OvmfPkg/README: HTTPS Boot: describe host-side TLS cipher suites forwarding

In QEMU commit range 4abf70a661a5..69699f3055a5 (later fixed up in QEMU
commit 4318432ccd3f), Phil implemented a QEMU facility for exposing the
host-side TLS cipher suite configuration to OVMF. The purpose is to
control the permitted ciphers in the guest's UEFI HTTPS boot. This
complements the forwarding of the host-side crypto policy from the host to
the guest -- the other facet was the set of CA certificates (for which
p11-kit patches had been upstreamed, on the host side).

Mention the new command line options in "OvmfPkg/README".

Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Gary Lin <glin@suse.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2852
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Gary Lin <glin@suse.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200922091827.12617-1-lersek@redhat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>

diff --git a/OvmfPkg/README b/OvmfPkg/README
index 3dd28474ead4f6cb79f407c174c2e0dac2ee0a6f..70f0c4152686d0ecfdfd99e405917a3d3416e46c 100644 (file)
--- a/OvmfPkg/README
+++ b/OvmfPkg/README
@@ -303,16 +303,27 @@ and encrypted connection.
 * Besides the trusted certificates, it's also possible to configure the trusted\r
   cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/ciphers.\r
 \r
-  -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>\r
-\r
   OVMF expects a binary UINT16 array which comprises the cipher suites HEX\r
   IDs(*4). If the cipher suite list is given, OVMF will choose the cipher\r
   suite from the intersection of the given list and the built-in cipher\r
   suites. Otherwise, OVMF just chooses whatever proper cipher suites from the\r
   built-in ones.\r
 \r
-  While the tool(*5) to create the cipher suite array is still under\r
-  development, the array can be generated with the following script:\r
+  - Using QEMU 5.2 or later, QEMU can expose the ordered list of permitted TLS\r
+    cipher suites from the host side to OVMF:\r
+\r
+  -object tls-cipher-suites,id=mysuite0,priority=@SYSTEM \\r
+  -fw_cfg name=etc/edk2/https/ciphers,gen_id=mysuite0\r
+\r
+  (Refer to the QEMU manual and to\r
+  <https://gnutls.org/manual/html_node/Priority-Strings.html> for more\r
+  information on the "priority" property.)\r
+\r
+  - Using QEMU 5.1 or earlier, the array has to be passed from a file:\r
+\r
+  -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites>\r
+\r
+  whose contents can be generated with the following script, for example:\r
 \r
   export LC_ALL=C\r
   openssl ciphers -V \\r
@@ -337,15 +348,10 @@ and encrypted connection.
      -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \\r
   | xargs -r -- printf -- '%b' > ciphers.bin\r
 \r
-* In the future (after release 2.12), QEMU should populate both above fw_cfg\r
-  files automatically from the local host configuration, and enable the user\r
-  to override either with dedicated options or properties.\r
-\r
 (*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A.\r
 (*2) p11-kit: https://github.com/p11-glue/p11-kit/\r
 (*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisiglist.c\r
 (*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_correspondence_table\r
-(*5) update-crypto-policies: https://gitlab.com/redhat-crypto/fedora-crypto-policies\r
 \r
 === OVMF Flash Layout ===\r
 \r