|0x00000008

I suggest the following wording instead:

  ## Indicates whether HTTP (i.e., unsecured) connections are permitted or not.
  #  HTTPS connections are always permitted.
  #   TRUE -  Both the "https://" and "http://" URI schemes are permitted.
  #   FALSE - Only the "https://" URI scheme is permitted.
  gEfiNetworkPkgTokenSpaceGuid.PcdHttpEnable|FALSE|BOOLEAN|0x00000008

Can you please consider this? I think it's clearer.

Thanks!
Laszlo

> 
> Siyuan
> 
> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo Ersek
> Sent: 2017年1月12日 18:23
> To: Wu, Jiaxin <jiaxin.wu@intel.com>; edk2-devel@ml01.01.org
> Cc: Ye, Ting <ting.ye@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Gary Ching-Pang Lin <glin@suse.com>
> Subject: Re: [edk2] [Patch 0/2] Enable the HTTP switch
> 
> On 01/12/17 09:52, Jiaxin Wu wrote:
>> If the value of PcdHttpEnable is TRUE, HTTP is enabled. Both the 
>> "http://" and "https://" schemes are acceptable. Otherwise, HTTP is 
>> disabled. The "http://" scheme will be denied.
>>
>> Cc: Ye Ting <ting.ye@intel.com>
>> Cc: Fu Siyuan <siyuan.fu@intel.com>
>> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
>> Contributed-under: TianoCore Contribution Agreement 1.0
>> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
>>
>> Jiaxin Wu (2):
>>   NetworkPkg: Add PCD to enable the HTTP switch
>>   Nt32Pkg.dsc: Add HTTP_ENABLE flag
>>
>>  NetworkPkg/HttpBootDxe/HttpBootClient.c  | 20 +++++++-  
>> NetworkPkg/HttpBootDxe/HttpBootConfig.c  | 81 ++++++++++++++++++++------------
>>  NetworkPkg/HttpBootDxe/HttpBootDxe.inf   |  5 +-
>>  NetworkPkg/HttpBootDxe/HttpBootSupport.c | 53 ++++++++++++++++++++-  
>> NetworkPkg/HttpBootDxe/HttpBootSupport.h | 17 ++++++-
>>  NetworkPkg/HttpDxe/HttpDxe.inf           |  5 +-
>>  NetworkPkg/HttpDxe/HttpImpl.c            | 12 ++++-
>>  NetworkPkg/NetworkPkg.dec                |  8 +++-
>>  Nt32Pkg/Nt32Pkg.dsc                      |  9 ++++
>>  9 files changed, 173 insertions(+), 37 deletions(-)
>>
> 
> What is the reasoning behind this change? If a platform doesn't want to support HTTP booting, it can just exclude the drivers from the build.
> 
> Put differently, what use do HttpBootDxe and HttpDxe have if the PCD is set to FALSE (which is the default)?
> 
> I'm asking because OVMF already has a HTTP_BOOT_ENABLE build flag, and it controls the inclusion of all of:
> 
>   NetworkPkg/DnsDxe/DnsDxe.inf
>   NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>   NetworkPkg/HttpDxe/HttpDxe.inf
>   NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> 
> So what will this NetworkPkg change mean for OVMF, if OVMF is built with -D HTTP_BOOT_ENABLE?
> 
> Thanks
> Laszlo
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
> 

Re: [Patch 0/2] Enable the HTTP switch

[Kinney, Michael D]

Maybe we should also consider a slight PCD name change so
this PCD is not confused with -D HTTP_BOOT_ENABLE.

