From: Gary Lin <glin@suse.com>
To: "Wu, Jiaxin" <jiaxin.wu@intel.com>, Laszlo Ersek <lersek@redhat.com>
Cc: "edk2-devel@ml01.01.org" <edk2-devel@ml01.01.org>,
"Kinney, Michael D" <michael.d.kinney@intel.com>,
"Justen, Jordan L" <jordan.l.justen@intel.com>,
"Long, Qin" <qin.long@intel.com>
Subject: Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg libraries
Date: Tue, 17 Jan 2017 11:35:36 +0800 [thread overview]
Message-ID: <20170117033535.nosawlykabkzekjy@GaryWorkstation> (raw)
In-Reply-To: <895558F6EA4E3B41AC93A00D163B72741629426B@SHSMSX103.ccr.corp.intel.com>
On Tue, Jan 17, 2017 at 02:56:16AM +0000, Wu, Jiaxin wrote:
> > Subject: Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg
> > libraries
> >
> > On 01/17/17 02:08, Wu, Jiaxin wrote:
> > > Laszlo,
> > >
> > > I don't think this patch makes OpenSSL must requirement for building
> > > OVMF by default.
> > >
> > > As I note in the commit log that "no build performance impacts" if
> > > OpenSSL related library is not consumed by any other modules.
> >
> > I saw that comment, and I didn't understand it. What do you mean by
> > "performance impact"? How quickly the tree builds? Or how quickly the
> > resultant firmware boots? My concerns aren't related to performance, but
> > whether OVMF builds at all, or not.
> >
> > > That
> > > also means "Including OpenSSL libraries unconditionally won't break
> > > OVMF build by default since all dependent modules are controlled by
> > > the defined flag with the false value."
> >
> > So practically the suggestion is to provide unconditional library
> > resolutions for the OpenSslLib, IntrinsicLib and BaseCryptLib classes,
> > regardless of whether those classes are actually used by any module.
> >
>
> Yes.
> I thought "build performance" should include the build result and time consumption during the OVMF build. Sorry for the misunderstanding due to the ambiguity of "build performance impacts", and I agree to refine the commit log.
>
>
Just did a test on OvmfPkgX64.dsc and confirmed that providing those
library resolutions doesn't break the build without openssl.
>
> > I see the point, but then the commit message should be improved. It
> > should also explain that unused lib class resolutions that refer to
> > nonexistent INF files (for example when OpenSSL is missing from the
> > tree) do not cause build failures, unless the lib class is actually used.
> >
> > The commit message could be
> >
> > OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib
> >
>
> I don't have the strong opinion for the commit message change. That's also fine to me since we can reach an agreement:).
>
>
>
> > >
> > > Secure Boot feature is controlled by:
> > > * DEFINE SECURE_BOOT_ENABLE = FALSE
> > >
> > > ISCSIv6 requires OpenSSL, which is controlled by:
> > > * DEFINE NETWORK_IP6_ENABLE = FALSE
> >
> > That's not entirely right; currently you can build with -D
> > NETWORK_IP6_ENABLE and without OpenSSL (i.e., without -D
> > SECURE_BOOT_ENABLE, at the moment). It will use IScsiDxe from
> > MdeModulePkg, rather than from NetworkPkg.
> >
> > Is your argument that such an IPv6 stack (that is, with IScsiDxe comes
> > from MdeModulePkg) is incomplete in itself? In other words, that a
> > complete IPv6 stack requires IScsiDxe from NetworkPkg, hence OpenSSL too?
>
> Yes, that's my point.
>
>
>
> >
> > In that case, the relevant parts of the OVMF DSC / FDF files should be
> > fixed in a separate patch, with a separate justification. Something like:
> >
> > OvmfPkg: correct the set of modules included for the IPv6 stack
> >
>
> Ok, that's fine the separate patch.
