* [PATCH 1/5] CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after 32387e00
2017-02-23 21:57 [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib Laszlo Ersek
@ 2017-02-23 21:57 ` Laszlo Ersek
2017-02-23 21:57 ` [PATCH 2/5] CryptoPkg/OpensslLib: introduce OpensslLibNoSsl instance Laszlo Ersek
` (5 subsequent siblings)
6 siblings, 0 replies; 13+ messages in thread
From: Laszlo Ersek @ 2017-02-23 21:57 UTC (permalink / raw)
To: edk2-devel-01
Cc: Ard Biesheuvel, Gary Lin, Jiaxin Wu, Jordan Justen, Qin Long,
Ruiyu Ni, Ting Ye, Tomas Hoger
Commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib directly",
2016-12-14) removed the "no-queue" configuration option in
"process_files.sh", plus it enabled "process_files.sh" to place all libssl
source files into "OpensslLib.inf".
However, the patch apparently failed to capture two changes originating
from the above actions:
- the definitions of the OPENSSL_NO_PQUEUE and NO_PQUEUE macros were not
removed from "opensslconf.h",
- "ssl/ssl_conf.c" was not added to "OpensslLib.inf".
Refresh these files, completing commit 32387e0081db.
I built OVMF with -D SECURE_BOOT_ENABLE -D TLS_ENABLE, and ArmVirtQemu
with -D SECURE_BOOT_ENABLE, after this fix, and experienced no regression.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 +
CryptoPkg/Library/OpensslLib/opensslconf.h | 6 ------
2 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index c14e36d341f7..42f523a611e5 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -516,6 +516,7 @@ [Sources]
$(OPENSSL_PATH)/ssl/ssl_asn1.c
$(OPENSSL_PATH)/ssl/ssl_txt.c
$(OPENSSL_PATH)/ssl/ssl_algs.c
+ $(OPENSSL_PATH)/ssl/ssl_conf.c
$(OPENSSL_PATH)/ssl/bio_ssl.c
$(OPENSSL_PATH)/ssl/ssl_err.c
$(OPENSSL_PATH)/ssl/kssl.c
diff --git a/CryptoPkg/Library/OpensslLib/opensslconf.h b/CryptoPkg/Library/OpensslLib/opensslconf.h
index adcaa01d6b1d..e0054a45fc5f 100644
--- a/CryptoPkg/Library/OpensslLib/opensslconf.h
+++ b/CryptoPkg/Library/OpensslLib/opensslconf.h
@@ -92,9 +92,6 @@ extern "C" {
#ifndef OPENSSL_NO_POSIX_IO
# define OPENSSL_NO_POSIX_IO
#endif
-#ifndef OPENSSL_NO_PQUEUE
-# define OPENSSL_NO_PQUEUE
-#endif
#ifndef OPENSSL_NO_RC2
# define OPENSSL_NO_RC2
#endif
@@ -263,9 +260,6 @@ extern "C" {
# if defined(OPENSSL_NO_POSIX_IO) && !defined(NO_POSIX_IO)
# define NO_POSIX_IO
# endif
-# if defined(OPENSSL_NO_PQUEUE) && !defined(NO_PQUEUE)
-# define NO_PQUEUE
-# endif
# if defined(OPENSSL_NO_RC2) && !defined(NO_RC2)
# define NO_RC2
# endif
--
2.9.3
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH 2/5] CryptoPkg/OpensslLib: introduce OpensslLibNoSsl instance
2017-02-23 21:57 [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib Laszlo Ersek
2017-02-23 21:57 ` [PATCH 1/5] CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after 32387e00 Laszlo Ersek
@ 2017-02-23 21:57 ` Laszlo Ersek
2017-02-23 21:57 ` [PATCH 3/5] ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl Laszlo Ersek
` (4 subsequent siblings)
6 siblings, 0 replies; 13+ messages in thread
From: Laszlo Ersek @ 2017-02-23 21:57 UTC (permalink / raw)
To: edk2-devel-01
Cc: Ard Biesheuvel, Gary Lin, Jiaxin Wu, Jordan Justen, Qin Long,
Ruiyu Ni, Ting Ye, Tomas Hoger
Commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib directly",
2016-12-14) pulls OpenSSL's libssl files into the "OpensslLib.inf" library
instance unconditionally.
If a platform doesn't include the TLS modules, such as
- CryptoPkg/Library/TlsLib/TlsLib.inf
- NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
- NetworkPkg/TlsDxe/TlsDxe.inf
then the platform never actually uses the libssl functionality that gets
built into "OpensslLib.inf".
