From nobody Wed Apr 24 19:44:38 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12
 as permitted sender) client-ip=66.175.222.12;
 envelope-from=bounce+27952+65088+1787277+3901457@groups.io;
 helo=web01.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as
 permitted sender)
  smtp.mailfrom=bounce+27952+65088+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1599495521; cv=none;
	d=zohomail.com; s=zohoarc;
	b=Nlp6q9ad34YLBo2jynN9OAPgo5xIFrBX33uEkOtoIbaxHXHpns7EoCIWpvRZQqoKRUmqo+R4qfLsd/62Jun3nZop4aFxpDt1YrJcxgX86GkG4jHDDP0PfoQoNtm25ptgzM5LDAZu4zfh4ELWDnG8cxK2kJp3QKjI5hjetiN4DEw=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1599495521;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Sender:Subject:To;
	bh=vfis9EGn8naI2PKPSbXRftb7Ep1Oz73O+2+jLq+q82A=;
	b=ViSXXoylXFTP8mhsB/Zr7fgnLJ7V65NnnCVMx4EpPK1p46IN3lkXMY9Plfw/H+ZEuIa5iZciqJ9i4f92aJ0Mm2ekw4lB6D9X6c59AN4eHU7wfeXpTbW5zekB+O1i5ZESoUMTlwdrSd5B9LsQVCO5MQNtKAs/j0VpDMA5pZc5xvk=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as
 permitted sender)
  smtp.mailfrom=bounce+27952+65088+1787277+3901457@groups.io;
	dmarc=fail header.from=<lersek@redhat.com> (p=none dis=none)
 header.from=<lersek@redhat.com>
Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by
 mx.zohomail.com
	with SMTPS id 1599495521030444.07782192415686;
 Mon, 7 Sep 2020 09:18:41 -0700 (PDT)
Return-Path: <bounce+27952+65088+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id myNtYY1788612xwD08ypPevs;
 Mon, 07 Sep 2020 09:18:40 -0700
X-Received: from us-smtp-delivery-1.mimecast.com
 (us-smtp-delivery-1.mimecast.com [207.211.31.81])
 by mx.groups.io with SMTP id smtpd.web12.739.1599495519886553933
 for <devel@edk2.groups.io>;
 Mon, 07 Sep 2020 09:18:40 -0700
X-Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-179-XA-38HnBOxafjh_qXBcYvA-1; Mon, 07 Sep 2020 12:18:30 -0400
X-MC-Unique: XA-38HnBOxafjh_qXBcYvA-1
X-Received: from smtp.corp.redhat.com
 (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 0C5AF18B9ED9;
	Mon,  7 Sep 2020 16:18:29 +0000 (UTC)
X-Received: from lacos-laptop-7.usersys.redhat.com
 (ovpn-115-56.ams2.redhat.com [10.36.115.56])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 7133082460;
	Mon,  7 Sep 2020 16:18:27 +0000 (UTC)
From: "Laszlo Ersek" <lersek@redhat.com>
To: edk2-devel-groups-io <devel@edk2.groups.io>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>,
	Gary Lin <glin@suse.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	=?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Subject: [edk2-devel] [PATCH] OvmfPkg/README: HTTPS Boot: describe host-side
 TLS cipher suites forwarding
Date: Mon,  7 Sep 2020 18:18:25 +0200
Message-Id: <20200907161825.10893-1-lersek@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
X-Mimecast-Spam-Score: 0.002
X-Mimecast-Originator: redhat.com
Precedence: Bulk
List-Unsubscribe: <https://edk2.groups.io/g/devel/unsub>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,lersek@redhat.com
X-Gm-Message-State: pTYCdppckNcOR27ChyRZKJUfx1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1599495520;
 bh=vfis9EGn8naI2PKPSbXRftb7Ep1Oz73O+2+jLq+q82A=;
 h=Cc:Content-Type:Date:From:Reply-To:Subject:To;
 b=hwTwnGaueYiCWcDMwfMmbNAIAso/rxeqSukYmOPWuHsZS3DhFyev2oUU0yw9NpGagEO
 452g19OglX+oP4xqVUnxmysNFt+08BAvQnomr84r2B7qcur3Ncv8dj7rR2wEA6TPd6pPO
 kOGkDDkAbqGN1egiH70/dNBMACJGWvvCCJk=
X-ZohoMail-DKIM: pass (identity @groups.io)
Content-Type: text/plain; charset="utf-8"

In QEMU commit range 4abf70a661a5..69699f3055a5, Phil implemented a QEMU
facility for exposing the host-side TLS cipher suite configuration to
OVMF. The purpose is to control the permitted ciphers in the guest's UEFI
HTTPS boot. This complements the forwarding of the host-side crypto policy
from the host to the guest -- the other facet was the set of CA
certificates (for which p11-kit patches had been upstreamed, on the host
side).

