From: Abenr Chang <abner.ch...@amd.com> Go through each EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL instance to check whether a platform HTTPS TLS policy is provided.
Signed-off-by: Abner Chang <abner.ch...@amd.com> Cc: Saloni Kasbekar <saloni.kasbe...@intel.com> Cc: Zachary Clark-williams <zachary.clark-willi...@intel.com> Cc: Michael Brown <mc...@ipxe.org> Cc: Nickle Wang <nick...@nvidia.com> Cc: Igor Kulchytskyy <ig...@ami.com>
---
 NetworkPkg/HttpDxe/HttpDxe.inf | 1 +
 NetworkPkg/HttpDxe/HttpDriver.h | 1 +
 NetworkPkg/HttpDxe/HttpsSupport.c | 117 +++++++++++++++++++++++++++---
 3 files changed, 107 insertions(+), 12 deletions(-)
diff --git a/NetworkPkg/HttpDxe/HttpDxe.inf b/NetworkPkg/HttpDxe/HttpDxe.inf
index c9502d0bb6d..7699bd9cc17 100644
--- a/NetworkPkg/HttpDxe/HttpDxe.inf
+++ b/NetworkPkg/HttpDxe/HttpDxe.inf
@@ -66,6 +66,7 @@
 gEfiTlsProtocolGuid ## SOMETIMES_CONSUMES
 gEfiTlsConfigurationProtocolGuid ## SOMETIMES_CONSUMES
 gEdkiiHttpCallbackProtocolGuid ## SOMETIMES_CONSUMES
+ gEdkiiHttpsTlsPlatformPolicyProtocolGuid ## SOMETIMES_CONSUMES
 [Guids]
 gEfiTlsCaCertificateGuid ## SOMETIMES_CONSUMES ## Variable:L"TlsCaCertificate"
diff --git a/NetworkPkg/HttpDxe/HttpDriver.h b/NetworkPkg/HttpDxe/HttpDriver.h
index 01a6bb7f4b7..5554befad4d 100644
--- a/NetworkPkg/HttpDxe/HttpDriver.h
+++ b/NetworkPkg/HttpDxe/HttpDriver.h
@@ -48,6 +48,7 @@
 #include <Protocol/Tls.h>
 #include <Protocol/TlsConfig.h>
 #include <Protocol/HttpCallback.h>
+#include <Protocol/HttpsTlsPlatformPolicyProtocol.h>
 #include <Guid/ImageAuthentication.h>
 //
diff --git a/NetworkPkg/HttpDxe/HttpsSupport.c b/NetworkPkg/HttpDxe/HttpsSupport.c
index 7330be42c00..354e5cfc79c 100644
--- a/NetworkPkg/HttpDxe/HttpsSupport.c
+++ b/NetworkPkg/HttpDxe/HttpsSupport.c
@@ -131,6 +131,93 @@ IsHttpsUrl (
 return FALSE;
 }
+/**
+ Locate all EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL instances and go through each
+ to check if platform HTTPS TLS policy is provided.
+
+ @param[in] HttpHandle The HTTP protocol handle.
+ @param[in, out] TlsConfigData Pointer to TLS_CONFIG_DATA of this HTTP instance.
+
+**/
+VOID
+HttpsPlatformTlsPolicy (
+ IN EFI_HANDLE HttpHandle,
+ IN OUT TLS_CONFIG_DATA *TlsConfigData
+ )
+{
+ EFI_STATUS Status;
+ UINTN NumHandles;
+ EFI_HANDLE *HandleBuffer;
+ EFI_HANDLE *HandleBufferIndex;
+ EDKII_PLATFORM_HTTPS_TLS_CONFIG_DATA PlatformHttpsTlsPolicy;
+ EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL *ProtocolInterface;
+
+ if ((HttpHandle == NULL) || (TlsConfigData == NULL)) {
+ return;
+ }
+
+ Status = gBS->LocateHandleBuffer (
+ ByProtocol,
+ &gEdkiiHttpsTlsPlatformPolicyProtocolGuid,
+ NULL,
+ &NumHandles,
+ &HandleBuffer
+ );
+ if (EFI_ERROR (Status)) {
+ DEBUG ((
+ DEBUG_INFO,
+ "%a: There is no EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL instance is installed for HTTP this handle:0x%x.\n",
+ __func__,
+ HttpHandle
+ ));
+ return;
+ }
+
+ HandleBufferIndex = HandleBuffer;
+ while (NumHandles != 0) {
+ Status = gBS->HandleProtocol (
+ *HandleBufferIndex,
+ &gEdkiiHttpsTlsPlatformPolicyProtocolGuid,
+ (VOID **)&ProtocolInterface
+ );
+ if (!EFI_ERROR (Status)) {
+ Status = ProtocolInterface->PlatformGetPolicy (
+ *HandleBufferIndex,
+ HttpHandle,
+ &PlatformHttpsTlsPolicy
+ );
+ if (!EFI_ERROR (Status)) {
+ if ((PlatformHttpsTlsPolicy.Version.Major == 1) && (PlatformHttpsTlsPolicy.Version.Minor == 0)) {
+ //
+ // HTTPS platform TLS policy config data version 1.0.
+ //
+ TlsConfigData->ConnectionEnd = PlatformHttpsTlsPolicy.ConnectionEnd;
+ TlsConfigData->VerifyHost = PlatformHttpsTlsPolicy.VerifyHost;
+ TlsConfigData->VerifyMethod = PlatformHttpsTlsPolicy.VerifyMethod;
+ Status = EFI_SUCCESS;
+ break;
+ }
+ }
+ }
+
+ HandleBufferIndex++;
+ NumHandles--;
+ Status = EFI_NOT_FOUND;
+ }
+
+ FreePool ((VOID *)HandleBuffer);
+ if (!EFI_ERROR (Status)) {
+ DEBUG ((
+ DEBUG_INFO,
+ "%a: There is a EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL instance installed for this HTTP handle:0x%x.\n",
+ __func__,
+ HttpHandle
+ ));
+ }
+
+ return;
+}
+
 /**
 Creates a Tls child handle, open EFI_TLS_PROTOCOL and EFI_TLS_CONFIGURATION_PROTOCOL.
@@ -650,6 +737,8 @@ TlsConfigureSession (
 HttpInstance->TlsConfigData.VerifyHost.HostName = HttpInstance->RemoteHost;
 HttpInstance->TlsConfigData.SessionState = EfiTlsSessionNotStarted;
+ HttpsPlatformTlsPolicy (HttpInstance->Handle, &HttpInstance->TlsConfigData);
+
 //
 // EfiTlsConnectionEnd,
 // EfiTlsVerifyMethod,
@@ -676,14 +765,16 @@ TlsConfigureSession (
 return Status;
 }
- Status = HttpInstance->Tls->SetSessionData (
- HttpInstance->Tls,
- EfiTlsVerifyHost,
- &HttpInstance->TlsConfigData.VerifyHost,
- sizeof (EFI_TLS_VERIFY_HOST)
- );
- if (EFI_ERROR (Status)) {
- return Status;
+ if (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE) {
+ Status = HttpInstance->Tls->SetSessionData (
+ HttpInstance->Tls,
+ EfiTlsVerifyHost,
+ &HttpInstance->TlsConfigData.VerifyHost,
+ sizeof (EFI_TLS_VERIFY_HOST)
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
 }
 Status = HttpInstance->Tls->SetSessionData (
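Review bot: `TlsConfigData->VerifyHost = PlatformHttpsTlsPolicy.VerifyHost;` copies the whole EFI_TLS_VERIFY_HOST structure, including its HostName pointer, over the value the caller filled from HttpInstance->RemoteHost on the line just before the new HttpsPlatformTlsPolicy call (visible as context in the next hunk), so a policy provider that only means to set verification flags replaces the host name with whatever it left in that field, possibly NULL. Copying only the flags, `TlsConfigData->VerifyHost.Flags = PlatformHttpsTlsPolicy.VerifyHost.Flags;`, keeps host-name checking tied to the URL actually being fetched. The function comment should also say that a policy returning VerifyMethod == EFI_TLS_VERIFY_NONE disables peer certificate checking for this HTTP instance, and that the first handle reporting a version 1.0 policy wins when several are installed, since the order returned by LocateHandleBuffer is not defined. Separately, both DEBUG strings print an EFI_HANDLE with `0x%x`; `%p` is the specifier for a pointer, and the first message reads better as `"%a: No EDKII_HTTPS_TLS_PLATFORM_POLICY_PROTOCOL instance is installed for HTTP handle %p.\n"`.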
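Review bot: With VerifyMethod == EFI_TLS_VERIFY_NONE the new condition around the EfiTlsVerifyHost SetSessionData call skips host-name verification, and the following hunk skips TlsConfigCertificate the same way, so a platform policy can turn off peer verification for this connection without leaving any trace in the log. Since this is where the decision takes effect, it deserves a message that is on in release builds, e.g. `else { DEBUG ((DEBUG_WARN, "%a: TLS peer verification disabled by platform policy.\n", __func__)); }` on this branch. TlsConfigureSession starts and ends outside both hunks; the EfiTlsVerifyMethod SetSessionData call that presumably hands the value to TlsDxe lies between them and is not shown.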
@@ -708,10 +799,12 @@ TlsConfigureSession (
 //
 // Tls Config Certificate
 //
- Status = TlsConfigCertificate (HttpInstance);
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
- return Status;
+ if (HttpInstance->TlsConfigData.VerifyMethod != EFI_TLS_VERIFY_NONE) {
+ Status = TlsConfigCertificate (HttpInstance);
+ if (EFI_ERROR (Status)) {
+ DEBUG ((DEBUG_ERROR, "TLS Certificate Config Error!\n"));
+ return Status;
+ }
 }
 //
-- 
2.37.1.windows.1
-=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#112913): https://edk2.groups.io/g/devel/message/112913 Mute This Topic: https://groups.io/mt/103368439/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-