with a HTTPS server so the firmware can download the images through a trusted\r
and encrypted connection.\r
\r
-* To enable HTTPS Boot, you have to build OVMF with -D HTTP_BOOT_ENABLE and\r
- -D TLS_ENABLE. The former brings in the HTTP stack from NetworkPkg while\r
- the latter enables TLS support in both NetworkPkg and CryptoPkg.\r
+* To enable HTTPS Boot, you have to build OVMF with -D NETWORK_HTTP_BOOT_ENABLE\r
+ and -D NETWORK_TLS_ENABLE. The former brings in the HTTP stack from\r
+ NetworkPkg while the latter enables TLS support in both NetworkPkg and\r
+ CryptoPkg.\r
+\r
+ If you want to exclude the unsecured HTTP connection completely, OVMF has to\r
+ be built with -D NETWORK_ALLOW_HTTP_CONNECTIONS=FALSE so that only the HTTPS\r
+ connections will be accepted.\r
\r
* By default, there is no trusted certificate. The user has to import the\r
certificates either manually with "Tls Auth Configuration" utility in the\r
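Review bot: the new NETWORK_ALLOW_HTTP_CONNECTIONS paragraph (the "+ If you want to exclude..." lines) should state that the option defaults to TRUE, otherwise a reader may assume that enabling NETWORK_TLS_ENABLE alone already turns plain HTTP off; the surrounding text only implies the default by saying what =FALSE does. Suggested wording: "By default OVMF still accepts plain (unencrypted) HTTP connections. To refuse them, build with -D NETWORK_ALLOW_HTTP_CONNECTIONS=FALSE so that only HTTPS URIs are accepted." "Unsecured HTTP connection" reads better as "plain HTTP connections", and the paragraph belongs with the build-option bullet it extends rather than as a dangling indented block.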
* Besides the trusted certificates, it's also possible to configure the trusted\r
cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers.\r
\r
- -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>\r
-\r
OVMF expects a binary UINT16 array which comprises the cipher suites HEX\r
IDs(*4). If the cipher suite list is given, OVMF will choose the cipher\r
suite from the intersection of the given list and the built-in cipher\r
suites. Otherwise, OVMF just chooses whatever proper cipher suites from the\r
built-in ones.\r
\r
- While the tool(*5) to create the cipher suite array is still under\r
- development, the array can be generated with the following script:\r
+ - Using QEMU 5.2 or later, QEMU can expose the ordered list of permitted TLS\r
+ cipher suites from the host side to OVMF:\r
+\r
+ -object tls-cipher-suites,id=mysuite0,priority=@SYSTEM \\r
+ -fw_cfg name=etc/edk2/https/ciphers,gen_id=mysuite0\r
+\r
+ (Refer to the QEMU manual and to\r
+ <https://gnutls.org/manual/html_node/Priority-Strings.html> for more\r
+ information on the "priority" property.)\r
+\r
+ - Using QEMU 5.1 or earlier, the array has to be passed from a file:\r
+\r
+ -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>\r
+\r
+ whose contents can be generated with the following script, for example:\r
\r
export LC_ALL=C\r
openssl ciphers -V \\r
-e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \\r
| xargs -r -- printf -- '%b' > ciphers.bin\r
\r
-* In the future (after release 2.12), QEMU should populate both above fw_cfg\r
- files automatically from the local host configuration, and enable the user\r
- to override either with dedicated options or properties.\r
-\r
(*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A.\r
(*2) p11-kit: https://github.com/p11-glue/p11-kit/\r
(*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c\r
(*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table\r
-(*5) update-crypto-policies: https://gitlab.com/redhat-crypto/fedora-crypto-policies\r
\r
=== OVMF Flash Layout ===\r
\r
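Review bot: two things in the cipher-suite bullet need attention. First, the "Using QEMU 5.2 or later" lines present "priority=@SYSTEM" as a QEMU feature, but the property is a GnuTLS priority string (the gnutls.org link you cite), so the text should say that the tls-cipher-suites object is only available in QEMU builds linked against GnuTLS and that "@SYSTEM" selects the host's system-wide GnuTLS policy; "Using QEMU 5.2 or later, QEMU can expose" also repeats "QEMU" and reads better as "With QEMU 5.2 or later, the ordered list of permitted TLS cipher suites can be exposed from the host side to OVMF". Second, the retained script in the "QEMU 5.1 or earlier" branch is broken as shown: between "openssl ciphers -V \" and "-e 's/^ *0x..." there is no "sed -n" command for the -e expression to belong to, and the backslashes appear doubled throughout ("\\" at line ends, "\\\\x\1 \\\\x\2" where printf '%b' needs "\\x\1 \\x\2"). If that is a mail or extraction artifact, fine; if it is what the patch applies, the script will not produce the UINT16 array, so please verify the resulting README text. Dropping the "after release 2.12" paragraph and footnote (*5) is consistent with the removed sentence that referenced them.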