On Fri, Apr 20, 2018 at 01:07:17PM +0200, Laszlo Ersek wrote: > On 04/19/18 11:55, Gary Lin wrote: > > Add the new section for HTTPS Boot. > > > > Cc: Ard Biesheuvel <ard.biesheu...@linaro.org> > > Cc: Jordan Justen <jordan.l.jus...@intel.com> > > Cc: Laszlo Ersek <ler...@redhat.com> > > Contributed-under: TianoCore Contribution Agreement 1.1 > > Signed-off-by: Gary Lin <g...@suse.com> > > --- > > OvmfPkg/README | 50 ++++++++++++++++++++ > > 1 file changed, 50 insertions(+) > > > > diff --git a/OvmfPkg/README b/OvmfPkg/README > > index 00fb71848200..a84b6a30aaed 100644 > > --- a/OvmfPkg/README > > +++ b/OvmfPkg/README > > @@ -254,6 +254,56 @@ longer.) > > VirtioNetDxe | x > > Intel BootUtil (X64) | x > > > > +=== HTTPS Boot === > > + > > +HTTPS Boot is an alternative solution to PXE. It replaces the tftp server > > +with a HTTPS server so the firmware can download the images through a > > trusted > > +and encrypted connection. > > + > > +* To enable HTTPS Boot, you have to build OVMF with -D HTTP_BOOT_ENABLE and > > + -D TLS_ENABLE. The former brings in the HTTP stack from NetworkPkg while > > the > > + the later enables TLS support in both NetworkPkg and CryptPkg. > > Two typos here: "the the later" should be "the latter" (with double > "t"). And CryptPkg should be CryptoPkg. > Oops. Will fix it.
> > + > > +* By default, there is no trusted certificate. The user has to import the > > + certificates either manually with "Tls Auth Configuration" utility in the > > + firmware UI or through the fw_cfg entry, etc/edk2/https/cacerts. > > + > > + -fw_cfg name=etc/edk2/https/cacerts,file=<sigdb> > > + > > + The blob for etc/edk2/https/cacerts has to be in the format of Signature > > + Database(*1). You can use p11-kit(*2) or efisiglit(*3) to create the > > + certificate list. > > This looks great. I suggest adding the command line for p11-kit (I > should have included that earlier in a commit message or a blurb -- sorry!): > > p11-kit extract --format=edk2-cacerts --filter=ca-anchors \ > --overwrite --purpose=server-auth <certdb> > I'll also add the efisiglit command :) > > + > > +* Bsides the trusted certificates, it's also possible to configure the > > trusted > > Typo: "Bsides". Will fix it. > > > + cipher suites for HTTPS through another fw_cfg entry: > > etc/edk2/https/ciphers. > > + > > + -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites> > > + > > + OVMF expects a binary UINT16 array which is compirsed of the cipher > > suites > > - s/is compirsed of/comprises/ > > or else > > - s/is compirsed of/consists of/ > Will fix it. > > + HEX IDs(*4). If the cipher suite list is given, OVMF will choose the > > cipher > > + suite from the intersection of the given list and the built-in cipher > > + suites. Otherwise, OVMF just chooses whatever proper cipher suites from > > the > > + built-in ones. > > + > > + While the tool(*5) to create the cipher suite array is still under > > + development, the array can be generated with the following script: > > + > > + export LC_ALL=C > > + openssl ciphers -V \ > > + | sed -r -n \ > > + -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \ > > + | xargs -r -- printf -- '%b' > ciphers.bin > > + > > + This script creates ciphers.bin that contains all the cipher suite IDs > > + supported by openssl. > > Please insert here, "according to the local host configuration". > Ok. > > Of course, you can append your own list to > > + "openssl ciphers -V" in the script to limit the supported cipher suites. > > This last sentence is a bit unclear. If we append another list, then the > cipher suite set gets (possibly) extended, not limited. > My idea is to state that it's possible to provide a limited set of cipher suites instead of including all of them. Will change the wording to make it clear. > Furthermore, please add another sentence here: "In the future (after > release 2.12), QEMU should populate both above fw_cfg files > automatically from the local host configuration, and enable the user to > override either with dedicated options or properties". > Ok. > > + > > +(*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A. > > +(*2) p11-kit: https://github.com/p11-glue/p11-kit/ > > +(*3) efisiglist: > > https://github.com/rhboot/pesign/blob/master/src/efisiglist.c > > +(*4) > > https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table > > +(*5) update-crypto-policies: https://github.com/nmav/fedora-crypto-policies > > To my knowledge the right URL for (*5) is: > > https://gitlab.com/redhat-crypto/fedora-crypto-policies > Ah, I didn't notice the link. Thanks for pointing it out. > > + > > === OVMF Flash Layout === > > > > Like all current IA32/X64 system designs, OVMF's firmware device > > (rom/flash) > > > > Thank you Gary for doing this! No problem :) I'll send a V2 later. Gary Lin _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel