[PATCH 5/5] OvmfPkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: Laszlo Ersek <lersek@redhat.com>
To: edk2-devel-01 <edk2-devel@ml01.01.org>
Cc: Gary Lin <glin@suse.com>,
	Jordan Justen <jordan.l.justen@intel.com>,
	Tomas Hoger <thoger@redhat.com>
Subject: [PATCH 5/5] OvmfPkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE
Date: Thu, 23 Feb 2017 22:57:44 +0100	[thread overview]
Message-ID: <20170223215744.7293-6-lersek@redhat.com> (raw)
In-Reply-To: <20170223215744.7293-1-lersek@redhat.com>

The OpensslLibNoSsl library instance (which does not contain libssl
functions) is sufficient for the Secure Boot feature.

Ease security analsysis by excluding libssl functionality from the
OpensslLib instance we use with TLS_ENABLE=FALSE.

Cc: Gary Lin <glin@suse.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/OvmfPkgIa32.dsc    | 4 ++++
 OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++++
 OvmfPkg/OvmfPkgX64.dsc     | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 993547d4859e..44c74c2674e3 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -143,7 +143,11 @@ [LibraryClasses]
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
 
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+!if $(TLS_ENABLE) == TRUE
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+!else
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
+!endif
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index f36604ecb4d8..41ae1d88495b 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -148,7 +148,11 @@ [LibraryClasses]
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
 
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+!if $(TLS_ENABLE) == TRUE
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+!else
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
+!endif
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index c5bf1a672b1e..fa4fdc81b44f 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -148,7 +148,11 @@ [LibraryClasses]
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
 
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+!if $(TLS_ENABLE) == TRUE
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+!else
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
+!endif
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
-- 
2.9.3

next prev parent reply	other threads:[~2017-02-23 21:58 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-02-23 21:57 [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib Laszlo Ersek
2017-02-23 21:57 ` [PATCH 1/5] CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after 32387e00 Laszlo Ersek
2017-02-23 21:57 ` [PATCH 2/5] CryptoPkg/OpensslLib: introduce OpensslLibNoSsl instance Laszlo Ersek
2017-02-23 21:57 ` [PATCH 3/5] ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl Laszlo Ersek
2017-02-23 22:26   ` Ard Biesheuvel
2017-02-23 21:57 ` [PATCH 4/5] Nt32Pkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE Laszlo Ersek
2017-02-24  4:09   ` Ni, Ruiyu
     [not found]     ` <895558F6EA4E3B41AC93A00D163B72741629D991@SHSMSX103.ccr.corp.intel.com>
2017-02-24  9:46       ` Laszlo Ersek
2017-02-23 21:57 ` Laszlo Ersek [this message]
2017-02-24  6:15   ` [PATCH 5/5] OvmfPkg: " Gary Lin
2017-02-23 22:09 ` [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib Laszlo Ersek
2017-02-23 22:25 ` Ard Biesheuvel
2017-02-24  3:32   ` Long, Qin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:993547d4859 dfblob:44c74c2674e dfblob:f36604ecb4d
dfblob:41ae1d88495 dfblob:c5bf1a672b1 dfblob:fa4fdc81b44 )
 OR (
bs:"[PATCH 5/5] OvmfPkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170223215744.7293-6-lersek@redhat.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox