From nobody Sun Apr 28 22:38:54 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.12
 as permitted sender) client-ip=66.175.222.12;
 envelope-from=bounce+27952+65433+1787277+3901457@groups.io;
 helo=web01.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as
 permitted sender)
  smtp.mailfrom=bounce+27952+65433+1787277+3901457@groups.io;
	dmarc=fail(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1600766321; cv=none;
	d=zohomail.com; s=zohoarc;
	b=GegI6w8o4G4bOe/6QHZpilt/ihuY0eSxkDENtWgM/oQL4aoBONuLGfuie+zh5nlOJmsn3tyFcQhG9x34wYpiby+iWbnYRQueYuEE1f8Pj0rdNwoO3cnMZBiBUc5zst+/pebqyclQd3/QPQRJAzAYvIV9UZHmjrJ9q/fBsr4gw58=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1600766321;
 h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Sender:Subject:To;
	bh=M5k/rGvbYLrTd5qw3qyxhW34ZnPVmq3cvPwg2bIhbG0=;
	b=kwlcr0ncOCa2G6rgLKkfJH0X91q2pVnLOaCksLv3qz4CCO5DdfSbVdxIgE4dwd2abLaLMAPpooSHK9826iQTuYA5dg1XXH9cbUaSFrLxqN5FryphIbfE06rJjS/nFXsnYh/vhcDvPhb4HHo/fni9OqgyxuzYlTJOYR4OExweKvU=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.12 as
 permitted sender)
  smtp.mailfrom=bounce+27952+65433+1787277+3901457@groups.io;
	dmarc=fail header.from=<lersek@redhat.com> (p=none dis=none)
 header.from=<lersek@redhat.com>
Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by
 mx.zohomail.com
	with SMTPS id 1600766321867289.61121093405166;
 Tue, 22 Sep 2020 02:18:41 -0700 (PDT)
Return-Path: <bounce+27952+65433+1787277+3901457@groups.io>
X-Received: by 127.0.0.2 with SMTP id 2wO3YY1788612xUqMXg3pCYs;
 Tue, 22 Sep 2020 02:18:41 -0700
X-Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [216.205.24.124])
 by mx.groups.io with SMTP id smtpd.web12.4186.1600766320572064596
 for <devel@edk2.groups.io>;
 Tue, 22 Sep 2020 02:18:40 -0700
X-Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-337-ZDBTds9mP8K8ky8U5PQxUg-1; Tue, 22 Sep 2020 05:18:31 -0400
X-MC-Unique: ZDBTds9mP8K8ky8U5PQxUg-1
X-Received: from smtp.corp.redhat.com
 (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id EBEB81084C9A;
	Tue, 22 Sep 2020 09:18:29 +0000 (UTC)
X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-112-3.ams2.redhat.com
 [10.36.112.3])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 770F561177;
	Tue, 22 Sep 2020 09:18:28 +0000 (UTC)
From: "Laszlo Ersek" <lersek@redhat.com>
To: edk2-devel-groups-io <devel@edk2.groups.io>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>,
	Gary Lin <glin@suse.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	=?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Subject: [edk2-devel] [PATCH] OvmfPkg/README: HTTPS Boot: describe host-side
 TLS cipher suites forwarding
Date: Tue, 22 Sep 2020 11:18:27 +0200
Message-Id: <20200922091827.12617-1-lersek@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Precedence: Bulk
List-Unsubscribe: <https://edk2.groups.io/g/devel/unsub>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,lersek@redhat.com
X-Gm-Message-State: 82eUsrbXkogyRluFFav0SFURx1787277AA=
Content-Transfer-Encoding: quoted-printable
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io;
 q=dns/txt; s=20140610; t=1600766321;
 bh=M5k/rGvbYLrTd5qw3qyxhW34ZnPVmq3cvPwg2bIhbG0=;
 h=Cc:Content-Type:Date:From:Reply-To:Subject:To;
 b=CeYIQNWUcwpm9D/bvz1k6s88OLNA3bvnIJS4ddDd8iuceXj5sjZJWTLC3w8Fk73DLpI
 BAnrDMkiLKDaILoWLBlAcp4pQAKIhh57LkmVHKwVchFlI4uv5wmXXfgjbi8zoCAJMApn0
 RN/9wREm1tbAa6hO7Ef5kbMWdwSI9ZFHbME=
X-ZohoMail-DKIM: pass (identity @groups.io)
Content-Type: text/plain; charset="utf-8"

In QEMU commit range 4abf70a661a5..69699f3055a5 (later fixed up in QEMU
commit 4318432ccd3f), Phil implemented a QEMU facility for exposing the
host-side TLS cipher suite configuration to OVMF. The purpose is to
control the permitted ciphers in the guest's UEFI HTTPS boot. This
complements the forwarding of the host-side crypto policy from the host to
the guest -- the other facet was the set of CA certificates (for which
p11-kit patches had been upstreamed, on the host side).

Mention the new command line options in "OvmfPkg/README".

Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Gary Lin <glin@suse.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Philippe Mathieu-Daud=C3=A9 <philmd@redhat.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2852
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Gary Lin <glin@suse.com>
Reviewed-by: Philippe Mathieu-Daud=C3=A9 <philmd@redhat.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
---

Notes:
    v2:
   =20
    - Move the feature boundary from between QEMU 5.0 and 5.1 to 5.1<->5.2
      (the necessary upstream QEMU commit 4318432ccd3f will only be released
      as part of 5.2). Update both the README contents and the commit
      message.
   =20
    - Indent the "Using QEMU <version>" list entries, and prefix them with a
      hyphen, for better separation. [Phil]
   =20
    - Pick up Gary's R-b.
   =20
    - Pick up Phil's R-b.
   =20
    - Do not pick up Phil's T-b.
   =20
    Repo:   https://pagure.io/lersek/edk2.git
    Branch: tianocore_2852_v2

 OvmfPkg/README | 24 ++++++++++++--------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/OvmfPkg/README b/OvmfPkg/README
index 3dd28474ead4..70f0c4152686 100644
--- a/OvmfPkg/README
+++ b/OvmfPkg/README
@@ -294,67 +294,73 @@ and encrypted connection.
=20
   You can also append a certificate to the existing list with the following
   command:
=20
   efisiglist -i <old certdb> -a <cert file> -o <new certdb>
=20
   NOTE: You may need the patch to make efisiglist generate the correct hea=
der.
   (https://github.com/rhboot/pesign/pull/40)
=20
 * Besides the trusted certificates, it's also possible to configure the tr=
usted
   cipher suites for HTTPS through another fw_cfg entry: etc/edk2/https/cip=
hers.
=20
-  -fw_cfg name=3Detc/edk2/https/ciphers,file=3D<cipher suites>
-
   OVMF expects a binary UINT16 array which comprises the cipher suites HEX
   IDs(*4). If the cipher suite list is given, OVMF will choose the cipher
   suite from the intersection of the given list and the built-in cipher
   suites. Otherwise, OVMF just chooses whatever proper cipher suites from =
the
   built-in ones.
=20
-  While the tool(*5) to create the cipher suite array is still under
-  development, the array can be generated with the following script:
+  - Using QEMU 5.2 or later, QEMU can expose the ordered list of permitted=
 TLS
+    cipher suites from the host side to OVMF:
+
+  -object tls-cipher-suites,id=3Dmysuite0,priority=3D@SYSTEM \
+  -fw_cfg name=3Detc/edk2/https/ciphers,gen_id=3Dmysuite0
+
+  (Refer to the QEMU manual and to
+  <https://gnutls.org/manual/html_node/Priority-Strings.html> for more
+  information on the "priority" property.)
+
+  - Using QEMU 5.1 or earlier, the array has to be passed from a file:
+
+  -fw_cfg name=3Detc/edk2/https/ciphers,file=3D<cipher suites>
+
+  whose contents can be generated with the following script, for example:
=20
   export LC_ALL=3DC
   openssl ciphers -V \
   | sed -r -n \
      -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
   | xargs -r -- printf -- '%b' > ciphers.bin
=20
   This script creates ciphers.bin that contains all the cipher suite IDs
   supported by openssl according to the local host configuration.
=20
   You may want to enable only a limited set of cipher suites. Then, you
   should check the validity of your list first:
=20
   openssl ciphers -V <cipher list>
=20
   If all the cipher suites in your list map to the proper HEX IDs, go ahead
   to modify the script and execute it:
=20
   export LC_ALL=3DC
   openssl ciphers -V <cipher list> \
   | sed -r -n \
      -e 's/^ *0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .*$/\\\\x\1 \\\\x\2/p' \
   | xargs -r -- printf -- '%b' > ciphers.bin
=20
-* In the future (after release 2.12), QEMU should populate both above fw_c=
fg
-  files automatically from the local host configuration, and enable the us=
er
-  to override either with dedicated options or properties.
-
 (*1) See "31.4.1 Signature Database" in UEFI specification 2.7 errata A.
 (*2) p11-kit: https://github.com/p11-glue/p11-kit/
 (*3) efisiglist: https://github.com/rhboot/pesign/blob/master/src/efisigli=
st.c
 (*4) https://wiki.mozilla.org/Security/Server_Side_TLS#Cipher_names_corres=
pondence_table
-(*5) update-crypto-policies: https://gitlab.com/redhat-crypto/fedora-crypt=
o-policies
=20
 =3D=3D=3D OVMF Flash Layout =3D=3D=3D
=20
 Like all current IA32/X64 system designs, OVMF's firmware device (rom/flas=
h)
 appears in QEMU's physical address space just below 4GB (0x100000000).
=20
 OVMF supports building a 1MB, 2MB or 4MB flash image (see the DSC files fo=
r the
 FD_SIZE_1MB, FD_SIZE_2MB, FD_SIZE_4MB build defines). The base address for=
 the
 1MB image in QEMU physical memory is 0xfff00000. The base address for the =
2MB
 image is 0xffe00000. The base address for the 4MB image is 0xffc00000.
=20
 Using the 1MB or 2MB image, the layout of the firmware device in memory lo=
oks
--=20
2.19.1.3.g30247aa5d201



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#65433): https://edk2.groups.io/g/devel/message/65433
Mute This Topic: https://groups.io/mt/77009601/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-