On Fri, 2021-03-19 at 14:15 +0100, Laszlo Ersek wrote:
> RFC 7143 requires CHAP-MD5 as a mandatory option offered by an iscsi
> At the same time, edk2 has deprecated MD5 in general, as a
> cryptographically weak hash algorithm.
>
> Consequently, the "NetworkDefines.dsc.inc" file defines
> NETWORK_ISCSI_ENABLE with default value FALSE (commit 4ecb1ba5efa3 /
> TianoCore#3003). Platforms that want to include IScsiDxe need to opt in
> consciously to the presence of CHAP-MD5 in the code.
>
> We're not happy with this granularity. We'd prefer:
> - explicitly breaking RFC 7143 conformance,
> - removing CHAP-MD5,
> - and using an IScsiDxe variant that is honest about having no
>   confidentiality / integrity.
>
> IScsiDxe is safe on a trusted network, and only on a trusted network.
> The presence of CHAP-MD5 suggests it may be safe on an untrusted network
> too, and that implication (not the whole iscsi client functionality) is
> what we should rid ourselves of.

This sounds like the right direction to me.

> Are NetworkPkg maintainers open to breaking RFC 7143 conformance in
> IScsiDxe (perhaps with a feature PCD?), or should we look into this only
>
> Downstream, we might decide to drop IScsiDxe altogether, in sync with
> the upstream NETWORK_ISCSI_ENABLE=FALSE default -- that decision has not
> been made yet. Now I'm just testing whether keeping IScsiDxe enabled
> down-stream would require us to carry downstream-only patches.

RHEL Crypto Team
Red Hat, Inc