>
>
>
> > >
> > > IPsec is a mandatory part of IPv6, but is not an integral part of IPv4, then it
> > should be controlled by:
> > > * DEFINE NETWORK_IP6_ENABLE = FALSE
> > > (For IPsec, I just notice it's not included in OVMF platform if IPV6 enabled, we
> > should fix it.)
> >
> > Yes, it could be part of the above-suggested IPv6-oriented patch.
> >
> > >
> > > HTTPS/TLS will also be controlled by:
> > > * DEFINE TLS_ENABLE = FALSE
> >
> > Makes sense.
> >
> > (And then HTTP_BOOT_ENABLE should pull in different modules dependent on
> > TLS_ENABLE.)
>
> No, we can keep the current modules included in HTTP_BOOT_ENABLE, and make the TLS_ENABLE independently since TLS feature should not be limit to HTTP(S) feature.
>
> As I explained to Gary, TLS can be treated as independent module, which can be leveraged by third part drivers/apps (e.g. EAP-TLS). No TLS means no HTTPS.
>
>
>
> >
> > > Namely:
> > > OpenSSL is required to follow Patch-HOWTO *only when needed*.
> > >
> > > Of course, as you propose, we can also add OPENSSL_ENABLE flag to
> > > control all the OpenSSL libraries. But as I mentioned above, do you
> > > think it's necessary? I don't have strong opinion for OPENSSL_ENABLE
> > > flag, but makes the logic more complexity as you list below.
> >
> > No, with your explanation, it seems fine. I think in total we'll need
> > four patches:
> >
> > * OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib
> >
> > Does what it says; commit message suggestions above.
> >
> > * OvmfPkg: correct the set of modules included for the IPv6 stack
> >
> > Fixes up IScsiDxe and IPSec, makes OpenSSL a hard requirement for
> > IPv6. (And documents the fact in the commit message.)
> >
> > * OvmfPkg: pull in TLS modules with -D TLS_ENABLE
> >
> > Resolves the TLS-specific library classes, and pulls in TLS drivers
> > (that are independent of HTTPS).
> >
> > * OvmfPkg: enable HTTPS boot under (HTTP_BOOT_ENABLE + TLS_ENABLE)
> >
> > Adds any TLS-specific customizations to existent HTTP_BOOT_ENABLE
> > parts.
> >
> > What do you guys think?
> >
>
> We can combine the last two patches instead:
>
> * OvmfPkg: Enable HTTPS/TLS feature under (HTTP_BOOT_ENABLE + TLS_ENABLE)
>
Combining the last two patches makes sense to me since we don't really need
to change anything in HTTP_BOOT_ENABLE. Just add TlsLib, TlsDxe, and
TlsAuthConfigDxe.
>
>
> > I believe it would be preferable if one of you (Gary?) could submit the
> > whole 4-part series, with the other one (Jiaxin?) helping out with the
> > review. Would that work for you both?
> >
> I'm fine with the propose:).
>
I'm working on the patches now :)
Thanks,
Gary Lin
> Thanks,
> Jiaxin
>
>
>
>
> > Thanks!
> > Laszlo
> >
> > >
> > > Thanks,
> > > Jiaxin
> > >
> > >> -----Original Message-----
> > >> From: Laszlo Ersek [mailto:lersek@redhat.com]
> > >> Sent: Tuesday, January 17, 2017 4:33 AM
> > >> To: Wu, Jiaxin <jiaxin.wu@intel.com>; edk2-devel@ml01.01.org
> > >> Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Gary Lin <glin@suse.com>;
> > >> Long, Qin <qin.long@intel.com>; Kinney, Michael D
> > >> <michael.d.kinney@intel.com>
> > >> Subject: Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg
> > >> libraries
> > >>
> > >> On 01/16/17 13:22, Jiaxin Wu wrote:
> > >>> v2:
> > >>> * Remove the flag for NetworkPkg/IScsiDxe
> > >>>
> > >>> This patch is to remove the 'SECURE_BOOT_ENABLE' flag control for
> > >>> the CryptoPkg librarie.
> > >>>
> > >>> Not only the secure boot feature requires the CryptoPkg libraries
> > >>> (e.g, OpensslLib, BaseCryptLib), but also ISCSI, IpSec and HTTPS/TLS
> > >>> features. Those modules can be always included since no build
> > performance
> > >>> impacts if they are not consumed.
> > >>>
> > >>> Cc: Laszlo Ersek <lersek@redhat.com>
> > >>> Cc: Justen Jordan L <jordan.l.justen@intel.com>
> > >>> Cc: Gary Lin <glin@suse.com>
> > >>> Cc: Long Qin <qin.long@intel.com>
> > >>> Contributed-under: TianoCore Contribution Agreement 1.0
> > >>> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
> > >>> ---
> > >>> OvmfPkg/OvmfPkgIa32.dsc | 17 ++++++-----------
> > >>> OvmfPkg/OvmfPkgIa32X64.dsc | 17 ++++++-----------
> > >>> OvmfPkg/OvmfPkgX64.dsc | 17 ++++++-----------
> > >>> 3 files changed, 18 insertions(+), 33 deletions(-)
> > >>
> > >> I disagree with this patch (assuming at least that I understand it
> > >> correctly).
> > >>
> > >> Namely,
> > >> - unconditionally resolving OpensslLib in the DSC files, and
> > >> - unconditionally consuming OpensslLib in modules that are
> > >> unconditionally included in the DSC files,
> > >>
> > >> makes OpenSSL a hard requirement for building OVMF.
> > >>
> > >> Given that OpenSSL is not distributed as part of the edk2 tree, and
> > >> given that it's not even pulled in through an unmodified git submodule,
> > >> this patch would prevent people, IIUC, from building OVMF without
> > >> jumping through the hoops described in
> > >>
> > >> CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> > >>
> > >> That's a bad thing, forcing people to download and patch OpenSSL even if
> > >> they don't care about any of the dependent features. (It is perfectly
> > >> possible to be uninterested in *all* of: Secure Boot, IpSec, HTTPS boot,
> > >> and iSCSI, in a virtual machine.)
> > >>
> > >> If OpenSSL were distributed as part of edk2, or if OpenSSL were
> > >> presented as a plain (unmodified) git submodule in edk2, then I might agree.
> > >>
> > >> For now, perhaps we can introduce an OPENSSL_ENABLE build option.
> > >>
> > >> - Features that require OpenSSL no matter what, such as
> > >> SECURE_BOOT_ENABLE, should auto-define OPENSSL_ENABLE.
> > >>
> > >> (I don't remember if the [Defines] section of the DSC file can set
> > >> macros conditionally, dependent on other macros, but I hope so.)
> > >>
> > >> - Features that can utilize (but don't require) OpenSSL, such as
> > >> NETWORK_IP6_ENABLE and HTTP_BOOT_ENABLE, should provide
> > conditional
> > >> DSC stanzas for both $(OPENSSL_ENABLE) == TRUE and == FALSE.
> > >>
> > >> - The libraries and drivers that provide the crypto stuff (directly on
> > >> top of OpenSSL) should depend on OPENSSL_ENABLE.
> > >>
> > >> In fact, looking at Gary's patch "OvmfPkg: Enable HTTPS for Ovmf" with
> > >> TLS_ENABLE, it seems like we need another layer. HTTP_BOOT_ENABLE
> > should
> > >> not be customized for OPENSSL_ENABLE, but for TLS_ENABLE.
> > >>
> > >> In summary:
> > >> - SECURE_BOOT_ENABLE should auto-select OPENSSL_ENABLE.
> > >> - TLS_ENABLE should auto-select OPENSSL_ENABLE.
> > >> - NETWORK_IP6_ENABLE should be customized based on OPENSSL_ENABLE
> > >> (for the ISCSI driver).
> > >> - HTTP_BOOT_ENABLE should be customized based on TLS_ENABLE.
