On 04/19/18 11:55, Gary Lin wrote:
> Add the new section for HTTPS Boot.
>
> Cc: Ard Biesheuvel <ard.biesheu...@linaro.org>
> Cc: Jordan Justen <jordan.l.jus...@intel.com>
> Cc: Laszlo Ersek <ler...@redhat.com>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Gary Lin <g...@suse.com>
> ---
> OvmfPkg/README | 50 ++++++++++++++++++++
> 1 file changed, 50 insertions(+)
>
> diff --git a/OvmfPkg/README b/OvmfPkg/README
> index 00fb71848200..a84b6a30aaed 100644
> --- a/OvmfPkg/README
> +++ b/OvmfPkg/README
> @@ -254,6 +254,56 @@ longer.)
> VirtioNetDxe | x
> Intel BootUtil (X64) | x
>
> +=== HTTPS Boot ===
> +
> +HTTPS Boot is an alternative solution to PXE. It replaces the tftp server
> +with a HTTPS server so the firmware can download the images through a trusted
> +and encrypted connection.
> +
> +* To enable HTTPS Boot, you have to build OVMF with -D HTTP_BOOT_ENABLE and
> + -D TLS_ENABLE. The former brings in the HTTP stack from NetworkPkg while
> the
> + the later enables TLS support in both NetworkPkg and CryptPkg.
Two typos here: "the the later" should be "the latter" (with double
"t"). And CryptPkg should be CryptoPkg.
> +
> +* By default, there is no trusted certificate. The user has to import the
> + certificates either manually with "Tls Auth Configuration" utility in the
> + firmware UI or through the fw_cfg entry, etc/edk2/https/cacerts.
> +
> + -fw_cfg name=etc/edk2/https/cacerts,file=<sigdb>
> +
> + The blob for etc/edk2/https/cacerts has to be in the format of Signature
> + Database(*1). You can use p11-kit(*2) or efisiglit(*3) to create the
> + certificate list.
This looks great. I suggest adding the command line for p11-kit (I
should have included that earlier in a commit message or a blurb -- sorry!):
p11-kit extract --format=edk2-cacerts --filter=ca-anchors \
--overwrite --purpose=server-auth <certdb>
> +
> +* Bsides the trusted certificates, it's also possible to configure the
> trusted
Typo: "Bsides".
> + cipher suites for HTTPS through another fw_cfg entry:
> etc/edk2/https/ciphers.
> +
> + -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>
> +
> + OVMF expects a binary UINT16 array which is compirsed of the cipher suites
- s/is compirsed of/comprises/
or else
- s/is compirsed of/consists of/
> + HEX IDs(*4). If the cipher suite list is given, OVMF will choose the cipher
> + suite from the intersection of the given list and the built-in cipher
> + suites. Otherwise, OVMF just chooses whatever proper cipher suites from the
> + built-in ones.
> +
> + While the tool(*5) to create the cipher suite array is still under
> + development, the array can be generated with the following script:
> +
> + export LC_ALL=C
> + openssl ciphers -V \
> + | sed -r -n \
> + -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
> + | xargs -r -- printf -- '%b' > ciphers.bin
> +
> + This script creates ciphers.bin that contains all the cipher suite IDs
> + supported by openssl.
Please insert here, "according to the local host configuration".
> Of course, you can append your own list to
> + "openssl ciphers -V" in the script to limit the supported cipher suites.
This last sentence is a bit unclear. If we append another list, then the
cipher suite set gets (possibly) extended, not limited.
Furthermore, please add another sentence here: "In the future (after
release 2.12), QEMU should populate both above fw_cfg files
automatically from the local host configuration, and enable the user to
override either with dedicated options or properties".
> +
> +(*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A.
> +(*2) p11-kit: https://github.com/p11-glue/p11-kit/
> +(*3) efisiglist:
> https://github.com/rhboot/pesign/blob/master/src/efisiglist.c
> +(*4)
> https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table
> +(*5) update-crypto-policies: https://github.com/nmav/fedora-crypto-policies
To my knowledge the right URL for (*5) is:
https://gitlab.com/redhat-crypto/fedora-crypto-policies
> +
> === OVMF Flash Layout ===
>
> Like all current IA32/X64 system designs, OVMF's firmware device (rom/flash)
>
Thank you Gary for doing this!
Laszlo
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
