audk/OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf

## @file
#
# A hook-in library for NetworkPkg/TlsAuthConfigDxe, in order to set volatile
# variables related to TLS configuration, before TlsAuthConfigDxe or HttpDxe
# (which is a UEFI_DRIVER) consume them.
#
# Copyright (C) 2013, 2015, 2018, Red Hat, Inc.
# Copyright (c) 2008 - 2012, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials are licensed and made available
# under the terms and conditions of the BSD License which accompanies this
# distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
#
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT
# WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##

[Defines]
  INF_VERSION                    = 1.26
  BASE_NAME                      = TlsAuthConfigLib
  FILE_GUID                      = 660AB627-4C5F-4D42-A3B6-BD021E9028BD
  MODULE_TYPE                    = BASE
  VERSION_STRING                 = 1.0
  LIBRARY_CLASS                  = TlsAuthConfigLib|DXE_DRIVER
  CONSTRUCTOR                    = TlsAuthConfigInit

#
# The following information is for reference only and not required by the build
# tools.
#
#  VALID_ARCHITECTURES           = IA32 X64 ARM AARCH64
#

[Sources]
  TlsAuthConfigLib.c

[Packages]
  MdePkg/MdePkg.dec
  NetworkPkg/NetworkPkg.dec
  OvmfPkg/OvmfPkg.dec

[LibraryClasses]
  BaseLib
  DebugLib
  MemoryAllocationLib
  QemuFwCfgLib
  UefiRuntimeServicesTableLib

[Guids]
  gEdkiiHttpTlsCipherListGuid ## PRODUCES ## Variable:L"HttpTlsCipherList"
  gEfiTlsCaCertificateGuid    ## PRODUCES ## Variable:L"TlsCaCertificate"

[Depex]
  gEfiVariableWriteArchProtocolGuid
OvmfPkg/TlsAuthConfigLib: configure trusted CA certs for HTTPS boot Introduce TlsAuthConfigLib to read the list of trusted CA certificates from fw_cfg and to store it to EFI_TLS_CA_CERTIFICATE_VARIABLE. The fw_cfg file is formatted by the "p11-kit" and "update-ca-trust" utilities on the host side, so that the host settings take effect in guest HTTPS boot as well. QEMU forwards the file intact to the firmware. The contents are sanity-checked by NetworkPkg/HttpDxe code that was added in commit 0fd13678a681. Link TlsAuthConfigLib via NULL resolution into TlsAuthConfigDxe. This sets EFI_TLS_CA_CERTIFICATE_VARIABLE in time for both NetworkPkg/TlsAuthConfigDxe (for possible HII interaction with the user) and for NetworkPkg/HttpDxe (for the effective TLS configuration). The file formatted by "p11-kit" can be large. On a RHEL-7 host, the the Mozilla CA root certificate bundle -- installed with the "ca-certificates" package -- is processed into a 182KB file. Thus, create EFI_TLS_CA_CERTIFICATE_VARIABLE as a volatile & boot-time only variable. Also, in TLS_ENABLE builds, set the cumulative limit for volatile variables (PcdVariableStoreSize) to 512KB, and the individual limit for the same (PcdMaxVolatileVariableSize) to 256KB. Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Ching-Pang Lin <glin@suse.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Gary Lin <glin@suse.com> Tested-by: Gary Lin <glin@suse.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> 2018-03-28 03:04:06 +02:00			`## @file`
			`#`
			`# A hook-in library for NetworkPkg/TlsAuthConfigDxe, in order to set volatile`
			`# variables related to TLS configuration, before TlsAuthConfigDxe or HttpDxe`
			`# (which is a UEFI_DRIVER) consume them.`
			`#`
			`# Copyright (C) 2013, 2015, 2018, Red Hat, Inc.`
			`# Copyright (c) 2008 - 2012, Intel Corporation. All rights reserved.<BR>`
			`#`
			`# This program and the accompanying materials are licensed and made available`
			`# under the terms and conditions of the BSD License which accompanies this`
			`# distribution. The full text of the license may be found at`
			`# http://opensource.org/licenses/bsd-license.php`
			`#`
			`# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT`
			`# WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.`
			`#`
			`##`

