From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <lersek@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 3F5FE81DCD
 for <edk2-devel@ml01.01.org>; Mon, 16 Jan 2017 15:01:13 -0800 (PST)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com
 (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id 2EB5D1555E;
 Mon, 16 Jan 2017 23:01:14 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-110.phx2.redhat.com
 [10.3.116.110])
 by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id
 v0GN1C85000437; Mon, 16 Jan 2017 18:01:12 -0500
To: Gary Lin <glin@suse.com>, "Wu, Jiaxin" <jiaxin.wu@intel.com>
References: <20170116041013.31545-1-glin@suse.com>
 <895558F6EA4E3B41AC93A00D163B727416293E11@SHSMSX103.ccr.corp.intel.com>
 <20170116063237.tapblt5ildhgdrrl@GaryWorkstation>
Cc: "Justen, Jordan L" <jordan.l.justen@intel.com>,
 "edk2-devel@lists.01.org" <edk2-devel@ml01.01.org>,
 "Long, Qin" <qin.long@intel.com>
From: Laszlo Ersek <lersek@redhat.com>
Message-ID: <a45793ac-12ff-6eb8-b3ec-fa0dda93d70b@redhat.com>
Date: Tue, 17 Jan 2017 00:01:10 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.6.0
MIME-Version: 1.0
In-Reply-To: <20170116063237.tapblt5ildhgdrrl@GaryWorkstation>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.29]); Mon, 16 Jan 2017 23:01:14 +0000 (UTC)
Subject: Re: [PATCH] OvmfPkg: Enable HTTPS for Ovmf
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jan 2017 23:01:13 -0000
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit

On 01/16/17 07:32, Gary Lin wrote:
> On Mon, Jan 16, 2017 at 05:44:49AM +0000, Wu, Jiaxin wrote:
>> Hi Gary,
>>
>> Before we enable the HTTPS/TLS for OVMF, We need remove the 'SECURE_BOOT_ENABLE' flag control for the CryptoPkg librarie. Not only the secure boot feature requires the CryptoPkg libraries (e.g, OpensslLib, BaseCryptLib), but also ISCSI, IpSec and HTTPS/TLS features. If we not remove that dependency, we must set both SECURE_BOOT_ENABLE and TLS_ENABLE to support TLS feature. That's unreasonable.
>>
> Ah! Right. I always enable secure boot and forgot the dependency of
> CryptoPkg.
> 
>> Attached patch is to remove the flag control for the CryptoPkg libraries. I suggest to wait that patch commit, then go ahead to enable the HTTPS for OVMF.
>>
> Agree. We should free CryptoPkg from Secure Boot or HTTPS first.

As I indicated in the other thread (Jiaxin's "[PATCH v2] OvmfPkg: Remove
the flag control for the CryptoPkg libraries"), decoupling the OpenSSL
dependency from Secure Boot is a good idea, as there are indeed multiple
users. However, making OpenSSL a hard or default requirement for
building OVMF is wrong, as long as OpenSSL needs to be manually dropped
into CryptoPkg, and patched.

If that's the case, then we should extract the OpenSSL dependency into
its own synthetic (use case-less) build macro (such as OPENSSL_ENABLE),
and work out the dependencies between it and the concrete use cases
(other build macros).

This way the person building OVMF will only have to mess with OpenSSL /
CryptoPkg if they need at least one feature that unconditionally
requires OpenSSL, or they decide to enable OpenSSL for another feature
that optionally benefits from it.

