Hi Laszlo,

In the commit log of patch 0001,  "EFI_TLS_CA_CERTIFICATE_VARIABLE"  should be 
"EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE".

Others  looks good to me.

Series Reviewed-by: Jiaxin Wu <jiaxin...@intel.com>


Thanks,
Jiaxin

> -----Original Message-----
> From: Laszlo Ersek [mailto:ler...@redhat.com]
> Sent: Wednesday, April 11, 2018 6:43 PM
> To: edk2-devel@lists.01.org
> Cc: Ard Biesheuvel <ard.biesheu...@linaro.org>; Gary Ching-Pang Lin
> <g...@suse.com>; Wu, Jiaxin <jiaxin...@intel.com>; Justen, Jordan L
> <jordan.l.jus...@intel.com>; Gao, Liming <liming....@intel.com>; Kinney,
> Michael D <michael.d.kin...@intel.com>; Long, Qin <qin.l...@intel.com>;
> Fu, Siyuan <siyuan...@intel.com>; Ye, Ting <ting...@intel.com>
> Subject: [PATCH v2 0/9] {Ovmf,Mde,Network,Crypto}Pkg: fixes+features for
> setting HTTPS cipher suites
> 
> Repo:   https://github.com/lersek/edk2.git
> Branch: tls_ciphers_v2
> 
> This is version 2 of the series posted earlier at
> 
>   20180403145149.8925-1-lersek@redhat.com">http://mid.mail-archive.com/20180403145149.8925-1-lersek@redhat.com
>   https://lists.01.org/pipermail/edk2-devel/2018-April/023402.html
> 
> Changes are noted per patch. One important change cannot be highlighted
> that way however, because it involves the dropping of the following two
> patches from v1:
> 
>   [edk2] [PATCH 08/13] CryptoPkg/TlsLib: add the "TlsMappingTable.sh"
>                        POSIX shell script
> 
>   [edk2] [PATCH 09/13] CryptoPkg/TlsLib: extend "TlsCipherMappingTable"
> 
> I retested HTTPS boot with this series; it succeeded. The TLS cipher
> suite preference list came from the system-wide configuration on my
> RHEL-7 laptop; basically the binary CipherId array from the command
> "openssl ciphers -V". The relevant lines from the OVMF log were:
> 
> > TlsAuthConfigDxe:SetCipherSuites: stored list of cipher suites (190 byte(s))
> > [...]
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC030
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC02C
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC028
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC024
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC014
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC00A
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x00A5
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x00A3
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x00A1
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x009F
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x006A
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0038
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0088
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0087
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0086
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0085
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC032
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC02E
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC02A
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC026
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC00F
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC005
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x009D
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0084
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x008D
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC02F
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC02B
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC027
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC023
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC013
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC009
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x00A4
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x00A2
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x00A0
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x009E
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0040
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0032
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x009A
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0099
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0098
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0097
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0045
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0044
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0043
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0042
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC031
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC02D
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC029
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC025
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC00E
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC004
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x009C
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0096
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0041
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x008C
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC012
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC008
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0013
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0010
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x000D
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC00D
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC003
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0007
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x008B
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0021
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x001F
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0025
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0023
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC011
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC007
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC00C
> > TlsDxe:TlsSetCipherList: skipping CipherId=0xC002
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x008A
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0020
> > TlsDxe:TlsSetCipherList: skipping CipherId=0x0024
> > TlsDxe:TlsSetCipherList: CipherString={
> > DHE-RSA-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-
> SHA256:DHE-RSA-AES256-
> > SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:AES256-SHA256:AES256-
> SHA:DHE-RSA-AES128
> > -SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-
> AES128-SHA:DH-RSA-AES
> > 128-SHA:DH-DSS-AES128-SHA:AES128-SHA256:AES128-SHA:DHE-RSA-DES-
> CBC3-SHA:DES-CBC
> > 3-SHA:RC4-SHA:RC4-MD5
> > }
> 
> Cc: Ard Biesheuvel <ard.biesheu...@linaro.org>
> Cc: Gary Ching-Pang Lin <g...@suse.com>
> Cc: Jiaxin Wu <jiaxin...@intel.com>
> Cc: Jordan Justen <jordan.l.jus...@intel.com>
> Cc: Liming Gao <liming....@intel.com>
> Cc: Michael D Kinney <michael.d.kin...@intel.com>
> Cc: Qin Long <qin.l...@intel.com>
> Cc: Siyuan Fu <siyuan...@intel.com>
> Cc: Ting Ye <ting...@intel.com>
> 
> Thanks,
> Laszlo
> 
> Laszlo Ersek (9):
>   OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS
>     boot
>   MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC
>   NetworkPkg/TlsDxe: verify DataSize for EfiTlsCipherList
>   NetworkPkg/TlsDxe: clean up byte order conversion for EfiTlsCipherList
>   CryptoPkg/TlsLib: replace TlsGetCipherString() with
>     TlsGetCipherMapping()
>   CryptoPkg/TlsLib: use binary search in the TlsGetCipherMapping()
>     function
>   CryptoPkg/TlsLib: pre-compute OpensslCipherLength in
>     TlsCipherMappingTable
>   CryptoPkg/TlsLib: sanitize lib classes in internal header and INF
>   CryptoPkg/TlsLib: rewrite TlsSetCipherList()
> 
>  CryptoPkg/Include/Library/TlsLib.h                    |   9 +-
>  CryptoPkg/Library/TlsLib/InternalTlsLib.h             |   4 +
>  CryptoPkg/Library/TlsLib/TlsConfig.c                  | 279 
> +++++++++++++++-----
>  CryptoPkg/Library/TlsLib/TlsLib.inf                   |   9 +-
>  MdePkg/Include/Protocol/Tls.h                         |  10 +
>  NetworkPkg/TlsDxe/TlsProtocol.c                       |  17 +-
>  OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.c   |  98 +++++++
>  OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf |   3 +-
>  8 files changed, 353 insertions(+), 76 deletions(-)
> 
> --
> 2.14.1.3.gb7cf6e02401b

_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Reply via email to