From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp.nue.novell.com (smtp.nue.novell.com [195.135.221.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id BF56881BD6 for ; Mon, 16 Jan 2017 19:36:00 -0800 (PST) Received: from nwb-ext-pat.microfocus.com ([10.120.13.103]) by smtp.nue.novell.com with ESMTP (TLS encrypted); Tue, 17 Jan 2017 04:35:59 +0100 Received: from GaryWorkstation (nwb-a10-snat.microfocus.com [10.120.13.202]) by nwb-ext-pat.microfocus.com with ESMTP (TLS encrypted); Tue, 17 Jan 2017 03:35:48 +0000 Date: Tue, 17 Jan 2017 11:35:36 +0800 From: Gary Lin To: "Wu, Jiaxin" , Laszlo Ersek Cc: "edk2-devel@ml01.01.org" , "Kinney, Michael D" , "Justen, Jordan L" , "Long, Qin" Message-ID: <20170117033535.nosawlykabkzekjy@GaryWorkstation> References: <1484569332-13440-1-git-send-email-jiaxin.wu@intel.com> <9d5d1d2a-01af-bdcc-65ca-338ae1142631@redhat.com> <895558F6EA4E3B41AC93A00D163B727416294199@SHSMSX103.ccr.corp.intel.com> <903fd117-7d01-fe09-6cb2-234a657c2cae@redhat.com> <895558F6EA4E3B41AC93A00D163B72741629426B@SHSMSX103.ccr.corp.intel.com> MIME-Version: 1.0 In-Reply-To: <895558F6EA4E3B41AC93A00D163B72741629426B@SHSMSX103.ccr.corp.intel.com> User-Agent: Mutt/1.6.2 (2016-07-01) Subject: Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg libraries X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jan 2017 03:36:01 -0000 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Jan 17, 2017 at 02:56:16AM +0000, Wu, Jiaxin wrote: > > Subject: Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg > > libraries > > > > On 01/17/17 02:08, Wu, Jiaxin wrote: > > > Laszlo, > > > > > > I don't think this patch makes OpenSSL must requirement for building > > > OVMF by default. > > > > > > As I note in the commit log that "no build performance impacts" if > > > OpenSSL related library is not consumed by any other modules. > > > > I saw that comment, and I didn't understand it. What do you mean by > > "performance impact"? How quickly the tree builds? Or how quickly the > > resultant firmware boots? My concerns aren't related to performance, but > > whether OVMF builds at all, or not. > > > > > That > > > also means "Including OpenSSL libraries unconditionally won't break > > > OVMF build by default since all dependent modules are controlled by > > > the defined flag with the false value." > > > > So practically the suggestion is to provide unconditional library > > resolutions for the OpenSslLib, IntrinsicLib and BaseCryptLib classes, > > regardless of whether those classes are actually used by any module. > > > > Yes. > I thought "build performance" should include the build result and time consumption during the OVMF build. Sorry for the misunderstanding due to the ambiguity of "build performance impacts", and I agree to refine the commit log. > > Just did a test on OvmfPkgX64.dsc and confirmed that providing those library resolutions doesn't break the build without openssl. > > > I see the point, but then the commit message should be improved. It > > should also explain that unused lib class resolutions that refer to > > nonexistent INF files (for example when OpenSSL is missing from the > > tree) do not cause build failures, unless the lib class is actually used. > > > > The commit message could be > > > > OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib > > > > I don't have the strong opinion for the commit message change. That's also fine to me since we can reach an agreement:). > > > > > > > > > Secure Boot feature is controlled by: > > > * DEFINE SECURE_BOOT_ENABLE = FALSE > > > > > > ISCSIv6 requires OpenSSL, which is controlled by: > > > * DEFINE NETWORK_IP6_ENABLE = FALSE > > > > That's not entirely right; currently you can build with -D > > NETWORK_IP6_ENABLE and without OpenSSL (i.e., without -D > > SECURE_BOOT_ENABLE, at the moment). It will use IScsiDxe from > > MdeModulePkg, rather than from NetworkPkg. > > > > Is your argument that such an IPv6 stack (that is, with IScsiDxe comes > > from MdeModulePkg) is incomplete in itself? In other words, that a > > complete IPv6 stack requires IScsiDxe from NetworkPkg, hence OpenSSL too? > > Yes, that's my point. > > > > > > > In that case, the relevant parts of the OVMF DSC / FDF files should be > > fixed in a separate patch, with a separate justification. Something like: > > > > OvmfPkg: correct the set of modules included for the IPv6 stack > > > > Ok, that's fine the separate patch. > > > > > > > > > IPsec is a mandatory part of IPv6, but is not an integral part of IPv4, then it > > should be controlled by: > > > * DEFINE NETWORK_IP6_ENABLE = FALSE > > > (For IPsec, I just notice it's not included in OVMF platform if IPV6 enabled, we > > should fix it.) > > > > Yes, it could be part of the above-suggested IPv6-oriented patch. > > > > > > > > HTTPS/TLS will also be controlled by: > > > * DEFINE TLS_ENABLE = FALSE > > > > Makes sense. > > > > (And then HTTP_BOOT_ENABLE should pull in different modules dependent on > > TLS_ENABLE.) > > No, we can keep the current modules included in HTTP_BOOT_ENABLE, and make the TLS_ENABLE independently since TLS feature should not be limit to HTTP(S) feature. > > As I explained to Gary, TLS can be treated as independent module, which can be leveraged by third part drivers/apps (e.g. EAP-TLS). No TLS means no HTTPS. > > > > > > > > Namely: > > > OpenSSL is required to follow Patch-HOWTO *only when needed*. > > > > > > Of course, as you propose, we can also add OPENSSL_ENABLE flag to > > > control all the OpenSSL libraries. But as I mentioned above, do you > > > think it's necessary? I don't have strong opinion for OPENSSL_ENABLE > > > flag, but makes the logic more complexity as you list below. > > > > No, with your explanation, it seems fine. I think in total we'll need > > four patches: > > > > * OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib > > > > Does what it says; commit message suggestions above. > > > > * OvmfPkg: correct the set of modules included for the IPv6 stack > > > > Fixes up IScsiDxe and IPSec, makes OpenSSL a hard requirement for > > IPv6. (And documents the fact in the commit message.) > > > > * OvmfPkg: pull in TLS modules with -D TLS_ENABLE > > > > Resolves the TLS-specific library classes, and pulls in TLS drivers > > (that are independent of HTTPS). > > > > * OvmfPkg: enable HTTPS boot under (HTTP_BOOT_ENABLE + TLS_ENABLE) > > > > Adds any TLS-specific customizations to existent HTTP_BOOT_ENABLE > > parts. > > > > What do you guys think? > > > > We can combine the last two patches instead: > > * OvmfPkg: Enable HTTPS/TLS feature under (HTTP_BOOT_ENABLE + TLS_ENABLE) > Combining the last two patches makes sense to me since we don't really need to change anything in HTTP_BOOT_ENABLE. Just add TlsLib, TlsDxe, and TlsAuthConfigDxe. > > > > I believe it would be preferable if one of you (Gary?) could submit the > > whole 4-part series, with the other one (Jiaxin?) helping out with the > > review. Would that work for you both? > > > I'm fine with the propose:). > I'm working on the patches now :) Thanks, Gary Lin > Thanks, > Jiaxin > > > > > > Thanks! > > Laszlo > > > > > > > > Thanks, > > > Jiaxin > > > > > >> -----Original Message----- > > >> From: Laszlo Ersek [mailto:lersek@redhat.com] > > >> Sent: Tuesday, January 17, 2017 4:33 AM > > >> To: Wu, Jiaxin ; edk2-devel@ml01.01.org > > >> Cc: Justen, Jordan L ; Gary Lin ; > > >> Long, Qin ; Kinney, Michael D > > >> > > >> Subject: Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg > > >> libraries > > >> > > >> On 01/16/17 13:22, Jiaxin Wu wrote: > > >>> v2: > > >>> * Remove the flag for NetworkPkg/IScsiDxe > > >>> > > >>> This patch is to remove the 'SECURE_BOOT_ENABLE' flag control for > > >>> the CryptoPkg librarie. > > >>> > > >>> Not only the secure boot feature requires the CryptoPkg libraries > > >>> (e.g, OpensslLib, BaseCryptLib), but also ISCSI, IpSec and HTTPS/TLS > > >>> features. Those modules can be always included since no build > > performance > > >>> impacts if they are not consumed. > > >>> > > >>> Cc: Laszlo Ersek > > >>> Cc: Justen Jordan L > > >>> Cc: Gary Lin > > >>> Cc: Long Qin > > >>> Contributed-under: TianoCore Contribution Agreement 1.0 > > >>> Signed-off-by: Wu Jiaxin > > >>> --- > > >>> OvmfPkg/OvmfPkgIa32.dsc | 17 ++++++----------- > > >>> OvmfPkg/OvmfPkgIa32X64.dsc | 17 ++++++----------- > > >>> OvmfPkg/OvmfPkgX64.dsc | 17 ++++++----------- > > >>> 3 files changed, 18 insertions(+), 33 deletions(-) > > >> > > >> I disagree with this patch (assuming at least that I understand it > > >> correctly). > > >> > > >> Namely, > > >> - unconditionally resolving OpensslLib in the DSC files, and > > >> - unconditionally consuming OpensslLib in modules that are > > >> unconditionally included in the DSC