> > >> If everyone agrees, then Jiaxin, can you please append a third patch for
> > >> OvmfPkg, which sets PcdAllowHttpConnections to TRUE whenever
> > >> HTTP_BOOT_ENABLE is TRUE?
> > >>
> > >
> > > Laszlo,
> > >
> > > As I talked about above, and according to your requirement, we have the
> > > below update choices:
> > >
> > > 1) The flag definition (ALLOW_HTTP_CONNECTIONS) with TRUE value to
> > > allow the HTTP connections (the same as NT32).
> > >
> > >     DEFINE ALLOW_HTTP_CONNECTIONS = TRUE
> > >     !if $(ALLOW_HTTP_CONNECTIONS) == TRUE
> > >        gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
> > >     !endif
> > >
> > > 2) Sets PcdAllowHttpConnections to TRUE whenever HTTP_BOOT_ENABLE is
> > > TRUE
> > >     !if $(HTTP_BOOT_ENABLE) == TRUE
> > >        gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
> > >     !endif
> > >
> > > For 1), Flexible control!
> > > For 2), we have no way to stop the HTTP connections while HTTPS is
> > > allowed. That means no HTTP connections control switch.
> > >
> > > I still prefer 1), but that depends on you since you are the OVMF
> > > platform owner :).
> > >
> > > What's your opinion?
> >
> > I agree that for a security-oriented approach, for a production
> > firmware, both the DEC default *and* the separate ALLOW_HTTP_CONNECTIONS
> > build flag make sense.
> >
> > For the default -D HTTP_BOOT_ENABLE build of upstream OVMF however, I
> > think ease of use is more important. In a home or company or team
> > intranet setting, booting virtual machines from plain HTTP is
> > acceptable, I think; forcing users to set up HTTPS on the server side,
> > and mess with keys, would be an inconvenience, in my opinion.
> >
> > I guess we could introduce ALLOW_HTTP_CONNECTIONS with a TRUE default,
> > but in general I try to minimize the number of different build flags
> > (same way as MdeModulePkg seeks to minimize new PCDs); I think they
> > quickly become confusing.
> >
> > Serious users (like distros shipping OVMF) can flip the PCD in the DSC
> > files anyway.
> >
> > So, I prefer (2). Jordan, Gary, what do you guys think?
> >
> (2) sounds reasonable to me. Maybe we can also explain the PCD in the
> comment or README to help the user to make the decision.
> 

Ok, I will append a third patch for OVMF with solution (2) but keep the 
ALLOW_HTTP_CONNECTIONS only for Nt32Pkg.

    !if $(HTTP_BOOT_ENABLE) == TRUE
       gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
    !endif

Thanks for all of your comments.

Jiaxin


> Thanks,
> 
> Gary Lin
> 
> > Thanks!
> > Laszlo
> >
> > >
> > >> (Note that in "OvmfPkgIa32X64.dsc", the setting should likely go under
> > >> [PcdsFixedAtBuild.X64].)
> > >>
> > >> Thanks!
> > >> Laszlo
> >
> > _______________________________________________
> > edk2-devel mailing list
> > [email protected]
> > https://lists.01.org/mailman/listinfo/edk2-devel
> >
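The two DSC fragments discussed in the thread differ in whether a distro or user can still switch plain HTTP off once HTTP boot is enabled. The following is an added example, not part of the thread and not the EDK2 BaseTools DSC parser: it models only the subset of DSC syntax the two options use (DEFINE, `!if $(X) == VALUE`, `!endif`, and `Guid.PcdName|Value` lines), lets command-line `-D` defines override in-file DEFINEs as the real build does, and assumes the NetworkPkg DEC default for PcdAllowHttpConnections is FALSE, as the thread implies. Running it shows that under option (2) the PCD is forced TRUE by HTTP_BOOT_ENABLE alone, while option (1) keeps an independent switch.

```python
"""Simplified evaluator for the DSC conditionals in the thread (constructed example).

Not the EDK2 BaseTools parser: handles only DEFINE, '!if $(NAME) == VALUE',
'!endif', and 'TokenSpaceGuid.PcdName|Value' lines, which is all the two
options need. Command-line -D defines take precedence over in-file DEFINEs.
"""
import re
from typing import Dict, Iterable, Optional

_DEFINE_RE = re.compile(r"^DEFINE\s+(\w+)\s*=\s*(\S+)$")
# Tolerates whitespace inside the parentheses, e.g. '$( HTTP_BOOT_ENABLE)'.
_IF_RE = re.compile(r"^!if\s+\$\(\s*(\w+)\s*\)\s*==\s*(\S+)$")
_PCD_RE = re.compile(r"^([\w.]+)\|(\S+)$")

PCD = "gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections"
DEC_DEFAULT = "FALSE"  # assumption: NetworkPkg DEC default, as the thread implies

# Option (1) from the thread: a dedicated build flag defaulting to TRUE.
OPTION_1 = """
DEFINE ALLOW_HTTP_CONNECTIONS = TRUE
!if $(ALLOW_HTTP_CONNECTIONS) == TRUE
   gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
!endif
""".splitlines()

# Option (2) from the thread: tied to HTTP_BOOT_ENABLE, no separate switch.
OPTION_2 = """
!if $(HTTP_BOOT_ENABLE) == TRUE
   gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|TRUE
!endif
""".splitlines()


def evaluate_dsc(lines: Iterable[str], cmdline_defines: Dict[str, str]) -> Dict[str, str]:
    """Return the PCD assignments that survive the !if conditionals."""
    file_defines: Dict[str, str] = {}
    pcds: Dict[str, str] = {}
    stack = []  # one entry per open !if: whether that branch is active

    def lookup(name: str) -> Optional[str]:
        # -D on the command line wins over a DEFINE in the DSC.
        return cmdline_defines.get(name, file_defines.get(name))

    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # '#' starts a DSC comment
        if not line:
            continue
        if line == "!endif":
            if not stack:
                raise ValueError("!endif without matching !if")
            stack.pop()
            continue
        m = _IF_RE.match(line)
        if m:
            name, wanted = m.groups()
            stack.append(all(stack) and lookup(name) == wanted)
            continue
        if not all(stack):
            continue  # inside an inactive branch
        m = _DEFINE_RE.match(line)
        if m:
            file_defines[m.group(1)] = m.group(2)
            continue
        m = _PCD_RE.match(line)
        if m:
            pcds[m.group(1)] = m.group(2)
            continue
        raise ValueError(f"unsupported DSC line in this simplified model: {line}")
    if stack:
        raise ValueError("unterminated !if")
    return pcds


def allows_http(option_lines: Iterable[str], **build_flags: str) -> bool:
    """True if the build ends with PcdAllowHttpConnections set to TRUE."""
    pcds = evaluate_dsc(option_lines, build_flags)
    return pcds.get(PCD, DEC_DEFAULT) == "TRUE"


if __name__ == "__main__":
    for label, option in (("option 1", OPTION_1), ("option 2", OPTION_2)):
        print(label, "HTTP_BOOT_ENABLE=TRUE ->", allows_http(option, HTTP_BOOT_ENABLE="TRUE"))
        print(label, "HTTP_BOOT_ENABLE=TRUE ALLOW_HTTP_CONNECTIONS=FALSE ->",
              allows_http(option, HTTP_BOOT_ENABLE="TRUE", ALLOW_HTTP_CONNECTIONS="FALSE"))
```

The second line printed for each option is the point Jiaxin raises: with option (2), passing `-D ALLOW_HTTP_CONNECTIONS=FALSE` has no effect, so a distro that wants HTTPS-only boot has to edit the DSC (or override the PCD there) rather than flip a build flag.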