OvmfPkg/TlsAuthConfigLib: configure trusted CA certs for HTTPS boot
Introduce TlsAuthConfigLib to read the list of trusted CA certificates
from fw_cfg and to store it to EFI_TLS_CA_CERTIFICATE_VARIABLE.
The fw_cfg file is formatted by the "p11-kit" and "update-ca-trust"
utilities on the host side, so that the host settings take effect in guest
HTTPS boot as well. QEMU forwards the file intact to the firmware. The
contents are sanity-checked by NetworkPkg/HttpDxe code that was added in
commit 0fd13678a6.
Link TlsAuthConfigLib via NULL resolution into TlsAuthConfigDxe. This sets
EFI_TLS_CA_CERTIFICATE_VARIABLE in time for both
NetworkPkg/TlsAuthConfigDxe (for possible HII interaction with the user)
and for NetworkPkg/HttpDxe (for the effective TLS configuration).
The file formatted by "p11-kit" can be large. On a RHEL-7 host, the
Mozilla CA root certificate bundle -- installed with the "ca-certificates"
package -- is processed into a 182KB file. Thus, create
EFI_TLS_CA_CERTIFICATE_VARIABLE as a volatile & boot-time only variable.
Also, in TLS_ENABLE builds, set the cumulative limit for volatile
variables (PcdVariableStoreSize) to 512KB, and the individual limit for
the same (PcdMaxVolatileVariableSize) to 256KB.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Ching-Pang Lin <glin@suse.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Gary Lin <glin@suse.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
@@ -444,15 +444,23 @@
!if ($(FD_SIZE_IN_KB) == 1024) || ($(FD_SIZE_IN_KB) == 2048)
gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
!if $(TLS_ENABLE) == FALSE
# match PcdFlashNvStorageVariableSize purely for convenience
gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0xe000
!endif
!endif
!if $(FD_SIZE_IN_KB) == 4096
gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x8400
gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x8400
!if $(TLS_ENABLE) == FALSE
# match PcdFlashNvStorageVariableSize purely for convenience
gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0x40000
!endif
!endif
!if $(TLS_ENABLE) == TRUE
gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0x80000
gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVolatileVariableSize|0x40000
!endif

gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0

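Review bot: the `!if $(TLS_ENABLE) == TRUE` block (`PcdVariableStoreSize|0x80000`, `PcdMaxVolatileVariableSize|0x40000`) carries no comment, while both `TLS_ENABLE == FALSE` branches explain that their value matches PcdFlashNvStorageVariableSize; add a comment stating that these two values are sized for the large volatile EFI_TLS_CA_CERTIFICATE_VARIABLE (the commit message cites a 182KB p11-kit bundle) and are deliberately independent of FD_SIZE_IN_KB, so a later reader does not "correct" them back to the flash-matched numbers. It is also worth noting in that comment that 0x40000 is the per-variable ceiling: a host CA bundle larger than 256KB will not fit, and nothing in this hunk shows how that failure surfaces to the user.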
@@ -803,7 +811,10 @@
!endif
!if $(TLS_ENABLE) == TRUE
NetworkPkg/TlsDxe/TlsDxe.inf
NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf {
<LibraryClasses>
NULL|OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf
}
!endif
OvmfPkg/VirtioNetDxe/VirtioNet.inf

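Review bot: the `NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf {` override block should carry a one-line comment, since the NULL-resolved `OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf` is the only hint in the DSC that this module now populates EFI_TLS_CA_CERTIFICATE_VARIABLE from fw_cfg, and the commit message's claim that the variable is set "in time" for HttpDxe rests on TlsAuthConfigDxe being dispatched first, which nothing in this hunk expresses; a comment naming that ordering dependency (or a pointer to where it is enforced) would let a reader of this section verify it.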