Laszlo,
(First, are you at plugfest? Let's chat.)
Second, what need do you see for having KB worth of CA at UEFI's
disposal? If the HTTPS feature is primarily for PXE booting OS's, then it is likely
the IT administrator who set up the PXE server also has a single CA they want to
use for PXE. By allowing any and every CA to be installed (instead of having
the user pick only the immediately needed CAs), we inadvertently open HTTPS to
state-backed/well-financed malicious actors who can pay for quality SSL signing
services. (The fewer CAs, the less that can go wrong.)
This is not to prevent your patches going in, but I would like to ensure
manufacturers / admins know how to properly use the CA list.
Regards,
Thomas Palmer
"I have only made this letter longer because I have not had the time to make it
shorter" - Blaise Pascal
-----Original Message-----
From: edk2-devel [mailto:[email protected]] On Behalf Of Laszlo Ersek
Sent: Wednesday, March 28, 2018 3:27 PM
To: edk2-devel-01 <[email protected]>
Cc: Ruiyu Ni <[email protected]>; Eric Dong <[email protected]>; Ard Biesheuvel <[email protected]>; Jordan Justen <[email protected]>; Gary Ching-Pang Lin <[email protected]>; Anthony Perard <[email protected]>; Star Zeng <[email protected]>
Subject: [edk2] [PATCH 0/4] MdeModulePkg, OvmfPkg: support large CA cert list for HTTPS boot
Repo: https://github.com/lersek/edk2.git
Branch: https_cacert_rhbz_1536624
The trusted CA certificates for HTTPS boot can be specified in
EFI_TLS_CA_CERTIFICATE_VARIABLE. The platform may choose to create this
variable as volatile and set it on every boot as appropriate. The OVMF feature
is that the virtualization host passes down an fw_cfg blob that carries the CA
certs trusted on the host side, and the OVMF HTTPS boot will verify web servers
against that certificate bundle. (For (part of) the host side implementation,
refer to <https://github.com/p11-glue/p11-kit/pull/137>.)
The challenge for edk2 is that the CA cert list from the host side is huge; on
my laptop it is 182KB when formatted to the EFI_SIGNATURE_LIST sequence
expected by NetworkPkg/HttpDxe. Storing this in a non-volatile
EFI_TLS_CA_CERTIFICATE_VARIABLE is out of the question, but even when making
EFI_TLS_CA_CERTIFICATE_VARIABLE volatile, there are two limits that need
raising:
(1) the individual limit on volatile variables,
(2) the cumulative limit on volatile variables.
Regarding (1), the edk2 variable driver does not distinguish a limit for
volatile non-auth vs. non-volatile non-auth variables. The first patch
introduces "PcdMaxVolatileVariableSize" for this, in a backwards compatible way
(i.e. platforms that don't care need not learn about it).
The new PCD lets a platform raise the individual limit just for volatile
non-auth variables.
Regarding (2), OvmfPkg/EmuVariableFvbRuntimeDxe has a bug where it abuses the
cumulative limit on volatile variables for the live size of the emulated
non-volatile variable store. The difference is that "volatile variables" are
volatile on the UEFI service API level
(gRT->SetVariable() etc), and the driver stack expects the FVB impls to use the
non-volatile storage PCDs (regardless of the actual FVB backing store). Patch
#2 fixes this (without change in behavior) in OvmfPkg/EmuVariableFvbRuntimeDxe.
Patch #3 adds a bit of documentation to the OVMF DSC files, as a continuation
of patch #2.
Patch #4 implements the feature, raising both limits (liberated in earlier
patches) and populating EFI_TLS_CA_CERTIFICATE_VARIABLE from fw_cfg.
I've done reasonable HTTPS boot testing and regression testing too (including
"-bios" with OVMF and pflash with ArmVirtQemu). Independent testing would be
highly appreciated (feature and regression alike).
This email is too long and so are the commit messages, but I'm too tired to
trim them; apologies.
Cc: Anthony Perard <[email protected]>
Cc: Ard Biesheuvel <[email protected]>
Cc: Eric Dong <[email protected]>
Cc: Gary Ching-Pang Lin <[email protected]>
Cc: Jordan Justen <[email protected]>
Cc: Julien Grall <[email protected]>
Cc: Ruiyu Ni <[email protected]>
Cc: Star Zeng <[email protected]>
Thanks,
Laszlo
Laszlo Ersek (4):
MdeModulePkg/Variable/RuntimeDxe: introduce PcdMaxVolatileVariableSize
OvmfPkg/EmuVariableFvbRuntimeDxe: stop using PcdVariableStoreSize
OvmfPkg: annotate "PcdVariableStoreSize := PcdFlashNvStorageVariableSize"
OvmfPkg/TlsAuthConfigLib: configure trusted CA certs for HTTPS boot
MdeModulePkg/MdeModulePkg.dec | 8 ++
MdeModulePkg/MdeModulePkg.uni | 8 ++
MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 50 ++++++--
MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.h | 12 ++
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 1 +
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c | 2 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 1 +
OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.c | 6 +-
OvmfPkg/EmuVariableFvbRuntimeDxe/Fvb.inf | 3 +-
OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c | 133 ++++++++++++++++++++
OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf | 55 ++++++++
OvmfPkg/OvmfPkgIa32.dsc | 15 ++-
OvmfPkg/OvmfPkgIa32X64.dsc | 15 ++-
OvmfPkg/OvmfPkgX64.dsc | 15 ++-
14 files changed, 308 insertions(+), 16 deletions(-)
create mode 100644 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c
create mode 100644 OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf
--
2.14.1.3.gb7cf6e02401b
_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.01.org/mailman/listinfo/edk2-devel
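As an added example (not code from either message, nor from edk2 or p11-kit), the following Python encoder/decoder handles the EFI_SIGNATURE_LIST sequence that NetworkPkg/HttpDxe expects in EFI_TLS_CA_CERTIFICATE_VARIABLE. It makes the size arithmetic behind Laszlo's 182KB figure visible (28-byte list header plus a 16-byte owner GUID per certificate, on top of each DER body) and gives a platform owner a way to build and inspect a bundle that contains only the CAs actually needed for HTTPS boot, the point Thomas raises. The certificate bytes below are constructed placeholder DER SEQUENCEs, not real X.509 certificates; EFI_CERT_X509_GUID is the UEFI specification value; emitting one EFI_SIGNATURE_LIST per certificate is a design choice here, because SignatureSize is fixed within a list while DER certificate lengths vary.

```python
import struct
import uuid

# SignatureType for DER-encoded X.509 certificates (UEFI specification).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Fixed part of EFI_SIGNATURE_LIST: SignatureType GUID (16 bytes) followed by
# SignatureListSize, SignatureHeaderSize and SignatureSize (UINT32 each).
_LIST_HDR = struct.Struct("<III")
_LIST_HDR_LEN = 16 + _LIST_HDR.size
# Each EFI_SIGNATURE_DATA entry starts with a SignatureOwner GUID.
_OWNER_LEN = 16


def _der_total_len(blob):
    """Return the encoded length of a DER SEQUENCE (short or long form)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or len(blob) < 2 + nbytes:
        raise ValueError("malformed DER length")
    return 2 + nbytes + int.from_bytes(blob[2:2 + nbytes], "big")


def build_signature_lists(der_certs, owner=uuid.UUID(int=0)):
    """Encode DER certificates as a sequence of EFI_SIGNATURE_LISTs.

    One list per certificate, each holding exactly one EFI_SIGNATURE_DATA
    entry, so SignatureSize can follow the certificate's own length.
    """
    out = bytearray()
    for der in der_certs:
        der = bytes(der)
        if _der_total_len(der) != len(der):
            raise ValueError("DER length does not match certificate size")
        sig_size = _OWNER_LEN + len(der)
        list_size = _LIST_HDR_LEN + sig_size      # SignatureHeaderSize is 0
        out += EFI_CERT_X509_GUID.bytes_le
        out += _LIST_HDR.pack(list_size, 0, sig_size)
        out += owner.bytes_le + der
    return bytes(out)


def parse_signature_lists(blob):
    """Walk a sequence of EFI_SIGNATURE_LISTs, validating every size field.

    Returns a list of (SignatureType, SignatureOwner, SignatureData) tuples
    and raises ValueError on any truncation or inconsistent size.
    """
    blob = bytes(blob)
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off + 16)
        if list_size < _LIST_HDR_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize exceeds available data")
        body = list_size - _LIST_HDR_LEN - hdr_size
        if sig_size < _OWNER_LEN or body % sig_size != 0:
            raise ValueError("SignatureSize does not divide the list body")
        data_off = off + _LIST_HDR_LEN + hdr_size
        for i in range(body // sig_size):
            entry = blob[data_off + i * sig_size:data_off + (i + 1) * sig_size]
            owner = uuid.UUID(bytes_le=entry[:_OWNER_LEN])
            entries.append((sig_type, owner, entry[_OWNER_LEN:]))
        off += list_size
    return entries


def summarize(blob):
    """Certificate count and total payload size, for comparing against the
    platform's volatile variable limit before calling SetVariable()."""
    return {"certs": len(parse_signature_lists(blob)), "bytes": len(blob)}


# Constructed placeholder "certificates": valid DER SEQUENCEs, not real X.509.
CERT_A = b"\x30\x03\x02\x01\x05"
CERT_B = b"\x30\x05\x02\x03\x01\x02\x03"

if __name__ == "__main__":
    bundle = build_signature_lists([CERT_A, CERT_B])
    print(summarize(bundle))
```

Run with real certificates by reading DER files into the list passed to build_signature_lists(); the per-certificate overhead reported by summarize() is what a platform has to budget for in the volatile variable limit.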