From: Laszlo Ersek
To: edk2-devel-01
Cc: Ard Biesheuvel, Gary Lin, Jiaxin Wu, Jordan Justen, Qin Long, Ruiyu Ni, Ting Ye, Tomas Hoger
Date: Thu, 23 Feb 2017 22:57:39 +0100
Message-Id: <20170223215744.7293-1-lersek@redhat.com>
Subject: [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib
List-Id: EDK II Development

In commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib directly", 2016-12-14), we enabled libssl functionality in CryptoPkg/OpensslLib unconditionally. While that's real convenient, it is also overkill for platforms (or platform builds) that don't want TLS.
The impact (beyond wasted build time) is that when the next vulnerability comes out that affects the libssl subset of OpenSSL, security teams all around will look at build logs and INF files, see the libssl files being built, and get nervous -- without a good reason for such builds that don't actually *use* TLS. Let's make this easier on them (and thereby on ourselves!), and introduce an OpensslLibNoSsl instance, which excludes libssl.

The edk2 integration script "process_files.sh" is updated to process both INF files in the same invocation.

If no one disagrees with the concept, I'd appreciate if we could review & merge this series real fast. (Sorry about that, but a downstream deadline looms close, and I consider this sort of a blocker for the next rebase.)

I updated the following platform packages:

- ArmVirtPkg, because I know it never uses TLS (or HTTP boot for that matter),
- Nt32Pkg, because it exposes the TLS_ENABLE build flag,
- OvmfPkg, because it exposes the TLS_ENABLE build flag.

I didn't touch other packages because they don't expose TLS_ENABLE, and I don't have time to figure out if they want TLS built-in.

I tested the new OpensslLibNoSsl instance with Secure Boot under OVMF.

The series was formatted with "--find-copies-harder", which makes a real difference for patch #2.

Tomas: if you would like to comment on this series, please subscribe to the edk2-devel list at , and also wait for your subscription request to complete, *before* responding.

Cc: Ard Biesheuvel
Cc: Gary Lin
Cc: Jiaxin Wu
Cc: Jordan Justen
Cc: Qin Long
Cc: Ruiyu Ni
Cc: Ting Ye
Cc: Tomas Hoger

Thanks!
Laszlo

Laszlo Ersek (5):
  CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after 32387e00
  CryptoPkg/OpensslLib: introduce OpensslLibNoSsl instance
  ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl
  Nt32Pkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE
  OvmfPkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE

 ArmVirtPkg/ArmVirt.dsc.inc                                           |  2 +-
 Nt32Pkg/Nt32Pkg.dsc                                                  |  4 ++
 OvmfPkg/OvmfPkgIa32.dsc                                              |  4 ++
 OvmfPkg/OvmfPkgIa32X64.dsc                                           |  4 ++
 OvmfPkg/OvmfPkgX64.dsc                                               |  4 ++
 CryptoPkg/Library/OpensslLib/OpensslLib.inf                          |  1 +
 CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf} | 55 ++------------------
 CryptoPkg/Library/OpensslLib/opensslconf.h                           |  6 ---
 CryptoPkg/Library/OpensslLib/{OpensslLib.uni => OpensslLibNoSsl.uni} |  8 +--
 CryptoPkg/Library/OpensslLib/process_files.sh                        | 27 +++++++---
 10 files changed, 46 insertions(+), 69 deletions(-)
 copy CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf} (90%)
 copy CryptoPkg/Library/OpensslLib/{OpensslLib.uni => OpensslLibNoSsl.uni} (71%)

-- 
2.9.3
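The cover letter's point is that a security team auditing a firmware build wants to know, from the DSC and the INF alone, whether libssl sources are part of the image. As an added example, not code from this series or from edk2, here is a small POSIX sh audit that resolves which OpensslLib instance a platform DSC selects for a given TLS_ENABLE value and then scans that instance's [Sources] for files under $(OPENSSL_PATH)/ssl/. It assumes (hypothetically; the real DSC hunks are not shown in this message) a single-level "!if $(TLS_ENABLE) == TRUE / !else / !endif" block around the OpensslLib resolution, and INF source lines in the "$(OPENSSL_PATH)/<dir>/<file>.c" form that process_files.sh generates. The sample DSC and INFs are constructed and heavily abbreviated.

```shell
#!/bin/sh
# Added example, not code from this patch series or from edk2: a POSIX sh
# audit of which OpensslLib instance a platform DSC resolves to for a given
# TLS_ENABLE value, and whether that instance's INF pulls libssl sources
# (files under $(OPENSSL_PATH)/ssl/) into the build.
#
# Assumptions (hypothetical, not taken from the series): the DSC guards the
# OpensslLib resolution with a single-level "!if $(TLS_ENABLE) == TRUE /
# !else / !endif" block, and the INF lists one source per line under a
# [Sources] section in the "$(OPENSSL_PATH)/<dir>/<file>.c" form that
# process_files.sh generates. The sample DSC and INFs below are constructed
# and heavily abbreviated (a real OpensslLib.inf lists hundreds of files).

# Print the INF path that DSC $1 resolves the OpensslLib class to when
# TLS_ENABLE is $2 (TRUE or FALSE). Lines inside the inactive branch of the
# TLS_ENABLE block are skipped; the first OpensslLib| line wins.
resolve_openssl_lib() {
    awk -v tls="$2" '
        /^!if[ \t]+\$\(TLS_ENABLE\)[ \t]*==[ \t]*TRUE/ { cond = 1; active = (tls == "TRUE"); next }
        cond && /^!else/  { active = !active; next }
        cond && /^!endif/ { cond = 0; next }
        cond && !active   { next }
        /^[ \t]*OpensslLib[|]/ { sub(/^[ \t]*OpensslLib[|]/, ""); print; exit }
    ' "$1"
}

# Print "yes" if the [Sources] section of INF $1 references any libssl file,
# "no" otherwise. Only [Sources] is scanned, so "ssl" appearing in [Defines]
# or in a comment does not produce a false positive.
inf_has_libssl() {
    awk '
        /^\[/ { in_sources = ($0 ~ /^\[Sources/); next }
        in_sources && $1 ~ /^\$\(OPENSSL_PATH\)\/ssl\// { found = 1 }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

# Resolve the instance for workspace $1 and TLS_ENABLE=$2, then report
# "<instance INF> <yes|no>" for libssl presence.
audit_openssl_lib() {
    inf=$(resolve_openssl_lib "$1/Platform.dsc" "$2")
    printf '%s %s\n' "$(basename "$inf")" "$(inf_has_libssl "$1/$inf")"
}

# Constructed sample workspace under $1 (not real edk2 files).
make_samples() {
    mkdir -p "$1/CryptoPkg/Library/OpensslLib"
    cat > "$1/CryptoPkg/Library/OpensslLib/OpensslLib.inf" <<'EOF'
[Defines]
  BASE_NAME = OpensslLib
  # "ssl" in this comment must not count as a libssl source
[Sources]
  $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
  $(OPENSSL_PATH)/crypto/x509/x509_vfy.c
  $(OPENSSL_PATH)/ssl/ssl_lib.c
  $(OPENSSL_PATH)/ssl/s3_lib.c
EOF
    cat > "$1/CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf" <<'EOF'
[Defines]
  BASE_NAME = OpensslLibNoSsl
[Sources]
  $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
  $(OPENSSL_PATH)/crypto/x509/x509_vfy.c
EOF
    cat > "$1/Platform.dsc" <<'EOF'
[LibraryClasses]
  BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
!if $(TLS_ENABLE) == TRUE
  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
!else
  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
!endif
EOF
}

# Stand-alone run: audit the sample workspace for both flag values.
ws=$(mktemp -d)
make_samples "$ws"
for v in TRUE FALSE; do
    printf 'TLS_ENABLE=%s -> %s\n' "$v" "$(audit_openssl_lib "$ws" "$v")"
done
rm -rf "$ws"
```

Against a real tree, point resolve_openssl_lib at the platform DSC you actually build with (or the .dsc.inc it includes) and inf_has_libssl at the resolved INF; the DSC parser here only understands the one flag and one nesting level, so a DSC that resolves OpensslLib differently per architecture or under other conditionals needs the full build tool's report rather than this shortcut.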