Tomas Hoger from Red Hat Product Security tells me that security
evaluation is less demanding if we can actually *exclude* the libssl files
from such OVMF builds that don't specify -D TLS_ENABLE (rather than just
trust modules not to call libssl functions if we don't specify -D
TLS_ENABLE).
This patch introduces a parallel OpensslLib instance called
"OpensslLibNoSsl" that is appropriate for platform builds without TLS
enablement. It does not build C source files in vain, and it eases
security review -- all libssl vulnerabilities can be excluded at once.
"OpensslLibNoSsl.inf" is created as a copy of "OpensslLib.inf", modifying
the BASE_NAME, MODULE_UNI_FILE and FILE_GUID defines.
"process_files.sh" is extended to auto-generate the list of OpenSSL files
for both library instances accordingly. This list is updated in
"OpensslLibNoSsl.inf" at once.
"OpensslLibNoSsl.uni" is introduced as a copy of "OpensslLib.uni",
highlighting the difference.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf} | 56 ++------------------
CryptoPkg/Library/OpensslLib/{OpensslLib.uni => OpensslLibNoSsl.uni} | 8 +--
CryptoPkg/Library/OpensslLib/process_files.sh | 27 +++++++---
3 files changed, 28 insertions(+), 63 deletions(-)
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
similarity index 90%
copy from CryptoPkg/Library/OpensslLib/OpensslLib.inf
copy to CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
index 42f523a611e5..d106989b9521 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
@@ -14,9 +14,9 @@
[Defines]
INF_VERSION = 0x00010005
- BASE_NAME = OpensslLib
- MODULE_UNI_FILE = OpensslLib.uni
- FILE_GUID = C873A7D0-9824-409f-9B42-2C158B992E69
+ BASE_NAME = OpensslLibNoSsl
+ MODULE_UNI_FILE = OpensslLibNoSsl.uni
+ FILE_GUID = E29FC209-8B64-4500-BD20-AF4EAE47EA0E
MODULE_TYPE = BASE
VERSION_STRING = 1.0
LIBRARY_CLASS = OpensslLib
@@ -474,56 +474,6 @@ [Sources]
$(OPENSSL_PATH)/crypto/cmac/cmac.c
$(OPENSSL_PATH)/crypto/cmac/cm_ameth.c
$(OPENSSL_PATH)/crypto/cmac/cm_pmeth.c
- $(OPENSSL_PATH)/ssl/s2_meth.c
- $(OPENSSL_PATH)/ssl/s2_srvr.c
- $(OPENSSL_PATH)/ssl/s2_clnt.c
- $(OPENSSL_PATH)/ssl/s2_lib.c
- $(OPENSSL_PATH)/ssl/s2_enc.c
- $(OPENSSL_PATH)/ssl/s2_pkt.c
- $(OPENSSL_PATH)/ssl/s3_meth.c
- $(OPENSSL_PATH)/ssl/s3_srvr.c
- $(OPENSSL_PATH)/ssl/s3_clnt.c
- $(OPENSSL_PATH)/ssl/s3_lib.c
- $(OPENSSL_PATH)/ssl/s3_enc.c
- $(OPENSSL_PATH)/ssl/s3_pkt.c
- $(OPENSSL_PATH)/ssl/s3_both.c
- $(OPENSSL_PATH)/ssl/s3_cbc.c
- $(OPENSSL_PATH)/ssl/s23_meth.c
- $(OPENSSL_PATH)/ssl/s23_srvr.c
- $(OPENSSL_PATH)/ssl/s23_clnt.c
- $(OPENSSL_PATH)/ssl/s23_lib.c
- $(OPENSSL_PATH)/ssl/s23_pkt.c
- $(OPENSSL_PATH)/ssl/t1_meth.c
- $(OPENSSL_PATH)/ssl/t1_srvr.c
- $(OPENSSL_PATH)/ssl/t1_clnt.c
- $(OPENSSL_PATH)/ssl/t1_lib.c
- $(OPENSSL_PATH)/ssl/t1_enc.c
- $(OPENSSL_PATH)/ssl/t1_ext.c
- $(OPENSSL_PATH)/ssl/d1_meth.c
- $(OPENSSL_PATH)/ssl/d1_srvr.c
- $(OPENSSL_PATH)/ssl/d1_clnt.c
- $(OPENSSL_PATH)/ssl/d1_lib.c
- $(OPENSSL_PATH)/ssl/d1_pkt.c
- $(OPENSSL_PATH)/ssl/d1_both.c
- $(OPENSSL_PATH)/ssl/d1_srtp.c
- $(OPENSSL_PATH)/ssl/ssl_lib.c
- $(OPENSSL_PATH)/ssl/ssl_err2.c
- $(OPENSSL_PATH)/ssl/ssl_cert.c
- $(OPENSSL_PATH)/ssl/ssl_sess.c
- $(OPENSSL_PATH)/ssl/ssl_ciph.c
- $(OPENSSL_PATH)/ssl/ssl_stat.c
- $(OPENSSL_PATH)/ssl/ssl_rsa.c
- $(OPENSSL_PATH)/ssl/ssl_asn1.c
- $(OPENSSL_PATH)/ssl/ssl_txt.c
- $(OPENSSL_PATH)/ssl/ssl_algs.c
- $(OPENSSL_PATH)/ssl/ssl_conf.c
- $(OPENSSL_PATH)/ssl/bio_ssl.c
- $(OPENSSL_PATH)/ssl/ssl_err.c
- $(OPENSSL_PATH)/ssl/kssl.c
- $(OPENSSL_PATH)/ssl/t1_reneg.c
- $(OPENSSL_PATH)/ssl/tls_srp.c
- $(OPENSSL_PATH)/ssl/t1_trce.c
- $(OPENSSL_PATH)/ssl/ssl_utst.c