files, > > >> > > >> makes OpenSSL a hard requirement for building OVMF. > > >> > > >> Given that OpenSSL is not distributed as part of the edk2 tree, and > > >> given that it's not even pulled in through an unmodified git submodule, > > >> this patch would prevent people, IIUC, from building OVMF without > > >> jumping through the hoops described in > > >> > > >> CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt > > >> > > >> That's a bad thing, forcing people to download and patch OpenSSL even if > > >> they don't care about any of the dependent features. (It is perfectly > > >> possible to be uninterested in *all* of: Secure Boot, IpSec, HTTPS boot, > > >> and iSCSI, in a virtual machine.) > > >> > > >> If OpenSSL were distributed as part of edk2, or if OpenSSL were > > >> presented as a plain (unmodified) git submodule in edk2, then I might agree. > > >> > > >> For now, perhaps we can introduce an OPENSSL_ENABLE build option. > > >> > > >> - Features that require OpenSSL no matter what, such as > > >> SECURE_BOOT_ENABLE, should auto-define OPENSSL_ENABLE. > > >> > > >> (I don't remember if the [Defines] section of the DSC file can set > > >> macros conditionally, dependent on other macros, but I hope so.) > > >> > > >> - Features that can utilize (but don't require) OpenSSL, such as > > >> NETWORK_IP6_ENABLE and HTTP_BOOT_ENABLE, should provide > > conditional > > >> DSC stanzas for both $(OPENSSL_ENABLE) == TRUE and == FALSE. > > >> > > >> - The libraries and drivers that provide the crypto stuff (directly on > > >> top of OpenSSL) should depend on OPENSSL_ENABLE. > > >> > > >> In fact, looking at Gary's patch "OvmfPkg: Enable HTTPS for Ovmf" with > > >> TLS_ENABLE, it seems like we need another layer. HTTP_BOOT_ENABLE > > should > > >> not be customized for OPENSSL_ENABLE, but for TLS_ENABLE. > > >> > > >> In summary: > > >> - SECURE_BOOT_ENABLE should auto-select OPENSSL_ENABLE. > > >> - TLS_ENABLE should auto-select OPENSSL_ENABLE. > > >> - NETWORK_IP6_ENABLE should be customized based on OPENSSL_ENABLE > > >> (for the ISCSI driver). > > >> - HTTP_BOOT_ENABLE should be customized based on TLS_ENABLE. > > >> - OPENSSL_ENABLE should control the CryptoPkg modules that directly > > >> wrap the OpenSSL functionality, for edk2. > > >> > > >> As a result, the following build option combinations would be valid > > >> (listing some examples): > > >> > > >> * -D SECURE_BOOT_ENABLE > > >> > > >> It would set OPENSSL_ENABLE. If OpenSSL is available, it would build > > >> fine, otherwise it would break, as it should. > > >> > > >> * -D NETWORK_IP6_ENABLE > > >> > > >> You get the IPv6 stack, but no secure ISCSI. > > >> > > >> * -D NETWORK_IP6_ENABLE -D OPENSSL_ENABLE > > >> > > >> You get the IPv6 stack, with secure ISCSI. If OpenSSL is not > > >> available, the build breaks, as it should. > > >> > > >> * -D HTTP_BOOT_ENABLE > > >> > > >> You get HTTP boot, but not HTTPS boot. > > >> > > >> * -D HTTP_BOOT_ENABLE -D OPENSSL_ENABLE <----- note that this is > > useless > > >> > > >> Same, no change. > > >> > > >> * -D TLS_ENABLE > > >> > > >> Selects OPENSSL_ENABLE automatically. If OpenSSL is not available, > > >> the build breaks. Otherwise, the TLS drivers are included in the fw > > >> binary. They might not be used by any edk2 module, but some 3rd party > > >> UEFI application (launched from the shell, eg.) could. > > >> > > >> * -D HTTP_BOOT_ENABLE -D TLS_ENABLE > > >> > > >> HTTP and HTTPS boot becomes available. If OpenSSL is absent from the > > >> tree, the build breaks. > > >> > > >> * -D SECURE_BOOT_ENABLE -D HTTP_BOOT_ENABLE -D > > >> NETWORK_IP6_ENABLE > > >> > > >> You get Secure Boot, and secure ISCSI with IPv6, but not HTTPS > > >> boot. > > >> > > >> * -D SECURE_BOOT_ENABLE -D HTTP_BOOT_ENABLE -D TLS_ENABLE \ > > >> -D NETWORK_IP6_ENABLE > > >> > > >> You get everything. > > >> > > >> My point is, if we touch these build flags, then we should go the whole > > >> way, and express their inter-dependencies precisely. > > >> > > >> Thanks! > > >> Laszlo > > >> > > >>> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > > >>> index e97f7f0..6e53d9f 100644 > > >>> --- a/OvmfPkg/OvmfPkgIa32.dsc > > >>> +++ b/OvmfPkg/OvmfPkgIa32.dsc > > >>> @@ -1,9 +1,9 @@ > > >>> ## @file > > >>> # EFI/Framework Open Virtual Machine Firmware (OVMF) platform > > >>> # > > >>> -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.
