From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.187.233.73; helo=mx1.redhat.com; envelope-from=lersek@redhat.com; receiver=edk2-devel@lists.01.org Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 3AAC42251212F for ; Fri, 20 Apr 2018 04:07:20 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id C638E81A88BD; Fri, 20 Apr 2018 11:07:19 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-11.rdu2.redhat.com [10.10.120.11]) by smtp.corp.redhat.com (Postfix) with ESMTP id CEB0E215CDA7; Fri, 20 Apr 2018 11:07:18 +0000 (UTC) To: Gary Lin , edk2-devel@lists.01.org Cc: Ard Biesheuvel , Jordan Justen References: <20180419095543.15548-1-glin@suse.com> From: Laszlo Ersek Message-ID: Date: Fri, 20 Apr 2018 13:07:17 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: <20180419095543.15548-1-glin@suse.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Fri, 20 Apr 2018 11:07:19 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Fri, 20 Apr 2018 11:07:19 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'lersek@redhat.com' RCPT:'' Subject: Re: [PATCH 1/1] OvmfPkg/README: add HTTPS Boot X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Apr 2018 11:07:21 -0000 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 04/19/18 11:55, Gary Lin wrote: > Add the new section for HTTPS Boot. > > Cc: Ard Biesheuvel > Cc: Jordan Justen > Cc: Laszlo Ersek > Contributed-under: TianoCore Contribution Agreement 1.1 > Signed-off-by: Gary Lin > --- > OvmfPkg/README | 50 ++++++++++++++++++++ > 1 file changed, 50 insertions(+) > > diff --git a/OvmfPkg/README b/OvmfPkg/README > index 00fb71848200..a84b6a30aaed 100644 > --- a/OvmfPkg/README > +++ b/OvmfPkg/README > @@ -254,6 +254,56 @@ longer.) > VirtioNetDxe | x > Intel BootUtil (X64) | x > > +=== HTTPS Boot === > + > +HTTPS Boot is an alternative solution to PXE. It replaces the tftp server > +with a HTTPS server so the firmware can download the images through a trusted > +and encrypted connection. > + > +* To enable HTTPS Boot, you have to build OVMF with -D HTTP_BOOT_ENABLE and > + -D TLS_ENABLE. The former brings in the HTTP stack from NetworkPkg while the > + the later enables TLS support in both NetworkPkg and CryptPkg. Two typos here: "the the later" should be "the latter" (with double "t"). And CryptPkg should be CryptoPkg. > + > +* By default, there is no trusted certificate. The user has to import the > + certificates either manually with "Tls Auth Configuration" utility in the > + firmware UI or through the fw_cfg entry, etc/edk2/https/cacerts. > + > + -fw_cfg name=etc/edk2/https/cacerts,file= > + > + The blob for etc/edk2/https/cacerts has to be in the format of Signature > + Database(*1). You can use p11-kit(*2) or efisiglit(*3) to create the > + certificate list. This looks great. I suggest adding the command line for p11-kit (I should have included that earlier in a commit message or a blurb -- sorry!): p11-kit extract --format=edk2-cacerts --filter=ca-anchors \ --overwrite --purpose=server-auth > + > +* Bsides the trusted certificates, it's also possible to configure the trusted Typo: "Bsides". > + cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers. > + > + -fw_cfg name=etc/edk2/https/ciphers,file= > + > + OVMF expects a binary UINT16 array which is compirsed of the cipher suites - s/is compirsed of/comprises/ or else - s/is compirsed of/consists of/ > + HEX IDs(*4). If the cipher suite list is given, OVMF will choose the cipher > + suite from the intersection of the given list and the built-in cipher > + suites. Otherwise, OVMF just chooses whatever proper cipher suites from the > + built-in ones. > + > + While the tool(*5) to create the cipher suite array is still under > + development, the array can be generated with the following script: > + > + export LC_ALL=C > + openssl ciphers -V \ > + | sed -r -n \ > + -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \ > + | xargs -r -- printf -- '%b' > ciphers.bin > + > + This script creates ciphers.bin that contains all the cipher suite IDs > + supported by openssl. Please insert here, "according to the local host configuration". > Of course, you can append your own list to > + "openssl ciphers -V" in the script to limit the supported cipher suites. This last sentence is a bit unclear. If we append another list, then the cipher suite set gets (possibly) extended, not limited. Furthermore, please add another sentence here: "In the future (after release 2.12), QEMU should populate both above fw_cfg files automatically from the local host configuration, and enable the user to override either with dedicated options or properties". > + > +(*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A. > +(*2) p11-kit: https://github.com/p11-glue/p11-kit/ > +(*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c > +(*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table > +(*5) update-crypto-policies: https://github.com/nmav/fedora-crypto-policies To my knowledge the right URL for (*5) is: https://gitlab.com/redhat-crypto/fedora-crypto-policies > + > === OVMF Flash Layout === > > Like all current IA32/X64 system designs, OVMF's firmware device (rom/flash) > Thank you Gary for doing this! Laszlo