# Autogenerated files list ends here
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.uni b/CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.uni
similarity index 71%
copy from CryptoPkg/Library/OpensslLib/OpensslLib.uni
copy to CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.uni
index 0dffec1c98a3..52dfb70ab61c 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.uni
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.uni
@@ -1,7 +1,7 @@
// /** @file
-// This module provides openSSL Library implementation.
+// This module provides openSSL Library implementation without libssl.
//
-// This module provides OpenSSL Library implementation.
+// This module provides OpenSSL Library implementation without libssl.
//
// Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.<BR>
//
@@ -16,7 +16,7 @@
// **/
-#string STR_MODULE_ABSTRACT #language en-US "OpenSSL Library implementation"
+#string STR_MODULE_ABSTRACT #language en-US "OpenSSL Library implementation without libssl"
-#string STR_MODULE_DESCRIPTION #language en-US "This module provides OpenSSL Library implementation."
+#string STR_MODULE_DESCRIPTION #language en-US "This module provides OpenSSL Library implementation without libssl."
diff --git a/CryptoPkg/Library/OpensslLib/process_files.sh b/CryptoPkg/Library/OpensslLib/process_files.sh
index 6f069ce264ac..fe1b8a01776b 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.sh
+++ b/CryptoPkg/Library/OpensslLib/process_files.sh
@@ -1,8 +1,8 @@
#!/bin/sh
#
-# This script runs the OpenSSL Configure script, then processes the
-# resulting file list into our local OpensslLib.inf and also takes
-# a copy of opensslconf.h.
+# This script runs the OpenSSL Configure script, then processes the resulting
+# file list into our local OpensslLib.inf and OpensslLibNoSsl.inf, and also
+# takes a copy of opensslconf.h.
#
# This only needs to be done once by a developer when updating to a
# new version of OpenSSL (or changing options, etc.). Normal users
@@ -10,6 +10,12 @@
# git repository for them.
OPENSSL_PATH=$(sed -n '/DEFINE OPENSSL_PATH/{s/.* \(openssl-[0-9.]*[a-z]*\)[[:space:]]*/\1/ p}' OpensslLib.inf)
+OPENSSL_NOSSL_PATH=$(sed -n '/DEFINE OPENSSL_PATH/{s/.* \(openssl-[0-9.]*[a-z]*\)[[:space:]]*/\1/ p}' OpensslLibNoSsl.inf)
+
+if [ "$OPENSSL_PATH" != "$OPENSSL_NOSSL_PATH" ]; then
+ echo "OPENSSL_PATH diverges between OpensslLib.inf and OpensslLibNoSsl.inf"
+ exit 1
+fi
if ! cd "${OPENSSL_PATH}" ; then
echo "Cannot change to OpenSSL directory \"${OPENSSL_PATH}\""
@@ -65,6 +71,8 @@ cd -
function filelist ()
{
+ SSL_SELECT="$1"
+
echo '1,/# Autogenerated files list starts here/p'
echo '/# Autogenerated files list ends here/,$p'
echo '/# Autogenerated files list starts here/a\'
@@ -76,18 +84,25 @@ function filelist ()
;;
LIBSRC=*)
LIBSRC=$(echo "$LINE" | sed s/^LIBSRC=//)
- for FILE in $LIBSRC; do
+ if [ "$RELATIVE_DIRECTORY" != "ssl" ] ||
+ [ "$SSL_SELECT" = "with-ssl" ]; then
+ for FILE in $LIBSRC; do
if [ "$FILE" != "b_print.c" ]; then
echo -e ' $(OPENSSL_PATH)/'$RELATIVE_DIRECTORY/$FILE\\r\\
fi
- done
+ done
+ fi
;;
esac
done
echo -e \\r
}
-filelist < "${OPENSSL_PATH}/MINFO" | sed -n -f - -i OpensslLib.inf
+filelist with-ssl < "${OPENSSL_PATH}/MINFO" \
+| sed -n -f - -i OpensslLib.inf
+
+filelist without-ssl < "${OPENSSL_PATH}/MINFO" \
+| sed -n -f - -i OpensslLibNoSsl.inf
# We can tell Windows users to put this back manually if they can't run
# Configure. For now, until the git repository is fixed to store things
--
2.9.3
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH 3/5] ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl
2017-02-23 21:57 [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib Laszlo Ersek