> > >>> +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.
> > >>> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP
> > >>> # > > >>> # This program and the accompanying materials > > >>> # are licensed and made available under the terms and conditions of the > > >> BSD License > > >>> # which accompanies this distribution. The full text of the license may be > > >> found at > > >>> @@ -139,14 +139,15 @@ > > >>> > > >>> ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf > > >>> > > >> > > LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf > > >>> > > >> > > DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD > > >> ebugPrintErrorLevelLib.inf > > >>> > > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE > > >>> - > > >> > > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > > >>> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > > >>> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > > >>> + > > >>> +!if $(SECURE_BOOT_ENABLE) == TRUE > > >>> + > > >> > > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > > >>> > > >> > > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM > > >> easurementLib.inf > > >>> AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > > >>> !if $(NETWORK_IP6_ENABLE) == TRUE > > >>> TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf > > >>> !endif > > >>> @@ -164,13 +165,11 @@ > > >>> SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf > > >>> > > >> > > OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib > > >> /BaseOrderedCollectionRedBlackTreeLib.inf > > >>> XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf > > >>> > > >>> [LibraryClasses.common] > > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE > > >>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > > >>> -!endif > > >>> > > >>> [LibraryClasses.common.SEC] > > >>> TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf > > >>> QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf > > >>> !ifdef $(DEBUG_ON_SERIAL_PORT) > > >>> @@ -256,13 +255,13 @@ > > >>> > > >> > > DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf > > >>> !else > > >>> > > >> > > DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i > > >> nf > > >>> !endif > > >>> UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf > > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE > > >>> + > > >>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > > >>> -!endif > > >>> + > > >>> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf > > >>> > > >>> [LibraryClasses.common.UEFI_DRIVER] > > >>> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf > > >>> TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf > > >>> @@ -698,16 +697,12 @@ > > >>> NetworkPkg/TcpDxe/TcpDxe.inf > > >>> NetworkPkg/Udp6Dxe/Udp6Dxe.inf > > >>> NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf > > >>> NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf > > >>> NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf > > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE > > >>> NetworkPkg/IScsiDxe/IScsiDxe.inf > > >>> !else > > >>> - MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > > >>> -!endif > > >>> -!else > > >>> MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf > > >>> MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf > > >>> MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > > >>> !endif > > >>> !if $(HTTP_BOOT_ENABLE) == TRUE > > >>> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc > > >>> index 8e3e04c..15db2d5 100644 > > >>> --- a/OvmfPkg/OvmfPkgIa32X64.dsc > > >>> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > > >>> @@ -1,9 +1,9 @@ > > >>> ## @file > > >>> # EFI/Framework Open Virtual Machine Firmware (OVMF) platform > > >>> # > > >>> -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.
> > >>> +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.