> > >> - OPENSSL_ENABLE should control the CryptoPkg modules that directly
> > >> wrap the OpenSSL functionality, for edk2.
> > >>
> > >> As a result, the following build option combinations would be valid
> > >> (listing some examples):
> > >>
> > >> * -D SECURE_BOOT_ENABLE
> > >>
> > >> It would set OPENSSL_ENABLE. If OpenSSL is available, it would build
> > >> fine, otherwise it would break, as it should.
> > >>
> > >> * -D NETWORK_IP6_ENABLE
> > >>
> > >> You get the IPv6 stack, but no secure ISCSI.
> > >>
> > >> * -D NETWORK_IP6_ENABLE -D OPENSSL_ENABLE
> > >>
> > >> You get the IPv6 stack, with secure ISCSI. If OpenSSL is not
> > >> available, the build breaks, as it should.
> > >>
> > >> * -D HTTP_BOOT_ENABLE
> > >>
> > >> You get HTTP boot, but not HTTPS boot.
> > >>
> > >> * -D HTTP_BOOT_ENABLE -D OPENSSL_ENABLE <----- note that this is
> > useless
> > >>
> > >> Same, no change.
> > >>
> > >> * -D TLS_ENABLE
> > >>
> > >> Selects OPENSSL_ENABLE automatically. If OpenSSL is not available,
> > >> the build breaks. Otherwise, the TLS drivers are included in the fw
> > >> binary. They might not be used by any edk2 module, but some 3rd party
> > >> UEFI application (launched from the shell, eg.) could.
> > >>
> > >> * -D HTTP_BOOT_ENABLE -D TLS_ENABLE
> > >>
> > >> HTTP and HTTPS boot becomes available. If OpenSSL is absent from the
> > >> tree, the build breaks.
> > >>
> > >> * -D SECURE_BOOT_ENABLE -D HTTP_BOOT_ENABLE -D
> > >> NETWORK_IP6_ENABLE
> > >>
> > >> You get Secure Boot, and secure ISCSI with IPv6, but not HTTPS
> > >> boot.
> > >>
> > >> * -D SECURE_BOOT_ENABLE -D HTTP_BOOT_ENABLE -D TLS_ENABLE \
> > >> -D NETWORK_IP6_ENABLE
> > >>
> > >> You get everything.
> > >>
> > >> My point is, if we touch these build flags, then we should go the whole
> > >> way, and express their inter-dependencies precisely.
> > >>
> > >> Thanks!
> > >> Laszlo
> > >>
> > >>> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> > >>> index e97f7f0..6e53d9f 100644
> > >>> --- a/OvmfPkg/OvmfPkgIa32.dsc
> > >>> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> > >>> @@ -1,9 +1,9 @@
> > >>> ## @file
> > >>> # EFI/Framework Open Virtual Machine Firmware (OVMF) platform
> > >>> #
> > >>> -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
> > >>> +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
> > >>> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> > >>> #
> > >>> # This program and the accompanying materials
> > >>> # are licensed and made available under the terms and conditions of the
> > >> BSD License
> > >>> # which accompanies this distribution. The full text of the license may be
> > >> found at
> > >>> @@ -139,14 +139,15 @@
> > >>>
> > >>> ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf
> > >>>
> > >>
> > LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
> > >>>
> > >>
> > DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD
> > >> ebugPrintErrorLevelLib.inf
> > >>>
> > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> > >>> -
> > >>
> > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> > >>> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> > >>> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > >>> +
> > >>> +!if $(SECURE_BOOT_ENABLE) == TRUE
> > >>> +
> > >>
> > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> > >>>
> > >>
> > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
> > >> easurementLib.inf
> > >>> AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> > >>> !if $(NETWORK_IP6_ENABLE) == TRUE
> > >>> TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> > >>> !endif
> > >>> @@ -164,13 +165,11 @@
> > >>> SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
> > >>>
> > >>
> > OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib
> > >> /BaseOrderedCollectionRedBlackTreeLib.inf
> > >>> XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
> > >>>
> > >>> [LibraryClasses.common]
> > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> > >>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > >>> -!endif
> > >>>
> > >>> [LibraryClasses.common.SEC]
> > >>> TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
> > >>> QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf
> > >>> !ifdef $(DEBUG_ON_SERIAL_PORT)
> > >>> @@ -256,13 +255,13 @@
> > >>>
> > >>
> > DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
> > >>> !else
> > >>>
> > >>
> > DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i
> > >> nf
> > >>> !endif
> > >>> UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
> > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> > >>> +
