[edk2-devel] [PATCH] OvmfPkg/README: HTTPS Boot: describe host-side TLS cipher suites forwarding

Laszlo Ersek lersek at redhat.com
Wed Sep 16 07:35:47 UTC 2020


On 09/15/20 19:09, Philippe Mathieu-Daudé wrote:
> Hi Laszlo,
> 
> On 9/10/20 8:02 AM, Laszlo Ersek wrote:
>> On 09/09/20 18:21, Philippe Mathieu-Daudé wrote:
>>> On 9/7/20 6:18 PM, Laszlo Ersek wrote:
>>>> In QEMU commit range 4abf70a661a5..69699f3055a5, Phil implemented a QEMU
>>>> facility for exposing the host-side TLS cipher suite configuration to
>>>> OVMF. The purpose is to control the permitted ciphers in the guest's UEFI
>>>> HTTPS boot. This complements the forwarding of the host-side crypto policy
>>>> from the host to the guest -- the other facet was the set of CA
>>>> certificates (for which p11-kit patches had been upstreamed, on the host
>>>> side).
>>>>
>>>> Mention the new command line options in "OvmfPkg/README".
>>>>
>>>> Cc: Ard Biesheuvel <ard.biesheuvel at arm.com>
>>>> Cc: Gary Lin <glin at suse.com>
>>>> Cc: Jordan Justen <jordan.l.justen at intel.com>
>>>> Cc: Philippe Mathieu-Daudé <philmd at redhat.com>
>>>> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2852
>>>
>>> Thanks for addressing this BZ for me...
>>>
>>>> Signed-off-by: Laszlo Ersek <lersek at redhat.com>
>>>> ---
>>>>  OvmfPkg/README | 24 ++++++++++++--------
>>>>  1 file changed, 15 insertions(+), 9 deletions(-)
>>>>
>>>> diff --git a/OvmfPkg/README b/OvmfPkg/README
>>>> index 3dd28474ead4..2009d9d29796 100644
>>>> --- a/OvmfPkg/README
>>>> +++ b/OvmfPkg/README
>>>> @@ -294,67 +294,73 @@ and encrypted connection.
>>>>  
>>>>    You can also append a certificate to the existing list with the following
>>>>    command:
>>>>  
>>>>    efisiglist -i <old certdb> -a <cert file> -o <new certdb>
>>>>  
>>>>    NOTE: You may need the patch to make efisiglist generate the correct header.
>>>>    (https://github.com/rhboot/pesign/pull/40)
>>>>  
>>>>  * Besides the trusted certificates, it's also possible to configure the trusted
>>>>    cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers.
>>>>  
>>>> -  -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>
>>>> -
>>>>    OVMF expects a binary UINT16 array which comprises the cipher suites HEX
>>>>    IDs(*4). If the cipher suite list is given, OVMF will choose the cipher
>>>>    suite from the intersection of the given list and the built-in cipher
>>>>    suites. Otherwise, OVMF just chooses whatever proper cipher suites from the
>>>>    built-in ones.
>>>>  
>>>> -  While the tool(*5) to create the cipher suite array is still under
>>>> -  development, the array can be generated with the following script:
>>>> +  Using QEMU 5.1 or later, QEMU can expose the ordered list of permitted TLS
>>>> +  cipher suites from the host side to OVMF:
>>>> +
>>>> +  -object tls-cipher-suites,id=mysuite0,priority=@SYSTEM \
>>>> +  -fw_cfg name=etc/edk2/https/ciphers,gen_id=mysuite0
>>>> +
>>>> +  (Refer to the QEMU manual and to
>>>> +  <https://gnutls.org/manual/html_node/Priority-Strings.html> for more
>>>> +  information on the "priority" property.)
>>>> +
>>>> +  Using QEMU 5.0 or earlier, the array has to be passed from a file:
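
Review bot: the new "Using QEMU 5.1 or later" paragraph never says that `gen_id=mysuite0` on the `-fw_cfg` option must name the `id=mysuite0` of the `tls-cipher-suites` object, although the example only works because the two agree; one sentence such as "gen_id refers to the id of the tls-cipher-suites object" would save readers from treating `mysuite0` as a fixed keyword. It would also help to spell out what `priority=@SYSTEM` does: it hands OVMF the host's system-wide GnuTLS priority (the host crypto policy named in the commit message), so hardening that policy on the host also narrows the guest's HTTPS boot, while the unchanged paragraph above still applies, i.e. OVMF intersects the received list with its built-in suites and a host policy can never enable a suite OVMF does not implement.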
>>>
>>> What about using a '-' to list each "Using QEMU ..." and make the
>>> separation clearer?
>>
>> I can do that, yes. There are three possibilities:
>>
>> - prefix just one line (in each affected paragraph) with the hyphen,
>>
>> - prefix the first line of each paragraph with the hyphen, plus indent
>> the rest of the *same paragraph* by 2 spaces.
> 
> I'd go with this possibility. Clear and easy.
> 
>>
>> - prefix the first line of each paragraph with the hyphen, plus indent
>> the rest of the *text* that applies to the QEMU versions being discussed.
> 
> (Note that would be my *visual* preference, but I don't think it's
> worth it, I prefer we keep the diff short and easy to review).

Agreed on both counts :)

Thanks!
Laszlo