> > >>> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP
> > >>> # > > >>> # This program and the accompanying materials > > >>> # are licensed and made available under the terms and conditions of the > > >> BSD License > > >>> # which accompanies this distribution. The full text of the license may be > > >> found at > > >>> @@ -144,14 +144,15 @@ > > >>> > > >>> ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf > > >>> > > >> > > LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf > > >>> > > >> > > DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD > > >> ebugPrintErrorLevelLib.inf > > >>> > > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE > > >>> - > > >> > > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > > >>> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > > >>> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > > >>> + > > >>> +!if $(SECURE_BOOT_ENABLE) == TRUE > > >>> + > > >> > > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > > >>> > > >> > > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM > > >> easurementLib.inf > > >>> AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > > >>> !if $(NETWORK_IP6_ENABLE) == TRUE > > >>> TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf > > >>> !endif > > >>> @@ -169,13 +170,11 @@ > > >>> SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf > > >>> > > >> > > OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib > > >> /BaseOrderedCollectionRedBlackTreeLib.inf > > >>> XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf > > >>> > > >>> [LibraryClasses.common] > > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE > > >>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > > >>> -!endif > > >>> > > >>> [LibraryClasses.common.SEC] > > >>> TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf > > >>> QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf > > >>> !ifdef $(DEBUG_ON_SERIAL_PORT) > > >>> @@ -261,13 +260,13 @@ > > >>> > > >> > > DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf > > >>> !else > > >>> > > >> > > DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i > > >> nf > > >>> !endif > > >>> UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf > > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE > > >>> + > > >>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > > >>> -!endif > > >>> + > > >>> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf > > >>> > > >>> [LibraryClasses.common.UEFI_DRIVER] > > >>> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf > > >>> TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf > > >>> @@ -707,16 +706,12 @@ > > >>> NetworkPkg/TcpDxe/TcpDxe.inf > > >>> NetworkPkg/Udp6Dxe/Udp6Dxe.inf > > >>> NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf > > >>> NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf > > >>> NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf > > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE > > >>> NetworkPkg/IScsiDxe/IScsiDxe.inf > > >>> !else > > >>> - MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > > >>> -!endif > > >>> -!else > > >>> MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf > > >>> MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf > > >>> MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > > >>> !endif > > >>> !if $(HTTP_BOOT_ENABLE) == TRUE > > >>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > > >>> index 6ec3fe0..9c6bdc2 100644 > > >>> --- a/OvmfPkg/OvmfPkgX64.dsc > > >>> +++ b/OvmfPkg/OvmfPkgX64.dsc > > >>> @@ -1,9 +1,9 @@ > > >>> ## @file > > >>> # EFI/Framework Open Virtual Machine Firmware (OVMF) platform > > >>> # > > >>> -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.
> > >>> +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.
> > >>> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP
> > >>> # > > >>> # This program and the accompanying materials > > >>> # are licensed and made available under the terms and conditions of the > > >> BSD License > > >>> # which accompanies this distribution. The full text of the license may be > > >> found at > > >>> @@ -144,14 +144,15 @@ > > >>> > > >>> ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf > > >>> > > >> > > LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf > > >>> > > >> > > DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD > > >> ebugPrintErrorLevelLib.inf > > >>> > > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE > > >>> - > > >> > > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > > >>> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > > >>> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > > >>> + > > >>> +!if $(SECURE_BOOT_ENABLE) == TRUE > > >>> + > > >> > > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > > >>> > > >> > > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM > > >> easurementLib.inf > > >>> AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > > >>> !if $(NETWORK_IP6_ENABLE) == TRUE > > >>> TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf > > >>> !endif > > >>> @@ -169,13 +170,11 @@ > > >>> SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf > > >>> > > >> > > OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib > > >> /BaseOrderedCollectionRedBlackTreeLib.inf > > >>> XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf > > >>> > > >>> [LibraryClasses.common] > > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE > > >>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > > >>> -!endif > > >>> > > >>> [LibraryClasses.common.SEC] > > >>> TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf > > >>> QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf > > >>> !ifdef $(DEBUG_ON_SERIAL_PORT) > > >>> @@ -261,13 +260,13 @@ > > >>> > > >> > > DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf > > >>> !else > > >>> > > >> > > DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i > > >> nf > > >>> !endif > > >>> UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf > > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE > > >>> + > > >>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > > >>> -!endif > > >>> + > > >>> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf > > >>> > > >>> [LibraryClasses.common.UEFI_DRIVER] > > >>> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf > > >>> TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf > > >>> @@ -705,16 +704,12 @@ > > >>> NetworkPkg/TcpDxe/TcpDxe.inf > > >>> NetworkPkg/Udp6Dxe/Udp6Dxe.inf > > >>> NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf > > >>> NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf > > >>> NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf > > >>> -!if $(SECURE_BOOT_ENABLE) == TRUE > > >>> NetworkPkg/IScsiDxe/IScsiDxe.inf > > >>> !else > > >>> - MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > > >>> -!endif > > >>> -!else > > >>> MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf > > >>> MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf > > >>> MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > > >>> !endif > > >>> !if $(HTTP_BOOT_ENABLE) == TRUE > > >>> > > > > > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel >