From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Palmer, Thomas" <thomas.palmer@hpe.com>
To: Laszlo Ersek, edk2-devel-01
CC: Ruiyu Ni, Eric Dong, Ard Biesheuvel, Jordan Justen, "Lin, Gary", Anthony Perard, Star Zeng
Date: Thu, 29 Mar 2018 04:56:44 +0000
In-Reply-To: <20180328202651.1478-1-lersek@redhat.com>
References: <20180328202651.1478-1-lersek@redhat.com>
Subject: Re: [PATCH 0/4] MdeModulePkg, OvmfPkg: support large CA cert list for HTTPS boot
List-Id: EDK II Development <edk2-devel@lists.01.org>
Laszlo,

(First, are you at plugfest? Let's chat.)

Second, what need do you see for having KB worth of CA at UEFI's disposal? If the HTTPS feature is primarily for PXE booting OSes, then it is likely the IT administrator who set up the PXE server also has a single CA they want to use for PXE. By allowing any and every CA to be installed (instead of having the user pick only the immediately needed CAs), we inadvertently open HTTPS to state-backed/well-financed malicious actors who can pay for quality SSL signing services. (The fewer CAs, the less that can go wrong.)

This is not to prevent your patches going in, but I would like to ensure manufacturers / admins know how to properly use the CA list.

Regards,

Thomas Palmer

"I have only made this letter longer because I have not had the time to make it shorter" - Blaise Pascal

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo Ersek
Sent: Wednesday, March 28, 2018 3:27 PM
To: edk2-devel-01
Cc: Ruiyu Ni; Eric Dong; Ard Biesheuvel; Jordan Justen; Gary Ching-Pang Lin; Anthony Perard; Star Zeng
Subject: [edk2] [PATCH 0/4] MdeModulePkg, OvmfPkg: support large CA cert list for HTTPS boot

Repo:   https://github.com/lersek/edk2.git
Branch: https_cacert_rhbz_1536624

The trusted CA certificates for HTTPS boot can be specified in EFI_TLS_CA_CERTIFICATE_VARIABLE. The platform may choose to create this variable as volatile and set it on every boot as appropriate. The OVMF feature is that the virtualization host passes down an fw_cfg blob that carries the CA certs trusted on the host side, and the OVMF HTTPS boot will verify web servers against that certificate bundle.
(For (part of) the host side implementation, refer to SetVariable() etc), and the driver stack expects the FVB impls to use the non-volatile storage PCDs (regardless of the actual FVB backing store). Patch #2 fixes this (without change in behavior) in OvmfPkg/EmuVariableFvbRuntimeDxe.

Patch #3 adds a bit of documentation to the OVMF DSC files, as a continuation of patch #2.

Patch #4 implements the feature, raising both limits (liberated in earlier patches) and populating EFI_TLS_CA_CERTIFICATE_VARIABLE from fw_cfg.

I've done reasonable HTTPS boot testing and regression testing too (including "-bios" with OVMF and pflash with ArmVirtQemu). Independent testing would be highly appreciated (feature and regression alike).

This email is too long and so are the commit messages, but I'm too tired to trim them; apologies.

Cc: Anthony Perard
Cc: Ard Biesheuvel
Cc: Eric Dong
Cc: Gary Ching-Pang Lin
Cc: Jordan Justen
Cc: Julien Grall
Cc: Ruiyu Ni
Cc: Star Zeng

Thanks,
Laszlo

Laszlo Ersek (4):
  MdeModulePkg/Variable/RuntimeDxe: introduce PcdMaxVolatileVariableSize
  OvmfPkg/EmuVariableFvbRuntimeDxe: stop using PcdVariableStoreSize
  OvmfPkg: annotate "PcdVariableStoreSize := PcdFlashNvStorageVariableSize"
  OvmfPkg/TlsAuthConfigLib: configure trusted CA certs for HTTPS boot

 MdeModulePkg/MdeModulePkg.dec                                     |   8 ++
 MdeModulePkg/MdeModulePkg.uni                                     |   8 ++
 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c             |  50 ++++++--
 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.h             |  12 ++
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf |   1 +
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c          |   2 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf        |   1 +
 OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.c                            |   6 +-
 OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf                          |   3 +-
 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c               | 133 ++++++++++++++++++
 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf             |  55 ++++++++
 OvmfPkg/OvmfPkgIa32.dsc                                           |  15 ++-
 OvmfPkg/OvmfPkgIa32X64.dsc                                        |  15 ++-
 OvmfPkg/OvmfPkgX64.dsc                                            |  15 ++-
 14 files changed, 308 insertions(+), 16 deletions(-)
 create mode 100644 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c
 create mode 100644 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf

--
2.14.1.3.gb7cf6e02401b

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
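As an added illustration of the trust-store path the thread discusses (this is not code from the thread or from edk2): a host-side helper that keeps only the allow-listed CA(s) from a PEM bundle, packs them in the EFI_SIGNATURE_LIST layout that EFI_TLS_CA_CERTIFICATE_VARIABLE carries (one list per certificate, typed EFI_CERT_X509_GUID), and checks the resulting payload against a platform size limit. The two sample "certificates", the all-zero SignatureOwner GUID and the 64 KiB limit are constructed placeholders.

```python
import base64
import hashlib
import re
import struct

# EFI_CERT_X509_GUID {a5c059a1-94e4-4aa7-87b5-ab155c2bf072} in its on-disk (mixed-endian) layout.
EFI_CERT_X509_GUID = bytes.fromhex("a159c0a5e494a74a87b5ab155c2bf072")
# SignatureOwner is informational for a CA store; an all-zero GUID is used here (assumption).
OWNER_GUID = bytes(16)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample bundle: two fake DER blobs standing in for CA certificates.
# They are not real X.509 data; a real bundle would come from the host's CA store.
SAMPLE_CERTS = [b"\x30\x82" + bytes(range(64)), b"\x30\x82" + bytes(range(64, 0, -1))]
SAMPLE_BUNDLE = "".join(
    "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n"
    % base64.encodebytes(der).decode()
    for der in SAMPLE_CERTS
)

def split_bundle(pem):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem)]

def fingerprint(der):
    """SHA-256 fingerprint (hex) of one DER certificate, as 'openssl x509 -fingerprint -sha256' shows it."""
    return hashlib.sha256(der).hexdigest()

def signature_list(der):
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST holding a single EFI_SIGNATURE_DATA entry:
    SignatureType GUID, SignatureListSize, SignatureHeaderSize (0), SignatureSize,
    then SignatureOwner GUID followed by the certificate bytes (all integers little-endian)."""
    sig_size = len(OWNER_GUID) + len(der)
    list_size = len(EFI_CERT_X509_GUID) + 3 * 4 + sig_size
    return EFI_CERT_X509_GUID + struct.pack("<III", list_size, 0, sig_size) + OWNER_GUID + der

def build_ca_variable(pem, allowed, max_size):
    """Keep only allow-listed CAs (by SHA-256 fingerprint), pack them into the variable payload,
    and report whether the payload fits the platform's maximum variable size."""
    kept = [der for der in split_bundle(pem) if fingerprint(der) in allowed]
    payload = b"".join(signature_list(der) for der in kept)
    return {"kept": len(kept), "size": len(payload), "fits": len(payload) <= max_size, "payload": payload}

if __name__ == "__main__":
    allow = {fingerprint(SAMPLE_CERTS[0])}  # the one CA the PXE/HTTPS server actually chains to
    result = build_ca_variable(SAMPLE_BUNDLE, allow, max_size=64 * 1024)  # placeholder limit
    print(result["kept"], "cert(s),", result["size"], "bytes, fits:", result["fits"])
```

Feeding the host's whole CA store through this with an empty allow-list shows the other failure mode the thread raises: the payload either grows past the variable size limit or carries trust in CAs the deployment never needed.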