From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <glin@suse.com>
Received: from smtp.nue.novell.com (smtp.nue.novell.com [195.135.221.5])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id B5F1182124
 for <edk2-devel@ml01.01.org>; Thu, 23 Feb 2017 22:15:38 -0800 (PST)
Received: from emea4-mta.ukb.novell.com ([10.120.13.87])
 by smtp.nue.novell.com with ESMTP (TLS encrypted);
 Fri, 24 Feb 2017 07:15:36 +0100
Received: from GaryWorkstation (nwb-a10-snat.microfocus.com [10.120.13.201])
 by emea4-mta.ukb.novell.com with ESMTP (TLS encrypted);
 Fri, 24 Feb 2017 06:15:29 +0000
Date: Fri, 24 Feb 2017 14:15:22 +0800
From: Gary Lin <glin@suse.com>
To: Laszlo Ersek <lersek@redhat.com>
Cc: edk2-devel-01 <edk2-devel@ml01.01.org>,
 Jordan Justen <jordan.l.justen@intel.com>, Tomas Hoger <thoger@redhat.com>
Message-ID: <20170224061522.ienctajrpww2tkjy@GaryWorkstation>
References: <20170223215744.7293-1-lersek@redhat.com>
 <20170223215744.7293-6-lersek@redhat.com>
MIME-Version: 1.0
In-Reply-To: <20170223215744.7293-6-lersek@redhat.com>
User-Agent: Mutt/1.6.2 (2016-07-01)
Subject: Re: [PATCH 5/5] OvmfPkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2017 06:15:39 -0000
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Thu, Feb 23, 2017 at 10:57:44PM +0100, Laszlo Ersek wrote:
> The OpensslLibNoSsl library instance (which does not contain libssl
> functions) is sufficient for the Secure Boot feature.
> 
> Ease security analsysis by excluding libssl functionality from the
> OpensslLib instance we use with TLS_ENABLE=FALSE.
> 
> Cc: Gary Lin <glin@suse.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Tomas Hoger <thoger@redhat.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Look good to me.

Reviewed-by: Gary Lin <glin@suse.com>
> ---
>  OvmfPkg/OvmfPkgIa32.dsc    | 4 ++++
>  OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++++
>  OvmfPkg/OvmfPkgX64.dsc     | 4 ++++
>  3 files changed, 12 insertions(+)
> 
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index 993547d4859e..44c74c2674e3 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -143,7 +143,11 @@ [LibraryClasses]
>    DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
>  
>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> +!if $(TLS_ENABLE) == TRUE
>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +!else
> +  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
> +!endif
>  
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>    PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index f36604ecb4d8..41ae1d88495b 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -148,7 +148,11 @@ [LibraryClasses]
>    DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
>  
>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> +!if $(TLS_ENABLE) == TRUE
>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +!else
> +  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
> +!endif
>  
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>    PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index c5bf1a672b1e..fa4fdc81b44f 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -148,7 +148,11 @@ [LibraryClasses]
>    DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
>  
>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> +!if $(TLS_ENABLE) == TRUE
>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +!else
> +  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
> +!endif
>  
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>    PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> -- 
> 2.9.3
> 
>