2017-02-23 21:57 ` [PATCH 1/5] CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after 32387e00 Laszlo Ersek
2017-02-23 21:57 ` [PATCH 2/5] CryptoPkg/OpensslLib: introduce OpensslLibNoSsl instance Laszlo Ersek
@ 2017-02-23 21:57 ` Laszlo Ersek
2017-02-23 22:26 ` Ard Biesheuvel
2017-02-23 21:57 ` [PATCH 4/5] Nt32Pkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE Laszlo Ersek
` (3 subsequent siblings)
6 siblings, 1 reply; 13+ messages in thread
From: Laszlo Ersek @ 2017-02-23 21:57 UTC (permalink / raw)
To: edk2-devel-01; +Cc: Ard Biesheuvel, Tomas Hoger
The OpensslLibNoSsl library instance (which does not contain libssl
functions) is sufficient for the Secure Boot feature. It would not be
sufficient for HTTPS booting (which requires TLS), but in ArmVirtPkg, we
don't even enable plaintext HTTP booting for the time being.
Ease security analsysis by excluding libssl functionality from the
OpensslLib instance we use.
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
ArmVirtPkg/ArmVirt.dsc.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index 43699cb9bdd6..407b9b66dfe6 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -136,7 +136,7 @@ [LibraryClasses.common]
#
!if $(SECURE_BOOT_ENABLE) == TRUE
IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
- OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
--
2.9.3
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [PATCH 3/5] ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl
2017-02-23 21:57 ` [PATCH 3/5] ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl Laszlo Ersek
@ 2017-02-23 22:26 ` Ard Biesheuvel
0 siblings, 0 replies; 13+ messages in thread
From: Ard Biesheuvel @ 2017-02-23 22:26 UTC (permalink / raw)
To: Laszlo Ersek; +Cc: edk2-devel-01, Tomas Hoger
On 23 February 2017 at 21:57, Laszlo Ersek <lersek@redhat.com> wrote:
> The OpensslLibNoSsl library instance (which does not contain libssl
> functions) is sufficient for the Secure Boot feature. It would not be
> sufficient for HTTPS booting (which requires TLS), but in ArmVirtPkg, we
> don't even enable plaintext HTTP booting for the time being.
>
> Ease security analsysis by excluding libssl functionality from the
> OpensslLib instance we use.
>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Tomas Hoger <thoger@redhat.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
> ArmVirtPkg/ArmVirt.dsc.inc | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
> index 43699cb9bdd6..407b9b66dfe6 100644
> --- a/ArmVirtPkg/ArmVirt.dsc.inc
> +++ b/ArmVirtPkg/ArmVirt.dsc.inc
> @@ -136,7 +136,7 @@ [LibraryClasses.common]
> #
> !if $(SECURE_BOOT_ENABLE) == TRUE
> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> - OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
> AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> --
> 2.9.3
>
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* [PATCH 4/5] Nt32Pkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE
2017-02-23 21:57 [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib Laszlo Ersek
` (2 preceding siblings ...)
2017-02-23 21:57 ` [PATCH 3/5] ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl Laszlo Ersek
@ 2017-02-23 21:57 ` Laszlo Ersek
2017-02-24 4:09 ` Ni, Ruiyu
2017-02-23 21:57 ` [PATCH 5/5] OvmfPkg: " Laszlo Ersek
` (2 subsequent siblings)
6 siblings, 1 reply; 13+ messages in thread
From: Laszlo Ersek @ 2017-02-23 21:57 UTC (permalink / raw)
To: edk2-devel-01; +Cc: Ruiyu Ni, Tomas Hoger
Ease security analsysis by excluding libssl functionality from the
OpensslLib instance we use with TLS_ENABLE=FALSE.
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
Notes:
I can't build-test this.
