Re: [PATCH v2 1/9] OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot

[Laszlo Ersek <lersek@redhat.com>]

On 04/12/18 11:10, Gary Lin wrote:
> On Thu, Apr 12, 2018 at 10:49:15AM +0200, Laszlo Ersek wrote:
>> On 04/12/18 09:08, Gary Lin wrote:
>>> On Wed, Apr 11, 2018 at 12:42:39PM +0200, Laszlo Ersek wrote:
>>>> Read the list of trusted cipher suites from fw_cfg and to store it to
>>>> EFI_TLS_CA_CERTIFICATE_VARIABLE.
>>>>
>>>> The fw_cfg file is formatted by the "update-crypto-policies" utility on
>>>> the host side, so that the host settings take effect in guest HTTPS boot
>>>> as well. QEMU forwards the file intact to the firmware. The contents are
>>>> forwarded by NetworkPkg/HttpDxe (in TlsConfigCipherList()) to
>>>> NetworkPkg/TlsDxe (TlsSetSessionData()) and TlsLib (TlsSetCipherList()).
>>>>
>>> Hi Laszlo,
>>>
>>> The description mentioned "update-crypto-policies" to format the cipher
>>> list. The command is not available in openSUSE and I downloaded the command
>>> from github repo[*]. However, I didn't find any command in the repo
>>> could create the binary cipher list.
>>
>> Right, that feature is underway, and the Crypto team has agreed to
>> implement it for me. My apologies for being unclear about it. Until
>> then, a small shell script like the following can be used:
>>
>> -----
>> export LC_ALL=C
>>
>> openssl ciphers -V \
>> | sed -r -n \
>>     -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
>> | xargs -r -- printf -- '%b' > ciphers.bin
>> -----
>>
> It would be good to have this script in the description or in the README
> so that the person who doesn't have the updated update-crypto-policies,
> like me, can easily generate the cipher list.

I can include this in the commit message, sure.

If you think OvmfPkg/README would be a better place for it: can you
please submit a patch? ;) It's not just that I'm overloaded (although I
am), but I always welcome documentation contributions with enthusiasm.
If the documentation captures real life "user stories", that's for the best.

You could introduce an "HTTPS Boot" section to the README, between
"Network Support" and "OVMF Flash Layout". You contributed quite a bit
to HTTPS enablement anyway!

It's up to you, of course :) If you don't have the time, I'll add the
script to the commit message.

Thanks,
Laszlo

> 
> Cheers,
> 
> Gary Lin
> 
>>> Anyway, I found you also mentioned
>>> "openssl ciphers -V" in the cover letter, and I managed to convert the
>>> plaintext cipher list to the binary array. Maybe the description can be
>>> improved to avoid the confusion. (Or, I just found the wrong program...)
>>
>> No, you are right; I figured I'd describe the end-state in the commit
>> mesage. I guess I can replace
>>
>>   The fw_cfg file is formatted by the "update-crypto-policies" utility
>>
>> with
>>
>>   The fw_cfg file will be formatted by the "update-crypto-policies"
>>   utility
>>
>> in the commit message.
>>
>>>
>>> BTW, the code looks good and works for me.
>>>
>>> Reviewed-by: Gary Lin <glin@suse.com>
>>> Tested-by: Gary Lin <glin@suse.com>
>>
>> Thanks Gary!
>> Laszlo
>>