[PATCH V2 0/7] Disable the deprecated MD5 and SHA1 support

[PATCH V2 0/7] Disable the deprecated MD5 and SHA1 support

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3027

MD5 is deprecated, make it disable as default for security.
It required to set MD5 enable explicitly if the module is still using 
MD5. List the modules that are still using it:
iSCSI, Hash2DxeCrypto, CryptoDxe(Pei, Smm) (with PACKAGE or ALL config).

This patch set would affact the platforms that are using iSCSI 
function.

V2:
Remove MD5 and SHA1 support of Hash2DxeCrypto.
Remove the MD5 GUID defination in MdePkg.dec. SHA1 related GUIDs
are still using in TPM2, so keep them.
No requirement to add MD5 enable MACRO in SecurityPkg.

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Kelly Steele <kelly.steele@intel.com>
Cc: Zailiang Sun <zailiang.sun@intel.com>
Cc: Yi Qian <yi.qian@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Roger Feng <roger.feng@intel.com>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>

Zhichao Gao (7):
  NetworkPkg/Defines: Make iSCSI disable as default
  NetworkPkg: Enable MD5 while enable iSCSI
  SecurityPkg/Hash2DxeCrypto: Remove MD5 support
  MdePkg/dec: Remove the MD5 GUID
  SecurityPkg/Hash2DxeCrypto: Remove SHA1 support
  CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5
  CryptoPkg: Make the MD5 disable as default for security

 CryptoPkg/CryptoPkg.dsc                                | 3 +++
 CryptoPkg/Driver/Crypto.c                              | 4 ++--
 CryptoPkg/Include/Library/BaseCryptLib.h               | 2 +-
 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c         | 2 +-
 CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 2 +-
 MdePkg/Include/Protocol/Hash.h                         | 8 +-------
 MdePkg/MdePkg.dec                                      | 3 ---
 NetworkPkg/Network.dsc.inc                             | 5 +++++
 NetworkPkg/NetworkDefines.dsc.inc                      | 4 ++--
 SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c            | 2 --
 SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf          | 4 +---
 11 files changed, 17 insertions(+), 22 deletions(-)

-- 
2.21.0.windows.1

[PATCH V2 1/7] NetworkPkg/Defines: Make iSCSI disable as default

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003

iSCSI is using the undeprecated function MD5. It is
better to make the default setting secure. If the platforms
want to use the iSCSI, they should enable it in the platforms'
dsc file and be aware they are using an unsafe function.

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Kelly Steele <kelly.steele@intel.com>
Cc: Zailiang Sun <zailiang.sun@intel.com>
Cc: Yi Qian <yi.qian@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 NetworkPkg/NetworkDefines.dsc.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/NetworkPkg/NetworkDefines.dsc.inc b/NetworkPkg/NetworkDefines.dsc.inc
index a442d1b157..18921d81f6 100644
--- a/NetworkPkg/NetworkDefines.dsc.inc
+++ b/NetworkPkg/NetworkDefines.dsc.inc
@@ -17,7 +17,7 @@
 #   DEFINE NETWORK_TLS_ENABLE             = TRUE
 #   DEFINE NETWORK_HTTP_BOOT_ENABLE       = TRUE
 #   DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = FALSE
-#   DEFINE NETWORK_ISCSI_ENABLE           = TRUE
+#   DEFINE NETWORK_ISCSI_ENABLE           = FALSE
 #   DEFINE NETWORK_VLAN_ENABLE            = TRUE
 #
 # Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
@@ -101,7 +101,7 @@
   #       Both OpensslLib.inf and OpensslLibCrypto.inf library instance can be used
   #       since libssl is not required for iSCSI.
   #
-  DEFINE NETWORK_ISCSI_ENABLE = TRUE
+  DEFINE NETWORK_ISCSI_ENABLE = FALSE
 !endif
 
 !if $(NETWORK_ENABLE) == TRUE
-- 
2.21.0.windows.1

[PATCH V2 2/7] NetworkPkg: Enable MD5 while enable iSCSI

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003

There is a plan to make MD5 disable as default.
The new MACRO ENABLE_MD5_DEPRECATED_INTERFACES
would be introduced to enable MD5. Make the
definition ahead of the change to avoid build
error after the MACRO changed.

Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 NetworkPkg/Network.dsc.inc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/NetworkPkg/Network.dsc.inc b/NetworkPkg/Network.dsc.inc
index 16f090a187..b761df900b 100644
--- a/NetworkPkg/Network.dsc.inc
+++ b/NetworkPkg/Network.dsc.inc
@@ -30,6 +30,11 @@
 [LibraryClasses]
 !include NetworkPkg/NetworkLibs.dsc.inc
 
+[BuildOptions]
+!if $(NETWORK_ISCSI_ENABLE) == TRUE
+  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
+!endif
+
 !if $(PLATFORMX64_ENABLE) == TRUE
 [Components.X64]
 !include NetworkPkg/NetworkComponents.dsc.inc
-- 
2.21.0.windows.1

[PATCH V2 3/7] SecurityPkg/Hash2DxeCrypto: Remove MD5 support

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3027

Remove the deprecated MD5 support of Hash2DxeCrypto
driver.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c   | 1 -
 SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf | 3 +--
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
index d96bc136e2..50a6157bd9 100644
--- a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
+++ b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
@@ -120,7 +120,6 @@ typedef struct {
 } EFI_HASH_INFO;
 
 EFI_HASH_INFO  mHashInfo[] = {
-  {&gEfiHashAlgorithmMD5Guid,     sizeof(EFI_MD5_HASH2),    Md5GetContextSize,    Md5Init,    Md5Update,    Md5Final  },
   {&gEfiHashAlgorithmSha1Guid,    sizeof(EFI_SHA1_HASH2),   Sha1GetContextSize,   Sha1Init,   Sha1Update,   Sha1Final   },
   {&gEfiHashAlgorithmSha256Guid,  sizeof(EFI_SHA256_HASH2), Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final },
   {&gEfiHashAlgorithmSha384Guid,  sizeof(EFI_SHA384_HASH2), Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final },
diff --git a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
index a0b57f0514..a65943056a 100644
--- a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+++ b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
@@ -4,7 +4,7 @@
 #  This module will use EDKII crypto library to HASH2 protocol.
 #
 #  (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
-#  Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
@@ -44,7 +44,6 @@
   UefiLib
 
 [Guids]
-  gEfiHashAlgorithmMD5Guid              ## CONSUMES               ## GUID
   gEfiHashAlgorithmSha1Guid             ## CONSUMES               ## GUID
   gEfiHashAlgorithmSha256Guid           ## CONSUMES               ## GUID
   gEfiHashAlgorithmSha384Guid           ## CONSUMES               ## GUID
-- 
2.21.0.windows.1

[PATCH V2 4/7] MdePkg/dec: Remove the MD5 GUID

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3027

The gEfiHashAlgorithmMD5Guid is added for the
Hash2DxeCrypto driver. Remove it as it is not
supported.

Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 MdePkg/Include/Protocol/Hash.h | 8 +-------
 MdePkg/MdePkg.dec              | 3 ---
 2 files changed, 1 insertion(+), 10 deletions(-)

diff --git a/MdePkg/Include/Protocol/Hash.h b/MdePkg/Include/Protocol/Hash.h
index 931d7916ef..c1c77c698c 100644
--- a/MdePkg/Include/Protocol/Hash.h
+++ b/MdePkg/Include/Protocol/Hash.h
@@ -5,7 +5,7 @@
   provided by a driver and to create and destroy instances of the EFI Hash Protocol
   so that a multiple drivers can use the underlying hashing services.
 
-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -48,11 +48,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
     0xcaa4381e, 0x750c, 0x4770, {0xb8, 0x70, 0x7a, 0x23, 0xb4, 0xe4, 0x21, 0x30 } \
   }
 