Nt32Pkg/Nt32Pkg.dsc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/Nt32Pkg/Nt32Pkg.dsc b/Nt32Pkg/Nt32Pkg.dsc
index 47e37ecae134..c84bd71be408 100644
--- a/Nt32Pkg/Nt32Pkg.dsc
+++ b/Nt32Pkg/Nt32Pkg.dsc
@@ -159,7 +159,11 @@ [LibraryClasses]
CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf
LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+!if $(TLS_ENABLE) == TRUE
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+!else
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
+!endif
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.inf
--
2.9.3
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [PATCH 4/5] Nt32Pkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE
2017-02-23 21:57 ` [PATCH 4/5] Nt32Pkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE Laszlo Ersek
@ 2017-02-24 4:09 ` Ni, Ruiyu
[not found] ` <895558F6EA4E3B41AC93A00D163B72741629D991@SHSMSX103.ccr.corp.intel.com>
0 siblings, 1 reply; 13+ messages in thread
From: Ni, Ruiyu @ 2017-02-24 4:09 UTC (permalink / raw)
To: Laszlo Ersek, edk2-devel-01, Wu, Jiaxin; +Cc: Tomas Hoger
Jiaxin,
can you review this patch?
Regards,
Ray
>-----Original Message-----
>From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo Ersek
>Sent: Friday, February 24, 2017 5:58 AM
>To: edk2-devel-01 <edk2-devel@ml01.01.org>
>Cc: Ni, Ruiyu <ruiyu.ni@intel.com>; Tomas Hoger <thoger@redhat.com>
>Subject: [edk2] [PATCH 4/5] Nt32Pkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE
>
>Ease security analsysis by excluding libssl functionality from the
>OpensslLib instance we use with TLS_ENABLE=FALSE.
>
>Cc: Ruiyu Ni <ruiyu.ni@intel.com>
>Cc: Tomas Hoger <thoger@redhat.com>
>Contributed-under: TianoCore Contribution Agreement 1.0
>Signed-off-by: Laszlo Ersek <lersek@redhat.com>
>---
>
>Notes:
> I can't build-test this.
>
> Nt32Pkg/Nt32Pkg.dsc | 4 ++++
> 1 file changed, 4 insertions(+)
>
>diff --git a/Nt32Pkg/Nt32Pkg.dsc b/Nt32Pkg/Nt32Pkg.dsc
>index 47e37ecae134..c84bd71be408 100644
>--- a/Nt32Pkg/Nt32Pkg.dsc
>+++ b/Nt32Pkg/Nt32Pkg.dsc
>@@ -159,7 +159,11 @@ [LibraryClasses]
> CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf
> LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
>+!if $(TLS_ENABLE) == TRUE
> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
>+!else
>+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
>+!endif
>
> !if $(SECURE_BOOT_ENABLE) == TRUE
> PlatformSecureLib|Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>--
>2.9.3
>
>
>_______________________________________________
>edk2-devel mailing list
>edk2-devel@lists.01.org
>https://lists.01.org/mailman/listinfo/edk2-devel
^ permalink raw reply [flat|nested] 13+ messages in thread
* [PATCH 5/5] OvmfPkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE
2017-02-23 21:57 [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib Laszlo Ersek
` (3 preceding siblings ...)
2017-02-23 21:57 ` [PATCH 4/5] Nt32Pkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE Laszlo Ersek
@ 2017-02-23 21:57 ` Laszlo Ersek
2017-02-24 6:15 ` Gary Lin
2017-02-23 22:09 ` [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib Laszlo Ersek
2017-02-23 22:25 ` Ard Biesheuvel
6 siblings, 1 reply; 13+ messages in thread
From: Laszlo Ersek @ 2017-02-23 21:57 UTC (permalink / raw)
To: edk2-devel-01; +Cc: Gary Lin, Jordan Justen, Tomas Hoger
The OpensslLibNoSsl library instance (which does not contain libssl
functions) is sufficient for the Secure Boot feature.
Ease security analsysis by excluding libssl functionality from the
OpensslLib instance we use with TLS_ENABLE=FALSE.