			`[Defines]`
			`INF_VERSION = 1.26`
			`BASE_NAME = TlsAuthConfigLib`
			`FILE_GUID = 660AB627-4C5F-4D42-A3B6-BD021E9028BD`
			`MODULE_TYPE = BASE`
			`VERSION_STRING = 1.0`
			`LIBRARY_CLASS = TlsAuthConfigLib\|DXE_DRIVER`
			`CONSTRUCTOR = TlsAuthConfigInit`

			`#`
			`# The following information is for reference only and not required by the build`
			`# tools.`
			`#`
			`# VALID_ARCHITECTURES = IA32 X64 ARM AARCH64`
			`#`

			`[Sources]`
			`TlsAuthConfigLib.c`

			`[Packages]`
			`MdePkg/MdePkg.dec`
			`NetworkPkg/NetworkPkg.dec`
			`OvmfPkg/OvmfPkg.dec`

			`[LibraryClasses]`
			`BaseLib`
			`DebugLib`
			`MemoryAllocationLib`
			`QemuFwCfgLib`
			`UefiRuntimeServicesTableLib`

			`[Guids]`
OvmfPkg/TlsAuthConfigLib: configure trusted cipher suites for HTTPS boot Read the list of trusted cipher suites from fw_cfg and to store it to EDKII_HTTP_TLS_CIPHER_LIST_VARIABLE. The fw_cfg file will be formatted by the "update-crypto-policies" utility on the host side, so that the host settings take effect in guest HTTPS boot as well. QEMU forwards the file intact to the firmware. The contents are forwarded by NetworkPkg/HttpDxe (in TlsConfigCipherList()) to NetworkPkg/TlsDxe (TlsSetSessionData()) and TlsLib (TlsSetCipherList()). Note: the development of the "update-crypto-policies" feature is underway at this time. Meanwhile the following script can be used to generate the binary file for fw_cfg: export LC_ALL=C openssl ciphers -V \ \| sed -r -n \ -e 's/^ 0x([0-9A-F]{2}),0x([0-9A-F]{2}) - .$/\\\\x\1 \\\\x\2/p' \ \| xargs -r -- printf -- '%b' > ciphers.bin Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Ching-Pang Lin <glin@suse.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Gary Lin <glin@suse.com> Tested-by: Gary Lin <glin@suse.com> Reviewed-by: Long Qin <qin.long@intel.com> Reviewed-by: Jiaxin Wu <jiaxin.wu@intel.com> [lersek@redhat.com: update commit msg and add script as requested by Gary] [lersek@redhat.com: update commit msg as requested by Jiaxin] 2018-04-01 01:27:43 +02:00			`gEdkiiHttpTlsCipherListGuid ## PRODUCES ## Variable:L"HttpTlsCipherList"`
			`gEfiTlsCaCertificateGuid ## PRODUCES ## Variable:L"TlsCaCertificate"`
OvmfPkg/TlsAuthConfigLib: configure trusted CA certs for HTTPS boot Introduce TlsAuthConfigLib to read the list of trusted CA certificates from fw_cfg and to store it to EFI_TLS_CA_CERTIFICATE_VARIABLE. The fw_cfg file is formatted by the "p11-kit" and "update-ca-trust" utilities on the host side, so that the host settings take effect in guest HTTPS boot as well. QEMU forwards the file intact to the firmware. The contents are sanity-checked by NetworkPkg/HttpDxe code that was added in commit 0fd13678a681. Link TlsAuthConfigLib via NULL resolution into TlsAuthConfigDxe. This sets EFI_TLS_CA_CERTIFICATE_VARIABLE in time for both NetworkPkg/TlsAuthConfigDxe (for possible HII interaction with the user) and for NetworkPkg/HttpDxe (for the effective TLS configuration). The file formatted by "p11-kit" can be large. On a RHEL-7 host, the the Mozilla CA root certificate bundle -- installed with the "ca-certificates" package -- is processed into a 182KB file. Thus, create EFI_TLS_CA_CERTIFICATE_VARIABLE as a volatile & boot-time only variable. Also, in TLS_ENABLE builds, set the cumulative limit for volatile variables (PcdVariableStoreSize) to 512KB, and the individual limit for the same (PcdMaxVolatileVariableSize) to 256KB. Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org> Cc: Gary Ching-Pang Lin <glin@suse.com> Cc: Jordan Justen <jordan.l.justen@intel.com> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Gary Lin <glin@suse.com> Tested-by: Gary Lin <glin@suse.com> Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> 2018-03-28 03:04:06 +02:00
			`[Depex]`
			`gEfiVariableWriteArchProtocolGuid`