Re: [edk2-devel] [RFC][PATCH 0/2] Introduce HTTPS Platform TLS policy

["Chang, Abner via groups.io" <abner.chang=amd.com@groups.io>]

[AMD Official Use Only - General]

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Michael
> Brown via groups.io
> Sent: Tuesday, January 2, 2024 7:07 AM
> To: devel@edk2.groups.io; Chang, Abner <Abner.Chang@amd.com>
> Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>; Zachary Clark-williams
> <zachary.clark-williams@intel.com>; Nickle Wang <nicklew@nvidia.com>; Igor
> Kulchytskyy <igork@ami.com>
> Subject: Re: [edk2-devel] [RFC][PATCH 0/2] Introduce HTTPS Platform TLS
> policy
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> On 29/12/2023 15:07, Chang, Abner via groups.io wrote:
> > To locate TLS protocol from the HTTP handle and configure TLS configuration
> data at the return from EfiHttpRequest during that short window of non-
> blocking request is not reliable. It also doesn't make sense to ask upper layer
> application to do this when it first time invokes EfiHttpRequest.
> > I already refactored TlsCreateChild to install TLS protocol on HTTP handle. I
> also implemented the corresponding code in Redfish REST EX to listen the
> installation of TLS protocol and hook the SetSessionData. It works fine on the
> system, however I really don’t like having the upper layer application to do this
> much just for overriding TLS configuration data. The code looked a specific
> implementation to hack the TLS protocol interface. Plus I still have to add few
> code in TlsConfigCertificate to skip configure certificate with checking
> TlsVerifyMethod.
> > We should sit back to consider introducing a new protocol for upper layer
> application to provide their own TLS configuration data, as the root cause is
> that hard coded TLS configuration data in HttpSupport.c. We shouldn't have
> the code like that and add the burdens to application.
> >
> > What my thought is as below and maybe more elegant than the patch a
> sent,
> > - Still install TLS on HTTP handle, then upper layer application can listen to
> the installation of EFI TLS protocol to find the correct HTTP handle.
> > - Move TLS_CONFIG_DATA in a public header file.
> > - Introduce a new protocol called EDKII_HTTP_TLS_CONFIGURATION_DATA
> > - Upper layer application installs this protocol with their own
> TLS_CONFIG_DATA.
> > - TlsConfigureSession locates EDKII_HTTP_TLS_CONFIGURATION_DATA to
> replace the default TLS_CONFIG_DATA.
> >
> > This way we can remove that hardcoded code and fix the root cause, also the
> upper layer application do not have to take the burden.
> > What do you think?
>
> Firstly, thank you very much for taking the time to dig through this and
> work towards a cleaner design - I, for one, really appreciate it.
Thank you.

>
> I think we're completely agreed that installing the TLS protocols on the
> HTTP handle is the right thing to do - that seems to be a clear
> improvement over the status quo where there's no introspectable
> relationship between the two handles.
>
> I'm torn on the use of TLS_CONFIG_DATA.  For better or worse, the
> existing and standardised EFI_TLS_CONFIGURATION_PROTOCOL is verb-
> based,
> using SetData() and GetData() methods.  Adding a noun-based protocol for
> TLS configuration seems to cut across this, with the potential to look
> confusing: a new reader of the code could legitimately wonder why the
> codebase contains two competing solutions to what is essentially the
> same problem.
>
> Given that the verb-based approach of EFI_TLS_CONFIGURATION_PROTOCOL
> has
> made it as far as being standardised and included in the UEFI
> specification, I think we probably need to accept that this is the
> "correct" way to perform TLS configuration within UEFI code.  The
> problem with HttpsSupport.c then becomes that there is no good
> opportunity for a consumer to call SetData(), since (a)
> EFI_TLS_CONFIGURATION_PROTOCOL comes into existence only halfway
> through
> the call to EFI_HTTP_PROTOCOL.Request() and (b) the call to
> TlsConfigureSession() will overwrite the configuration anyway.
>
> Is there a way that TlsConfigureSession() could sensibly provide an
> opportunity for the consumer to make calls to SetData(), so that the
> consumer could cleanly override any default configuration?
>
> Looking through the code, TlsConfigureSession() is called only from
> HttpInitSession(), which in turn is called only from EfiHttpRequest().
> This call is followed immediately by the line:
>
>    HttpNotify (HttpEventInitSession, Status);
>
> which seems to already use an existing EDKII_HTTP_CALLBACK_PROTOCOL to
> notify an arbitrary list of interested consumers that an event has taken
> place (in this case, that a session has just been initialised).
>
> What do you think about:
>
> - installing TLS on HTTP handle (as you have already implemented)
>
> - using EDKII_HTTP_CALLBACK_PROTOCOL to catch the HttpEventInitSession
> and perform whatever calls are needed to SetData() to modify the TLS
> configuration?

Leverage HttpNotify is good but still has some problems, as HttpNotify is designed to notify callback owner about a specific task was done. In order to keep this HttpNotify nature, we can create a callback point at the end of TlsCreateChild() with a newly introduced event type says HttpEventTlsChildCreated. The reason we have to create this notification before TlsConfigureSession() is because this function uses the default configuration data to configure TLS. However, it doesn't have to do EfiTlsVerifyHost and TlsConfigCertificate if there is nothing to verify.
The problem in configuring  EfiTlsVerifyHost is It always checks verification method with EFI_TLS_VERIFY_PEER, while the problem of TlsConfigCertificate is it considers platform always can provide the certificate.  Anyway to configure TLS after TlsConfigCertificate is to late as the error status already returned earlier. Furthermore the design of HttpNotify doesn't provide the output information for caller to determine the different code paths.  So with above, how can we skip configuring TLS again with the default values in HttpSupport.c even platform code already configured it before TlsConfigureSession()?

Another approach is to introduced HttpsTlsConfigureSession notification, callback routine may receive the error in EventStatus when the first time TlsConfigureSession is invoked. In the failure case, the callback function calls Tls->SetSessionData to configure its own TLS configuration data. I do a quick try to set the different configuration after the first time failure. It works fine and seems the TLS library internal state machine is not messed up.  However, it looks not quite intuitive to the upper layer HTTP application. Why upper layer HTTP application has to reconfigure TLS when HttpsTlsConfigureSession is notified with an EFI error status? This approach looks okey to me, acceptable but not perfect. Says this approach is fine to me with a detail comment above the new event type in C header file.
Any better suggestion?

Thanks
Abner

>
> Thanks,
>
> Michael
>
>
>
> 
>



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113028): https://edk2.groups.io/g/devel/message/113028
Mute This Topic: https://groups.io/mt/103368438/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-