> > >>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > >>> -!endif
> > >>> +
> > >>> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
> > >>>
> > >>> [LibraryClasses.common.UEFI_DRIVER]
> > >>> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
> > >>> TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf
> > >>> @@ -698,16 +697,12 @@
> > >>> NetworkPkg/TcpDxe/TcpDxe.inf
> > >>> NetworkPkg/Udp6Dxe/Udp6Dxe.inf
> > >>> NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
> > >>> NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
> > >>> NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> > >>> NetworkPkg/IScsiDxe/IScsiDxe.inf
> > >>> !else
> > >>> - MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > >>> -!endif
> > >>> -!else
> > >>> MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
> > >>> MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
> > >>> MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > >>> !endif
> > >>> !if $(HTTP_BOOT_ENABLE) == TRUE
> > >>> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> > >>> index 8e3e04c..15db2d5 100644
> > >>> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> > >>> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> > >>> @@ -1,9 +1,9 @@
> > >>> ## @file
> > >>> # EFI/Framework Open Virtual Machine Firmware (OVMF) platform
> > >>> #
> > >>> -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
> > >>> +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
> > >>> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> > >>> #
> > >>> # This program and the accompanying materials
> > >>> # are licensed and made available under the terms and conditions of the
> > >> BSD License
> > >>> # which accompanies this distribution. The full text of the license may be
> > >> found at
> > >>> @@ -144,14 +144,15 @@
> > >>>
> > >>> ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf
> > >>>
> > >>
> > LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
> > >>>
> > >>
> > DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD
> > >> ebugPrintErrorLevelLib.inf
> > >>>
> > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> > >>> -
> > >>
> > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> > >>> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> > >>> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > >>> +
> > >>> +!if $(SECURE_BOOT_ENABLE) == TRUE
> > >>> +
> > >>
> > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> > >>>
> > >>
> > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
> > >> easurementLib.inf
> > >>> AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> > >>> !if $(NETWORK_IP6_ENABLE) == TRUE
> > >>> TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> > >>> !endif
> > >>> @@ -169,13 +170,11 @@
> > >>> SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
> > >>>
> > >>
> > OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib
> > >> /BaseOrderedCollectionRedBlackTreeLib.inf
> > >>> XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
> > >>>
> > >>> [LibraryClasses.common]
> > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> > >>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > >>> -!endif
> > >>>
> > >>> [LibraryClasses.common.SEC]
> > >>> TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
> > >>> QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf
> > >>> !ifdef $(DEBUG_ON_SERIAL_PORT)
> > >>> @@ -261,13 +260,13 @@
> > >>>
> > >>
> > DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
> > >>> !else
> > >>>
> > >>
> > DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i
> > >> nf
> > >>> !endif
> > >>> UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
> > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> > >>> +
> > >>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > >>> -!endif
> > >>> +
> > >>> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
> > >>>
> > >>> [LibraryClasses.common.UEFI_DRIVER]
> > >>> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
> > >>> TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf
> > >>> @@ -707,16 +706,12 @@
> > >>> NetworkPkg/TcpDxe/TcpDxe.inf
> > >>> NetworkPkg/Udp6Dxe/Udp6Dxe.inf
> > >>> NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
> > >>> NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
> > >>> NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> > >>> NetworkPkg/IScsiDxe/IScsiDxe.inf
> > >>> !else
> > >>> - MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > >>> -!endif
> > >>> -!else
> > >>> MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