-#define EFI_HASH_ALGORTIHM_MD5_GUID \
-  { \
-    0xaf7c79c, 0x65b5, 0x4319, {0xb0, 0xae, 0x44, 0xec, 0x48, 0x4e, 0x4a, 0xd7 } \
-  }
-
 #define EFI_HASH_ALGORITHM_SHA1_NOPAD_GUID \
   { \
     0x24c5dc2f, 0x53e2, 0x40ca, {0x9e, 0xd6, 0xa5, 0xd9, 0xa4, 0x9f, 0x46, 0x3b } \
@@ -162,7 +157,6 @@ extern EFI_GUID gEfiHashAlgorithmSha224Guid;
 extern EFI_GUID gEfiHashAlgorithmSha256Guid;
 extern EFI_GUID gEfiHashAlgorithmSha384Guid;
 extern EFI_GUID gEfiHashAlgorithmSha512Guid;
-extern EFI_GUID gEfiHashAlgorithmMD5Guid;
 extern EFI_GUID gEfiHashAlgorithmSha1NoPadGuid;
 extern EFI_GUID gEfiHashAlgorithmSha256NoPadGuid;
 
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index 812be75fb3..f42eab54cd 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -361,9 +361,6 @@
   ## Include/Guid/HiiKeyBoardLayout.h
   gEfiHiiKeyBoardLayoutGuid      = { 0x14982a4f, 0xb0ed, 0x45b8, { 0xa8, 0x11, 0x5a, 0x7a, 0x9b, 0xc2, 0x32, 0xdf }}
 
-  ## Include/Protocol/Hash.h
-  gEfiHashAlgorithmMD5Guid       = { 0x0AF7C79C, 0x65B5, 0x4319, { 0xB0, 0xAE, 0x44, 0xEC, 0x48, 0x4E, 0x4A, 0xD7 }}
-
   ## Include/Protocol/Hash.h
   gEfiHashAlgorithmSha512Guid    = { 0xCAA4381E, 0x750C, 0x4770, { 0xB8, 0x70, 0x7A, 0x23, 0xB4, 0xE4, 0x21, 0x30 }}
 
-- 
2.21.0.windows.1

[PATCH V2 5/7] SecurityPkg/Hash2DxeCrypto: Remove SHA1 support

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3027

Remove the deprecated SHA1 support of Hash2DxeCrypto
driver.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c   | 1 -
 SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf | 1 -
 2 files changed, 2 deletions(-)

diff --git a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
index 50a6157bd9..c1c0470be9 100644
--- a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
+++ b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
@@ -120,7 +120,6 @@ typedef struct {
 } EFI_HASH_INFO;
 
 EFI_HASH_INFO  mHashInfo[] = {
-  {&gEfiHashAlgorithmSha1Guid,    sizeof(EFI_SHA1_HASH2),   Sha1GetContextSize,   Sha1Init,   Sha1Update,   Sha1Final   },
   {&gEfiHashAlgorithmSha256Guid,  sizeof(EFI_SHA256_HASH2), Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final },
   {&gEfiHashAlgorithmSha384Guid,  sizeof(EFI_SHA384_HASH2), Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final },
   {&gEfiHashAlgorithmSha512Guid,  sizeof(EFI_SHA512_HASH2), Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final },
diff --git a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
index a65943056a..6a456ed2a6 100644
--- a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
+++ b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
@@ -44,7 +44,6 @@
   UefiLib
 
 [Guids]
-  gEfiHashAlgorithmSha1Guid             ## CONSUMES               ## GUID
   gEfiHashAlgorithmSha256Guid           ## CONSUMES               ## GUID
   gEfiHashAlgorithmSha384Guid           ## CONSUMES               ## GUID
   gEfiHashAlgorithmSha512Guid           ## CONSUMES               ## GUID
-- 
2.21.0.windows.1

[PATCH V2 6/7] CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021

CRYPTO_SERVICES PACKAGES and ALL config would enable MD5
function. So explicitly enable MD5 while CRYPTO_SERVICES
are set PACKAGES and ALL.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/CryptoPkg.dsc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 0490eeb7e2..30c4909397 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -285,3 +285,6 @@
 
 [BuildOptions]
   *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
+!if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
+  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
+!endif
-- 
2.21.0.windows.1

[PATCH V2 7/7] CryptoPkg: Make the MD5 disable as default for security

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021

Make the deprecated MD5 disable as default setting for
security.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/Driver/Crypto.c                              | 4 ++--
 CryptoPkg/Include/Library/BaseCryptLib.h               | 2 +-
 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c         | 2 +-
 CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index d9096ea603..26f280cd5d 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -243,7 +243,7 @@ DeprecatedCryptoServiceMd4HashAll (
   return BaseCryptLibServiceDeprecated ("Md4HashAll"), FALSE;
 }
 