Thanks,
Laszlo

> 
> Thanks,
> 
> Gary Lin
> 
>> Thanks,
>> Jiaxin
>>
>>> -----Original Message-----
>>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Gary
>>> Lin
>>> Sent: Monday, January 16, 2017 12:10 PM
>>> To: edk2-devel@lists.01.org
>>> Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Wu, Jiaxin
>>> <jiaxin.wu@intel.com>; Laszlo Ersek <lersek@redhat.com>
>>> Subject: [edk2] [PATCH] OvmfPkg: Enable HTTPS for Ovmf
>>>
>>> This commit introduces a new build option to OvmfPkg: TLS_ENABLE.
>>> When setting the option, the TLS drivers will be included to support
>>> HTTPS.
>>>
>>> NOTE: HTTP_BOOT_ENABLE is needed to enable HTTPS support since it's
>>>       pointless to enable TLS alone.
>>>
>>> Cc: Laszlo Ersek <lersek@redhat.com>
>>> Cc: Jordan Justen <jordan.l.justen@intel.com>
>>> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
>>> Contributed-under: TianoCore Contribution Agreement 1.0
>>> Signed-off-by: Gary Lin <glin@suse.com>
>>> ---
>>>  OvmfPkg/OvmfPkgIa32.dsc    | 8 ++++++++
>>>  OvmfPkg/OvmfPkgIa32.fdf    | 4 ++++
>>>  OvmfPkg/OvmfPkgIa32X64.dsc | 8 ++++++++
>>>  OvmfPkg/OvmfPkgIa32X64.fdf | 4 ++++
>>>  OvmfPkg/OvmfPkgX64.dsc     | 8 ++++++++
>>>  OvmfPkg/OvmfPkgX64.fdf     | 4 ++++
>>>  6 files changed, 36 insertions(+)
>>>
>>> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
>>> index e97f7f0262..363f143c68 100644
>>> --- a/OvmfPkg/OvmfPkgIa32.dsc
>>> +++ b/OvmfPkg/OvmfPkgIa32.dsc
>>> @@ -38,6 +38,7 @@ [Defines]
>>>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>>>    DEFINE HTTP_BOOT_ENABLE        = FALSE
>>>    DEFINE SMM_REQUIRE             = FALSE
>>> +  DEFINE TLS_ENABLE              = FALSE
>>>
>>>  [BuildOptions]
>>>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
>>> @@ -158,6 +159,9 @@ [LibraryClasses]
>>>
>>>  !if $(HTTP_BOOT_ENABLE) == TRUE
>>>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
>>> +!endif
>>>  !endif
>>>
>>>
>>> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
>>> tLib.inf
>>> @@ -715,6 +719,10 @@ [Components]
>>>    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>>>    NetworkPkg/HttpDxe/HttpDxe.inf
>>>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  NetworkPkg/TlsDxe/TlsDxe.inf
>>> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
>>> +!endif
>>>  !endif
>>>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
>>>
>>> diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
>>> index 34d57a6079..30c8800932 100644
>>> --- a/OvmfPkg/OvmfPkgIa32.fdf
>>> +++ b/OvmfPkg/OvmfPkgIa32.fdf
>>> @@ -329,6 +329,10 @@ [FV.DXEFV]
>>>    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>>>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
>>>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
>>> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
>>> +!endif
>>>  !endif
>>>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
>>>
>>> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
>>> index 8e3e04c135..f22bad309a 100644
>>> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
>>> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
>>> @@ -38,6 +38,7 @@ [Defines]
>>>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>>>    DEFINE HTTP_BOOT_ENABLE        = FALSE
>>>    DEFINE SMM_REQUIRE             = FALSE
>>> +  DEFINE TLS_ENABLE              = FALSE
>>>
>>>  [BuildOptions]
>>>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
>>> @@ -163,6 +164,9 @@ [LibraryClasses]
>>>
>>>  !if $(HTTP_BOOT_ENABLE) == TRUE
>>>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
>>> +!endif
>>>  !endif
>>>
>>>
>>> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
>>> tLib.inf
>>> @@ -724,6 +728,10 @@ [Components.X64]
>>>    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>>>    NetworkPkg/HttpDxe/HttpDxe.inf
>>>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  NetworkPkg/TlsDxe/TlsDxe.inf
>>> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
>>> +!endif
>>>  !endif
>>>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
>>>
>>> diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
>>> index df55c2b210..7bc31d42ba 100644
>>> --- a/OvmfPkg/OvmfPkgIa32X64.fdf
>>> +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
>>> @@ -329,6 +329,10 @@ [FV.DXEFV]
>>>    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>>>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
>>>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
>>> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
>>> +!endif
>>>  !endif
>>>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
>>>
>>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
>>> index 6ec3fe050d..8eca6fd557 100644
>>> --- a/OvmfPkg/OvmfPkgX64.dsc
>>> +++ b/OvmfPkg/OvmfPkgX64.dsc
>>> @@ -38,6 +38,7 @@ [Defines]
>>>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>>>    DEFINE HTTP_BOOT_ENABLE        = FALSE
>>>    DEFINE SMM_REQUIRE             = FALSE
>>> +  DEFINE TLS_ENABLE              = FALSE
>>>
>>>  [BuildOptions]
>>>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
>>> @@ -163,6 +164,9 @@ [LibraryClasses]
>>>
>>>  !if $(HTTP_BOOT_ENABLE) == TRUE
>>>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
>>> +!endif
>>>  !endif
>>>
>>>
>>> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
>>> tLib.inf
>>> @@ -722,6 +726,10 @@ [Components]
>>>    NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>>>    NetworkPkg/HttpDxe/HttpDxe.inf
>>>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  NetworkPkg/TlsDxe/TlsDxe.inf
>>> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
>>> +!endif
>>>  !endif
>>>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
>>>
>>> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
>>> index 5e2e1dfaf5..cb7ca131e8 100644
>>> --- a/OvmfPkg/OvmfPkgX64.fdf
>>> +++ b/OvmfPkg/OvmfPkgX64.fdf
>>> @@ -329,6 +329,10 @@ [FV.DXEFV]
>>>    INF  NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>>>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
>>>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
>>> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
>>> +!endif
>>>  !endif
>>>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
>>>
>>> --
>>> 2.11.0
>>>
>>> _______________________________________________
>>> edk2-devel mailing list
>>> edk2-devel@lists.01.org
>>> https://lists.01.org/mailman/listinfo/edk2-devel
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
>