On 02/01/2024 06:06, Chang, Abner via groups.io wrote:
What do you think about:
- installing TLS on HTTP handle (as you have already implemented)
- using EDKII_HTTP_CALLBACK_PROTOCOL to catch the HttpEventInitSession
and perform whatever calls are needed to SetData() to modify the TLS
configuration?
Leverage HttpNotify is good but still has some problems, as HttpNotify is
designed to notify callback owner about a specific task was done. In order to
keep this HttpNotify nature, we can create a callback point at the end of
TlsCreateChild() with a newly introduced event type says
HttpEventTlsChildCreated. The reason we have to create this notification before
TlsConfigureSession() is because this function uses the default configuration
data to configure TLS. However, it doesn't have to do EfiTlsVerifyHost and
TlsConfigCertificate if there is nothing to verify.
The problem in configuring EfiTlsVerifyHost is It always checks verification
method with EFI_TLS_VERIFY_PEER, while the problem of TlsConfigCertificate is
it considers platform always can provide the certificate. Anyway to configure
TLS after TlsConfigCertificate is to late as the error status already returned
earlier. Furthermore the design of HttpNotify doesn't provide the output
information for caller to determine the different code paths. So with above,
how can we skip configuring TLS again with the default values in HttpSupport.c
even platform code already configured it before TlsConfigureSession()?
I may not have been clear enough: I'm suggesting that we allow
TlsConfigureSession() to perform its normal configuration, and then use
the HttpEventInitSession callback to modify this configuration (e.g.
setting EFI_TLS_VERIFY_NONE).
Yes, this would mean that a tiny amount of unnecessary work is done
(e.g. first setting EFI_TLS_VERIFY_PEER, then later changing it to
EFI_TLS_VERIFY_NONE) but this is a negligible amount of execution time
and allows us to keep the code simple.
The HttpEventInitSession callback is guaranteed to be called before the
calls to HttpGenRequestMessage() and HttpTransmitTcp() (even if running
at TPL_APPLICATION with network polling taking place) and so is
guaranteed to be a safe point at which to perform additional TLS
configuration via SetData().
So, to expand on what I wrote before, I'm suggesting:
- refactor TlsCreateChild() to install the TLS protocols on the HTTP
handle (as you have already implemented).
- (optional) Remove TlsChildHandle and replace with a boolean flag.
- No further changes required to HttpDxe, as far as I can tell.
- In RedfishRestExDxe, install an EDKII_HTTP_CALLBACK_PROTOCOL before
calling EFI_HTTP_PROTOCOL.Request().
- Allow the call to Request() to perform its normal TLS configuration
via TlsConfigureSession(), as though the connection were going to
perform host verification etc as per the platform default policy. This
configuration should succeed, with no error returned.
- In the RedfishRestExDxe callback, check for HttpEventInitSession and
use calls to EFI_TLS_CONFIGURATION_PROTOCOL.SetData() to modify the TLS
configuration to e.g. set EFI_TLS_VERIFY_NONE.
To make the callback implementation easier, you may want to extend
HttpNotify() to take HTTP_PROTOCOL *HttpInstance as its first parameter,
and then pass HttpInstance->Handle as an additional parameter to the
callback method, i.e.:
typedef
VOID
(EFIAPI *EDKII_HTTP_CALLBACK)(
IN EDKII_HTTP_CALLBACK_PROTOCOL *This,
IN EFI_HANDLE HttpHandle,
IN EDKII_HTTP_CALLBACK_EVENT Event,
IN EFI_STATUS EventStatus
);
VOID
HttpNotify (
IN HTTP_PROTOCOL *HttpInstance,
IN EDKII_HTTP_CALLBACK_EVENT Event,
IN EFI_STATUS EventStatus
)
{
...
HttpCallback->Callback (
HttpCallback,
HttpInstance->Handle,
Event,
EventStatus
);
...
}
Since EDKII_HTTP_CALLBACK_PROTOCOL is internal to EDK2 (and not covered
by the UEFI specification), this change should be possible. I've
checked all of the HttpNotify() call sites in the EDK2 repo, and they do
all have an HttpInstance available to use.
Thanks,
Michael
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#113033): https://edk2.groups.io/g/devel/message/113033
Mute This Topic: https://groups.io/mt/103368438/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