-#ifdef DISABLE_MD5_DEPRECATED_INTERFACES
+#ifndef ENABLE_MD5_DEPRECATED_INTERFACES
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
@@ -4494,7 +4494,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   DeprecatedCryptoServiceMd4Update,
   DeprecatedCryptoServiceMd4Final,
   DeprecatedCryptoServiceMd4HashAll,
-#ifdef DISABLE_MD5_DEPRECATED_INTERFACES
+#ifndef ENABLE_MD5_DEPRECATED_INTERFACES
   /// Md5 - deprecated and unsupported
   DeprecatedCryptoServiceMd5GetContextSize,
   DeprecatedCryptoServiceMd5Init,
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index ae9bde9e37..496121e6a4 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -72,7 +72,7 @@ typedef enum {
 //    One-Way Cryptographic Hash Primitives
 //=====================================================================================
 
-#ifndef DISABLE_MD5_DEPRECATED_INTERFACES
+#ifdef ENABLE_MD5_DEPRECATED_INTERFACES
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
index b85e7f4d12..d670f17424 100644
--- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
+++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
@@ -9,7 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include "InternalCryptLib.h"
 #include <openssl/md5.h>
 
-#ifndef DISABLE_MD5_DEPRECATED_INTERFACES
+#ifdef ENABLE_MD5_DEPRECATED_INTERFACES
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 3f14c6d262..8b43d1363c 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -99,7 +99,7 @@ CryptoServiceNotAvailable (
 //    One-Way Cryptographic Hash Primitives
 //=====================================================================================
 
-#ifndef DISABLE_MD5_DEPRECATED_INTERFACES
+#ifdef ENABLE_MD5_DEPRECATED_INTERFACES
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
-- 
2.21.0.windows.1

Re: [PATCH V2 3/7] SecurityPkg/Hash2DxeCrypto: Remove MD5 support

[Yao, Jiewen]

Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Tuesday, October 27, 2020 10:43 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>
> Subject: [PATCH V2 3/7] SecurityPkg/Hash2DxeCrypto: Remove MD5 support
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3027
> 
> Remove the deprecated MD5 support of Hash2DxeCrypto
> driver.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c   | 1 -
>  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf | 3 +--
>  2 files changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
> b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
> index d96bc136e2..50a6157bd9 100644
> --- a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
> +++ b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
> @@ -120,7 +120,6 @@ typedef struct {
>  } EFI_HASH_INFO;
> 
>  EFI_HASH_INFO  mHashInfo[] = {
> -  {&gEfiHashAlgorithmMD5Guid,     sizeof(EFI_MD5_HASH2),
> Md5GetContextSize,    Md5Init,    Md5Update,    Md5Final  },
>    {&gEfiHashAlgorithmSha1Guid,    sizeof(EFI_SHA1_HASH2),
> Sha1GetContextSize,   Sha1Init,   Sha1Update,   Sha1Final   },
>    {&gEfiHashAlgorithmSha256Guid,  sizeof(EFI_SHA256_HASH2),
> Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final },
>    {&gEfiHashAlgorithmSha384Guid,  sizeof(EFI_SHA384_HASH2),
> Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final },
> diff --git a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
> b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
> index a0b57f0514..a65943056a 100644
> --- a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
> +++ b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
> @@ -4,7 +4,7 @@
>  #  This module will use EDKII crypto library to HASH2 protocol.
>  #
>  #  (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
> -#  Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.<BR>
> +#  Copyright (c) 2015 - 2020, Intel Corporation. All rights reserved.<BR>
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>  #
>  ##
> @@ -44,7 +44,6 @@
>    UefiLib
> 
>  [Guids]
> -  gEfiHashAlgorithmMD5Guid              ## CONSUMES               ## GUID
>    gEfiHashAlgorithmSha1Guid             ## CONSUMES               ## GUID
>    gEfiHashAlgorithmSha256Guid           ## CONSUMES               ## GUID
>    gEfiHashAlgorithmSha384Guid           ## CONSUMES               ## GUID
> --
> 2.21.0.windows.1