Cc: Gary Lin <glin@suse.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
OvmfPkg/OvmfPkgIa32.dsc | 4 ++++
OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++++
OvmfPkg/OvmfPkgX64.dsc | 4 ++++
3 files changed, 12 insertions(+)
diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 993547d4859e..44c74c2674e3 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -143,7 +143,11 @@ [LibraryClasses]
DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+!if $(TLS_ENABLE) == TRUE
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+!else
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
+!endif
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index f36604ecb4d8..41ae1d88495b 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -148,7 +148,11 @@ [LibraryClasses]
DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+!if $(TLS_ENABLE) == TRUE
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+!else
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
+!endif
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index c5bf1a672b1e..fa4fdc81b44f 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -148,7 +148,11 @@ [LibraryClasses]
DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+!if $(TLS_ENABLE) == TRUE
OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+!else
+ OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
+!endif
!if $(SECURE_BOOT_ENABLE) == TRUE
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
--
2.9.3
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [PATCH 5/5] OvmfPkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE
2017-02-23 21:57 ` [PATCH 5/5] OvmfPkg: " Laszlo Ersek
@ 2017-02-24 6:15 ` Gary Lin
0 siblings, 0 replies; 13+ messages in thread
From: Gary Lin @ 2017-02-24 6:15 UTC (permalink / raw)
To: Laszlo Ersek; +Cc: edk2-devel-01, Jordan Justen, Tomas Hoger
On Thu, Feb 23, 2017 at 10:57:44PM +0100, Laszlo Ersek wrote:
> The OpensslLibNoSsl library instance (which does not contain libssl
> functions) is sufficient for the Secure Boot feature.
>
> Ease security analsysis by excluding libssl functionality from the
> OpensslLib instance we use with TLS_ENABLE=FALSE.
>
> Cc: Gary Lin <glin@suse.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Tomas Hoger <thoger@redhat.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Look good to me.
Reviewed-by: Gary Lin <glin@suse.com>
> ---
> OvmfPkg/OvmfPkgIa32.dsc | 4 ++++
> OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++++
> OvmfPkg/OvmfPkgX64.dsc | 4 ++++
> 3 files changed, 12 insertions(+)
>
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index 993547d4859e..44c74c2674e3 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -143,7 +143,11 @@ [LibraryClasses]
> DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
>
> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> +!if $(TLS_ENABLE) == TRUE
> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +!else
> + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
> +!endif
>
> !if $(SECURE_BOOT_ENABLE) == TRUE
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index f36604ecb4d8..41ae1d88495b 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -148,7 +148,11 @@ [LibraryClasses]
> DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
>
> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> +!if $(TLS_ENABLE) == TRUE
> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +!else
> + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
> +!endif
>
> !if $(SECURE_BOOT_ENABLE) == TRUE
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index c5bf1a672b1e..fa4fdc81b44f 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -148,7 +148,11 @@ [LibraryClasses]
> DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
>
> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> +!if $(TLS_ENABLE) == TRUE
> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +!else
> + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
> +!endif
>
> !if $(SECURE_BOOT_ENABLE) == TRUE
> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> --
> 2.9.3
>
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib
2017-02-23 21:57 [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib Laszlo Ersek
` (4 preceding siblings ...)
2017-02-23 21:57 ` [PATCH 5/5] OvmfPkg: " Laszlo Ersek
@ 2017-02-23 22:09 ` Laszlo Ersek
2017-02-23 22:25 ` Ard Biesheuvel
6 siblings, 0 replies; 13+ messages in thread
From: Laszlo Ersek @ 2017-02-23 22:09 UTC (permalink / raw)
To: edk2-devel-01
Cc: Ruiyu Ni, Ard Biesheuvel, Ting Ye, Jordan Justen, Jiaxin Wu,
Gary Lin, Qin Long, Tomas Hoger
On 02/23/17 22:57, Laszlo Ersek wrote:
> In commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib
> directly", 2016-12-14), we enabled libssl functionality in
> CryptoPkg/OpensslLib unconditionally.
>
> While that's real convenient, it is also overkill for platforms (or
> platform builds) that don't want TLS. The impact (beyond wasted build
> time) is that when the next vulnerability comes out that affects the
> libssl subset of OpenSSL, security teams all around will look at build
> logs and INF files, see the libssl files being built, and get nervous --
> without a good reason for such builds that don't actually *use* TLS.
>
> Let's make this easier on them (and thereby on ourselves!), and
> introduce an OpensslLibNoSsl instance, which excludes libssl.
Public repo and branch:
https://github.com/lersek/edk2.git conditionalize-ssl
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib
2017-02-23 21:57 [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib Laszlo Ersek
` (5 preceding siblings ...)
2017-02-23 22:09 ` [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib Laszlo Ersek
@ 2017-02-23 22:25 ` Ard Biesheuvel
2017-02-24 3:32 ` Long, Qin
6 siblings, 1 reply; 13+ messages in thread
From: Ard Biesheuvel @ 2017-02-23 22:25 UTC (permalink / raw)
To: Laszlo Ersek
Cc: edk2-devel-01, Gary Lin, Jiaxin Wu, Jordan Justen, Qin Long,
Ruiyu Ni, Ting Ye, Tomas Hoger
On 23 February 2017 at 21:57, Laszlo Ersek <lersek@redhat.com> wrote:
> In commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib
> directly", 2016-12-14), we enabled libssl functionality in
> CryptoPkg/OpensslLib unconditionally.
