On 01/12/17 17:46, Kinney, Michael D wrote:
> Maybe we should also consider a slight PCD name change so
> this PCD is not confused with -D HTTP_BOOT_ENABLE.
> 
>   PcdAllowHttpConnections

Good point!
Laszlo

> 
> Mike
> 
>> -----Original Message-----
>> From: edk2-devel [mailto:[email protected]] On Behalf Of Laszlo Ersek
>> Sent: Thursday, January 12, 2017 8:22 AM
>> To: Fu, Siyuan <[email protected]>; Wu, Jiaxin <[email protected]>; edk2-
>> [email protected]
>> Cc: Ye, Ting <[email protected]>; Ni, Ruiyu <[email protected]>; Gary Ching-Pang Lin <[email protected]>
>> Subject: Re: [edk2] [Patch 0/2] Enable the HTTP switch
>>
>> On 01/12/17 12:45, Fu, Siyuan wrote:
>>> Hi, Laszlo
>>>
>>
>>> This PCD is introduced for security consideration; it's not to
>>> include/exclude the whole HTTP boot feature, but to allow/deny
>>> unsecured HTTP connections. So
>>>     If this PCD is true, both HTTP (http://...) and HTTPS (https://...) are allowed.
>>>     If this PCD is false, only HTTPS connections are allowed; HTTP is forbidden.
>>> The default is false (HTTPS only).
>>>
>>> For your question, if the new PCD is set to false, and OVMF is built
>>> with -D HTTP_BOOT_ENABLE, all these drivers will still be included in
>>> the FD image, but only HTTPS connections could be established. In
>>> other words, attempts to boot from a URL like "http://server/boot.efi"
>>> will fail.
>>
>> Thank you, this makes perfect sense.
>>
>> But, in this case, I think the PCD description in the .DEC file is not clear
>> enough:
>>
>> +  ## Indicates whether the HTTP is enabled or not.
>> +  # TRUE  - HTTP is enabled. The "http://"; scheme is acceptable.
>> +  # FALSE - HTTP is disabled. The "http://"; scheme will be denied.
>> +  # @Prompt Indicates whether the HTTP is enabled or not.
>> +  gEfiNetworkPkgTokenSpaceGuid.PcdHttpEnable|FALSE|BOOLEAN|0x00000008
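Review bot: the `gEfiNetworkPkgTokenSpaceGuid.PcdHttpEnable|FALSE|BOOLEAN|0x00000008` line defaults the PCD to FALSE, which is the right secure default (plaintext HTTP denied, HTTPS still allowed), but the three comment lines above it never say that "https://" keeps working when the value is FALSE, and "HTTP is disabled" reads as if the HttpDxe/HttpBootDxe drivers themselves were switched off. Reword the description to state explicitly that HTTPS connections are always permitted and that FALSE only rejects the "http://" scheme, and mention the behavioural change in the commit message so platforms that currently boot from http:// URLs know they must set the PCD to TRUE.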
>>
>> I suggest the following wording instead:
>>
>>   ## Indicates whether HTTP (i.e., unsecured) connections are permitted or 
>> not.
>>   #  HTTPS connections are always permitted.
>>   #   TRUE -  Both the "https://"; and "http://"; URI schemes are permitted.
>>   #   FALSE - Only the "https://"; URI scheme is permitted.
>>   gEfiNetworkPkgTokenSpaceGuid.PcdHttpEnable|FALSE|BOOLEAN|0x00000008
>>
>> Can you please consider this? I think it's clearer.
>>
>> Thanks!
>> Laszlo
>>
>>>
>>> Siyuan
>>>
>>> -----Original Message-----
>>> From: edk2-devel [mailto:[email protected]] On Behalf Of Laszlo Ersek
>>> Sent: January 12, 2017 18:23
>>> To: Wu, Jiaxin <[email protected]>; [email protected]
>>> Cc: Ye, Ting <[email protected]>; Ni, Ruiyu <[email protected]>; Fu, Siyuan <[email protected]>; Gary Ching-Pang Lin <[email protected]>
>>> Subject: Re: [edk2] [Patch 0/2] Enable the HTTP switch
>>>
>>> On 01/12/17 09:52, Jiaxin Wu wrote:
>>>> If the value of PcdHttpEnable is TRUE, HTTP is enabled. Both the
>>>> "http://" and "https://" schemes are acceptable. Otherwise, HTTP is
>>>> disabled. The "http://" scheme will be denied.
>>>>
>>>> Cc: Ye Ting <[email protected]>
>>>> Cc: Fu Siyuan <[email protected]>
>>>> Cc: Ruiyu Ni <[email protected]>
>>>> Contributed-under: TianoCore Contribution Agreement 1.0
>>>> Signed-off-by: Wu Jiaxin <[email protected]>
>>>>
>>>> Jiaxin Wu (2):
>>>>   NetworkPkg: Add PCD to enable the HTTP switch
>>>>   Nt32Pkg.dsc: Add HTTP_ENABLE flag
>>>>
>>>>  NetworkPkg/HttpBootDxe/HttpBootClient.c  | 20 +++++++-
>>>>  NetworkPkg/HttpBootDxe/HttpBootConfig.c  | 81 ++++++++++++++++++++------------
>>>>  NetworkPkg/HttpBootDxe/HttpBootDxe.inf   |  5 +-
>>>>  NetworkPkg/HttpBootDxe/HttpBootSupport.c | 53 ++++++++++++++++++++-
>>>>  NetworkPkg/HttpBootDxe/HttpBootSupport.h | 17 ++++++-
>>>>  NetworkPkg/HttpDxe/HttpDxe.inf           |  5 +-
>>>>  NetworkPkg/HttpDxe/HttpImpl.c            | 12 ++++-
>>>>  NetworkPkg/NetworkPkg.dec                |  8 +++-
>>>>  Nt32Pkg/Nt32Pkg.dsc                      |  9 ++++
>>>>  9 files changed, 173 insertions(+), 37 deletions(-)
>>>>
>>>
>>> What is the reasoning behind this change? If a platform doesn't want to
>>> support HTTP booting, it can just exclude the drivers from the build.
>>>
>>> Put differently, what use do HttpBootDxe and HttpDxe have if the PCD is set
>>> to FALSE (which is the default)?
>>>
>>> I'm asking because OVMF already has an HTTP_BOOT_ENABLE build flag, and it
>>> controls the inclusion of all of:
>>>
>>>   NetworkPkg/DnsDxe/DnsDxe.inf
>>>   NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf
>>>   NetworkPkg/HttpDxe/HttpDxe.inf
>>>   NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>>>
>>> So what will this NetworkPkg change mean for OVMF, if OVMF is built with
>>> -D HTTP_BOOT_ENABLE?
>>>
>>> Thanks
>>> Laszlo
>>> _______________________________________________
>>> edk2-devel mailing list
>>> [email protected]
>>> https://lists.01.org/mailman/listinfo/edk2-devel
>>>
>>