Mention the new command line options in "OvmfPkg/README".

Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Gary Lin <glin@suse.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Philippe Mathieu-Daud=C3=A9 <philmd@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2852
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Gary Lin <glin@suse.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daude <philmd@redhat.com>
---
 OvmfPkg/README | 24 ++++++++++++--------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/OvmfPkg/README b/OvmfPkg/README
index 3dd28474ead4..2009d9d29796 100644
--- a/OvmfPkg/README
+++ b/OvmfPkg/README
@@ -294,67 +294,73 @@ and encrypted connection.
=20
   You can also append a certificate to the existing list with the following
   command:
=20
   efisiglist -i <old certdb> -a <cert file> -o <new certdb>
=20
   NOTE: You may need the patch to make efisiglist generate the correct hea=
der.
   (https://github.com/rhboot/pesign/pull/40)
=20
 * Besides the trusted certificates, it's also possible to configure the tr=
usted
   cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/cip=
hers.
=20
-  -fw_cfg name=3Detc/edk2/https/ciphers,file=3D<cipher suites>
-
   OVMF expects a binary UINT16 array which comprises the cipher suites HEX
   IDs(*4). If the cipher suite list is given, OVMF will choose the cipher
   suite from the intersection of the given list and the built-in cipher
   suites. Otherwise, OVMF just chooses whatever proper cipher suites from =
the
   built-in ones.
=20
-  While the tool(*5) to create the cipher suite array is still under
-  development, the array can be generated with the following script:
+  Using QEMU 5.1 or later, QEMU can expose the ordered list of permitted T=
LS
+  cipher suites from the host side to OVMF:
+
+  -object tls-cipher-suites,id=3Dmysuite0,priority=3D@SYSTEM \
+  -fw_cfg name=3Detc/edk2/https/ciphers,gen_id=3Dmysuite0
+
+  (Refer to the QEMU manual and to
+  <https://gnutls.org/manual/html_node/Priority-Strings.html> for more
+  information on the "priority" property.)
+
+  Using QEMU 5.0 or earlier, the array has to be passed from a file:
+
+  -fw_cfg name=3Detc/edk2/https/ciphers,file=3D<cipher suites>
+
+  whose contents can be generated with the following script, for example:
=20
   export LC_ALL=3DC
   openssl ciphers -V \
   | sed -r -n \
      -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
   | xargs -r -- printf -- '%b' > ciphers.bin
=20
   This script creates ciphers.bin that contains all the cipher suite IDs
   supported by openssl according to the local host configuration.
=20
   You may want to enable only a limited set of cipher suites. Then, you
   should check the validity of your list first:
=20
   openssl ciphers -V <cipher list>
=20
   If all the cipher suites in your list map to the proper HEX IDs, go ahead
   to modify the script and execute it:
=20
   export LC_ALL=3DC
   openssl ciphers -V <cipher list> \
   | sed -r -n \
      -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
   | xargs -r -- printf -- '%b' > ciphers.bin
=20
-* In the future (after release 2.12), QEMU should populate both above fw_c=
fg
-  files automatically from the local host configuration, and enable the us=
er
-  to override either with dedicated options or properties.
-
 (*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A.
 (*2) p11-kit: https://github.com/p11-glue/p11-kit/
 (*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisigli=
st.c
 (*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_corres=
pondence_table
-(*5) update-crypto-policies: https://gitlab.com/redhat-crypto/fedora-crypt=
o-policies
=20
 =3D=3D=3D OVMF Flash Layout =3D=3D=3D
=20
 Like all current IA32/X64 system designs, OVMF's firmware device (rom/flas=
h)
 appears in QEMU's physical address space just below 4GB (0x100000000).
=20
 OVMF supports building a 1MB, 2MB or 4MB flash image (see the DSC files fo=
r the
 FD_SIZE_1MB, FD_SIZE_2MB, FD_SIZE_4MB build defines). The base address for=
 the
 1MB image in QEMU physical memory is 0xfff00000. The base address for the =
2MB
 image is 0xffe00000. The base address for the 4MB image is 0xffc00000.
=20
 Using the 1MB or 2MB image, the layout of the firmware device in memory lo=
oks
--=20
2.19.1.3.g30247aa5d201


-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#65088): https://edk2.groups.io/g/devel/message/65088
Mute This Topic: https://groups.io/mt/76689975/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-