>
> While that's real convenient, it is also overkill for platforms (or
> platform builds) that don't want TLS. The impact (beyond wasted build
> time) is that when the next vulnerability comes out that affects the
> libssl subset of OpenSSL, security teams all around will look at build
> logs and INF files, see the libssl files being built, and get nervous --
> without a good reason for such builds that don't actually *use* TLS.
>
> Let's make this easier on them (and thereby on ourselves!), and
> introduce an OpensslLibNoSsl instance, which excludes libssl.
>
I think it would be nicer to align with OpenSSL more closely, and
split the functionality into a libcrypto and a libssl library, and
include the latter only if TLS functionality is needed. However, I am
not volunteering to do the work, and this approach comes down to the
same thing, given that libssl depends on libcrypto, and so libcrypto
and libcrypto+libssl are the only combinations that make any sense.
> The edk2 integration script "process_files.sh" is updated to process
> both INF files in the same invocation.
>
> If noone disagrees with the concept, I'd appreciate if we could review &
> merge this series real fast. (Sorry about that, but a downstream
> deadline looms close, and I consider this sort of a blocker for the next
> rebase.)
>
> I updated the following platform packages:
> - ArmVirtPkg, because I know it never uses TLS (or HTTP boot for that
> matter),
> - Nt32Pkg, because it exposes the TLS_ENABLE build flag,
> - OvmfPkg, because it exposes the TLS_ENABLE build flag.
>
> I didn't touch other packages because they don't expose TLS_ENABLE, and
> I don't have time to figure out if they want TLS built-in.
>
> I tested the new OpensslLibNoSsl instance with Secure Boot under OVMF.
>
> The series was formatted with "--find-copies-harder", which makes a real
> difference for patch #2.
>
> Tomas: if you would like to comment on this series, please subscribe to
> the edk2-devel list at
> <https://lists.01.org/mailman/listinfo/edk2-devel>, and also wait for
> your subscription request to complete, *before* responding.
>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Gary Lin <glin@suse.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Qin Long <qin.long@intel.com>
> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
> Cc: Ting Ye <ting.ye@intel.com>
> Cc: Tomas Hoger <thoger@redhat.com>
>
> Thanks!
> Laszlo
>
> Laszlo Ersek (5):
> CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after
> 32387e00
> CryptoPkg/OpensslLib: introduce OpensslLibNoSsl instance
> ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl
> Nt32Pkg: exclude libssl functionality from OpensslLib if
> TLS_ENABLE=FALSE
> OvmfPkg: exclude libssl functionality from OpensslLib if
> TLS_ENABLE=FALSE
>
> ArmVirtPkg/ArmVirt.dsc.inc | 2 +-
> Nt32Pkg/Nt32Pkg.dsc | 4 ++
> OvmfPkg/OvmfPkgIa32.dsc | 4 ++
> OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++
> OvmfPkg/OvmfPkgX64.dsc | 4 ++
> CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 +
> CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf} | 55 ++------------------
> CryptoPkg/Library/OpensslLib/opensslconf.h | 6 ---
> CryptoPkg/Library/OpensslLib/{OpensslLib.uni => OpensslLibNoSsl.uni} | 8 +--
> CryptoPkg/Library/OpensslLib/process_files.sh | 27 +++++++---
> 10 files changed, 46 insertions(+), 69 deletions(-)
> copy CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf} (90%)
> copy CryptoPkg/Library/OpensslLib/{OpensslLib.uni => OpensslLibNoSsl.uni} (71%)
>
> --
> 2.9.3
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib
2017-02-23 22:25 ` Ard Biesheuvel
@ 2017-02-24 3:32 ` Long, Qin
0 siblings, 0 replies; 13+ messages in thread
From: Long, Qin @ 2017-02-24 3:32 UTC (permalink / raw)
To: Ard Biesheuvel, Laszlo Ersek
Cc: edk2-devel-01, Gary Lin, Wu, Jiaxin, Justen, Jordan L, Ni, Ruiyu,
Ye, Ting, Tomas Hoger
> -----Original Message-----
> From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org]
> Sent: Friday, February 24, 2017 6:25 AM
> To: Laszlo Ersek
> Cc: edk2-devel-01; Gary Lin; Wu, Jiaxin; Justen, Jordan L; Long, Qin; Ni, Ruiyu;
> Ye, Ting; Tomas Hoger
> Subject: Re: [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg:
> conditionalize libssl presence in OpensslLib
>
> On 23 February 2017 at 21:57, Laszlo Ersek <lersek@redhat.com> wrote:
> > In commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib
> > directly", 2016-12-14), we enabled libssl functionality in
> > CryptoPkg/OpensslLib unconditionally.
