On 09/15/20 19:09, Philippe Mathieu-Daudé wrote: > Hi Laszlo, > > On 9/10/20 8:02 AM, Laszlo Ersek wrote: >> On 09/09/20 18:21, Philippe Mathieu-Daudé wrote: >>> On 9/7/20 6:18 PM, Laszlo Ersek wrote: >>>> In QEMU commit range 4abf70a661a5..69699f3055a5, Phil implemented a QEMU >>>> facility for exposing the host-side TLS cipher suite configuration to >>>> OVMF. The purpose is to control the permitted ciphers in the guest's UEFI >>>> HTTPS boot. This complements the forwarding of the host-side crypto policy >>>> from the host to the guest -- the other facet was the set of CA >>>> certificates (for which p11-kit patches had been upstreamed, on the host >>>> side). >>>> >>>> Mention the new command line options in "OvmfPkg/README". >>>> >>>> Cc: Ard Biesheuvel <ard.biesheu...@arm.com> >>>> Cc: Gary Lin <g...@suse.com> >>>> Cc: Jordan Justen <jordan.l.jus...@intel.com> >>>> Cc: Philippe Mathieu-Daudé <phi...@redhat.com> >>>> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2852 >>> >>> Thanks for addressing this BZ for me... >>> >>>> Signed-off-by: Laszlo Ersek <ler...@redhat.com> >>>> --- >>>> OvmfPkg/README | 24 ++++++++++++-------- >>>> 1 file changed, 15 insertions(+), 9 deletions(-) >>>> >>>> diff --git a/OvmfPkg/README b/OvmfPkg/README >>>> index 3dd28474ead4..2009d9d29796 100644 >>>> --- a/OvmfPkg/README >>>> +++ b/OvmfPkg/README >>>> @@ -294,67 +294,73 @@ and encrypted connection. >>>> >>>> You can also append a certificate to the existing list with the >>>> following >>>> command: >>>> >>>> efisiglist -i <old certdb> -a <cert file> -o <new certdb> >>>> >>>> NOTE: You may need the patch to make efisiglist generate the correct >>>> header. >>>> (https://github.com/rhboot/pesign/pull/40) >>>> >>>> * Besides the trusted certificates, it's also possible to configure the >>>> trusted >>>> cipher suites for HTTPS through another fw_cfg entry: >>>> etc/edk2/https/ciphers. >>>> >>>> - -fw_cfg name=etc/edk2/https/ciphers,file=<cipher suites> >>>> - >>>> OVMF expects a binary UINT16 array which comprises the cipher suites HEX >>>> IDs(*4). If the cipher suite list is given, OVMF will choose the cipher >>>> suite from the intersection of the given list and the built-in cipher >>>> suites. Otherwise, OVMF just chooses whatever proper cipher suites from >>>> the >>>> built-in ones. >>>> >>>> - While the tool(*5) to create the cipher suite array is still under >>>> - development, the array can be generated with the following script: >>>> + Using QEMU 5.1 or later, QEMU can expose the ordered list of permitted >>>> TLS >>>> + cipher suites from the host side to OVMF: >>>> + >>>> + -object tls-cipher-suites,id=mysuite0,priority=@SYSTEM \ >>>> + -fw_cfg name=etc/edk2/https/ciphers,gen_id=mysuite0 >>>> + >>>> + (Refer to the QEMU manual and to >>>> + <https://gnutls.org/manual/html_node/Priority-Strings.html> for more >>>> + information on the "priority" property.) >>>> + >>>> + Using QEMU 5.0 or earlier, the array has to be passed from a file: >>> >>> What about using a '-' to list each "Using QEMU ..." and make the >>> separation clearer? >> >> I can do that, yes. There are three possibilities: >> >> - prefix just one line (in each affected paragraph) with the hyphen, >> >> - prefix the first line of each paragraph with the hyphen, plus indent >> the rest of the *same paragraph* by 2 spaces. > > I'd go with this possibility. Clear and easy. > >> >> - prefix the first line of each paragraph with the hyphen, plus indent >> the rest of the *text* that applies to the QEMU versions being discussed. > > (Note that would be my *visual* preference, but I don't think it's > worth it, I prefer we keep the diff short and easy to review).
Agreed on both counts :) Thanks! Laszlo -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#65310): https://edk2.groups.io/g/devel/message/65310 Mute This Topic: https://groups.io/mt/76689975/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
