From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <lersek@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id 9A0588216E
 for <edk2-devel@ml01.01.org>; Fri, 24 Feb 2017 03:01:48 -0800 (PST)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com
 (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id 36B4ED599F;
 Fri, 24 Feb 2017 11:01:49 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-39.phx2.redhat.com
 [10.3.116.39])
 by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id
 v1OB1bDv003054; Fri, 24 Feb 2017 06:01:48 -0500
From: Laszlo Ersek <lersek@redhat.com>
To: edk2-devel-01 <edk2-devel@ml01.01.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>, Tomas Hoger <thoger@redhat.com>
Date: Fri, 24 Feb 2017 12:01:30 +0100
Message-Id: <20170224110132.19374-4-lersek@redhat.com>
In-Reply-To: <20170224110132.19374-1-lersek@redhat.com>
References: <20170224110132.19374-1-lersek@redhat.com>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.38]); Fri, 24 Feb 2017 11:01:49 +0000 (UTC)
Subject: [PATCH v2 3/5] ArmVirtPkg: resolve OpensslLib to OpensslLibCrypto
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2017 11:01:48 -0000

The OpensslLibCrypto library instance (which does not contain libssl
functions) is sufficient for the Secure Boot feature. It would not be
sufficient for HTTPS booting (which requires TLS), but in ArmVirtPkg, we
don't even enable plaintext HTTP booting for the time being.

Ease security analysis by excluding libssl functionality from the
OpensslLib instance we use.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---

Notes:
    v2:
    - replace "OpensslLibNoSsl" with "OpensslLibCrypto" in commit message
    - fix typo "analsysis" in commit message
    - pick up Ard's R-b
    - resolve OpensslLib to OpensslLibCrypto.inf in ArmVirt.dsc.inc, rather
      than OpensslLibNoSsl.inf
    - test-build ArmVirtQemu

 ArmVirtPkg/ArmVirt.dsc.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index 43699cb9bdd6..b5de4163c1cb 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -136,7 +136,7 @@ [LibraryClasses.common]
   #
 !if $(SECURE_BOOT_ENABLE) == TRUE
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
-  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
-- 
2.9.3