> >
> > While that's real convenient, it is also overkill for platforms (or
> > platform builds) that don't want TLS. The impact (beyond wasted build
> > time) is that when the next vulnerability comes out that affects the
> > libssl subset of OpenSSL, security teams all around will look at build
> > logs and INF files, see the libssl files being built, and get nervous
> > -- without a good reason for such builds that don't actually *use* TLS.
> >
> > Let's make this easier on them (and thereby on ourselves!), and
> > introduce an OpensslLibNoSsl instance, which excludes libssl.
> >
>
> I think it would be nicer to align with OpenSSL more closely, and split the
> functionality into a libcrypto and a libssl library, and include the latter only if
> TLS functionality is needed. However, I am not volunteering to do the work,
> and this approach comes down to the same thing, given that libssl depends
> on libcrypto, and so libcrypto and libcrypto+libssl are the only combinations
> that make any sense.
I agree.
In fact, we used the two separated library (crypto & ssl) aligned with OpenSSL before,
And received some comments to combine them together. :-)
Two libraries (libcryto and the combination of libcrypto and libssl) are good to me. But
I prefer to use the OpensslLibCrypto as the name, then we can have:
OpensslLibCrypto (libcrypto)
OpensslLib (libcrypto + libssl)
OpensslLib may have more dependencies / usages in different module, we may need extra
Patches to update them.
LONG, Qin
>
> > The edk2 integration script "process_files.sh" is updated to process
> > both INF files in the same invocation.
> >
> > If noone disagrees with the concept, I'd appreciate if we could review
> > & merge this series real fast. (Sorry about that, but a downstream
> > deadline looms close, and I consider this sort of a blocker for the
> > next
> > rebase.)
> >
> > I updated the following platform packages:
> > - ArmVirtPkg, because I know it never uses TLS (or HTTP boot for that
> > matter),
> > - Nt32Pkg, because it exposes the TLS_ENABLE build flag,
> > - OvmfPkg, because it exposes the TLS_ENABLE build flag.
> >
> > I didn't touch other packages because they don't expose TLS_ENABLE,
> > and I don't have time to figure out if they want TLS built-in.
> >
> > I tested the new OpensslLibNoSsl instance with Secure Boot under OVMF.
> >
> > The series was formatted with "--find-copies-harder", which makes a
> > real difference for patch #2.
> >
> > Tomas: if you would like to comment on this series, please subscribe
> > to the edk2-devel list at
> > <https://lists.01.org/mailman/listinfo/edk2-devel>, and also wait for
> > your subscription request to complete, *before* responding.
> >
> > Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> > Cc: Gary Lin <glin@suse.com>
> > Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> > Cc: Jordan Justen <jordan.l.justen@intel.com>
> > Cc: Qin Long <qin.long@intel.com>
> > Cc: Ruiyu Ni <ruiyu.ni@intel.com>
> > Cc: Ting Ye <ting.ye@intel.com>
> > Cc: Tomas Hoger <thoger@redhat.com>
> >
> > Thanks!
> > Laszlo
> >
> > Laszlo Ersek (5):
> > CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after
> > 32387e00
> > CryptoPkg/OpensslLib: introduce OpensslLibNoSsl instance
> > ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl
> > Nt32Pkg: exclude libssl functionality from OpensslLib if
> > TLS_ENABLE=FALSE
> > OvmfPkg: exclude libssl functionality from OpensslLib if
> > TLS_ENABLE=FALSE
> >
> > ArmVirtPkg/ArmVirt.dsc.inc | 2 +-
> > Nt32Pkg/Nt32Pkg.dsc | 4 ++
> > OvmfPkg/OvmfPkgIa32.dsc | 4 ++
> > OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++
> > OvmfPkg/OvmfPkgX64.dsc | 4 ++
> > CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 +
> > CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf} | 55
> ++------------------
> > CryptoPkg/Library/OpensslLib/opensslconf.h | 6 ---
> > CryptoPkg/Library/OpensslLib/{OpensslLib.uni => OpensslLibNoSsl.uni} | 8
> +--
> > CryptoPkg/Library/OpensslLib/process_files.sh | 27 +++++++---
> > 10 files changed, 46 insertions(+), 69 deletions(-) copy
> > CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf}
> > (90%) copy CryptoPkg/Library/OpensslLib/{OpensslLib.uni =>
> > OpensslLibNoSsl.uni} (71%)
> >
> > --
> > 2.9.3
> >
^ permalink raw reply [flat|nested] 13+ messages in thread