path: root/OvmfPkg/OvmfPkgX64.dsc
author: Laszlo Ersek <lersek@redhat.com> 2018-03-28 03:04:06 +0200
committer: Laszlo Ersek <lersek@redhat.com> 2018-03-30 21:18:35 +0200
commit: 9c7d0d499296e444e39e9b6b34d8c121a325b295 (patch)
tree: 2de82670181af4c9748d5e171aa807480e45b42f /OvmfPkg/OvmfPkgX64.dsc
parent: c95e6d0917b05c701587ef70640f11d00eae5985 (diff)
OvmfPkg/TlsAuthConfigLib: configure trusted CA certs for HTTPS boot
Introduce TlsAuthConfigLib to read the list of trusted CA certificates from fw_cfg and to store it to EFI_TLS_CA_CERTIFICATE_VARIABLE. The fw_cfg file is formatted by the "p11-kit" and "update-ca-trust" utilities on the host side, so that the host settings take effect in guest HTTPS boot as well. QEMU forwards the file intact to the firmware. The contents are sanity-checked by NetworkPkg/HttpDxe code that was added in commit 0fd13678a681.

Link TlsAuthConfigLib via NULL resolution into TlsAuthConfigDxe. This sets EFI_TLS_CA_CERTIFICATE_VARIABLE in time for both NetworkPkg/TlsAuthConfigDxe (for possible HII interaction with the user) and for NetworkPkg/HttpDxe (for the effective TLS configuration).

The file formatted by "p11-kit" can be large. On a RHEL-7 host, the Mozilla CA root certificate bundle -- installed with the "ca-certificates" package -- is processed into a 182KB file. Thus, create EFI_TLS_CA_CERTIFICATE_VARIABLE as a volatile & boot-time only variable. Also, in TLS_ENABLE builds, set the cumulative limit for volatile variables (PcdVariableStoreSize) to 512KB, and the individual limit for the same (PcdMaxVolatileVariableSize) to 256KB.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Ching-Pang Lin <glin@suse.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Gary Lin <glin@suse.com>
Tested-by: Gary Lin <glin@suse.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Diffstat (limited to 'OvmfPkg/OvmfPkgX64.dsc')
-rw-r--r-- OvmfPkg/OvmfPkgX64.dsc | 13
1 files changed, 12 insertions, 1 deletions
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 7197c1984a..8af763ea9e 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -444,15 +444,23 @@
!if ($(FD_SIZE_IN_KB) == 1024) || ($(FD_SIZE_IN_KB) == 2048)
gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x2000
gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x2800
+!if $(TLS_ENABLE) == FALSE
# match PcdFlashNvStorageVariableSize purely for convenience
gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0xe000
!endif
+!endif
!if $(FD_SIZE_IN_KB) == 4096
gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize|0x8400
gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize|0x8400
+!if $(TLS_ENABLE) == FALSE
# match PcdFlashNvStorageVariableSize purely for convenience
gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0x40000
!endif
+!endif
+!if $(TLS_ENABLE) == TRUE
+ gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0x80000
+ gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVolatileVariableSize|0x40000
+!endif
gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0
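Review bot: the new `!if $(TLS_ENABLE) == TRUE` block at the end of this hunk sets `PcdVariableStoreSize|0x80000` and `PcdMaxVolatileVariableSize|0x40000` with no comment, while the two existing `PcdVariableStoreSize` lines it sits next to carry "# match PcdFlashNvStorageVariableSize purely for convenience"; a one-line comment giving the reason from the commit message (a p11-kit formatted CA bundle can reach roughly 182KB and is stored as a volatile, boot-time only EFI_TLS_CA_CERTIFICATE_VARIABLE, so the cumulative volatile limit is raised to 512KB and the per-variable limit to 256KB) would stop a later reader from "restoring" the smaller store size. It is also worth a comment that the added `!if $(TLS_ENABLE) == FALSE` guards around the existing assignments exist only to keep the two `PcdVariableStoreSize` settings mutually exclusive; as written, the TLS value applies to both FD size variants, which is presumably intended since the CA bundle size does not depend on the flash layout.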
@@ -803,7 +811,10 @@
!endif
!if $(TLS_ENABLE) == TRUE
NetworkPkg/TlsDxe/TlsDxe.inf
- NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
+ NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf {
+ <LibraryClasses>
+ NULL|OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf
+ }
!endif
OvmfPkg/VirtioNetDxe/VirtioNet.inf
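Review bot: the module-scoped `<LibraryClasses>` override with `NULL|OvmfPkg/Library/TlsAuthConfigLib/TlsAuthConfigLib.inf` is the right mechanism for running a constructor without touching NetworkPkg, but nothing in the DSC says why the library is attached to TlsAuthConfigDxe rather than to HttpDxe, which is the consumer of the resulting TLS configuration; a short comment above the override ("populates EFI_TLS_CA_CERTIFICATE_VARIABLE from fw_cfg before TlsAuthConfigDxe and HttpDxe read it", per the commit message) would record the ordering assumption in the file where it matters. Since the diffstat shown here is limited to OvmfPkg/OvmfPkgX64.dsc, please confirm that the sibling OVMF DSC files that carry the same `!if $(TLS_ENABLE) == TRUE` block receive the identical override and PCD changes, otherwise HTTPS boot behaviour would diverge between the builds.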