Date: Fri, 24 Feb 2017 14:15:22 +0800
From: Gary Lin
To: Laszlo Ersek
Cc: edk2-devel-01, Jordan Justen, Tomas Hoger
Subject: Re: [PATCH 5/5] OvmfPkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE
Message-ID: <20170224061522.ienctajrpww2tkjy@GaryWorkstation>
In-Reply-To: <20170223215744.7293-6-lersek@redhat.com>
References: <20170223215744.7293-1-lersek@redhat.com> <20170223215744.7293-6-lersek@redhat.com>
List-Id: EDK II Development

On Thu, Feb 23, 2017 at 10:57:44PM +0100, Laszlo Ersek wrote:
> The OpensslLibNoSsl library instance (which does not contain libssl
> functions) is sufficient for the Secure Boot feature.
>
> Ease security analysis by excluding libssl functionality from the
> OpensslLib instance we use with TLS_ENABLE=FALSE.
>
> Cc: Gary Lin
> Cc: Jordan Justen
> Cc: Tomas Hoger
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Laszlo Ersek Look good to me. Reviewed-by: Gary Lin > --- > OvmfPkg/OvmfPkgIa32.dsc | 4 ++++ > OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++++ > OvmfPkg/OvmfPkgX64.dsc | 4 ++++ > 3 files changed, 12 insertions(+) > > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > index 993547d4859e..44c74c2674e3 100644 > --- a/OvmfPkg/OvmfPkgIa32.dsc > +++ b/OvmfPkg/OvmfPkgIa32.dsc > @@ -143,7 +143,11 @@ [LibraryClasses] > DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf > > IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > +!if $(TLS_ENABLE) == TRUE > OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > +!else > + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf > +!endif > > !if $(SECURE_BOOT_ENABLE) == TRUE > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc > index f36604ecb4d8..41ae1d88495b 100644 > --- a/OvmfPkg/OvmfPkgIa32X64.dsc > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > @@ -148,7 +148,11 @@ [LibraryClasses] > DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf > > IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > +!if $(TLS_ENABLE) == TRUE > OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > +!else > + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf > +!endif > > !if $(SECURE_BOOT_ENABLE) == TRUE > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > index c5bf1a672b1e..fa4fdc81b44f 100644 > --- a/OvmfPkg/OvmfPkgX64.dsc > +++ b/OvmfPkg/OvmfPkgX64.dsc 
> @@ -148,7 +148,11 @@ [LibraryClasses] > DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf > > IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > +!if $(TLS_ENABLE) == TRUE > OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > +!else > + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf > +!endif > > !if $(SECURE_BOOT_ENABLE) == TRUE > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > -- > 2.9.3 > >
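Review bot: In the OvmfPkgIa32.dsc hunk, the new "!else" branch that resolves OpensslLib to OpensslLibNoSsl.inf carries no comment, so the reason for the split lives only in the commit message. A one-line "#" comment above "!if $(TLS_ENABLE) == TRUE" saying that the libssl-free instance is chosen deliberately when TLS is off would keep a later editor from collapsing the conditional back to the full OpensslLib.inf.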
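Review bot: In the OvmfPkgIa32X64.dsc hunk, the OpensslLib mapping sits in the general [LibraryClasses] section ahead of "!if $(SECURE_BOOT_ENABLE) == TRUE", so the NoSsl instance is selected for every TLS_ENABLE=FALSE build, not only for Secure Boot builds. The commit message justifies the change for Secure Boot alone; it should also state that no other OpensslLib consumer in these platforms needs libssl functions when TLS_ENABLE is FALSE.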
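Review bot: The OvmfPkgX64.dsc hunk is the third identical copy of the same four added lines ("!if $(TLS_ENABLE) == TRUE" through "!endif"), so the three platform files now have to be kept in step by hand. If a later change touches this selection in only one file, the builds will diverge in which OpenSSL code they link; consider noting the triplication in the commit message or moving the conditional into a shared fragment pulled in with "!include".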