  PcdAllowHttpConnections

Mike

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo
> Ersek
> Sent: Thursday, January 12, 2017 8:22 AM
> To: Fu, Siyuan <siyuan.fu@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>; edk2-
> devel@ml01.01.org
> Cc: Ye, Ting <ting.ye@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Gary Ching-Pang
> Lin <glin@suse.com>
> Subject: Re: [edk2] [Patch 0/2] Enable the HTTP switch
> 
> On 01/12/17 12:45, Fu, Siyuan wrote:
> > Hi, Laszlo
> >
> 
> > This PCD is introduced for security consideration, it's not to
> > include/exclude the whole HTTP boot feature, but to allow/deny
> > unsecured HTTP connection. So
> > 	If this PCD is true, both HTTP(http://...) and HTTPS(https://...) are
> allowed.
> > 	If this PCD is false, only HTTPS connection is allowed, HTTP is forbidden.
> > The default is false (HTTPS) only.
> >
> > For you question, if the new PCD is set to false, and OVFM is built
> > with -D HTTP_BOOT_ENABLE. All these drivers will still be included in
> > the FD image, but only HTTPS connection could be establishment. In
> > other words, attempt to boot from a URL like "http://server/boot.efi"
> > will be failed.
> 
> Thank you, this makes perfect sense.
> 
> But, in this case, I think the PCD description in the .DEC file is not clear
> enough:
> 
> +  ## Indicates whether the HTTP is enabled or not.
> +  # TRUE  - HTTP is enabled. The "http://" scheme is acceptable.
> +  # FALSE - HTTP is disabled. The "http://" scheme will be denied.
> +  # @Prompt Indicates whether the HTTP is enabled or not.
> +  gEfiNetworkPkgTokenSpaceGuid.PcdHttpEnable|FALSE|BOOLEAN|0x00000008
> 
> I suggest the following wording instead:
> 
>   ## Indicates whether HTTP (i.e., unsecured) connections are permitted or not.
>   #  HTTPS connections are always permitted.
>   #   TRUE -  Both the "https://" and "http://" URI schemes are permitted.
>   #   FALSE - Only the "https://" URI scheme is permitted.
>   gEfiNetworkPkgTokenSpaceGuid.PcdHttpEnable|FALSE|BOOLEAN|0x00000008
> 
> Can you please consider this? I think it's clearer.
> 
> Thanks!
> Laszlo
> 
> >
> > Siyuan
> >
> > -----Original Message-----
> > From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo
> Ersek
> > Sent: 2017年1月12日 18:23
> > To: Wu, Jiaxin <jiaxin.wu@intel.com>; edk2-devel@ml01.01.org
> > Cc: Ye, Ting <ting.ye@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Fu, Siyuan
> <siyuan.fu@intel.com>; Gary Ching-Pang Lin <glin@suse.com>
> > Subject: Re: [edk2] [Patch 0/2] Enable the HTTP switch
> >
> > On 01/12/17 09:52, Jiaxin Wu wrote:
> >> If the value of PcdHttpEnable is TRUE, HTTP is enabled. Both the
> >> "http://" and "https://" schemes are acceptable. Otherwise, HTTP is
> >> disabled. The "http://" scheme will be denied.
> >>
> >> Cc: Ye Ting <ting.ye@intel.com>
> >> Cc: Fu Siyuan <siyuan.fu@intel.com>
> >> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
> >> Contributed-under: TianoCore Contribution Agreement 1.0
> >> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> >>
> >> Jiaxin Wu (2):
> >>   NetworkPkg: Add PCD to enable the HTTP switch
> >>   Nt32Pkg.dsc: Add HTTP_ENABLE flag
> >>
> >>  NetworkPkg/HttpBootDxe/HttpBootClient.c  | 20 +++++++-
> >> NetworkPkg/HttpBootDxe/HttpBootConfig.c  | 81 ++++++++++++++++++++------------
> >>  NetworkPkg/HttpBootDxe/HttpBootDxe.inf   |  5 +-
> >>  NetworkPkg/HttpBootDxe/HttpBootSupport.c | 53 ++++++++++++++++++++-
> >> NetworkPkg/HttpBootDxe/HttpBootSupport.h | 17 ++++++-
> >>  NetworkPkg/HttpDxe/HttpDxe.inf           |  5 +-
> >>  NetworkPkg/HttpDxe/HttpImpl.c            | 12 ++++-
> >>  NetworkPkg/NetworkPkg.dec                |  8 +++-
> >>  Nt32Pkg/Nt32Pkg.dsc                      |  9 ++++
> >>  9 files changed, 173 insertions(+), 37 deletions(-)
> >>
> >
> > What is the reasoning behind this change? If a platform doesn't want to support
> HTTP booting, it can just exclude the drivers from the build.
> >
> > Put differently, what use do HttpBootDxe and HttpDxe have if the PCD is set to
> FALSE (which is the default)?
> >
> > I'm asking because OVMF already has a HTTP_BOOT_ENABLE build flag, and it
> controls the inclusion of all of:
> >
> >   NetworkPkg/DnsDxe/DnsDxe.inf
> >   NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >   NetworkPkg/HttpDxe/HttpDxe.inf
> >   NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> >
> > So what will this NetworkPkg change mean for OVMF, if OVMF is built with -D
> HTTP_BOOT_ENABLE?
> >
> > Thanks
> > Laszlo
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.01.org
> > https://lists.01.org/mailman/listinfo/edk2-devel
> >
> 
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel

Re: [Patch 0/2] Enable the HTTP switch

[Laszlo Ersek]