> > >>> MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
> > >>> MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > >>> !endif
> > >>> !if $(HTTP_BOOT_ENABLE) == TRUE
> > >>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> > >>> index 6ec3fe0..9c6bdc2 100644
> > >>> --- a/OvmfPkg/OvmfPkgX64.dsc
> > >>> +++ b/OvmfPkg/OvmfPkgX64.dsc
> > >>> @@ -1,9 +1,9 @@
> > >>> ## @file
> > >>> # EFI/Framework Open Virtual Machine Firmware (OVMF) platform
> > >>> #
> > >>> -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
> > >>> +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
> > >>> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> > >>> #
> > >>> # This program and the accompanying materials
> > >>> # are licensed and made available under the terms and conditions of the
> > >> BSD License
> > >>> # which accompanies this distribution. The full text of the license may be
> > >> found at
> > >>> @@ -144,14 +144,15 @@
> > >>>
> > >>> ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf
> > >>>
> > >>
> > LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
> > >>>
> > >>
> > DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD
> > >> ebugPrintErrorLevelLib.inf
> > >>>
> > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> > >>> -
> > >>
> > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> > >>> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> > >>> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> > >>> +
> > >>> +!if $(SECURE_BOOT_ENABLE) == TRUE
> > >>> +
> > >>
> > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> > >>>
> > >>
> > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
> > >> easurementLib.inf
> > >>> AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> > >>> !if $(NETWORK_IP6_ENABLE) == TRUE
> > >>> TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> > >>> !endif
> > >>> @@ -169,13 +170,11 @@
> > >>> SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
> > >>>
> > >>
> > OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib
> > >> /BaseOrderedCollectionRedBlackTreeLib.inf
> > >>> XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
> > >>>
> > >>> [LibraryClasses.common]
> > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> > >>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > >>> -!endif
> > >>>
> > >>> [LibraryClasses.common.SEC]
> > >>> TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
> > >>> QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf
> > >>> !ifdef $(DEBUG_ON_SERIAL_PORT)
> > >>> @@ -261,13 +260,13 @@
> > >>>
> > >>
> > DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
> > >>> !else
> > >>>
> > >>
> > DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i
> > >> nf
> > >>> !endif
> > >>> UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
> > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> > >>> +
> > >>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > >>> -!endif
> > >>> +
> > >>> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
> > >>>
> > >>> [LibraryClasses.common.UEFI_DRIVER]
> > >>> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
> > >>> TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf
> > >>> @@ -705,16 +704,12 @@
> > >>> NetworkPkg/TcpDxe/TcpDxe.inf
> > >>> NetworkPkg/Udp6Dxe/Udp6Dxe.inf
> > >>> NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
> > >>> NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
> > >>> NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> > >>> NetworkPkg/IScsiDxe/IScsiDxe.inf
> > >>> !else
> > >>> - MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > >>> -!endif
> > >>> -!else
> > >>> MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
> > >>> MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
> > >>> MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > >>> !endif
> > >>> !if $(HTTP_BOOT_ENABLE) == TRUE
> > >>>
> > >
>
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel
>
next prev parent reply other threads:[~2017-01-17 3:36 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-16 12:22 [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg libraries Jiaxin Wu
2017-01-16 20:33 ` Laszlo Ersek
2017-01-17 1:08 ` Wu, Jiaxin
2017-01-17 1:47 ` Laszlo Ersek
2017-01-17 2:56 ` Wu, Jiaxin
2017-01-17 3:15 ` Laszlo Ersek
2017-01-17 3:20 ` Wu, Jiaxin
2017-01-17 3:35 ` Gary Lin [this message]
2017-01-17 1:54 ` Jordan Justen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170117033535.nosawlykabkzekjy@GaryWorkstation \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox