* Besides the trusted certificates, it's also possible to configure the trusted\r
cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers.\r
\r
- -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>\r
-\r
OVMF expects a binary UINT16 array which comprises the cipher suites HEX\r
IDs(*4). If the cipher suite list is given, OVMF will choose the cipher\r
suite from the intersection of the given list and the built-in cipher\r
suites. Otherwise, OVMF just chooses whatever proper cipher suites from the\r
built-in ones.\r
\r
- While the tool(*5) to create the cipher suite array is still under\r
- development, the array can be generated with the following script:\r
+ - Using QEMU 5.2 or later, QEMU can expose the ordered list of permitted TLS\r
+ cipher suites from the host side to OVMF:\r
+\r
+ -object tls-cipher-suites,id=mysuite0,priority=@SYSTEM \\r
+ -fw_cfg name=etc/edk2/https/ciphers,gen_id=mysuite0\r
+\r
+ (Refer to the QEMU manual and to\r
+ <https://gnutls.org/manual/html_node/Priority-Strings.html> for more\r
+ information on the "priority" property.)\r
+\r
+ - Using QEMU 5.1 or earlier, the array has to be passed from a file:\r
+\r
+ -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>\r
+\r
+ whose contents can be generated with the following script, for example:\r
\r
export LC_ALL=C\r
openssl ciphers -V \\r
-e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \\r
| xargs -r -- printf -- '%b' > ciphers.bin\r
\r
-* In the future (after release 2.12), QEMU should populate both above fw_cfg\r
- files automatically from the local host configuration, and enable the user\r
- to override either with dedicated options or properties.\r
-\r
(*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A.\r
(*2) p11-kit: https://github.com/p11-glue/p11-kit/\r
(*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c\r
(*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table\r
-(*5) update-crypto-policies: https://gitlab.com/redhat-crypto/fedora-crypto-policies\r
\r
=== OVMF Flash Layout ===\r
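Review bot: the new QEMU 5.2+ bullet (`-object tls-cipher-suites,id=mysuite0,priority=@SYSTEM`) should state how the host-side list interacts with the firmware, since the paragraph above says OVMF only uses the intersection of the supplied list with its built-in suites: a `@SYSTEM` priority that permits suites OVMF does not implement silently yields a smaller effective set, and the firmware's TLS policy now follows the host crypto policy rather than the static file. One sentence after the `gen_id=mysuite0` line, e.g. "OVMF still intersects this list with its built-in cipher suites", would make the 5.2 path as explicit as the file-based one. Separately, in the retained 5.1 script the `-e 's/^ *0x(...' ` line directly follows `openssl ciphers -V \`, so as shown the `-e` option would be passed to openssl instead of to a sed invocation; the `| sed -r -n \` line appears to have been lost and should be restored for the example to produce `ciphers.bin`.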
\r