On 01/12/17 17:46, Kinney, Michael D wrote:
> Maybe we should also consider a slight PCD name change so
> this PCD is not confused with -D HTTP_BOOT_ENABLE.
> 
>   PcdAllowHttpConnections

Good point!
Laszlo

> 
> Mike
> 
>> -----Original Message-----
>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo
>> Ersek
>> Sent: Thursday, January 12, 2017 8:22 AM
>> To: Fu, Siyuan <siyuan.fu@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>; edk2-
>> devel@ml01.01.org
>> Cc: Ye, Ting <ting.ye@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Gary Ching-Pang
>> Lin <glin@suse.com>
>> Subject: Re: [edk2] [Patch 0/2] Enable the HTTP switch
>>
>> On 01/12/17 12:45, Fu, Siyuan wrote:
>>> Hi, Laszlo
>>>
>>
>>> This PCD is introduced for security consideration, it's not to
>>> include/exclude the whole HTTP boot feature, but to allow/deny
>>> unsecured HTTP connection. So
>>> 	If this PCD is true, both HTTP(http://...) and HTTPS(https://...) are
>> allowed.
>>> 	If this PCD is false, only HTTPS connection is allowed, HTTP is forbidden.
>>> The default is false (HTTPS) only.
>>>
>>> For you question, if the new PCD is set to false, and OVFM is built
>>> with -D HTTP_BOOT_ENABLE. All these drivers will still be included in
>>> the FD image, but only HTTPS connection could be establishment. In
>>> other words, attempt to boot from a URL like "http://server/boot.efi"
>>> will be failed.
>>
>> Thank you, this makes perfect sense.
>>
>> But, in this case, I think the PCD description in the .DEC file is not clear
>> enough:
>>
>> +  ## Indicates whether the HTTP is enabled or not.
>> +  # TRUE  - HTTP is enabled. The "http://" scheme is acceptable.
>> +  # FALSE - HTTP is disabled. The "http://" scheme will be denied.
>> +  # @Prompt Indicates whether the HTTP is enabled or not.
>> +  gEfiNetworkPkgTokenSpaceGuid.PcdHttpEnable|FALSE|BOOLEAN|0x00000008
>>
>> I suggest the following wording instead:
>>
>>   ## Indicates whether HTTP (i.e., unsecured) connections are permitted or not.
>>   #  HTTPS connections are always permitted.
>>   #   TRUE -  Both the "https://" and "http://" URI schemes are permitted.
>>   #   FALSE - Only the "https://" URI scheme is permitted.
>>   gEfiNetworkPkgTokenSpaceGuid.PcdHttpEnable|FALSE|BOOLEAN|0x00000008
>>
>> Can you please consider this? I think it's clearer.
>>
>> Thanks!
>> Laszlo
>>
>>>
>>> Siyuan
>>>
>>> -----Original Message-----
>>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo
>> Ersek
>>> Sent: 2017年1月12日 18:23
>>> To: Wu, Jiaxin <jiaxin.wu@intel.com>; edk2-devel@ml01.01.org
>>> Cc: Ye, Ting <ting.ye@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Fu, Siyuan
>> <siyuan.fu@intel.com>; Gary Ching-Pang Lin <glin@suse.com>
>>> Subject: Re: [edk2] [Patch 0/2] Enable the HTTP switch
>>>
>>> On 01/12/17 09:52, Jiaxin Wu wrote:
>>>> If the value of PcdHttpEnable is TRUE, HTTP is enabled. Both the
>>>> "http://" and "https://" schemes are acceptable. Otherwise, HTTP is
>>>> disabled. The "http://" scheme will be denied.
>>>>
>>>> Cc: Ye Ting <ting.ye@intel.com>
>>>> Cc: Fu Siyuan <siyuan.fu@intel.com>
>>>> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
>>>> Contributed-under: TianoCore Contribution Agreement 1.0
>>>> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
>>>>
>>>> Jiaxin Wu (2):
>>>>   NetworkPkg: Add PCD to enable the HTTP switch
>>>>   Nt32Pkg.dsc: Add HTTP_ENABLE flag
>>>>
>>>>  NetworkPkg/HttpBootDxe/HttpBootClient.c  | 20 +++++++-
>>>> NetworkPkg/HttpBootDxe/HttpBootConfig.c  | 81 ++++++++++++++++++++------------
>>>>  NetworkPkg/HttpBootDxe/HttpBootDxe.inf   |  5 +-
>>>>  NetworkPkg/HttpBootDxe/HttpBootSupport.c | 53 ++++++++++++++++++++-
>>>> NetworkPkg/HttpBootDxe/HttpBootSupport.h | 17 ++++++-
>>>>  NetworkPkg/HttpDxe/HttpDxe.inf           |  5 +-
>>>>  NetworkPkg/HttpDxe/HttpImpl.c            | 12 ++++-
>>>>  NetworkPkg/NetworkPkg.dec                |  8 +++-
>>>>  Nt32Pkg/Nt32Pkg.dsc                      |  9 ++++
>>>>  9 files changed, 173 insertions(+), 37 deletions(-)
>>>>
>>>
>>> What is the reasoning behind this change? If a platform doesn't want to support
>> HTTP booting, it can just exclude the drivers from the build.
>>>
>>> Put differently, what use do HttpBootDxe and HttpDxe have if the PCD is set to
>> FALSE (which is the default)?
>>>
>>> I'm asking because OVMF already has a HTTP_BOOT_ENABLE build flag, and it
>> controls the inclusion of all of:
>>>
>>>   NetworkPkg/DnsDxe/DnsDxe.inf
>>>   NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>>>   NetworkPkg/HttpDxe/HttpDxe.inf
>>>   NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>>>
>>> So what will this NetworkPkg change mean for OVMF, if OVMF is built with -D
>> HTTP_BOOT_ENABLE?
>>>
>>> Thanks
>>> Laszlo
>>> _______________________________________________
>>> edk2-devel mailing list
>>> edk2-devel@lists.01.org
>>> https://lists.01.org/mailman/listinfo/edk2-devel
>>>
>>
>> _______________________________________________
>> edk2-devel mailing list
>> edk2-devel@lists.01.org
>> https://lists.01.org/mailman/listinfo/edk2-devel

Re: [Patch 0/2] Enable the HTTP switch

[Wu, Jiaxin]

Hi Laszlo and Mike,

Thanks for your comments, I agree to refine the PCD name and description, another patch will be set out later. 

Thanks,
Jiaxin

> -----Original Message-----
> From: Laszlo Ersek [mailto:lersek@redhat.com]
> Sent: Friday, January 13, 2017 12:53 AM
> To: Kinney, Michael D <michael.d.kinney@intel.com>; Fu, Siyuan
> <siyuan.fu@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>; edk2-
> devel@ml01.01.org
> Cc: Ye, Ting <ting.ye@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Gary Ching-
> Pang Lin <glin@suse.com>
> Subject: Re: [edk2] [Patch 0/2] Enable the HTTP switch
> 
> On 01/12/17 17:46, Kinney, Michael D wrote:
> > Maybe we should also consider a slight PCD name change so
> > this PCD is not confused with -D HTTP_BOOT_ENABLE.
> >
> >   PcdAllowHttpConnections
> 
> Good point!
> Laszlo
> 
> >
> > Mike
> >
> >> -----Original Message-----
> >> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Laszlo
> >> Ersek
> >> Sent: Thursday, January 12, 2017 8:22 AM
> >> To: Fu, Siyuan <siyuan.fu@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>;
> edk2-
> >> devel@ml01.01.org
> >> Cc: Ye, Ting <ting.ye@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Gary
> Ching-Pang
> >> Lin <glin@suse.com>
> >> Subject: Re: [edk2] [Patch 0/2] Enable the HTTP switch
> >>
> >> On 01/12/17 12:45, Fu, Siyuan wrote:
> >>> Hi, Laszlo
> >>>
> >>
> >>> This PCD is introduced for security consideration, it's not to
> >>> include/exclude the whole HTTP boot feature, but to allow/deny
> >>> unsecured HTTP connection. So
> >>> 	If this PCD is true, both HTTP(http://...) and HTTPS(https://...) are
> >> allowed.
> >>> 	If this PCD is false, only HTTPS connection is allowed, HTTP is forbidden.
> >>> The default is false (HTTPS) only.
> >>>
> >>> For you question, if the new PCD is set to false, and OVFM is built
> >>> with -D HTTP_BOOT_ENABLE. All these drivers will still be included in
> >>> the FD image, but only HTTPS connection could be establishment. In
> >>> other words, attempt to boot from a URL like "http://server/boot.efi"
> >>> will be failed.
> >>
> >> Thank you, this makes perfect sense.
> >>
> >> But, in this case, I think the PCD description in the .DEC file is not clear
> >> enough:
> >>
> >> +  ## Indicates whether the HTTP is enabled or not.
> >> +  # TRUE  - HTTP is enabled. The "http://" scheme is acceptable.
> >> +  # FALSE - HTTP is disabled. The "http://" scheme will be denied.
> >> +  # @Prompt Indicates whether the HTTP is enabled or not.
> >> +
> gEfiNetworkPkgTokenSpaceGuid.PcdHttpEnable|FALSE|BOOLEAN|0x00000008
> >>
> >> I suggest the following wording instead:
> >>
> >>   ## Indicates whether HTTP (i.e., unsecured) connections are permitted or
> not.
> >>   #  HTTPS connections are always permitted.
> >>   #   TRUE -  Both the "https://" and "http://" URI schemes are permitted.
> >>   #   FALSE - Only the "https://" URI scheme is permitted.
> >>
