git.proxmox.com Git - mirror_edk2.git/commit
OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot
author    Laszlo Ersek <lersek@redhat.com>
          Sat, 31 Mar 2018 23:27:43 +0000 (01:27 +0200)
committer Laszlo Ersek <lersek@redhat.com>
          Fri, 13 Apr 2018 12:05:10 +0000 (14:05 +0200)
commit    ba9c8a8ccbb79697509cba482f9d7b9e8526c7e2
tree      0cb749299b8a7def0233370a6cd06d77397314ba
parent    54ec85dd2902bd5dee39106d5291f71088b7d85a
OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot

Read the list of trusted cipher suites from fw_cfg and store it to
EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.

The fw_cfg file will be formatted by the "update-crypto-policies" utility
on the host side, so that the host settings take effect in guest HTTPS
boot as well. QEMU forwards the file intact to the firmware. The contents
are forwarded by NetworkPkg/HttpDxe (in TlsConfigCipherList()) to
NetworkPkg/TlsDxe (TlsSetSessionData()) and TlsLib (TlsSetCipherList()).

Note: the development of the "update-crypto-policies" feature is underway
at this time. Meanwhile the following script can be used to generate the
binary file for fw_cfg:

  export LC_ALL=C
  openssl ciphers -V \
  | sed -r -n \
      -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
  | xargs -r -- printf -- '%b' > ciphers.bin

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Ching-Pang Lin <glin@suse.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Gary Lin <glin@suse.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com>
[lersek@redhat.com: update commit msg and add script as requested by Gary]
[lersek@redhat.com: update commit msg as requested by Jiaxin]
OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c
OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf
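As an added illustration of the fw_cfg file format the commit message describes (not code from the commit or from edk2), the following Python does in-process what the shell pipeline above does: it picks the two IANA cipher-suite id bytes out of "openssl ciphers -V" lines and concatenates them, and it decodes such a blob back into byte pairs the way the firmware must split it. The sample "openssl ciphers -V" text is constructed for this example; the assumption that the variable holds plain 2-byte entries with no header is taken from the commit's script, which emits exactly that.

```python
import re
from typing import List, Tuple

# Constructed sample of "openssl ciphers -V" output. The ids and names are
# real IANA/OpenSSL values, but the selection is arbitrary for this example.
SAMPLE_OPENSSL_CIPHERS_V = """\
          0x13,0x02 - TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any  Au=any   Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256) Mac=AEAD
this line has no cipher id and must be ignored, like the sed -n/p filter does
"""

# Same anchor the commit's sed expression uses: two uppercase hex bytes,
# comma separated, at the start of the line, followed by " - ".
_CIPHER_LINE_RE = re.compile(r"^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - ")


def ciphers_v_to_blob(text: str) -> bytes:
    """Build the fw_cfg payload: each trusted suite contributes its two id
    bytes, in the order OpenSSL listed them, with no length prefix or
    separator (assumption: matches what the commit's printf '%b' produces)."""
    out = bytearray()
    for line in text.splitlines():
        m = _CIPHER_LINE_RE.match(line)
        if m:
            out += bytes.fromhex(m.group(1) + m.group(2))
    return bytes(out)


def blob_to_suites(blob: bytes) -> List[Tuple[int, int]]:
    """Split a blob into (first byte, second byte) pairs, i.e. the 2-byte
    entries the firmware reads from EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE.
    An odd-length blob cannot be split into pairs, so it is rejected rather
    than silently truncated; a host-side generator bug should be caught here."""
    if len(blob) % 2 != 0:
        raise ValueError("cipher list length %d is not a multiple of 2" % len(blob))
    return [(blob[i], blob[i + 1]) for i in range(0, len(blob), 2)]


if __name__ == "__main__":
    blob = ciphers_v_to_blob(SAMPLE_OPENSSL_CIPHERS_V)
    for first, second in blob_to_suites(blob):
        print("0x%02X,0x%02X" % (first, second))
```

Writing `blob` to a file gives the same bytes the commit's pipeline writes to ciphers.bin for the same OpenSSL output.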