Re: [PATCH V2 5/7] SecurityPkg/Hash2DxeCrypto: Remove SHA1 support

[Yao, Jiewen]

Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Tuesday, October 27, 2020 10:43 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>
> Subject: [PATCH V2 5/7] SecurityPkg/Hash2DxeCrypto: Remove SHA1 support
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3027
> 
> Remove the deprecated SHA1 support of Hash2DxeCrypto
> driver.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c   | 1 -
>  SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf | 1 -
>  2 files changed, 2 deletions(-)
> 
> diff --git a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
> b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
> index 50a6157bd9..c1c0470be9 100644
> --- a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
> +++ b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.c
> @@ -120,7 +120,6 @@ typedef struct {
>  } EFI_HASH_INFO;
> 
>  EFI_HASH_INFO  mHashInfo[] = {
> -  {&gEfiHashAlgorithmSha1Guid,    sizeof(EFI_SHA1_HASH2),
> Sha1GetContextSize,   Sha1Init,   Sha1Update,   Sha1Final   },
>    {&gEfiHashAlgorithmSha256Guid,  sizeof(EFI_SHA256_HASH2),
> Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final },
>    {&gEfiHashAlgorithmSha384Guid,  sizeof(EFI_SHA384_HASH2),
> Sha384GetContextSize, Sha384Init, Sha384Update, Sha384Final },
>    {&gEfiHashAlgorithmSha512Guid,  sizeof(EFI_SHA512_HASH2),
> Sha512GetContextSize, Sha512Init, Sha512Update, Sha512Final },
> diff --git a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
> b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
> index a65943056a..6a456ed2a6 100644
> --- a/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
> +++ b/SecurityPkg/Hash2DxeCrypto/Hash2DxeCrypto.inf
> @@ -44,7 +44,6 @@
>    UefiLib
> 
>  [Guids]
> -  gEfiHashAlgorithmSha1Guid             ## CONSUMES               ## GUID
>    gEfiHashAlgorithmSha256Guid           ## CONSUMES               ## GUID
>    gEfiHashAlgorithmSha384Guid           ## CONSUMES               ## GUID
>    gEfiHashAlgorithmSha512Guid           ## CONSUMES               ## GUID
> --
> 2.21.0.windows.1

Re: [PATCH V2 6/7] CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES enable MD5

[Yao, Jiewen]

Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Tuesday, October 27, 2020 10:43 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Jiang, Guomin
> <guomin.jiang@intel.com>
> Subject: [PATCH V2 6/7] CryptoPkg/dsc: Enable MD5 when CRYPTO_SERVICES
> enable MD5
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021
> 
> CRYPTO_SERVICES PACKAGES and ALL config would enable MD5
> function. So explicitly enable MD5 while CRYPTO_SERVICES
> are set PACKAGES and ALL.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  CryptoPkg/CryptoPkg.dsc | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index 0490eeb7e2..30c4909397 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -285,3 +285,6 @@
> 
>  [BuildOptions]
>    *_*_*_CC_FLAGS = -D DISABLE_NEW_DEPRECATED_INTERFACES
> +!if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
> +  *_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES
> +!endif
> --
> 2.21.0.windows.1

Re: [PATCH V2 7/7] CryptoPkg: Make the MD5 disable as default for security

[Yao, Jiewen]

Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Tuesday, October 27, 2020 10:43 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J
> <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Jiang, Guomin
> <guomin.jiang@intel.com>
> Subject: [PATCH V2 7/7] CryptoPkg: Make the MD5 disable as default for
> security
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3021
> 
> Make the deprecated MD5 disable as default setting for
> security.
> 
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  CryptoPkg/Driver/Crypto.c                              | 4 ++--
>  CryptoPkg/Include/Library/BaseCryptLib.h               | 2 +-
>  CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c         | 2 +-
>  CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 2 +-
>  4 files changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index d9096ea603..26f280cd5d 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -243,7 +243,7 @@ DeprecatedCryptoServiceMd4HashAll (
>    return BaseCryptLibServiceDeprecated ("Md4HashAll"), FALSE;
>  }
> 
> -#ifdef DISABLE_MD5_DEPRECATED_INTERFACES
> +#ifndef ENABLE_MD5_DEPRECATED_INTERFACES
>  /**
>    Retrieves the size, in bytes, of the context buffer required for MD5 hash
> operations.
> 
> @@ -4494,7 +4494,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
>    DeprecatedCryptoServiceMd4Update,
>    DeprecatedCryptoServiceMd4Final,
>    DeprecatedCryptoServiceMd4HashAll,
> -#ifdef DISABLE_MD5_DEPRECATED_INTERFACES
> +#ifndef ENABLE_MD5_DEPRECATED_INTERFACES
>    /// Md5 - deprecated and unsupported
>    DeprecatedCryptoServiceMd5GetContextSize,
>    DeprecatedCryptoServiceMd5Init,
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index ae9bde9e37..496121e6a4 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -72,7 +72,7 @@ typedef enum {
>  //    One-Way Cryptographic Hash Primitives
> 
> //===============================================================
> ======================
> 
> -#ifndef DISABLE_MD5_DEPRECATED_INTERFACES
> +#ifdef ENABLE_MD5_DEPRECATED_INTERFACES
>  /**
>    Retrieves the size, in bytes, of the context buffer required for MD5 hash
> operations.
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
> b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
> index b85e7f4d12..d670f17424 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd5.c
> @@ -9,7 +9,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>  #include "InternalCryptLib.h"
>  #include <openssl/md5.h>
> 
> -#ifndef DISABLE_MD5_DEPRECATED_INTERFACES
> +#ifdef ENABLE_MD5_DEPRECATED_INTERFACES
>  /**
>    Retrieves the size, in bytes, of the context buffer required for MD5 hash
> operations.
> 
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index 3f14c6d262..8b43d1363c 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -99,7 +99,7 @@ CryptoServiceNotAvailable (
>  //    One-Way Cryptographic Hash Primitives
> 
> //===============================================================
> ======================
> 
> -#ifndef DISABLE_MD5_DEPRECATED_INTERFACES
> +#ifdef ENABLE_MD5_DEPRECATED_INTERFACES
>  /**
>    Retrieves the size, in bytes, of the context buffer required for MD5 hash
> operations.
> 
> --
> 2.21.0.windows.1

Re: [PATCH V2 1/7] NetworkPkg/Defines: Make iSCSI disable as default

[Laszlo Ersek]

Hi Zhichao,

thanks for the CC, I appreciate it. Please see my comments below.

On 10/27/20 03:42, Zhichao Gao wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
> 
> iSCSI is using the undeprecated function MD5. It is
> better to make the default setting secure. If the platforms
> want to use the iSCSI, they should enable it in the platforms'
> dsc file and be aware they are using an unsafe function.
> 
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Sami Mujawar <sami.mujawar@arm.com>
> Cc: Leif Lindholm <leif@nuviainc.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Kelly Steele <kelly.steele@intel.com>
> Cc: Zailiang Sun <zailiang.sun@intel.com>
> Cc: Yi Qian <yi.qian@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  NetworkPkg/NetworkDefines.dsc.inc | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/NetworkPkg/NetworkDefines.dsc.inc b/NetworkPkg/NetworkDefines.dsc.inc
> index a442d1b157..18921d81f6 100644
> --- a/NetworkPkg/NetworkDefines.dsc.inc
> +++ b/NetworkPkg/NetworkDefines.dsc.inc
> @@ -17,7 +17,7 @@
>  #   DEFINE NETWORK_TLS_ENABLE             = TRUE
>  #   DEFINE NETWORK_HTTP_BOOT_ENABLE       = TRUE
>  #   DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = FALSE
> -#   DEFINE NETWORK_ISCSI_ENABLE           = TRUE
> +#   DEFINE NETWORK_ISCSI_ENABLE           = FALSE
>  #   DEFINE NETWORK_VLAN_ENABLE            = TRUE
>  #
>  # Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> @@ -101,7 +101,7 @@
>    #       Both OpensslLib.inf and OpensslLibCrypto.inf library instance can be used
>    #       since libssl is not required for iSCSI.
>    #
> -  DEFINE NETWORK_ISCSI_ENABLE = TRUE
> +  DEFINE NETWORK_ISCSI_ENABLE = FALSE
>  !endif
>  
>  !if $(NETWORK_ENABLE) == TRUE
> 

I know of people that use iSCSI with the ArmVirtQemu and OVMF platforms.