> gEfiNetworkPkgTokenSpaceGuid.PcdHttpEnable|FALSE|BOOLEAN|0x00000008
> >>
> >> Can you please consider this? I think it's clearer.
> >>
> >> Thanks!
> >> Laszlo
> >>
> >>>
> >>> Siyuan
> >>>
> >>> -----Original Message-----
> >>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Laszlo
> >> Ersek
> >>> Sent: 2017年1月12日 18:23
> >>> To: Wu, Jiaxin <jiaxin.wu@intel.com>; edk2-devel@ml01.01.org
> >>> Cc: Ye, Ting <ting.ye@intel.com>; Ni, Ruiyu <ruiyu.ni@intel.com>; Fu,
> Siyuan
> >> <siyuan.fu@intel.com>; Gary Ching-Pang Lin <glin@suse.com>
> >>> Subject: Re: [edk2] [Patch 0/2] Enable the HTTP switch
> >>>
> >>> On 01/12/17 09:52, Jiaxin Wu wrote:
> >>>> If the value of PcdHttpEnable is TRUE, HTTP is enabled. Both the
> >>>> "http://" and "https://" schemes are acceptable. Otherwise, HTTP is
> >>>> disabled. The "http://" scheme will be denied.
> >>>>
> >>>> Cc: Ye Ting <ting.ye@intel.com>
> >>>> Cc: Fu Siyuan <siyuan.fu@intel.com>
> >>>> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
> >>>> Contributed-under: TianoCore Contribution Agreement 1.0
> >>>> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> >>>>
> >>>> Jiaxin Wu (2):
> >>>>   NetworkPkg: Add PCD to enable the HTTP switch
> >>>>   Nt32Pkg.dsc: Add HTTP_ENABLE flag
> >>>>
> >>>>  NetworkPkg/HttpBootDxe/HttpBootClient.c  | 20 +++++++-
> >>>> NetworkPkg/HttpBootDxe/HttpBootConfig.c  | 81
> ++++++++++++++++++++------------
> >>>>  NetworkPkg/HttpBootDxe/HttpBootDxe.inf   |  5 +-
> >>>>  NetworkPkg/HttpBootDxe/HttpBootSupport.c | 53
> ++++++++++++++++++++-
> >>>> NetworkPkg/HttpBootDxe/HttpBootSupport.h | 17 ++++++-
> >>>>  NetworkPkg/HttpDxe/HttpDxe.inf           |  5 +-
> >>>>  NetworkPkg/HttpDxe/HttpImpl.c            | 12 ++++-
> >>>>  NetworkPkg/NetworkPkg.dec                |  8 +++-
> >>>>  Nt32Pkg/Nt32Pkg.dsc                      |  9 ++++
> >>>>  9 files changed, 173 insertions(+), 37 deletions(-)
> >>>>
> >>>
> >>> What is the reasoning behind this change? If a platform doesn't want to
> support
> >> HTTP booting, it can just exclude the drivers from the build.
> >>>
> >>> Put differently, what use do HttpBootDxe and HttpDxe have if the PCD is
> set to
> >> FALSE (which is the default)?
> >>>
> >>> I'm asking because OVMF already has a HTTP_BOOT_ENABLE build flag,
> and it
> >> controls the inclusion of all of:
> >>>
> >>>   NetworkPkg/DnsDxe/DnsDxe.inf
> >>>   NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
> >>>   NetworkPkg/HttpDxe/HttpDxe.inf
> >>>   NetworkPkg/HttpBootDxe/HttpBootDxe.inf
> >>>
> >>> So what will this NetworkPkg change mean for OVMF, if OVMF is built with
> -D
> >> HTTP_BOOT_ENABLE?
> >>>
> >>> Thanks
> >>> Laszlo
> >>> _______________________________________________
> >>> edk2-devel mailing list
> >>> edk2-devel@lists.01.org
> >>> https://lists.01.org/mailman/listinfo/edk2-devel
> >>>
> >>
> >> _______________________________________________
> >> edk2-devel mailing list
> >> edk2-devel@lists.01.org
> >> https://lists.01.org/mailman/listinfo/edk2-devel