public inbox for devel@edk2.groups.io
* [PATCH 0/3] Enable HTTPS Boot in OVMF
@ 2017-01-17  4:52 Gary Lin
  2017-01-17  4:52 ` [PATCH 1/3] OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib Gary Lin
                   ` (5 more replies)
  0 siblings, 6 replies; 20+ messages in thread
From: Gary Lin @ 2017-01-17  4:52 UTC (permalink / raw)
  To: edk2-devel

This series adjusts the build files of OVMF in order to support HTTPS.
It introduces a new build option, TLS_ENABLE, and makes OpenSSL a hard
requirement to enable IPv6 support.

Gary Lin (3):
  OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib
  OvmfPkg: correct the set of modules included for the IPv6 stack
  OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS)

 OvmfPkg/OvmfPkgIa32.dsc    | 29 ++++++++++++++++-------------
 OvmfPkg/OvmfPkgIa32.fdf    |  8 ++++----
 OvmfPkg/OvmfPkgIa32X64.dsc | 29 ++++++++++++++++-------------
 OvmfPkg/OvmfPkgIa32X64.fdf |  8 ++++----
 OvmfPkg/OvmfPkgX64.dsc     | 29 ++++++++++++++++-------------
 OvmfPkg/OvmfPkgX64.fdf     |  8 ++++----
 6 files changed, 60 insertions(+), 51 deletions(-)

-- 
2.11.0




* [PATCH 1/3] OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib
  2017-01-17  4:52 [PATCH 0/3] Enable HTTPS Boot in OVMF Gary Lin
@ 2017-01-17  4:52 ` Gary Lin
  2017-01-17  8:03   ` Wu, Jiaxin
  2017-01-17  9:13   ` Laszlo Ersek
  2017-01-17  4:52 ` [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack Gary Lin
                   ` (4 subsequent siblings)
  5 siblings, 2 replies; 20+ messages in thread
From: Gary Lin @ 2017-01-17  4:52 UTC (permalink / raw)
  To: edk2-devel; +Cc: Laszlo Ersek, Justen Jordan L, Wu Jiaxin, Long Qin

This commit provides unconditional library resolutions for the OpenSslLib,
IntrinsicLib and BaseCryptLib classes, regardless of whether those classes
are actually used by any module.

Although those libraries depend on OpenSSL, they won't be built unless
a module really uses them. Thus, missing OpenSSL from the tree won't
cause any build failure as long as SECURE_BOOT_ENABLE is false.

(Based on Jiaxin's patch and Laszlo's suggestion)

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Justen Jordan L <jordan.l.justen@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Cc: Long Qin <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gary Lin <glin@suse.com>
---
 OvmfPkg/OvmfPkgIa32.dsc    | 9 +++------
 OvmfPkg/OvmfPkgIa32X64.dsc | 9 +++------
 OvmfPkg/OvmfPkgX64.dsc     | 9 +++------
 3 files changed, 9 insertions(+), 18 deletions(-)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index e97f7f0262..9aa66eb951 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -141,10 +141,11 @@ [LibraryClasses]
   LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
 
-!if $(SECURE_BOOT_ENABLE) == TRUE
-  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
 !if $(NETWORK_IP6_ENABLE) == TRUE
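Review bot: The two resolutions that become unconditional at the top of this hunk, IntrinsicLib and OpensslLib, carry no comment saying why they sit outside the SECURE_BOOT_ENABLE block. The commit message gives the reason (they are not built unless a module really uses them), and a one-line comment above them in the DSC would keep a later cleanup from moving them back under the guard. The subject line also spells the class "OpenSslLib" while the DSC line reads "OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf"; matching the class name makes the commit easier to find with grep. Both points apply to the same hunk in OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc.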
@@ -166,9 +167,7 @@ [LibraryClasses]
   XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
 
 [LibraryClasses.common]
-!if $(SECURE_BOOT_ENABLE) == TRUE
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
-!endif
 
 [LibraryClasses.common.SEC]
   TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
@@ -258,9 +257,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
   DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
 !endif
   UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
-!endif
   PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
 
 [LibraryClasses.common.UEFI_DRIVER]
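Review bot: BaseCryptLib loses its SECURE_BOOT_ENABLE guard here for DXE_RUNTIME_DRIVER and, in the previous hunk, for [LibraryClasses.common], but no other module-type section appears in the diff. If any other section of this DSC still resolves BaseCryptLib inside a SECURE_BOOT_ENABLE guard, it should be handled the same way in this patch so that "always resolve" in the subject holds for every module type; otherwise state in the commit message that these two are the only guarded resolutions.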
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 8e3e04c135..9537e92077 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -146,10 +146,11 @@ [LibraryClasses]
   LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
 
-!if $(SECURE_BOOT_ENABLE) == TRUE
-  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
 !if $(NETWORK_IP6_ENABLE) == TRUE
@@ -171,9 +172,7 @@ [LibraryClasses]
   XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
 
 [LibraryClasses.common]
-!if $(SECURE_BOOT_ENABLE) == TRUE
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
-!endif
 
 [LibraryClasses.common.SEC]
   TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
@@ -263,9 +262,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
   DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
 !endif
   UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
-!endif
   PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
 
 [LibraryClasses.common.UEFI_DRIVER]
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 6ec3fe050d..d15294eb72 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -146,10 +146,11 @@ [LibraryClasses]
   LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
 
-!if $(SECURE_BOOT_ENABLE) == TRUE
-  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+
+!if $(SECURE_BOOT_ENABLE) == TRUE
+  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
 !if $(NETWORK_IP6_ENABLE) == TRUE
@@ -171,9 +172,7 @@ [LibraryClasses]
   XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
 
 [LibraryClasses.common]
-!if $(SECURE_BOOT_ENABLE) == TRUE
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
-!endif
 
 [LibraryClasses.common.SEC]
   TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
@@ -263,9 +262,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
   DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
 !endif
   UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
-!endif
   PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
 
 [LibraryClasses.common.UEFI_DRIVER]
-- 
2.11.0




* [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack
  2017-01-17  4:52 [PATCH 0/3] Enable HTTPS Boot in OVMF Gary Lin
  2017-01-17  4:52 ` [PATCH 1/3] OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib Gary Lin
@ 2017-01-17  4:52 ` Gary Lin
  2017-01-17  8:04   ` Wu, Jiaxin
  2017-01-17  9:22   ` Laszlo Ersek
  2017-01-17  4:52 ` [PATCH 3/3] OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS) Gary Lin
                   ` (3 subsequent siblings)
  5 siblings, 2 replies; 20+ messages in thread
From: Gary Lin @ 2017-01-17  4:52 UTC (permalink / raw)
  To: edk2-devel; +Cc: Laszlo Ersek, Justen Jordan L, Wu Jiaxin, Long Qin

Always use IScsiDxe from NetworkPkg when IPv6 is enabled since it provides
the complete ISCSI support.

NOTE: This makes OpenSSL a hard requirement when NETWORK_IP6_ENABLE is
      true.

(Based on Jiaxin's suggestion)

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Justen Jordan L <jordan.l.justen@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Cc: Long Qin <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gary Lin <glin@suse.com>
---
 OvmfPkg/OvmfPkgIa32.dsc    | 11 ++++-------
 OvmfPkg/OvmfPkgIa32.fdf    |  4 ----
 OvmfPkg/OvmfPkgIa32X64.dsc | 11 ++++-------
 OvmfPkg/OvmfPkgIa32X64.fdf |  4 ----
 OvmfPkg/OvmfPkgX64.dsc     | 11 ++++-------
 OvmfPkg/OvmfPkgX64.fdf     |  4 ----
 6 files changed, 12 insertions(+), 33 deletions(-)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 9aa66eb951..77287920e2 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -148,15 +148,16 @@ [LibraryClasses]
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
-!if $(NETWORK_IP6_ENABLE) == TRUE
-  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
-!endif
 !else
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
   AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
 !endif
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
 
+!if $(NETWORK_IP6_ENABLE) == TRUE
+  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
+!endif
+
 !if $(HTTP_BOOT_ENABLE) == TRUE
   HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
 !endif
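Review bot: The TcpIoLib resolution moves out of the SECURE_BOOT_ENABLE block in this hunk, but the commit message only talks about IScsiDxe. Add a sentence saying that TcpIoLib now has to be resolved whenever NETWORK_IP6_ENABLE is TRUE, independent of SECURE_BOOT_ENABLE, and why the move is needed (presumably because NetworkPkg/IScsiDxe, which is now built for every IPv6 configuration, consumes it).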
@@ -697,12 +698,8 @@ [Components]
   NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
   NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
   NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
   NetworkPkg/IScsiDxe/IScsiDxe.inf
 !else
-  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
-!endif
-!else
   MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
   MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
   MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
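Review bot: Dropping the MdeModulePkg/Universal/Network/IScsiDxe fallback from the IPv6 branch means a -D NETWORK_IP6_ENABLE build without SECURE_BOOT_ENABLE now builds NetworkPkg/IScsiDxe/IScsiDxe.inf, which the commit message NOTE says makes OpenSSL a hard requirement. That is a behaviour change for existing IPv6 builds, so it should also be recorded wherever the OVMF build flags are documented for users, not only in the commit log. The matching FDF hunks have to land in the same commit as this one, which they do.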
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 34d57a6079..069e21b7d0 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -314,12 +314,8 @@ [FV.DXEFV]
   INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
   INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
   INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
   INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
 !else
-  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
-!endif
-!else
   INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
   INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
   INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 9537e92077..64a7c16d2f 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -153,15 +153,16 @@ [LibraryClasses]
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
-!if $(NETWORK_IP6_ENABLE) == TRUE
-  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
-!endif
 !else
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
   AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
 !endif
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
 
+!if $(NETWORK_IP6_ENABLE) == TRUE
+  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
+!endif
+
 !if $(HTTP_BOOT_ENABLE) == TRUE
   HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
 !endif
@@ -706,12 +707,8 @@ [Components.X64]
   NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
   NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
   NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
   NetworkPkg/IScsiDxe/IScsiDxe.inf
 !else
-  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
-!endif
-!else
   MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
   MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
   MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index df55c2b210..f29feb27b4 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -314,12 +314,8 @@ [FV.DXEFV]
   INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
   INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
   INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
   INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
 !else
-  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
-!endif
-!else
   INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
   INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
   INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index d15294eb72..ac4bf4f63e 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -153,15 +153,16 @@ [LibraryClasses]
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
-!if $(NETWORK_IP6_ENABLE) == TRUE
-  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
-!endif
 !else
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
   AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
 !endif
   VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
 
+!if $(NETWORK_IP6_ENABLE) == TRUE
+  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
+!endif
+
 !if $(HTTP_BOOT_ENABLE) == TRUE
   HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
 !endif
@@ -704,12 +705,8 @@ [Components]
   NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
   NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
   NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
   NetworkPkg/IScsiDxe/IScsiDxe.inf
 !else
-  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
-!endif
-!else
   MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
   MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
   MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 5e2e1dfaf5..8d66da099f 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -314,12 +314,8 @@ [FV.DXEFV]
   INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
   INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
   INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
-!if $(SECURE_BOOT_ENABLE) == TRUE
   INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
 !else
-  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
-!endif
-!else
   INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
   INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
   INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
-- 
2.11.0




* [PATCH 3/3] OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS)
  2017-01-17  4:52 [PATCH 0/3] Enable HTTPS Boot in OVMF Gary Lin
  2017-01-17  4:52 ` [PATCH 1/3] OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib Gary Lin
  2017-01-17  4:52 ` [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack Gary Lin
@ 2017-01-17  4:52 ` Gary Lin
  2017-01-17  8:04   ` Wu, Jiaxin
  2017-01-17  9:24   ` Laszlo Ersek
  2017-01-17  8:13 ` [PATCH 0/3] Enable HTTPS Boot in OVMF Long, Qin
                   ` (2 subsequent siblings)
  5 siblings, 2 replies; 20+ messages in thread
From: Gary Lin @ 2017-01-17  4:52 UTC (permalink / raw)
  To: edk2-devel; +Cc: Laszlo Ersek, Justen Jordan L, Wu Jiaxin, Long Qin

This commit introduces a new build option, TLS_ENABLE, to pull in the
TLS-related modules. If HTTP_BOOT_ENABLE and TLS_ENABLE are enabled at
the same time, the HTTP driver locates the TLS protocols automatically
and thus HTTPS is enabled.

To build OVMF with HTTP Boot:

$ ./build.sh -D HTTP_BOOT_ENABLE

To build OVMF with HTTPS Boot:

$ ./build.sh -D HTTP_BOOT_ENABLE -D TLS_ENABLE

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Justen Jordan L <jordan.l.justen@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Cc: Long Qin <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gary Lin <glin@suse.com>
---
 OvmfPkg/OvmfPkgIa32.dsc    | 9 +++++++++
 OvmfPkg/OvmfPkgIa32.fdf    | 4 ++++
 OvmfPkg/OvmfPkgIa32X64.dsc | 9 +++++++++
 OvmfPkg/OvmfPkgIa32X64.fdf | 4 ++++
 OvmfPkg/OvmfPkgX64.dsc     | 9 +++++++++
 OvmfPkg/OvmfPkgX64.fdf     | 4 ++++
 6 files changed, 39 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 77287920e2..e060602587 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -38,6 +38,7 @@ [Defines]
   DEFINE NETWORK_IP6_ENABLE      = FALSE
   DEFINE HTTP_BOOT_ENABLE        = FALSE
   DEFINE SMM_REQUIRE             = FALSE
+  DEFINE TLS_ENABLE              = FALSE
 
 [BuildOptions]
   GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
@@ -162,6 +163,10 @@ [LibraryClasses]
   HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
 !endif
 
+!if $(TLS_ENABLE) == TRUE
+  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
+!endif
+
   S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
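Review bot: The new TlsLib resolution under TLS_ENABLE comes from CryptoPkg, like the OpenSSL-dependent libraries in patch 1, yet the commit message does not say whether -D TLS_ENABLE requires OpenSSL in the tree. Patch 2 carries an explicit NOTE for NETWORK_IP6_ENABLE; add the equivalent statement here so the requirement is visible to anyone enabling the flag.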
@@ -710,6 +715,10 @@ [Components]
   NetworkPkg/HttpDxe/HttpDxe.inf
   NetworkPkg/HttpBootDxe/HttpBootDxe.inf
 !endif
+!if $(TLS_ENABLE) == TRUE
+  NetworkPkg/TlsDxe/TlsDxe.inf
+  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
+!endif
   OvmfPkg/VirtioNetDxe/VirtioNet.inf
 
   #
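Review bot: The TLS_ENABLE block in [Components] is a sibling of the HTTP_BOOT_ENABLE block rather than nested in it, so -D TLS_ENABLE without -D HTTP_BOOT_ENABLE builds TlsDxe and TlsAuthConfigDxe with no HTTP driver in the image to use them. If that combination is intended, say so in the commit message; if not, nest the block or reject the combination. The message also explains that the HTTP driver locates the TLS protocols but does not say what TlsAuthConfigDxe is for; one sentence on its role would help reviewers judge what an HTTPS-enabled firmware image gains with it.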
diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 069e21b7d0..09c165882c 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -326,6 +326,10 @@ [FV.DXEFV]
   INF  NetworkPkg/HttpDxe/HttpDxe.inf
   INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
 !endif
+!if $(TLS_ENABLE) == TRUE
+  INF  NetworkPkg/TlsDxe/TlsDxe.inf
+  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
+!endif
   INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
 
 #
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 64a7c16d2f..0e24e7a5bc 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -38,6 +38,7 @@ [Defines]
   DEFINE NETWORK_IP6_ENABLE      = FALSE
   DEFINE HTTP_BOOT_ENABLE        = FALSE
   DEFINE SMM_REQUIRE             = FALSE
+  DEFINE TLS_ENABLE              = FALSE
 
 [BuildOptions]
   GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
@@ -167,6 +168,10 @@ [LibraryClasses]
   HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
 !endif
 
+!if $(TLS_ENABLE) == TRUE
+  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
+!endif
+
   S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
@@ -719,6 +724,10 @@ [Components.X64]
   NetworkPkg/HttpDxe/HttpDxe.inf
   NetworkPkg/HttpBootDxe/HttpBootDxe.inf
 !endif
+!if $(TLS_ENABLE) == TRUE
+  NetworkPkg/TlsDxe/TlsDxe.inf
+  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
+!endif
   OvmfPkg/VirtioNetDxe/VirtioNet.inf
 
   #
diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index f29feb27b4..5233314139 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -326,6 +326,10 @@ [FV.DXEFV]
   INF  NetworkPkg/HttpDxe/HttpDxe.inf
   INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
 !endif
+!if $(TLS_ENABLE) == TRUE
+  INF  NetworkPkg/TlsDxe/TlsDxe.inf
+  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
+!endif
   INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
 
 #
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index ac4bf4f63e..108f7d59bf 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -38,6 +38,7 @@ [Defines]
   DEFINE NETWORK_IP6_ENABLE      = FALSE
   DEFINE HTTP_BOOT_ENABLE        = FALSE
   DEFINE SMM_REQUIRE             = FALSE
+  DEFINE TLS_ENABLE              = FALSE
 
 [BuildOptions]
   GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
@@ -167,6 +168,10 @@ [LibraryClasses]
   HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
 !endif
 
+!if $(TLS_ENABLE) == TRUE
+  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
+!endif
+
   S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
   SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
   OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
@@ -717,6 +722,10 @@ [Components]
   NetworkPkg/HttpDxe/HttpDxe.inf
   NetworkPkg/HttpBootDxe/HttpBootDxe.inf
 !endif
+!if $(TLS_ENABLE) == TRUE
+  NetworkPkg/TlsDxe/TlsDxe.inf
+  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
+!endif
   OvmfPkg/VirtioNetDxe/VirtioNet.inf
 
   #
diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index 8d66da099f..36150101e7 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -326,6 +326,10 @@ [FV.DXEFV]
   INF  NetworkPkg/HttpDxe/HttpDxe.inf
   INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
 !endif
+!if $(TLS_ENABLE) == TRUE
+  INF  NetworkPkg/TlsDxe/TlsDxe.inf
+  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
+!endif
   INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
 
 #
-- 
2.11.0




* Re: [PATCH 1/3] OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib
  2017-01-17  4:52 ` [PATCH 1/3] OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib Gary Lin
@ 2017-01-17  8:03   ` Wu, Jiaxin
  2017-01-17  9:13   ` Laszlo Ersek
  1 sibling, 0 replies; 20+ messages in thread
From: Wu, Jiaxin @ 2017-01-17  8:03 UTC (permalink / raw)
  To: Gary Lin, edk2-devel@lists.01.org
  Cc: Laszlo Ersek, Justen, Jordan L, Long, Qin

Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>


> -----Original Message-----
> From: Gary Lin [mailto:glin@suse.com]
> Sent: Tuesday, January 17, 2017 12:53 PM
> To: edk2-devel@lists.01.org
> Cc: Laszlo Ersek <lersek@redhat.com>; Justen, Jordan L
> <jordan.l.justen@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>; Long, Qin
> <qin.long@intel.com>
> Subject: [PATCH 1/3] OvmfPkg: always resolve OpenSslLib, IntrinsicLib and
> BaseCryptLib
> 
> This commit provides unconditional library resolutions for the OpenSslLib,
> IntrinsicLib and BaseCryptLib classes, regardless of whether those classes
> are actually used by any module.
> 
> Although those libraries depend on OpenSSL, they won't be built unless
> a module really uses them. Thus, missing OpenSSL from the tree won't
> cause any build failure as long as SECURE_BOOT_ENABLE is false.
> 
> (Based on Jiaxin's patch and Laszlo's suggestion)
> 
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Justen Jordan L <jordan.l.justen@intel.com>
> Cc: Wu Jiaxin <jiaxin.wu@intel.com>
> Cc: Long Qin <qin.long@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Gary Lin <glin@suse.com>
> ---
>  OvmfPkg/OvmfPkgIa32.dsc    | 9 +++------
>  OvmfPkg/OvmfPkgIa32X64.dsc | 9 +++------
>  OvmfPkg/OvmfPkgX64.dsc     | 9 +++------
>  3 files changed, 9 insertions(+), 18 deletions(-)
> 
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index e97f7f0262..9aa66eb951 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -141,10 +141,11 @@ [LibraryClasses]
> 
> LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
> 
> DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD
> ebugPrintErrorLevelLib.inf
> 
> -!if $(SECURE_BOOT_ENABLE) == TRUE
> -
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> 
> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
> easurementLib.inf
>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
>  !if $(NETWORK_IP6_ENABLE) == TRUE
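Review bot: The context lines in this quoted hunk have been wrapped by the mail client (for example "BaseD" / "ebugPrintErrorLevelLib.inf", and a lone "-" ahead of the PlatformSecureLib line), so the quoted copy no longer matches the posted diff line for line. Review and apply from the original posting of patch 1/3, not from this quote.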
> @@ -166,9 +167,7 @@ [LibraryClasses]
>    XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
> 
>  [LibraryClasses.common]
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> -!endif
> 
>  [LibraryClasses.common.SEC]
>    TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
> @@ -258,9 +257,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
> 
> DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i
> nf
>  !endif
>    UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> -!endif
>    PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
> 
>  [LibraryClasses.common.UEFI_DRIVER]
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index 8e3e04c135..9537e92077 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -146,10 +146,11 @@ [LibraryClasses]
> 
> LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
> 
> DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD
> ebugPrintErrorLevelLib.inf
> 
> -!if $(SECURE_BOOT_ENABLE) == TRUE
> -
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> 
> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
> easurementLib.inf
>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
>  !if $(NETWORK_IP6_ENABLE) == TRUE
> @@ -171,9 +172,7 @@ [LibraryClasses]
>    XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
> 
>  [LibraryClasses.common]
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> -!endif
> 
>  [LibraryClasses.common.SEC]
>    TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
> @@ -263,9 +262,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
> 
> DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i
> nf
>  !endif
>    UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> -!endif
>    PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
> 
>  [LibraryClasses.common.UEFI_DRIVER]
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index 6ec3fe050d..d15294eb72 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -146,10 +146,11 @@ [LibraryClasses]
> 
> LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
> 
> DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD
> ebugPrintErrorLevelLib.inf
> 
> -!if $(SECURE_BOOT_ENABLE) == TRUE
> -
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> 
> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
> easurementLib.inf
>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
>  !if $(NETWORK_IP6_ENABLE) == TRUE
> @@ -171,9 +172,7 @@ [LibraryClasses]
>    XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
> 
>  [LibraryClasses.common]
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> -!endif
> 
>  [LibraryClasses.common.SEC]
>    TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
> @@ -263,9 +262,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
> 
> DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i
> nf
>  !endif
>    UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> -!endif
>    PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
> 
>  [LibraryClasses.common.UEFI_DRIVER]
> --
> 2.11.0




* Re: [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack
  2017-01-17  4:52 ` [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack Gary Lin
@ 2017-01-17  8:04   ` Wu, Jiaxin
  2017-01-17  9:22   ` Laszlo Ersek
  1 sibling, 0 replies; 20+ messages in thread
From: Wu, Jiaxin @ 2017-01-17  8:04 UTC (permalink / raw)
  To: Gary Lin, edk2-devel@lists.01.org
  Cc: Laszlo Ersek, Justen, Jordan L, Long, Qin

Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>


> -----Original Message-----
> From: Gary Lin [mailto:glin@suse.com]
> Sent: Tuesday, January 17, 2017 12:53 PM
> To: edk2-devel@lists.01.org
> Cc: Laszlo Ersek <lersek@redhat.com>; Justen, Jordan L
> <jordan.l.justen@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>; Long, Qin
> <qin.long@intel.com>
> Subject: [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6
> stack
> 
> Always use IScsiDxe from NetworkPkg when IPv6 is enabled since it provides
> the complete ISCSI support.
> 
> NOTE: This makes OpenSSL a hard requirement when NETWORK_IP6_ENABLE
> is
>       true.
> 
> (Based on Jiaxin's suggestion)
> 
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Justen Jordan L <jordan.l.justen@intel.com>
> Cc: Wu Jiaxin <jiaxin.wu@intel.com>
> Cc: Long Qin <qin.long@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Gary Lin <glin@suse.com>
> ---
>  OvmfPkg/OvmfPkgIa32.dsc    | 11 ++++-------
>  OvmfPkg/OvmfPkgIa32.fdf    |  4 ----
>  OvmfPkg/OvmfPkgIa32X64.dsc | 11 ++++-------
>  OvmfPkg/OvmfPkgIa32X64.fdf |  4 ----
>  OvmfPkg/OvmfPkgX64.dsc     | 11 ++++-------
>  OvmfPkg/OvmfPkgX64.fdf     |  4 ----
>  6 files changed, 12 insertions(+), 33 deletions(-)
> 
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index 9aa66eb951..77287920e2 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -148,15 +148,16 @@ [LibraryClasses]
> 
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> 
> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
> easurementLib.inf
>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> -!if $(NETWORK_IP6_ENABLE) == TRUE
> -  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> -!endif
>  !else
> 
> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/Tpm
> MeasurementLibNull.inf
> 
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib
> Null.inf
>  !endif
>    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> 
> +!if $(NETWORK_IP6_ENABLE) == TRUE
> +  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> +!endif
> +
>  !if $(HTTP_BOOT_ENABLE) == TRUE
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>  !endif
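
Review bot: The commit message covers only the IScsiDxe switch and does not explain why the TcpIoLib resolution in this [LibraryClasses] hunk moves out of the SECURE_BOOT_ENABLE block into its own "!if $(NETWORK_IP6_ENABLE) == TRUE" block. Please add a sentence naming the module that needs TcpIoLib when SECURE_BOOT_ENABLE is FALSE, so the move does not read as an unrelated cleanup.
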
> @@ -697,12 +698,8 @@ [Components]
>    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    NetworkPkg/IScsiDxe/IScsiDxe.inf
>  !else
> -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> -!endif
> -!else
>    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
> index 34d57a6079..069e21b7d0 100644
> --- a/OvmfPkg/OvmfPkgIa32.fdf
> +++ b/OvmfPkg/OvmfPkgIa32.fdf
> @@ -314,12 +314,8 @@ [FV.DXEFV]
>    INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>    INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>    INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
>  !else
> -  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> -!endif
> -!else
>    INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>    INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>    INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index 9537e92077..64a7c16d2f 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -153,15 +153,16 @@ [LibraryClasses]
> 
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> 
> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
> easurementLib.inf
>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> -!if $(NETWORK_IP6_ENABLE) == TRUE
> -  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> -!endif
>  !else
> 
> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/Tpm
> MeasurementLibNull.inf
> 
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib
> Null.inf
>  !endif
>    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> 
> +!if $(NETWORK_IP6_ENABLE) == TRUE
> +  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> +!endif
> +
>  !if $(HTTP_BOOT_ENABLE) == TRUE
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>  !endif
> @@ -706,12 +707,8 @@ [Components.X64]
>    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    NetworkPkg/IScsiDxe/IScsiDxe.inf
>  !else
> -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> -!endif
> -!else
>    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
> index df55c2b210..f29feb27b4 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.fdf
> +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
> @@ -314,12 +314,8 @@ [FV.DXEFV]
>    INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>    INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>    INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
>  !else
> -  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> -!endif
> -!else
>    INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>    INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>    INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index d15294eb72..ac4bf4f63e 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -153,15 +153,16 @@ [LibraryClasses]
> 
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> 
> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
> easurementLib.inf
>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> -!if $(NETWORK_IP6_ENABLE) == TRUE
> -  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> -!endif
>  !else
> 
> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/Tpm
> MeasurementLibNull.inf
> 
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib
> Null.inf
>  !endif
>    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> 
> +!if $(NETWORK_IP6_ENABLE) == TRUE
> +  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> +!endif
> +
>  !if $(HTTP_BOOT_ENABLE) == TRUE
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>  !endif
> @@ -704,12 +705,8 @@ [Components]
>    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    NetworkPkg/IScsiDxe/IScsiDxe.inf
>  !else
> -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> -!endif
> -!else
>    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
> index 5e2e1dfaf5..8d66da099f 100644
> --- a/OvmfPkg/OvmfPkgX64.fdf
> +++ b/OvmfPkg/OvmfPkgX64.fdf
> @@ -314,12 +314,8 @@ [FV.DXEFV]
>    INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>    INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>    INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
>  !else
> -  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> -!endif
> -!else
>    INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>    INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>    INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> --
> 2.11.0



^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 3/3] OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS)
  2017-01-17  4:52 ` [PATCH 3/3] OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS) Gary Lin
@ 2017-01-17  8:04   ` Wu, Jiaxin
  2017-01-17  9:24   ` Laszlo Ersek
  1 sibling, 0 replies; 20+ messages in thread
From: Wu, Jiaxin @ 2017-01-17  8:04 UTC (permalink / raw)
  To: Gary Lin, edk2-devel@lists.01.org
  Cc: Laszlo Ersek, Justen, Jordan L, Long, Qin

Reviewed-by: Wu Jiaxin <jiaxin.wu@intel.com>


> -----Original Message-----
> From: Gary Lin [mailto:glin@suse.com]
> Sent: Tuesday, January 17, 2017 12:53 PM
> To: edk2-devel@lists.01.org
> Cc: Laszlo Ersek <lersek@redhat.com>; Justen, Jordan L
> <jordan.l.justen@intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>; Long, Qin
> <qin.long@intel.com>
> Subject: [PATCH 3/3] OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also
> enabling HTTPS)
> 
> This commit introduces a new build option, TLS_ENABLE, to pull in the
> TLS-related modules. If HTTP_BOOT_ENABLE and TLS_ENABLE are enabled at
> the same time, the HTTP driver locates the TLS protocols automatically
> and thus HTTPS is enabled.
> 
> To build OVMF with HTTP Boot:
> 
> $ ./build.sh -D HTTP_BOOT_ENABLE
> 
> To build OVMF with HTTPS Boot:
> 
> $ ./build.sh -D HTTP_BOOT_ENABLE -D TLS_ENABLE
> 
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Justen Jordan L <jordan.l.justen@intel.com>
> Cc: Wu Jiaxin <jiaxin.wu@intel.com>
> Cc: Long Qin <qin.long@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Gary Lin <glin@suse.com>
> ---
>  OvmfPkg/OvmfPkgIa32.dsc    | 9 +++++++++
>  OvmfPkg/OvmfPkgIa32.fdf    | 4 ++++
>  OvmfPkg/OvmfPkgIa32X64.dsc | 9 +++++++++
>  OvmfPkg/OvmfPkgIa32X64.fdf | 4 ++++
>  OvmfPkg/OvmfPkgX64.dsc     | 9 +++++++++
>  OvmfPkg/OvmfPkgX64.fdf     | 4 ++++
>  6 files changed, 39 insertions(+)
> 
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index 77287920e2..e060602587 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -38,6 +38,7 @@ [Defines]
>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>    DEFINE HTTP_BOOT_ENABLE        = FALSE
>    DEFINE SMM_REQUIRE             = FALSE
> +  DEFINE TLS_ENABLE              = FALSE
> 
>  [BuildOptions]
>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
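
Review bot: The new TLS_ENABLE define in [Defines] comes with no statement about OpenSSL, while the commit message of patch 2/3 carries an explicit NOTE that NETWORK_IP6_ENABLE makes OpenSSL a hard requirement. Since this patch resolves TlsLib from CryptoPkg when TLS_ENABLE is TRUE, please say in the commit message whether -D TLS_ENABLE also needs OpenSSL in the tree.
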
> @@ -162,6 +163,10 @@ [LibraryClasses]
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>  !endif
> 
> +!if $(TLS_ENABLE) == TRUE
> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> +!endif
> +
> 
> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> tLib.inf
>    SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
> 
> OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib
> /BaseOrderedCollectionRedBlackTreeLib.inf
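
Review bot: The TlsLib resolution added here is wrapped in "!if $(TLS_ENABLE) == TRUE", whereas patch 1/3 of this series removes the same kind of guard from OpensslLib, IntrinsicLib and BaseCryptLib on the grounds that a library is not built unless a module uses it. Either resolve TlsLib unconditionally for consistency with 1/3, or state in the commit message why this class needs the guard.
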
> @@ -710,6 +715,10 @@ [Components]
>    NetworkPkg/HttpDxe/HttpDxe.inf
>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>  !endif
> +!if $(TLS_ENABLE) == TRUE
> +  NetworkPkg/TlsDxe/TlsDxe.inf
> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> 
>    #
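
Review bot: The "!if $(TLS_ENABLE) == TRUE" block in [Components] sits after the "!endif" that closes the HttpDxe and HttpBootDxe entries rather than inside that block, so -D TLS_ENABLE on its own adds TlsDxe and TlsAuthConfigDxe to a build that contains neither HTTP driver. The commit message describes only the combination with HTTP_BOOT_ENABLE; if a TLS-only build is intended, say so, otherwise nest the block or reject that combination.
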
> diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
> index 069e21b7d0..09c165882c 100644
> --- a/OvmfPkg/OvmfPkgIa32.fdf
> +++ b/OvmfPkg/OvmfPkgIa32.fdf
> @@ -326,6 +326,10 @@ [FV.DXEFV]
>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>  !endif
> +!if $(TLS_ENABLE) == TRUE
> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> 
>  #
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index 64a7c16d2f..0e24e7a5bc 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -38,6 +38,7 @@ [Defines]
>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>    DEFINE HTTP_BOOT_ENABLE        = FALSE
>    DEFINE SMM_REQUIRE             = FALSE
> +  DEFINE TLS_ENABLE              = FALSE
> 
>  [BuildOptions]
>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> @@ -167,6 +168,10 @@ [LibraryClasses]
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>  !endif
> 
> +!if $(TLS_ENABLE) == TRUE
> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> +!endif
> +
> 
> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> tLib.inf
>    SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
> 
> OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib
> /BaseOrderedCollectionRedBlackTreeLib.inf
> @@ -719,6 +724,10 @@ [Components.X64]
>    NetworkPkg/HttpDxe/HttpDxe.inf
>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>  !endif
> +!if $(TLS_ENABLE) == TRUE
> +  NetworkPkg/TlsDxe/TlsDxe.inf
> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> 
>    #
> diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
> index f29feb27b4..5233314139 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.fdf
> +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
> @@ -326,6 +326,10 @@ [FV.DXEFV]
>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>  !endif
> +!if $(TLS_ENABLE) == TRUE
> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> 
>  #
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index ac4bf4f63e..108f7d59bf 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -38,6 +38,7 @@ [Defines]
>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>    DEFINE HTTP_BOOT_ENABLE        = FALSE
>    DEFINE SMM_REQUIRE             = FALSE
> +  DEFINE TLS_ENABLE              = FALSE
> 
>  [BuildOptions]
>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> @@ -167,6 +168,10 @@ [LibraryClasses]
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>  !endif
> 
> +!if $(TLS_ENABLE) == TRUE
> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> +!endif
> +
> 
> S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScrip
> tLib.inf
>    SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
> 
> OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib
> /BaseOrderedCollectionRedBlackTreeLib.inf
> @@ -717,6 +722,10 @@ [Components]
>    NetworkPkg/HttpDxe/HttpDxe.inf
>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>  !endif
> +!if $(TLS_ENABLE) == TRUE
> +  NetworkPkg/TlsDxe/TlsDxe.inf
> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
> 
>    #
> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
> index 8d66da099f..36150101e7 100644
> --- a/OvmfPkg/OvmfPkgX64.fdf
> +++ b/OvmfPkg/OvmfPkgX64.fdf
> @@ -326,6 +326,10 @@ [FV.DXEFV]
>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>  !endif
> +!if $(TLS_ENABLE) == TRUE
> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
> 
>  #
> --
> 2.11.0



^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 0/3] Enable HTTPS Boot in OVMF
  2017-01-17  4:52 [PATCH 0/3] Enable HTTPS Boot in OVMF Gary Lin
                   ` (2 preceding siblings ...)
  2017-01-17  4:52 ` [PATCH 3/3] OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS) Gary Lin
@ 2017-01-17  8:13 ` Long, Qin
  2017-01-17  8:25 ` Jordan Justen
  2017-01-17  9:49 ` Laszlo Ersek
  5 siblings, 0 replies; 20+ messages in thread
From: Long, Qin @ 2017-01-17  8:13 UTC (permalink / raw)
  To: Gary Lin, edk2-devel@lists.01.org

Series reviewed by: Long Qin <qin.long@intel.com>


Best Regards & Thanks,
LONG, Qin

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Gary Lin
> Sent: Tuesday, January 17, 2017 12:52 PM
> To: edk2-devel@lists.01.org
> Subject: [edk2] [PATCH 0/3] Enable HTTPS Boot in OVMF
> 
> This series adjusts the build files of OVMF in order to support HTTPS.
> It introduces a new build option, TLS_ENABLE, and makes OpenSSL a hard
> requirement to enable IPv6 support.
> 
> Gary Lin (3):
>   OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib
>   OvmfPkg: correct the set of modules included for the IPv6 stack
>   OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS)
> 
>  OvmfPkg/OvmfPkgIa32.dsc    | 29 ++++++++++++++++-------------
>  OvmfPkg/OvmfPkgIa32.fdf    |  8 ++++----
>  OvmfPkg/OvmfPkgIa32X64.dsc | 29 ++++++++++++++++-------------
>  OvmfPkg/OvmfPkgIa32X64.fdf |  8 ++++----
>  OvmfPkg/OvmfPkgX64.dsc     | 29 ++++++++++++++++-------------
>  OvmfPkg/OvmfPkgX64.fdf     |  8 ++++----
>  6 files changed, 60 insertions(+), 51 deletions(-)
> 
> --
> 2.11.0
> 
> _______________________________________________
> edk2-devel mailing list
> edk2-devel@lists.01.org
> https://lists.01.org/mailman/listinfo/edk2-devel


^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 0/3] Enable HTTPS Boot in OVMF
  2017-01-17  4:52 [PATCH 0/3] Enable HTTPS Boot in OVMF Gary Lin
                   ` (3 preceding siblings ...)
  2017-01-17  8:13 ` [PATCH 0/3] Enable HTTPS Boot in OVMF Long, Qin
@ 2017-01-17  8:25 ` Jordan Justen
  2017-01-17 20:13   ` Laszlo Ersek
  2017-01-17  9:49 ` Laszlo Ersek
  5 siblings, 1 reply; 20+ messages in thread
From: Jordan Justen @ 2017-01-17  8:25 UTC (permalink / raw)
  To: Gary Lin, edk2-devel

On 2017-01-16 20:52:29, Gary Lin wrote:
> This series adjusts the build files of OVMF in order to support HTTPS.
> It introduces a new build option, TLS_ENABLE, and makes OpenSSL a hard
> requirement to enable IPv6 support.
> 
> Gary Lin (3):
>   OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib

Ok. I see that OpenSSL will still not be a dependency, unless one of
the dependent features is enabled. (And, they are all disabled by
default.)

Series Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>

But, I'll let Laszlo take a look too.

Thanks,

-Jordan

>   OvmfPkg: correct the set of modules included for the IPv6 stack
>   OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS)
> 
>  OvmfPkg/OvmfPkgIa32.dsc    | 29 ++++++++++++++++-------------
>  OvmfPkg/OvmfPkgIa32.fdf    |  8 ++++----
>  OvmfPkg/OvmfPkgIa32X64.dsc | 29 ++++++++++++++++-------------
>  OvmfPkg/OvmfPkgIa32X64.fdf |  8 ++++----
>  OvmfPkg/OvmfPkgX64.dsc     | 29 ++++++++++++++++-------------
>  OvmfPkg/OvmfPkgX64.fdf     |  8 ++++----
>  6 files changed, 60 insertions(+), 51 deletions(-)
> 
> -- 
> 2.11.0
> 


^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 1/3] OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib
  2017-01-17  4:52 ` [PATCH 1/3] OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib Gary Lin
  2017-01-17  8:03   ` Wu, Jiaxin
@ 2017-01-17  9:13   ` Laszlo Ersek
  1 sibling, 0 replies; 20+ messages in thread
From: Laszlo Ersek @ 2017-01-17  9:13 UTC (permalink / raw)
  To: Gary Lin, edk2-devel; +Cc: Justen Jordan L, Wu Jiaxin, Long Qin

On 01/17/17 05:52, Gary Lin wrote:
> This commit provides unconditional library resolutions for the OpenSslLib,
> IntrinsicLib and BaseCryptLib classes, regardless of whether those classes
> are actually used by any module.
> 
> Although those libraries depend on OpenSSL, they won't be built unless
> a module really uses them. Thus, missing OpenSSL from the tree won't
> cause any build failure as long as SECURE_BOOT_ENABLE is false.
> 
> (Based on Jiaxin's patch and Laszlo's suggestion)
> 
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Justen Jordan L <jordan.l.justen@intel.com>
> Cc: Wu Jiaxin <jiaxin.wu@intel.com>
> Cc: Long Qin <qin.long@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Gary Lin <glin@suse.com>
> ---
>  OvmfPkg/OvmfPkgIa32.dsc    | 9 +++------
>  OvmfPkg/OvmfPkgIa32X64.dsc | 9 +++------
>  OvmfPkg/OvmfPkgX64.dsc     | 9 +++------
>  3 files changed, 9 insertions(+), 18 deletions(-)
> 
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index e97f7f0262..9aa66eb951 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -141,10 +141,11 @@ [LibraryClasses]
>    LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
>    DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
>  
> -!if $(SECURE_BOOT_ENABLE) == TRUE
> -  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>    TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
>  !if $(NETWORK_IP6_ENABLE) == TRUE
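
Review bot: The subject line names the class OpenSslLib, but the line moved in this hunk spells it OpensslLib ("OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf"). Please use the spelling from the DSC in the subject so that a search of the log for the class name finds this commit.
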
> @@ -166,9 +167,7 @@ [LibraryClasses]
>    XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
>  
>  [LibraryClasses.common]
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> -!endif
>  
>  [LibraryClasses.common.SEC]
>    TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
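
Review bot: After this hunk BaseCryptLib is resolved unconditionally under [LibraryClasses.common] with no comment, so the file no longer shows that the resolution is harmless without OpenSSL only because nothing consumes it. The commit message states the condition as "as long as SECURE_BOOT_ENABLE is false", which patch 2/3 changes by making OpenSSL a requirement for NETWORK_IP6_ENABLE as well; wording it as "as long as no module that uses these classes is enabled" would stay accurate across the series.
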
> @@ -258,9 +257,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
>    DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
>  !endif
>    UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> -!endif
>    PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
>  
>  [LibraryClasses.common.UEFI_DRIVER]
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index 8e3e04c135..9537e92077 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -146,10 +146,11 @@ [LibraryClasses]
>    LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
>    DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
>  
> -!if $(SECURE_BOOT_ENABLE) == TRUE
> -  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>    TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
>  !if $(NETWORK_IP6_ENABLE) == TRUE
> @@ -171,9 +172,7 @@ [LibraryClasses]
>    XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
>  
>  [LibraryClasses.common]
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> -!endif
>  
>  [LibraryClasses.common.SEC]
>    TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
> @@ -263,9 +262,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
>    DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
>  !endif
>    UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> -!endif
>    PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
>  
>  [LibraryClasses.common.UEFI_DRIVER]
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index 6ec3fe050d..d15294eb72 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -146,10 +146,11 @@ [LibraryClasses]
>    LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
>    DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
>  
> -!if $(SECURE_BOOT_ENABLE) == TRUE
> -  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +
> +!if $(SECURE_BOOT_ENABLE) == TRUE
> +  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>    TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
>  !if $(NETWORK_IP6_ENABLE) == TRUE
> @@ -171,9 +172,7 @@ [LibraryClasses]
>    XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
>  
>  [LibraryClasses.common]
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> -!endif
>  
>  [LibraryClasses.common.SEC]
>    TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
> @@ -263,9 +262,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
>    DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.inf
>  !endif
>    UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> -!endif
>    PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
>  
>  [LibraryClasses.common.UEFI_DRIVER]
> 

Reviewed-by: Laszlo Ersek <lersek@redhat.com>


^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack
  2017-01-17  4:52 ` [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack Gary Lin
  2017-01-17  8:04   ` Wu, Jiaxin
@ 2017-01-17  9:22   ` Laszlo Ersek
  2017-01-18  0:47     ` Wu, Jiaxin
  1 sibling, 1 reply; 20+ messages in thread
From: Laszlo Ersek @ 2017-01-17  9:22 UTC (permalink / raw)
  To: Gary Lin, edk2-devel; +Cc: Justen Jordan L, Wu Jiaxin, Long Qin

On 01/17/17 05:52, Gary Lin wrote:
> Always use IScsiDxe from NetworkPkg when IPv6 is enabled since it provides
> the complete ISCSI support.
> 
> NOTE: This makes OpenSSL a hard requirement when NETWORK_IP6_ENABLE is
>       true.
> 
> (Based on Jiaxin's suggestion)
> 
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Justen Jordan L <jordan.l.justen@intel.com>
> Cc: Wu Jiaxin <jiaxin.wu@intel.com>
> Cc: Long Qin <qin.long@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Gary Lin <glin@suse.com>
> ---
>  OvmfPkg/OvmfPkgIa32.dsc    | 11 ++++-------
>  OvmfPkg/OvmfPkgIa32.fdf    |  4 ----
>  OvmfPkg/OvmfPkgIa32X64.dsc | 11 ++++-------
>  OvmfPkg/OvmfPkgIa32X64.fdf |  4 ----
>  OvmfPkg/OvmfPkgX64.dsc     | 11 ++++-------
>  OvmfPkg/OvmfPkgX64.fdf     |  4 ----
>  6 files changed, 12 insertions(+), 33 deletions(-)
> 
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index 9aa66eb951..77287920e2 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -148,15 +148,16 @@ [LibraryClasses]
>    PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>    TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> -!if $(NETWORK_IP6_ENABLE) == TRUE
> -  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> -!endif
>  !else
>    TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
>    AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
>  !endif
>    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
>  
> +!if $(NETWORK_IP6_ENABLE) == TRUE
> +  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> +!endif
> +
>  !if $(HTTP_BOOT_ENABLE) == TRUE
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>  !endif
> @@ -697,12 +698,8 @@ [Components]
>    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    NetworkPkg/IScsiDxe/IScsiDxe.inf
>  !else
> -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> -!endif
> -!else
>    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
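
Review bot: With the inner SECURE_BOOT_ENABLE test removed in this [Components] hunk, every build with -D NETWORK_IP6_ENABLE now selects NetworkPkg/IScsiDxe/IScsiDxe.inf, and the OpenSSL requirement that the commit message notes is recorded nowhere in the DSC itself. A comment above that line, or next to the NETWORK_IP6_ENABLE define, stating that OpenSSL must be present in the tree would let someone building without it find the cause from the platform file.
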
> diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
> index 34d57a6079..069e21b7d0 100644
> --- a/OvmfPkg/OvmfPkgIa32.fdf
> +++ b/OvmfPkg/OvmfPkgIa32.fdf
> @@ -314,12 +314,8 @@ [FV.DXEFV]
>    INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>    INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>    INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
>  !else
> -  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> -!endif
> -!else
>    INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>    INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>    INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index 9537e92077..64a7c16d2f 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -153,15 +153,16 @@ [LibraryClasses]
>    PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>    TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> -!if $(NETWORK_IP6_ENABLE) == TRUE
> -  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> -!endif
>  !else
>    TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
>    AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
>  !endif
>    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
>  
> +!if $(NETWORK_IP6_ENABLE) == TRUE
> +  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> +!endif
> +
>  !if $(HTTP_BOOT_ENABLE) == TRUE
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>  !endif
> @@ -706,12 +707,8 @@ [Components.X64]
>    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    NetworkPkg/IScsiDxe/IScsiDxe.inf
>  !else
> -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> -!endif
> -!else
>    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
> index df55c2b210..f29feb27b4 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.fdf
> +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
> @@ -314,12 +314,8 @@ [FV.DXEFV]
>    INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>    INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>    INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
>  !else
> -  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> -!endif
> -!else
>    INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>    INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>    INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index d15294eb72..ac4bf4f63e 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -153,15 +153,16 @@ [LibraryClasses]
>    PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>    TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> -!if $(NETWORK_IP6_ENABLE) == TRUE
> -  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> -!endif
>  !else
>    TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
>    AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
>  !endif
>    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
>  
> +!if $(NETWORK_IP6_ENABLE) == TRUE
> +  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> +!endif
> +
>  !if $(HTTP_BOOT_ENABLE) == TRUE
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>  !endif
> @@ -704,12 +705,8 @@ [Components]
>    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    NetworkPkg/IScsiDxe/IScsiDxe.inf
>  !else
> -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> -!endif
> -!else
>    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
> index 5e2e1dfaf5..8d66da099f 100644
> --- a/OvmfPkg/OvmfPkgX64.fdf
> +++ b/OvmfPkg/OvmfPkgX64.fdf
> @@ -314,12 +314,8 @@ [FV.DXEFV]
>    INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>    INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>    INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> -!if $(SECURE_BOOT_ENABLE) == TRUE
>    INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
>  !else
> -  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> -!endif
> -!else
>    INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>    INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>    INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> 

For this patch, I think one of the following updates is necessary:

(a) either restrict the subject line to identify IScsiDxe (because the
current patch does not fix the full set of packages related to IPv6),
such as

OvmfPkg: correct the IScsiDxe module included for the IPv6 stack

(b) or else, squash the IpSecDxe addition into this patch (with the same
subject).

Perhaps I was not clear enough about this in the previous discussion.

Either way, I think (b) might need more experimentation / additional
work, and a later patch, so for now, I think we should do (a). I will
update the subject line myself, if that's okay with you. With that:

Reviewed-by: Laszlo Ersek <lersek@redhat.com>

Thanks!
Laszlo



* Re: [PATCH 3/3] OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS)
  2017-01-17  4:52 ` [PATCH 3/3] OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS) Gary Lin
  2017-01-17  8:04   ` Wu, Jiaxin
@ 2017-01-17  9:24   ` Laszlo Ersek
  1 sibling, 0 replies; 20+ messages in thread
From: Laszlo Ersek @ 2017-01-17  9:24 UTC (permalink / raw)
  To: Gary Lin, edk2-devel; +Cc: Justen Jordan L, Wu Jiaxin, Long Qin

On 01/17/17 05:52, Gary Lin wrote:
> This commit introduces a new build option, TLS_ENABLE, to pull in the
> TLS-related modules. If HTTP_BOOT_ENABLE and TLS_ENABLE are enabled at
> the same time, the HTTP driver locates the TLS protocols automatically
> and thus HTTPS is enabled.
> 
> To build OVMF with HTTP Boot:
> 
> $ ./build.sh -D HTTP_BOOT_ENABLE
> 
> To build OVMF with HTTPS Boot:
> 
> $ ./build.sh -D HTTP_BOOT_ENABLE -D TLS_ENABLE
> 
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Justen Jordan L <jordan.l.justen@intel.com>
> Cc: Wu Jiaxin <jiaxin.wu@intel.com>
> Cc: Long Qin <qin.long@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Gary Lin <glin@suse.com>
> ---
>  OvmfPkg/OvmfPkgIa32.dsc    | 9 +++++++++
>  OvmfPkg/OvmfPkgIa32.fdf    | 4 ++++
>  OvmfPkg/OvmfPkgIa32X64.dsc | 9 +++++++++
>  OvmfPkg/OvmfPkgIa32X64.fdf | 4 ++++
>  OvmfPkg/OvmfPkgX64.dsc     | 9 +++++++++
>  OvmfPkg/OvmfPkgX64.fdf     | 4 ++++
>  6 files changed, 39 insertions(+)
> 
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index 77287920e2..e060602587 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -38,6 +38,7 @@ [Defines]
>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>    DEFINE HTTP_BOOT_ENABLE        = FALSE
>    DEFINE SMM_REQUIRE             = FALSE
> +  DEFINE TLS_ENABLE              = FALSE
>  
>  [BuildOptions]
>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
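Review bot: The new `DEFINE TLS_ENABLE = FALSE` line carries no comment, and per the commit message it only yields HTTPS when HTTP_BOOT_ENABLE is also set. A one-line comment above the define stating that dependency would make it visible in the .dsc itself; the same applies to the identical define in the other two .dsc files.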
> @@ -162,6 +163,10 @@ [LibraryClasses]
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>  !endif
>  
> +!if $(TLS_ENABLE) == TRUE
> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> +!endif
> +
>    S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
>    SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
>    OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
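Review bot: TlsLib is resolved only under `!if $(TLS_ENABLE) == TRUE` here, whereas patch 1 of this series resolves OpenSslLib, IntrinsicLib and BaseCryptLib unconditionally. Either resolve TlsLib unconditionally as well, or say in the commit message why this library class is treated differently.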
> @@ -710,6 +715,10 @@ [Components]
>    NetworkPkg/HttpDxe/HttpDxe.inf
>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>  !endif
> +!if $(TLS_ENABLE) == TRUE
> +  NetworkPkg/TlsDxe/TlsDxe.inf
> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
>  
>    #
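Review bot: The `!if $(TLS_ENABLE) == TRUE` block is added after the `!endif` that closes the HttpDxe/HttpBootDxe block rather than inside it, so -D TLS_ENABLE on its own builds TlsDxe and TlsAuthConfigDxe without the HTTP drivers. If TLS is only meant to serve HTTPS boot, nest the block; if the flag is independent on purpose, say so in the commit message.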
> diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
> index 069e21b7d0..09c165882c 100644
> --- a/OvmfPkg/OvmfPkgIa32.fdf
> +++ b/OvmfPkg/OvmfPkgIa32.fdf
> @@ -326,6 +326,10 @@ [FV.DXEFV]
>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>  !endif
> +!if $(TLS_ENABLE) == TRUE
> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
>  
>  #
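Review bot: This hunk puts TlsAuthConfigDxe into DXEFV, but the commit message stops at the build commands and does not say how the HTTPS server's certificate gets verified at boot. Please add a sentence on where the CA certificate is expected to come from, so that testers know what to provision before trying HTTPS boot.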
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index 64a7c16d2f..0e24e7a5bc 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -38,6 +38,7 @@ [Defines]
>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>    DEFINE HTTP_BOOT_ENABLE        = FALSE
>    DEFINE SMM_REQUIRE             = FALSE
> +  DEFINE TLS_ENABLE              = FALSE
>  
>  [BuildOptions]
>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> @@ -167,6 +168,10 @@ [LibraryClasses]
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>  !endif
>  
> +!if $(TLS_ENABLE) == TRUE
> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> +!endif
> +
>    S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
>    SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
>    OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
> @@ -719,6 +724,10 @@ [Components.X64]
>    NetworkPkg/HttpDxe/HttpDxe.inf
>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>  !endif
> +!if $(TLS_ENABLE) == TRUE
> +  NetworkPkg/TlsDxe/TlsDxe.inf
> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
>  
>    #
> diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
> index f29feb27b4..5233314139 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.fdf
> +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
> @@ -326,6 +326,10 @@ [FV.DXEFV]
>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>  !endif
> +!if $(TLS_ENABLE) == TRUE
> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
>  
>  #
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index ac4bf4f63e..108f7d59bf 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -38,6 +38,7 @@ [Defines]
>    DEFINE NETWORK_IP6_ENABLE      = FALSE
>    DEFINE HTTP_BOOT_ENABLE        = FALSE
>    DEFINE SMM_REQUIRE             = FALSE
> +  DEFINE TLS_ENABLE              = FALSE
>  
>  [BuildOptions]
>    GCC:*_UNIXGCC_*_CC_FLAGS             = -DMDEPKG_NDEBUG
> @@ -167,6 +168,10 @@ [LibraryClasses]
>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>  !endif
>  
> +!if $(TLS_ENABLE) == TRUE
> +  TlsLib|CryptoPkg/Library/TlsLib/TlsLib.inf
> +!endif
> +
>    S3BootScriptLib|MdeModulePkg/Library/PiDxeS3BootScriptLib/DxeS3BootScriptLib.inf
>    SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
>    OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib/BaseOrderedCollectionRedBlackTreeLib.inf
> @@ -717,6 +722,10 @@ [Components]
>    NetworkPkg/HttpDxe/HttpDxe.inf
>    NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>  !endif
> +!if $(TLS_ENABLE) == TRUE
> +  NetworkPkg/TlsDxe/TlsDxe.inf
> +  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>    OvmfPkg/VirtioNetDxe/VirtioNet.inf
>  
>    #
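Review bot: The four lines added to [Components] here are the same block already added to the other two .dsc files, with an INF variant in each of the three .fdf files, so a later TLS-related module has to be edited in six places. Not a blocker for this patch, but consider a follow-up that moves the network module lists into a shared `!include` file.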
> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
> index 8d66da099f..36150101e7 100644
> --- a/OvmfPkg/OvmfPkgX64.fdf
> +++ b/OvmfPkg/OvmfPkgX64.fdf
> @@ -326,6 +326,10 @@ [FV.DXEFV]
>    INF  NetworkPkg/HttpDxe/HttpDxe.inf
>    INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
>  !endif
> +!if $(TLS_ENABLE) == TRUE
> +  INF  NetworkPkg/TlsDxe/TlsDxe.inf
> +  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> +!endif
>    INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
>  
>  #
> 

Reviewed-by: Laszlo Ersek <lersek@redhat.com>
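
The flag semantics described in the commit message above (HTTPS needs both HTTP_BOOT_ENABLE and TLS_ENABLE, and every .dsc block has a matching .fdf block) can be checked mechanically. The following is an added example, not part of the patch or of edk2: the excerpts are constructed from the quoted hunks, and the opening `!if $(HTTP_BOOT_ENABLE) == TRUE` line as well as the names `active_modules` and `audit` are assumptions.

```python
"""Evaluate EDK II style !if/!else/!endif lines over constructed .dsc/.fdf
excerpts and compare the module sets that each flag combination yields."""
import itertools
import re

# Constructed excerpts modelled on the [Components] and [FV.DXEFV] hunks quoted
# in this thread. Assumption: the HttpDxe block is opened by
# "!if $(HTTP_BOOT_ENABLE) == TRUE"; the hunks only show its closing !endif.
DSC_COMPONENTS = """\
!if $(HTTP_BOOT_ENABLE) == TRUE
  NetworkPkg/HttpDxe/HttpDxe.inf
  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
!endif
!if $(TLS_ENABLE) == TRUE
  NetworkPkg/TlsDxe/TlsDxe.inf
  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
!endif
  OvmfPkg/VirtioNetDxe/VirtioNet.inf
"""

FDF_DXEFV = """\
!if $(HTTP_BOOT_ENABLE) == TRUE
  INF  NetworkPkg/HttpDxe/HttpDxe.inf
  INF  NetworkPkg/HttpBootDxe/HttpBootDxe.inf
!endif
!if $(TLS_ENABLE) == TRUE
  INF  NetworkPkg/TlsDxe/TlsDxe.inf
  INF  NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
!endif
  INF  OvmfPkg/VirtioNetDxe/VirtioNet.inf
"""

FLAGS = ("HTTP_BOOT_ENABLE", "TLS_ENABLE")
_COND = re.compile(r"!if\s+\$\((\w+)\)\s*==\s*(TRUE|FALSE)\s*$")


def active_modules(text, defines):
    """Return the .inf paths left after evaluating the conditionals.

    `defines` maps macro name to bool; a missing macro counts as FALSE,
    matching the "DEFINE ... = FALSE" defaults in the .dsc files.
    """
    stack = []    # one entry per open !if: is the current branch taken?
    modules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if line.startswith("!if"):
            match = _COND.match(line)
            if match is None:
                raise ValueError(f"line {lineno}: unsupported condition {line!r}")
            macro, wanted = match.groups()
            stack.append(defines.get(macro, False) == (wanted == "TRUE"))
        elif line == "!else":
            if not stack:
                raise ValueError(f"line {lineno}: !else without !if")
            stack[-1] = not stack[-1]
        elif line == "!endif":
            if not stack:
                raise ValueError(f"line {lineno}: !endif without !if")
            stack.pop()
        elif all(stack):                      # every enclosing branch is taken
            path = line.split()[-1]           # also strips the .fdf "INF" keyword
            if path.endswith(".inf"):
                modules.append(path)
    if stack:
        raise ValueError("unterminated !if block")
    return modules


def audit(dsc, fdf, flags=FLAGS):
    """Try every flag combination and report build/image inconsistencies."""
    findings = []
    for values in itertools.product((False, True), repeat=len(flags)):
        defines = dict(zip(flags, values))
        built = set(active_modules(dsc, defines))
        packed = set(active_modules(fdf, defines))
        if built != packed:
            findings.append((defines, "dsc/fdf mismatch", sorted(built ^ packed)))
        has_tls = any("/TlsDxe/" in m for m in built)
        has_http = any("/HttpDxe/" in m for m in built)
        if has_tls and not has_http:
            tls_only = sorted(m for m in built if "/Tls" in m)
            findings.append((defines, "TLS drivers without HTTP driver", tls_only))
    return findings


if __name__ == "__main__":
    for defines, kind, modules in audit(DSC_COMPONENTS, FDF_DXEFV):
        print(kind, defines, modules)
```
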



* Re: [PATCH 0/3] Enable HTTPS Boot in OVMF
  2017-01-17  4:52 [PATCH 0/3] Enable HTTPS Boot in OVMF Gary Lin
                   ` (4 preceding siblings ...)
  2017-01-17  8:25 ` Jordan Justen
@ 2017-01-17  9:49 ` Laszlo Ersek
  5 siblings, 0 replies; 20+ messages in thread
From: Laszlo Ersek @ 2017-01-17  9:49 UTC (permalink / raw)
  To: Gary Lin, edk2-devel

On 01/17/17 05:52, Gary Lin wrote:
> This series adjusts the build files of OVMF in order to support HTTPS.
> It introduces a new build option, TLS_ENABLE, and makes OpenSSL a hard
> requirement to enable IPv6 support.
> 
> Gary Lin (3):
>   OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib
>   OvmfPkg: correct the set of modules included for the IPv6 stack
>   OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS)
> 
>  OvmfPkg/OvmfPkgIa32.dsc    | 29 ++++++++++++++++-------------
>  OvmfPkg/OvmfPkgIa32.fdf    |  8 ++++----
>  OvmfPkg/OvmfPkgIa32X64.dsc | 29 ++++++++++++++++-------------
>  OvmfPkg/OvmfPkgIa32X64.fdf |  8 ++++----
>  OvmfPkg/OvmfPkgX64.dsc     | 29 ++++++++++++++++-------------
>  OvmfPkg/OvmfPkgX64.fdf     |  8 ++++----
>  6 files changed, 60 insertions(+), 51 deletions(-)
> 

I modified the subject line for patch #2, and pushed the series:
2b631390f9f5..315d9d08fd77.

Thanks!
Laszlo



* Re: [PATCH 0/3] Enable HTTPS Boot in OVMF
  2017-01-17  8:25 ` Jordan Justen
@ 2017-01-17 20:13   ` Laszlo Ersek
  2017-01-18  1:59     ` Gary Lin
  0 siblings, 1 reply; 20+ messages in thread
From: Laszlo Ersek @ 2017-01-17 20:13 UTC (permalink / raw)
  To: Jordan Justen, Gary Lin, edk2-devel, Qin Long

On 01/17/17 09:25, Jordan Justen wrote:
> On 2017-01-16 20:52:29, Gary Lin wrote:
>> This series adjusts the build files of OVMF in order to support HTTPS.
>> It introduces a new build option, TLS_ENABLE, and makes OpenSSL a hard
>> requirement to enable IPv6 support.
>>
>> Gary Lin (3):
>>   OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib
> 
> Ok. I see that OpenSSL will still not be a dependency, unless one of
> the dependent features is enabled. (And, they are all disabled by
> default.)
> 
> Series Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
> 
> But, I'll let Laszlo take a look too.

My sincere apologies to you and Qin Long for missing your R-b tags.

In retrospect, the Received headers in those messages are consistent
with the Date fields, so the messages did arrive in time (before my
commit / response) in my IMAP inbox. I must have missed them for one of
two reasons:

- my local OfflineIMAP sync glitched out temporarily (unlikely!), or
- these messages appeared only in my edk2-devel list folder, and not in
  my INBOX (likely).

In order to decrease the likelihood of such mess-ups on my end in the
future, Gary, can you please ensure that you copy the complete set of
Cc: tags from across the patches to the blurb? This is good for two
goals: first, everyone CC'd on at least one patch will understand the
big picture from the blurb; second, feedback from people who (correctly)
hit "Reply All" on the blurb will reach everyone else too.

(I recommend this practice in
<https://github.com/tianocore/tianocore.github.io/wiki/Laszlo's-unkempt-git-guide-for-edk2-contributors-and-maintainers#contrib-23>,
under the last bullet.)

Nonetheless, missing this feedback is my fault; I should have waited a
bit longer, and double-checked the list folder right before pushing. I'm
sorry!

Laszlo

> Thanks,
> 
> -Jordan
> 
>>   OvmfPkg: correct the set of modules included for the IPv6 stack
>>   OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS)
>>
>>  OvmfPkg/OvmfPkgIa32.dsc    | 29 ++++++++++++++++-------------
>>  OvmfPkg/OvmfPkgIa32.fdf    |  8 ++++----
>>  OvmfPkg/OvmfPkgIa32X64.dsc | 29 ++++++++++++++++-------------
>>  OvmfPkg/OvmfPkgIa32X64.fdf |  8 ++++----
>>  OvmfPkg/OvmfPkgX64.dsc     | 29 ++++++++++++++++-------------
>>  OvmfPkg/OvmfPkgX64.fdf     |  8 ++++----
>>  6 files changed, 60 insertions(+), 51 deletions(-)
>>
>> -- 
>> 2.11.0
>>
> 




* Re: [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack
  2017-01-17  9:22   ` Laszlo Ersek
@ 2017-01-18  0:47     ` Wu, Jiaxin
  2017-01-18  8:17       ` Laszlo Ersek
  0 siblings, 1 reply; 20+ messages in thread
From: Wu, Jiaxin @ 2017-01-18  0:47 UTC (permalink / raw)
  To: Laszlo Ersek, Gary Lin, edk2-devel@ml01.01.org
  Cc: Justen, Jordan L, Long, Qin

> Subject: Re: [edk2] [PATCH 2/3] OvmfPkg: correct the set of modules included
> for the IPv6 stack
> 
> On 01/17/17 05:52, Gary Lin wrote:
> > Always use IScsiDxe from NetworkPkg when IPv6 is enabled since it provides
> > the complete ISCSI support.
> >
> > NOTE: This makes OpenSSL a hard requirement when NETWORK_IP6_ENABLE
> is
> >       true.
> >
> > (Based on Jiaxin's suggestion)
> >
> > Cc: Laszlo Ersek <lersek@redhat.com>
> > Cc: Justen Jordan L <jordan.l.justen@intel.com>
> > Cc: Wu Jiaxin <jiaxin.wu@intel.com>
> > Cc: Long Qin <qin.long@intel.com>
> > Contributed-under: TianoCore Contribution Agreement 1.0
> > Signed-off-by: Gary Lin <glin@suse.com>
> > ---
> >  OvmfPkg/OvmfPkgIa32.dsc    | 11 ++++-------
> >  OvmfPkg/OvmfPkgIa32.fdf    |  4 ----
> >  OvmfPkg/OvmfPkgIa32X64.dsc | 11 ++++-------
> >  OvmfPkg/OvmfPkgIa32X64.fdf |  4 ----
> >  OvmfPkg/OvmfPkgX64.dsc     | 11 ++++-------
> >  OvmfPkg/OvmfPkgX64.fdf     |  4 ----
> >  6 files changed, 12 insertions(+), 33 deletions(-)
> >
> > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> > index 9aa66eb951..77287920e2 100644
> > --- a/OvmfPkg/OvmfPkgIa32.dsc
> > +++ b/OvmfPkg/OvmfPkgIa32.dsc
> > @@ -148,15 +148,16 @@ [LibraryClasses]
> >
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> >
> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
> easurementLib.inf
> >    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> > -!if $(NETWORK_IP6_ENABLE) == TRUE
> > -  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> > -!endif
> >  !else
> >
> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/Tpm
> MeasurementLibNull.inf
> >
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib
> Null.inf
> >  !endif
> >    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> >
> > +!if $(NETWORK_IP6_ENABLE) == TRUE
> > +  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> > +!endif
> > +
> >  !if $(HTTP_BOOT_ENABLE) == TRUE
> >    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> >  !endif
> > @@ -697,12 +698,8 @@ [Components]
> >    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
> >    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
> >    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> > -!if $(SECURE_BOOT_ENABLE) == TRUE
> >    NetworkPkg/IScsiDxe/IScsiDxe.inf
> >  !else
> > -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > -!endif
> > -!else
> >    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
> >    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
> > index 34d57a6079..069e21b7d0 100644
> > --- a/OvmfPkg/OvmfPkgIa32.fdf
> > +++ b/OvmfPkg/OvmfPkgIa32.fdf
> > @@ -314,12 +314,8 @@ [FV.DXEFV]
> >    INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
> >    INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
> >    INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> > -!if $(SECURE_BOOT_ENABLE) == TRUE
> >    INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
> >  !else
> > -  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > -!endif
> > -!else
> >    INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
> >    INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >    INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> > index 9537e92077..64a7c16d2f 100644
> > --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> > @@ -153,15 +153,16 @@ [LibraryClasses]
> >
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> >
> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
> easurementLib.inf
> >    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> > -!if $(NETWORK_IP6_ENABLE) == TRUE
> > -  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> > -!endif
> >  !else
> >
> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/Tpm
> MeasurementLibNull.inf
> >
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib
> Null.inf
> >  !endif
> >    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> >
> > +!if $(NETWORK_IP6_ENABLE) == TRUE
> > +  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> > +!endif
> > +
> >  !if $(HTTP_BOOT_ENABLE) == TRUE
> >    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> >  !endif
> > @@ -706,12 +707,8 @@ [Components.X64]
> >    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
> >    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
> >    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> > -!if $(SECURE_BOOT_ENABLE) == TRUE
> >    NetworkPkg/IScsiDxe/IScsiDxe.inf
> >  !else
> > -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > -!endif
> > -!else
> >    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
> >    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
> > index df55c2b210..f29feb27b4 100644
> > --- a/OvmfPkg/OvmfPkgIa32X64.fdf
> > +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
> > @@ -314,12 +314,8 @@ [FV.DXEFV]
> >    INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
> >    INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
> >    INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> > -!if $(SECURE_BOOT_ENABLE) == TRUE
> >    INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
> >  !else
> > -  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > -!endif
> > -!else
> >    INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
> >    INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >    INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> > index d15294eb72..ac4bf4f63e 100644
> > --- a/OvmfPkg/OvmfPkgX64.dsc
> > +++ b/OvmfPkg/OvmfPkgX64.dsc
> > @@ -153,15 +153,16 @@ [LibraryClasses]
> >
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> >
> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
> easurementLib.inf
> >    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> > -!if $(NETWORK_IP6_ENABLE) == TRUE
> > -  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> > -!endif
> >  !else
> >
> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/Tpm
> MeasurementLibNull.inf
> >
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib
> Null.inf
> >  !endif
> >    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> >
> > +!if $(NETWORK_IP6_ENABLE) == TRUE
> > +  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> > +!endif
> > +
> >  !if $(HTTP_BOOT_ENABLE) == TRUE
> >    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> >  !endif
> > @@ -704,12 +705,8 @@ [Components]
> >    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
> >    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
> >    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> > -!if $(SECURE_BOOT_ENABLE) == TRUE
> >    NetworkPkg/IScsiDxe/IScsiDxe.inf
> >  !else
> > -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > -!endif
> > -!else
> >    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
> >    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
> > index 5e2e1dfaf5..8d66da099f 100644
> > --- a/OvmfPkg/OvmfPkgX64.fdf
> > +++ b/OvmfPkg/OvmfPkgX64.fdf
> > @@ -314,12 +314,8 @@ [FV.DXEFV]
> >    INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
> >    INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
> >    INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> > -!if $(SECURE_BOOT_ENABLE) == TRUE
> >    INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
> >  !else
> > -  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> > -!endif
> > -!else
> >    INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
> >    INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >    INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> >
> 
> For this patch, I think one of the following updates is necessary:
> 
> (a) either restrict the subject line to identify IScsiDxe (because the
> current patch does not fix the full set of packages related to IPv6),
> such as
> 
> OvmfPkg: correct the IScsiDxe module included for the IPv6 stack
> 
> (b) or else, squash the IpSecDxe addition into this patch (with the same
> subject).
> 
> Perhaps I was not clear enough about this in the previous discussion.
> 
> Either way, I think (b) might need more experimentation / additional
> work, and a later patch, so for now, I think we should do (a). I will
> update the subject line myself, if that's okay with you. With that:
> 

Laszlo, 

I also agree with (a).

For IpSec, we can do the below update later:

1) Include it under NETWORK_IP6_ENABLE directly, but with limited usage for IPv4.

Or

2) Define a new flag "IPSEC_ENABLE" for both of them.

I prefer 2).

Thanks,
Jiaxin



> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
> 
> Thanks!
> Laszlo



* Re: [PATCH 0/3] Enable HTTPS Boot in OVMF
  2017-01-17 20:13   ` Laszlo Ersek
@ 2017-01-18  1:59     ` Gary Lin
  0 siblings, 0 replies; 20+ messages in thread
From: Gary Lin @ 2017-01-18  1:59 UTC (permalink / raw)
  To: Laszlo Ersek; +Cc: Jordan Justen, edk2-devel, Qin Long

On Tue, Jan 17, 2017 at 09:13:23PM +0100, Laszlo Ersek wrote:
> On 01/17/17 09:25, Jordan Justen wrote:
> > On 2017-01-16 20:52:29, Gary Lin wrote:
> >> This series adjusts the build files of OVMF in order to support HTTPS.
> >> It introduces a new build option, TLS_ENABLE, and makes OpenSSL a hard
> >> requirement to enable IPv6 support.
> >>
> >> Gary Lin (3):
> >>   OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib
> > 
> > Ok. I see that OpenSSL will still not be a dependency, unless one of
> > the dependent features is enabled. (And, they are all disabled by
> > default.)
> > 
> > Series Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
> > 
> > But, I'll let Laszlo take a look too.
> 
> My sincere apologies to you and Qin Long for missing your R-b tags.
> 
> In retrospect, the Received headers in those messages are consistent
> with the Date fields, so the messages did arrive in time (before my
> commit / response) in my IMAP inbox. I must have missed them for one of
> two reasons:
> 
> - my local OfflineIMAP sync glitched out temporarily (unlikely!), or
> - these messages appeared only in my edk2-devel list folder, and not in
>   my INBOX (likely).
> 
> In order to decrease the likelihood of such mess-ups on my end in the
> future, Gary, can you please ensure that you copy the complete set of
> Cc: tags from across the patches to the blurb? This is good for two
> goals: first, everyone CC'd on at least one patch will understand the
> big picture from the blurb; second, feedback from people who (correctly)
> hit "Reply All" on the blurb will reach everyone else too.
> 
> (I recommend this practice in
> <https://github.com/tianocore/tianocore.github.io/wiki/Laszlo's-unkempt-git-guide-for-edk2-contributors-and-maintainers#contrib-23>,
> under the last bullet.)
> 
My bad. I forgot to edit the cc list in the cover letter. Will do that
next time.

Thanks,

Gary Lin

> Nonetheless, missing this feedback is my fault; I should have waited a
> bit longer, and double-checked the list folder right before pushing. I'm
> sorry!
> 
> Laszlo
> 
> > Thanks,
> > 
> > -Jordan
> > 
> >>   OvmfPkg: correct the set of modules included for the IPv6 stack
> >>   OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS)
> >>
> >>  OvmfPkg/OvmfPkgIa32.dsc    | 29 ++++++++++++++++-------------
> >>  OvmfPkg/OvmfPkgIa32.fdf    |  8 ++++----
> >>  OvmfPkg/OvmfPkgIa32X64.dsc | 29 ++++++++++++++++-------------
> >>  OvmfPkg/OvmfPkgIa32X64.fdf |  8 ++++----
> >>  OvmfPkg/OvmfPkgX64.dsc     | 29 ++++++++++++++++-------------
> >>  OvmfPkg/OvmfPkgX64.fdf     |  8 ++++----
> >>  6 files changed, 60 insertions(+), 51 deletions(-)
> >>
> >> -- 
> >> 2.11.0
> >>
> > 
> 
> 



* Re: [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack
  2017-01-18  0:47     ` Wu, Jiaxin
@ 2017-01-18  8:17       ` Laszlo Ersek
  2017-01-18  9:21         ` Gary Lin
  0 siblings, 1 reply; 20+ messages in thread
From: Laszlo Ersek @ 2017-01-18  8:17 UTC (permalink / raw)
  To: Wu, Jiaxin, Gary Lin, edk2-devel@ml01.01.org; +Cc: Justen, Jordan L, Long, Qin

On 01/18/17 01:47, Wu, Jiaxin wrote:
>> Subject: Re: [edk2] [PATCH 2/3] OvmfPkg: correct the set of modules included
>> for the IPv6 stack
>>
>> On 01/17/17 05:52, Gary Lin wrote:
>>> Always use IScsiDxe from NetworkPkg when IPv6 is enabled since it provides
>>> the complete ISCSI support.
>>>
>>> NOTE: This makes OpenSSL a hard requirement when NETWORK_IP6_ENABLE
>> is
>>>       true.
>>>
>>> (Based on Jiaxin's suggestion)
>>>
>>> Cc: Laszlo Ersek <lersek@redhat.com>
>>> Cc: Justen Jordan L <jordan.l.justen@intel.com>
>>> Cc: Wu Jiaxin <jiaxin.wu@intel.com>
>>> Cc: Long Qin <qin.long@intel.com>
>>> Contributed-under: TianoCore Contribution Agreement 1.0
>>> Signed-off-by: Gary Lin <glin@suse.com>
>>> ---
>>>  OvmfPkg/OvmfPkgIa32.dsc    | 11 ++++-------
>>>  OvmfPkg/OvmfPkgIa32.fdf    |  4 ----
>>>  OvmfPkg/OvmfPkgIa32X64.dsc | 11 ++++-------
>>>  OvmfPkg/OvmfPkgIa32X64.fdf |  4 ----
>>>  OvmfPkg/OvmfPkgX64.dsc     | 11 ++++-------
>>>  OvmfPkg/OvmfPkgX64.fdf     |  4 ----
>>>  6 files changed, 12 insertions(+), 33 deletions(-)
>>>
>>> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
>>> index 9aa66eb951..77287920e2 100644
>>> --- a/OvmfPkg/OvmfPkgIa32.dsc
>>> +++ b/OvmfPkg/OvmfPkgIa32.dsc
>>> @@ -148,15 +148,16 @@ [LibraryClasses]
>>>
>> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>>>
>> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
>> easurementLib.inf
>>>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
>>> -!if $(NETWORK_IP6_ENABLE) == TRUE
>>> -  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
>>> -!endif
>>>  !else
>>>
>> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/Tpm
>> MeasurementLibNull.inf
>>>
>> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib
>> Null.inf
>>>  !endif
>>>    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
>>>
>>> +!if $(NETWORK_IP6_ENABLE) == TRUE
>>> +  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
>>> +!endif
>>> +
>>>  !if $(HTTP_BOOT_ENABLE) == TRUE
>>>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>>>  !endif
>>> @@ -697,12 +698,8 @@ [Components]
>>>    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>>>    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>>>    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>>    NetworkPkg/IScsiDxe/IScsiDxe.inf
>>>  !else
>>> -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>> -!endif
>>> -!else
>>>    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>>>    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>>    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>> diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
>>> index 34d57a6079..069e21b7d0 100644
>>> --- a/OvmfPkg/OvmfPkgIa32.fdf
>>> +++ b/OvmfPkg/OvmfPkgIa32.fdf
>>> @@ -314,12 +314,8 @@ [FV.DXEFV]
>>>    INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>>>    INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>>>    INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>>    INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
>>>  !else
>>> -  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>> -!endif
>>> -!else
>>>    INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>>>    INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>>    INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
>>> index 9537e92077..64a7c16d2f 100644
>>> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
>>> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
>>> @@ -153,15 +153,16 @@ [LibraryClasses]
>>>
>> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>>>
>> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
>> easurementLib.inf
>>>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
>>> -!if $(NETWORK_IP6_ENABLE) == TRUE
>>> -  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
>>> -!endif
>>>  !else
>>>
>> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/Tpm
>> MeasurementLibNull.inf
>>>
>> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib
>> Null.inf
>>>  !endif
>>>    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
>>>
>>> +!if $(NETWORK_IP6_ENABLE) == TRUE
>>> +  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
>>> +!endif
>>> +
>>>  !if $(HTTP_BOOT_ENABLE) == TRUE
>>>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>>>  !endif
>>> @@ -706,12 +707,8 @@ [Components.X64]
>>>    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>>>    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>>>    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>>    NetworkPkg/IScsiDxe/IScsiDxe.inf
>>>  !else
>>> -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>> -!endif
>>> -!else
>>>    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>>>    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>>    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>> diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
>>> index df55c2b210..f29feb27b4 100644
>>> --- a/OvmfPkg/OvmfPkgIa32X64.fdf
>>> +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
>>> @@ -314,12 +314,8 @@ [FV.DXEFV]
>>>    INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>>>    INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>>>    INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>>    INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
>>>  !else
>>> -  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>> -!endif
>>> -!else
>>>    INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>>>    INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>>    INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
>>> index d15294eb72..ac4bf4f63e 100644
>>> --- a/OvmfPkg/OvmfPkgX64.dsc
>>> +++ b/OvmfPkg/OvmfPkgX64.dsc
>>> @@ -153,15 +153,16 @@ [LibraryClasses]
>>>
>> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>>>
>> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
>> easurementLib.inf
>>>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
>>> -!if $(NETWORK_IP6_ENABLE) == TRUE
>>> -  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
>>> -!endif
>>>  !else
>>>
>> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/Tpm
>> MeasurementLibNull.inf
>>>
>> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib
>> Null.inf
>>>  !endif
>>>    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
>>>
>>> +!if $(NETWORK_IP6_ENABLE) == TRUE
>>> +  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
>>> +!endif
>>> +
>>>  !if $(HTTP_BOOT_ENABLE) == TRUE
>>>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
>>>  !endif
>>> @@ -704,12 +705,8 @@ [Components]
>>>    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>>>    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>>>    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>>    NetworkPkg/IScsiDxe/IScsiDxe.inf
>>>  !else
>>> -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>> -!endif
>>> -!else
>>>    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>>>    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>>    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
>>> index 5e2e1dfaf5..8d66da099f 100644
>>> --- a/OvmfPkg/OvmfPkgX64.fdf
>>> +++ b/OvmfPkg/OvmfPkgX64.fdf
>>> @@ -314,12 +314,8 @@ [FV.DXEFV]
>>>    INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>>>    INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>>>    INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>>    INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
>>>  !else
>>> -  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>> -!endif
>>> -!else
>>>    INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>>>    INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>>    INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
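Review bot: This [FV.DXEFV] hunk repeats by hand the [Components] edit made in the matching .dsc, and the same pair of edits is made for all three platforms, so the six conditionals can drift apart in a later change. Please state in the commit message that the .dsc and .fdf conditionals must stay identical, and that each platform was build-tested with NETWORK_IP6_ENABLE both TRUE and FALSE, since the nesting around the remaining !else changes here as well.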
>>>
>>
>> For this patch, I think one of the following updates is necessary:
>>
>> (a) either restrict the subject line to identify IScsiDxe (because the
>> current patch does not fix the full set of packages related to IPv6),
>> such as
>>
>> OvmfPkg: correct the IScsiDxe module included for the IPv6 stack
>>
>> (b) or else, squash the IpSecDxe addition into this patch (with the same
>> subject).
>>
>> Perhaps I was not clear enough about this in the previous discussion.
>>
>> Either way, I think (b) might need more experimentation / additional
>> work, and a later patch, so for now, I think we should do (a). I will
>> update the subject line myself, if that's okay with you. With that:
>>
> 
> Laszlo, 
> 
> I also agree with (a).
> 
> For IpSec, we can do the below update later:
> 
> 1), Include it under NETWORK_IP6_ENABLE directly but with the limit usage for IPv4.
> 
> Or
> 
> 2), Define new flag "IPSEC_ENABLE" for both of them.
> 
> I prefer 2). 

Hmmm, I'm not so sure. Personally I've never used either IpSec or IPv6.

If I understand correctly:

- IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=FALSE would mean
  IPv4 only + IpSec. While this may be a theoretically useful
  combination, I wonder how often people would actually want this.

- IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=TRUE -- this is a valid
  combination, especially for a full-fledged build of OVMF

- IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=TRUE -- as far as I
  understand, this is actually an invalid (incomplete) build for the
  IPv6 stack.

- IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=FALSE -- the most common
  build, gives you just IPv4

Based on the above, I think I prefer (1); that is, I believe we
shouldn't introduce IPSEC_ENABLE. For IPv6, IpSec is apparently
mandatory, so turning it off makes no sense. And in an IPv4-only build
of OVMF, I see quite limited usefulness for IpSec; turning it on with a
dedicated flag looks overkill, at least for a virtual machine firmware.

Jordan, Gary, what do you think?

Thanks!
Laszlo

> 
> Thanks,
> Jiaxin
> 
> 
> 
>> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
>>
>> Thanks!
>> Laszlo




* Re: [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack
  2017-01-18  8:17       ` Laszlo Ersek
@ 2017-01-18  9:21         ` Gary Lin
  2017-01-19  3:09           ` Wu, Jiaxin
  0 siblings, 1 reply; 20+ messages in thread
From: Gary Lin @ 2017-01-18  9:21 UTC (permalink / raw)
  To: Laszlo Ersek
  Cc: Wu, Jiaxin, edk2-devel@ml01.01.org, Justen, Jordan L, Long, Qin

On Wed, Jan 18, 2017 at 09:17:28AM +0100, Laszlo Ersek wrote:
> On 01/18/17 01:47, Wu, Jiaxin wrote:
> >> Subject: Re: [edk2] [PATCH 2/3] OvmfPkg: correct the set of modules included
> >> for the IPv6 stack
> >>
> >> On 01/17/17 05:52, Gary Lin wrote:
> >>> Always use IScsiDxe from NetworkPkg when IPv6 is enabled since it provides
> >>> the complete ISCSI support.
> >>>
> > >>> NOTE: This makes OpenSSL a hard requirement when NETWORK_IP6_ENABLE is
> > >>>       true.
> >>>
> >>> (Based on Jiaxin's suggestion)
> >>>
> >>> Cc: Laszlo Ersek <lersek@redhat.com>
> >>> Cc: Justen Jordan L <jordan.l.justen@intel.com>
> >>> Cc: Wu Jiaxin <jiaxin.wu@intel.com>
> >>> Cc: Long Qin <qin.long@intel.com>
> >>> Contributed-under: TianoCore Contribution Agreement 1.0
> >>> Signed-off-by: Gary Lin <glin@suse.com>
> >>> ---
> >>>  OvmfPkg/OvmfPkgIa32.dsc    | 11 ++++-------
> >>>  OvmfPkg/OvmfPkgIa32.fdf    |  4 ----
> >>>  OvmfPkg/OvmfPkgIa32X64.dsc | 11 ++++-------
> >>>  OvmfPkg/OvmfPkgIa32X64.fdf |  4 ----
> >>>  OvmfPkg/OvmfPkgX64.dsc     | 11 ++++-------
> >>>  OvmfPkg/OvmfPkgX64.fdf     |  4 ----
> >>>  6 files changed, 12 insertions(+), 33 deletions(-)
> >>>
> >>> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> >>> index 9aa66eb951..77287920e2 100644
> >>> --- a/OvmfPkg/OvmfPkgIa32.dsc
> >>> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> >>> @@ -148,15 +148,16 @@ [LibraryClasses]
> >>>
> >> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> >>>
> >> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
> >> easurementLib.inf
> >>>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> >>> -!if $(NETWORK_IP6_ENABLE) == TRUE
> >>> -  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> >>> -!endif
> >>>  !else
> >>>
> >> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/Tpm
> >> MeasurementLibNull.inf
> >>>
> >> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib
> >> Null.inf
> >>>  !endif
> >>>    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> >>>
> >>> +!if $(NETWORK_IP6_ENABLE) == TRUE
> >>> +  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> >>> +!endif
> >>> +
> >>>  !if $(HTTP_BOOT_ENABLE) == TRUE
> >>>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> >>>  !endif
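Review bot: The relocated TcpIoLib block at the bottom of this hunk carries no comment explaining why the class is resolved only when NETWORK_IP6_ENABLE is TRUE. The move exists to decouple it from SECURE_BOOT_ENABLE, so a one-line comment naming the modules that consume it would keep it from drifting back under an unrelated flag; alternatively, resolve it unconditionally, as patch 1/3 of this series does for OpenSslLib, IntrinsicLib and BaseCryptLib.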
> >>> @@ -697,12 +698,8 @@ [Components]
> >>>    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
> >>>    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
> >>>    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> >>>    NetworkPkg/IScsiDxe/IScsiDxe.inf
> >>>  !else
> >>> -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> >>> -!endif
> >>> -!else
> >>>    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
> >>>    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >>>    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
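Review bot: With the inner "!if $(SECURE_BOOT_ENABLE) == TRUE" removed, the surviving !else in this hunk pairs with a condition that lies outside the visible context, and NetworkPkg/IScsiDxe/IScsiDxe.inf is now listed with nothing next to it that mentions OpenSSL. The commit message says this makes OpenSSL a hard requirement when NETWORK_IP6_ENABLE is true; please put that in a comment above the NetworkPkg/IScsiDxe/IScsiDxe.inf line and in the package's build notes, and annotate the !else with the flag it belongs to, otherwise the first sign of the dependency is a failed IPv6 build.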
> >>> diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
> >>> index 34d57a6079..069e21b7d0 100644
> >>> --- a/OvmfPkg/OvmfPkgIa32.fdf
> >>> +++ b/OvmfPkg/OvmfPkgIa32.fdf
> >>> @@ -314,12 +314,8 @@ [FV.DXEFV]
> >>>    INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
> >>>    INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
> >>>    INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> >>>    INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
> >>>  !else
> >>> -  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> >>> -!endif
> >>> -!else
> >>>    INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
> >>>    INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >>>    INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> >>> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> >>> index 9537e92077..64a7c16d2f 100644
> >>> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> >>> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> >>> @@ -153,15 +153,16 @@ [LibraryClasses]
> >>>
> >> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> >>>
> >> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
> >> easurementLib.inf
> >>>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> >>> -!if $(NETWORK_IP6_ENABLE) == TRUE
> >>> -  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> >>> -!endif
> >>>  !else
> >>>
> >> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/Tpm
> >> MeasurementLibNull.inf
> >>>
> >> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib
> >> Null.inf
> >>>  !endif
> >>>    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> >>>
> >>> +!if $(NETWORK_IP6_ENABLE) == TRUE
> >>> +  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> >>> +!endif
> >>> +
> >>>  !if $(HTTP_BOOT_ENABLE) == TRUE
> >>>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> >>>  !endif
> >>> @@ -706,12 +707,8 @@ [Components.X64]
> >>>    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
> >>>    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
> >>>    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> >>>    NetworkPkg/IScsiDxe/IScsiDxe.inf
> >>>  !else
> >>> -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> >>> -!endif
> >>> -!else
> >>>    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
> >>>    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >>>    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> >>> diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
> >>> index df55c2b210..f29feb27b4 100644
> >>> --- a/OvmfPkg/OvmfPkgIa32X64.fdf
> >>> +++ b/OvmfPkg/OvmfPkgIa32X64.fdf
> >>> @@ -314,12 +314,8 @@ [FV.DXEFV]
> >>>    INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
> >>>    INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
> >>>    INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> >>>    INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
> >>>  !else
> >>> -  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> >>> -!endif
> >>> -!else
> >>>    INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
> >>>    INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >>>    INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> >>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> >>> index d15294eb72..ac4bf4f63e 100644
> >>> --- a/OvmfPkg/OvmfPkgX64.dsc
> >>> +++ b/OvmfPkg/OvmfPkgX64.dsc
> >>> @@ -153,15 +153,16 @@ [LibraryClasses]
> >>>
> >> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> >>>
> >> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
> >> easurementLib.inf
> >>>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> >>> -!if $(NETWORK_IP6_ENABLE) == TRUE
> >>> -  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> >>> -!endif
> >>>  !else
> >>>
> >> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/Tpm
> >> MeasurementLibNull.inf
> >>>
> >> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib
> >> Null.inf
> >>>  !endif
> >>>    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> >>>
> >>> +!if $(NETWORK_IP6_ENABLE) == TRUE
> >>> +  TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
> >>> +!endif
> >>> +
> >>>  !if $(HTTP_BOOT_ENABLE) == TRUE
> >>>    HttpLib|MdeModulePkg/Library/DxeHttpLib/DxeHttpLib.inf
> >>>  !endif
> >>> @@ -704,12 +705,8 @@ [Components]
> >>>    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
> >>>    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
> >>>    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> >>>    NetworkPkg/IScsiDxe/IScsiDxe.inf
> >>>  !else
> >>> -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> >>> -!endif
> >>> -!else
> >>>    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
> >>>    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >>>    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> >>> diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
> >>> index 5e2e1dfaf5..8d66da099f 100644
> >>> --- a/OvmfPkg/OvmfPkgX64.fdf
> >>> +++ b/OvmfPkg/OvmfPkgX64.fdf
> >>> @@ -314,12 +314,8 @@ [FV.DXEFV]
> >>>    INF  NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
> >>>    INF  NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
> >>>    INF  NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >>> -!if $(SECURE_BOOT_ENABLE) == TRUE
> >>>    INF  NetworkPkg/IScsiDxe/IScsiDxe.inf
> >>>  !else
> >>> -  INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> >>> -!endif
> >>> -!else
> >>>    INF  MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
> >>>    INF  MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
> >>>    INF  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
> >>>
> >>
> >> For this patch, I think one of the following updates is necessary:
> >>
> >> (a) either restrict the subject line to identify IScsiDxe (because the
> >> current patch does not fix the full set of packages related to IPv6),
> >> such as
> >>
> >> OvmfPkg: correct the IScsiDxe module included for the IPv6 stack
> >>
> >> (b) or else, squash the IpSecDxe addition into this patch (with the same
> >> subject).
> >>
> >> Perhaps I was not clear enough about this in the previous discussion.
> >>
> >> Either way, I think (b) might need more experimentation / additional
> >> work, and a later patch, so for now, I think we should do (a). I will
> >> update the subject line myself, if that's okay with you. With that:
> >>
> > 
> > Laszlo, 
> > 
> > I also agree with (a).
> > 
> > For IpSec, we can do the below update later:
> > 
> > 1), Include it under NETWORK_IP6_ENABLE directly but with the limit usage for IPv4.
> > 
> > Or
> > 
> > 2), Define new flag "IPSEC_ENABLE" for both of them.
> > 
> > I prefer 2). 
> 
> Hmmm, I'm not so sure. Personally I've never used either IpSec or IPv6.
> 
> If I understand correctly:
> 
> - IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=FALSE would mean
>   IPv4 only + IpSec. While this may be a theoretically useful
>   combination, I wonder how often people would actually want this.
> 
> - IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=TRUE -- this is a valid
>   combination, especially for a full-fledged build of OVMF
> 
> - IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=TRUE -- as far as I
>   understand, this is actually an invalid (incomplete) build for the
>   IPv6 stack.
> 
> - IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=FALSE -- the most common
>   build, gives you just IPv4
> 
> Based on the above, I think I prefer (1); that is, I believe we
> shouldn't introduce IPSEC_ENABLE. For IPv6, IpSec is apparently
> mandatory, so turning it off makes no sense. And in an IPv4-only build
> of OVMF, I see quite limited usefulness for IpSec; turning it on with a
> dedicated flag looks overkill, at least for a virtual machine firmware.
> 
> Jordan, Gary, what do you think?

IpSec is optional for me. The Ip6 driver detects the protocol dynamically,
so we don't really need IpSec for IPv6. (PXEv6 and HTTPBoot v6 work for
me with the current settings.) Besides, it seems we didn't provide a proper
user interface (e.g. config UI or a shell command) to set up IpSec. The user
probably has to find a tool, e.g. NetworkPkg/Application/IpsecConfig, to
configure it properly. So I feel it's not mandatory and would prefer 2).

Thanks,

Gary Lin

> 
> Thanks!
> Laszlo
> 
> > 
> > Thanks,
> > Jiaxin
> > 
> > 
> > 
> >> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
> >>
> >> Thanks!
> >> Laszlo
> 
> 



* Re: [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack
  2017-01-18  9:21         ` Gary Lin
@ 2017-01-19  3:09           ` Wu, Jiaxin
  2017-01-19  8:36             ` Laszlo Ersek
  0 siblings, 1 reply; 20+ messages in thread
From: Wu, Jiaxin @ 2017-01-19  3:09 UTC (permalink / raw)
  To: Gary Lin, Laszlo Ersek
  Cc: edk2-devel@ml01.01.org, Justen, Jordan L, Long, Qin

> > > Laszlo,
> > >
> > > I also agree with (a).
> > >
> > > For IpSec, we can do the below update later:
> > >
> > > 1), Include it under NETWORK_IP6_ENABLE directly but with the limit usage for IPv4.
> > >
> > > Or
> > >
> > > 2), Define new flag "IPSEC_ENABLE" for both of them.
> > >
> > > I prefer 2).
> >
> > Hmmm, I'm not so sure. Personally I've never used either IpSec or IPv6.
> >
> > If I understand correctly:
> >
> > - IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=FALSE would mean
> >   IPv4 only + IpSec. While this may be a theoretically useful
> >   combination, I wonder how often people would actually want this.
> >
> > - IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=TRUE -- this is a valid
> >   combination, especially for a full-fledged build of OVMF
> >
> > - IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=TRUE -- as far as I
> >   understand, this is actually an invalid (incomplete) build for the
> >   IPv6 stack.
> >
> > - IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=FALSE -- the most common
> >   build, gives you just IPv4
> >
> > Based on the above, I think I prefer (1); that is, I believe we
> > shouldn't introduce IPSEC_ENABLE. For IPv6, IpSec is apparently
> > mandatory, so turning it off makes no sense. And in an IPv4-only build
> > of OVMF, I see quite limited usefulness for IpSec; turning it on with a
> > dedicated flag looks overkill, at least for a virtual machine firmware.
> >
> > Jordan, Gary, what do you think?
> 
> IpSec is optional for me. The Ip6 driver detects the protocol dynamically,
> so we don't really need IpSec for IPv6. (PXEv6 and HTTPBoot v6 work for
> me with the current settings.) Besides, it seems we didn't provide a proper
> user interface (e.g. config UI or a shell command) to set up IpSec. The user
> probably has to find a tool, e.g. NetworkPkg/Application/IpsecConfig, to
> configure it properly. So I feel it's not mandatory and would prefer 2).

I did a quick investigation into the IpSec deployment requirement for IPv4 and IPv6.

Now, the goal of IpSec is to provide the security service for both the IPv4 and IPv6 environments.

Previously, IPsec implementation was a mandatory requirement for IPv6. But in RFC 6434 (IPv6 Node Requirements), the document updates that recommendation by making support of the IPsec Architecture a *SHOULD* for all IPv6 nodes. That means it has been made optional for IPv6 since RFC 6434. For details, see RFC 6434 section 11:

"
   Previously, IPv6 mandated implementation of IPsec and recommended the
   key management approach of IKE.  This document updates that
   recommendation by making support of the IPsec Architecture [RFC4301]
   a SHOULD for all IPv6 nodes.
"

"
   This document recognizes that there exists a range of device types
   and environments where approaches to security other than IPsec can be
   justified.  For example, special-purpose devices may support only a
   very limited number or type of applications, and an application-
   specific security approach may be sufficient for limited management
   or configuration capabilities.  Alternatively, some devices may run
   on extremely constrained hardware (e.g., sensors) where the full
   IPsec Architecture is not justified.
"

So, according to the above information, IPSEC_ENABLE should be fine to include the feature, or just keep the current until it is truly required :).

Thanks,
Jiaxin




> 
> Thanks,
> 
> Gary Lin
> 
> >
> > Thanks!
> > Laszlo
> >
> > >
> > > Thanks,
> > > Jiaxin
> > >



* Re: [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack
  2017-01-19  3:09           ` Wu, Jiaxin
@ 2017-01-19  8:36             ` Laszlo Ersek
  0 siblings, 0 replies; 20+ messages in thread
From: Laszlo Ersek @ 2017-01-19  8:36 UTC (permalink / raw)
  To: Wu, Jiaxin, Gary Lin; +Cc: edk2-devel@ml01.01.org, Justen, Jordan L, Long, Qin

On 01/19/17 04:09, Wu, Jiaxin wrote:
>>>> Laszlo,
>>>>
>>>> I also agree with (a).
>>>>
>>>> For IpSec, we can do the below update later:
>>>>
>>>> 1), Include it under NETWORK_IP6_ENABLE directly but with the limit usage for IPv4.
>>>>
>>>> Or
>>>>
>>>> 2), Define new flag "IPSEC_ENABLE" for both of them.
>>>>
>>>> I prefer 2).
>>>
>>> Hmmm, I'm not so sure. Personally I've never used either IpSec or IPv6.
>>>
>>> If I understand correctly:
>>>
>>> - IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=FALSE would mean
>>>   IPv4 only + IpSec. While this may be a theoretically useful
>>>   combination, I wonder how often people would actually want this.
>>>
>>> - IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=TRUE -- this is a valid
>>>   combination, especially for a full-fledged build of OVMF
>>>
>>> - IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=TRUE -- as far as I
>>>   understand, this is actually an invalid (incomplete) build for the
>>>   IPv6 stack.
>>>
>>> - IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=FALSE -- the most common
>>>   build, gives you just IPv4
>>>
>>> Based on the above, I think I prefer (1); that is, I believe we
>>> shouldn't introduce IPSEC_ENABLE. For IPv6, IpSec is apparently
>>> mandatory, so turning it off makes no sense. And in an IPv4-only build
>>> of OVMF, I see quite limited usefulness for IpSec; turning it on with a
>>> dedicated flag looks overkill, at least for a virtual machine firmware.
>>>
>>> Jordan, Gary, what do you think?
>>
>> IpSec is optional for me. The Ip6 driver detects the protocol dynamically,
>> so we don't really need IpSec for IPv6. (PXEv6 and HTTPBoot v6 work for
>> me with the current settings.) Besides, it seems we didn't provide a proper
>> user interface (e.g. config UI or a shell command) to set up IpSec. The user
>> probably has to find a tool, e.g. NetworkPkg/Application/IpsecConfig, to
>> configure it properly. So I feel it's not mandatory and would prefer 2).
> 
> I did a quick investigation into the IpSec deployment requirement for IPv4 and IPv6.
>
> Now, the goal of IpSec is to provide the security service for both the IPv4 and IPv6 environments.
>
> Previously, IPsec implementation was a mandatory requirement for IPv6. But in RFC 6434 (IPv6 Node Requirements), the document updates that recommendation by making support of the IPsec Architecture a *SHOULD* for all IPv6 nodes. That means it has been made optional for IPv6 since RFC 6434. For details, see RFC 6434 section 11:
> 
> "
>    Previously, IPv6 mandated implementation of IPsec and recommended the
>    key management approach of IKE.  This document updates that
>    recommendation by making support of the IPsec Architecture [RFC4301]
>    a SHOULD for all IPv6 nodes.
> "
> 
> "
>    This document recognizes that there exists a range of device types
>    and environments where approaches to security other than IPsec can be
>    justified.  For example, special-purpose devices may support only a
>    very limited number or type of applications, and an application-
>    specific security approach may be sufficient for limited management
>    or configuration capabilities.  Alternatively, some devices may run
>    on extremely constrained hardware (e.g., sensors) where the full
>    IPsec Architecture is not justified.
> "
> 
> So, according to the above information, IPSEC_ENABLE should be fine to
> include the feature, or just keep the current until it is truly
> required :).

Thanks a lot for tracking this down!

Given that we're apparently unaware of any actual need for IpSec in
OVMF, I suggest that we postpone it. And, when the need arises, we
should do -D IPSEC_ENABLE (affecting both IPv4 and IPv6); I understand
now that that will be the right thing to do.

Cheers!
Laszlo


