86 lines
3.1 KiB
Plaintext

TlsDxe with OPENSSL integration guide.

1. Integrate TlsDxe with the OPENSSL library source code package.

Download the OPENSSL library source package from URL https://github.com/openssl/openssl/tree/fb047ebc87b18bdc4cf9ddee9ee1f5ed93e56aff

Decompress the package to the path InsydeNetworkPkg/Library/OpensslLib/openssl-1.1.1l

2. Enable the FeaturePCDs in Project.dsc

gInsydeTokenSpaceGuid.PcdH2ONetworkHttpSupported|TRUE
gInsydeTokenSpaceGuid.PcdH2ONetworkTlsSupported|TRUE

3. Build the project BIOS and make sure TlsDxe has been generated.

OPENSSL configuration files:

openssl-1.1.1l/include/openssl/opensslconf.h
openssl-1.1.1l/include/internal/dso_conf.h

Test TlsDxe with ImportCA.efi and RestTest.efi

Get the EFI files from InsydeNetworkPkg/Application. Prebuilt binaries exist in the ImportCA and RestTest folders; pick the one for your arch.

If you want to build them as a DEBUG build, run the build command

build -p InsydeNetworkPkg/InsydeNetworkPkg.dsc -a $(YOUR_ARCH) -b DEBUG

The EFI files will be generated in $(WORKSPACE)/Build/InsydeNetworkPkg/DEBUG_$(TOOL_CHAIN)/$(ARCH)

Create Certificate file steps.

TlsDxe processes the TLS requests that come from the HttpDxe driver; it does not process anything by itself.

Create CA: (These steps are for testing only; please define the CA creation steps for your project.)

Prepare the CNF (openssl.cnf) first, then run the commands below in the Windows command line.

1. Create the key and CSR file

openssl req -new -newkey rsa:2048 -nodes -out httpboot_local.csr -keyout httpboot_local.key -subj "/C=TW/ST=Taipei/L=Taipei/O=Insyde.com/OU=OU/CN=httpboot.local" -config openssl.cnf

2. Create the CRT file (self-signed) from the key

openssl x509 -req -in httpboot_local.csr -signkey httpboot_local.key -out httpboot_local.crt -days 3650

3. Create a PEM file containing the key and CRT files.

type httpboot_local.key httpboot_local.crt > httpboot_local.pem

CA:

openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt -config openssl.cnf
type ca.key ca.crt > ca.pem

Sign with the CA:

openssl req -new -newkey rsa:2048 -nodes -out httpboot_local.csr -keyout httpboot_local.key -subj "/C=TW/ST=Taipei/L=Taipei/O=Insyde.com/OU=OU/CN=httpboot.local" -config openssl.cnf
openssl x509 -req -in httpboot_local.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out httpboot_localCA.crt
type httpboot_local.key httpboot_localCA.crt > httpboot_localCA.pem

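Added example, not part of the Insyde guide: the "CA" and "Sign with the CA" steps above carried through end to end on a POSIX shell with the OpenSSL CLI, followed by the checks a practitioner would run before trusting the output. It assumes an openssl binary on PATH, writes its own minimal openssl.cnf in place of the one the guide asks you to prepare, and replaces the Windows "type" with "cat"; the hostname httpboot.local and the subject fields are the guide's. It adds two things the guide's signing command omits: an explicit -days (openssl x509 defaults to 30 days) and a subjectAltName for the host.

```shell
#!/bin/sh
# Added example (not from the Insyde guide): test CA + CA-signed leaf cert
# for httpboot.local, then verification. Assumes "openssl" is on PATH.
set -eu

SUBJ_BASE="/C=TW/ST=Taipei/L=Taipei/O=Insyde.com/OU=OU"
HOST="httpboot.local"

# make_test_pki DIR: create ca.key/ca.crt/ca.pem and a CA-signed leaf
# certificate for $HOST inside DIR. The body runs in a subshell so the
# cd does not leak into the caller.
make_test_pki() (
  mkdir -p "$1" && cd "$1"

  # Minimal stand-in for the guide's openssl.cnf: a DN section (required
  # by req even when -subj is given), a CA extension section and a leaf
  # extension section carrying the subjectAltName.
  cat > openssl.cnf <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$HOST
EOF

  # CA key and self-signed CA certificate (the guide's "CA" block).
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -key ca.key -days 3650 \
    -subj "$SUBJ_BASE/CN=Test Root CA" \
    -config openssl.cnf -extensions v3_ca -out ca.crt
  # The guide's bundle holds the key AND the certificate; a trust store
  # only ever needs ca.crt.
  cat ca.key ca.crt > ca.pem

  # Leaf key and CSR (first command of the guide's signing block).
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$HOST.key" -out "$HOST.csr" \
    -subj "$SUBJ_BASE/CN=$HOST" -config openssl.cnf 2>/dev/null

  # Sign the CSR with the CA, with an explicit validity and the SAN.
  openssl x509 -req -in "$HOST.csr" -CA ca.crt -CAkey ca.key \
    -CAcreateserial -days 365 -extfile openssl.cnf -extensions v3_leaf \
    -out "${HOST}CA.crt" 2>/dev/null

  # Server-side bundle, the equivalent of the guide's last "type" step.
  cat "$HOST.key" "${HOST}CA.crt" > "${HOST}CA.pem"
)

# verify_chain DIR: the leaf must chain to ca.crt and match $HOST.
# Exit status 0 means "OK".
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$HOST" "$1/${HOST}CA.crt"
}

# leaf_is_signed_by_ca DIR: the leaf's issuer must equal the CA's subject,
# a quick check that the CSR was not accidentally self-signed instead.
leaf_is_signed_by_ca() {
  issuer=$(openssl x509 -in "$1/${HOST}CA.crt" -noout -issuer)
  subject=$(openssl x509 -in "$1/ca.crt" -noout -subject)
  [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_test_pki "$d"
  verify_chain "$d"
  leaf_is_signed_by_ca "$d" && echo "leaf issuer matches CA subject"
fi
```

Run it as "sh make_test_pki.sh demo"; the files land in a fresh temporary directory, and "openssl verify" printing "OK" confirms the leaf chains to the CA and carries the expected hostname.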
CA management: (via the ImportCA application; the project side can follow the steps in the application source code to implement its own management interface)

Import:

ImportCA --import --file CA_FILE_PATH --guid GUID_STRING

If --guid is not given, the default GUID is used to import the CA into the DB.

Export:

ImportCA --export INDEX --file CA_OUTPUT_FILE_PATH

Get INDEX via the command "ImportCA --list".

List:

ImportCA --list

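Added example, not from the Insyde guide: a small check to run on a PEM file before passing it to "ImportCA --import". The guide builds ca.pem with "type ca.key ca.crt", so that file carries the CA private key next to the certificate, while the CA DB only needs the certificate. The script splits a PEM bundle into its blocks, validates that each block decodes, reports what it contains, and writes a certificate-only copy. The sample bundle is constructed inside the script from dummy DER bytes; it is not a real key or certificate.

```python
"""Added example (not from the Insyde guide): inspect a PEM bundle before
it is imported as a trust anchor, and strip anything that is not a
certificate. SAMPLE_BUNDLE is constructed dummy data."""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)
SEQUENCE_TAG = 0x30  # DER tag every X.509 certificate starts with


def split_pem(text):
    """Return [(label, der_bytes), ...] for each well-formed PEM block."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = "".join(m.group("body").split())  # drop line breaks and spaces
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError(f"{label} block is not valid base64") from exc
        if label == "CERTIFICATE" and (not der or der[0] != SEQUENCE_TAG):
            raise ValueError("CERTIFICATE block does not decode to a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def summarize(text):
    """Count the kinds of objects a bundle contains."""
    labels = [label for label, _ in split_pem(text)]
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    return {"certificates": certs, "private_keys": keys,
            "other": len(labels) - certs - keys}


def safe_to_import(text):
    """True only if the bundle holds certificates and nothing else."""
    s = summarize(text)
    return s["certificates"] > 0 and s["private_keys"] == 0 and s["other"] == 0


def _pem(label, der):
    """Encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def certificates_only(text):
    """Re-emit just the CERTIFICATE blocks, dropping keys and anything else."""
    return "".join(_pem("CERTIFICATE", der)
                   for label, der in split_pem(text) if label == "CERTIFICATE")


# Constructed stand-in for the guide's ca.pem: a "private key" block and a
# "certificate" block whose bodies are tiny dummy DER SEQUENCEs.
SAMPLE_BUNDLE = (
    _pem("PRIVATE KEY", bytes([0x30, 0x03, 0x02, 0x01, 0x00]))
    + _pem("CERTIFICATE", bytes([0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x01]))
)

if __name__ == "__main__":
    print("ca.pem contents:", summarize(SAMPLE_BUNDLE))
    print("safe to import as-is:", safe_to_import(SAMPLE_BUNDLE))
    cleaned = certificates_only(SAMPLE_BUNDLE)
    print("after stripping keys:", summarize(cleaned),
          "safe:", safe_to_import(cleaned))
```

To check a real file, read it and pass the text to safe_to_import(); when it returns False, write certificates_only() to a new file and import that one instead of the key-and-certificate bundle.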
Download an HTTPS file with the RestTest application:

RestTest --device 0 --get https://httpboot.local/download/bootx64.efi

Demo nsh file:

Environment setup:

fs0:
ifconfig -s eth0 dhcp
importCA --import --file CA\ca.pem