Re: [edk2-devel] [RFC][PATCH 0/2] Introduce HTTPS Platform TLS policy

["Chang, Abner via groups.io" <abner.chang=amd.com@groups.io>]

[AMD Official Use Only - General]

> -----Original Message-----
> From: Michael Brown <mcb30@ipxe.org>
> Sent: Wednesday, December 27, 2023 11:55 PM
> To: devel@edk2.groups.io; Chang, Abner <Abner.Chang@amd.com>
> Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>; Zachary Clark-williams
> <zachary.clark-williams@intel.com>; Nickle Wang <nicklew@nvidia.com>; Igor
> Kulchytskyy <igork@ami.com>
> Subject: Re: [edk2-devel] [RFC][PATCH 0/2] Introduce HTTPS Platform TLS
> policy
>
> Caution: This message originated from an External Source. Use proper caution
> when opening attachments, clicking links, or responding.
>
>
> On 26/12/2023 11:28, Chang, Abner via groups.io wrote:
> > For the HTTPS connetion that doesn't require TLS peer verification,
> > EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL is introduced to platform
> > developer to provide the TLS configure data that is different than
> > the default TLS configuration. The use case such as Redfish service
> > connction which doesn't require the TLS peer verification on the
> > cetificate, especially to the Redfish service connection through
> > the in-band network interface.
> >
> > Platform developer can provide this protoocl to EFI HTTP driver to
> > configure TLS using TLS conifg data provided by
> > EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL for the specific HTTP
> > protocol handle. How to distinguish the correct HTTP protocol
> > handle for the platform TLS policy is outside the scope of this
> > change. For Redfish, we will provide this protocol in EFI Redfish
> > REST EX driver.
>
> This looks messy to me.
>
> Did you try my suggestion of using RegisterProtocolNotify() in order to
> register a callback that will be called for any new instances of
> EFI_TLS_PROTOCOL?
>
> This would be functionally equivalent to your patch, but with zero lines
> of additional code required in HttpDxe.

I think you suggest to hook/replace the EFI_TLS_PROTOCOL for the specific HTTP handle?
EFI_TLS_PROTOCOL is installed implicitly when the first time HTTPs request is performed. There is no connection between HTTP handle and EFI TLS protocol instance besides the HTTP driver internal structure.
Listen to the installation of EFI_TLS_PROTOCOL has no way to distinguish the dedicated HTTP handle, for example the HTTP handle created by Redfish REST EX driver.
I don’t see the chance to provide the flexibility to TLS config with using RegisterProtocolNotify for EFI_TLS_PROTOCO unless we add one line to install the same TLS_PTOTOCOL on the given HTTP instance.  Or something I missed?

Thanks
Abner

>
> (My apologies if you did try it and already found a reason why it would
> not work - I have not been able to keep up with all EDK2 list messages.)
>
> Thanks,
>
> Michael



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#112937): https://edk2.groups.io/g/devel/message/112937
Mute This Topic: https://groups.io/mt/103368438/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-