Please prepend two patches to this series (that is, the v3 series should
begin with these two patches below):

(1) locate "NETWORK_ALLOW_HTTP_CONNECTIONS" in the files:

- ArmVirtPkg/ArmVirtQemu.dsc
- ArmVirtPkg/ArmVirtQemuKernel.dsc

and explicitly enable NETWORK_ISCSI_ENABLE in the same place.

(2) Please do the same for the following files, in a separate patch:

- OvmfPkg/Bhyve/BhyveX64.dsc
- OvmfPkg/OvmfPkgIa32.dsc
- OvmfPkg/OvmfPkgIa32X64.dsc
- OvmfPkg/OvmfPkgX64.dsc
- OvmfPkg/OvmfXen.dsc

Thanks!
Laszlo

Re: [PATCH V2 1/7] NetworkPkg/Defines: Make iSCSI disable as default

[Gao, Zhichao]

Sure. I would do it. I am thinking using Network.dsc.inc instead of others inc's combination. But there may be a question: the default Network.dsc.inc would only cover below build:
Components.IA32, Components.X64, Components.ARM, Components.AARCH64, Components.RISCV64
I am not sure if the above would match ArmVirt and Ovmf's requirements.

Thanks,
Zhichao

> -----Original Message-----
> From: Laszlo Ersek <lersek@redhat.com>
> Sent: Tuesday, October 27, 2020 6:48 PM
> To: Gao, Zhichao <zhichao.gao@intel.com>; devel@edk2.groups.io
> Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Ard Biesheuvel
> <ard.biesheuvel@arm.com>; Sami Mujawar <sami.mujawar@arm.com>; Leif
> Lindholm <leif@nuviainc.com>; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian
> J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Jiang, Guomin
> <guomin.jiang@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>;
> Steele, Kelly <kelly.steele@intel.com>; Sun, Zailiang <zailiang.sun@intel.com>;
> Qian, Yi <yi.qian@intel.com>; Liming Gao <gaoliming@byosoft.com.cn>; Maciej
> Rabeda <maciej.rabeda@linux.intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu,
> Siyuan <siyuan.fu@intel.com>
> Subject: Re: [PATCH V2 1/7] NetworkPkg/Defines: Make iSCSI disable as default
> 
> Hi Zhichao,
> 
> thanks for the CC, I appreciate it. Please see my comments below.
> 
> On 10/27/20 03:42, Zhichao Gao wrote:
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
> >
> > iSCSI is using the undeprecated function MD5. It is better to make the
> > default setting secure. If the platforms want to use the iSCSI, they
> > should enable it in the platforms'
> > dsc file and be aware they are using an unsafe function.
> >
> > Cc: Jordan Justen <jordan.l.justen@intel.com>
> > Cc: Laszlo Ersek <lersek@redhat.com>
> > Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> > Cc: Sami Mujawar <sami.mujawar@arm.com>
> > Cc: Leif Lindholm <leif@nuviainc.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Cc: Kelly Steele <kelly.steele@intel.com>
> > Cc: Zailiang Sun <zailiang.sun@intel.com>
> > Cc: Yi Qian <yi.qian@intel.com>
> > Cc: Liming Gao <gaoliming@byosoft.com.cn>
> > Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
> > Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> > Cc: Siyuan Fu <siyuan.fu@intel.com>
> > Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> > ---
> >  NetworkPkg/NetworkDefines.dsc.inc | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/NetworkPkg/NetworkDefines.dsc.inc
> > b/NetworkPkg/NetworkDefines.dsc.inc
> > index a442d1b157..18921d81f6 100644
> > --- a/NetworkPkg/NetworkDefines.dsc.inc
> > +++ b/NetworkPkg/NetworkDefines.dsc.inc
> > @@ -17,7 +17,7 @@
> >  #   DEFINE NETWORK_TLS_ENABLE             = TRUE
> >  #   DEFINE NETWORK_HTTP_BOOT_ENABLE       = TRUE
> >  #   DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = FALSE
> > -#   DEFINE NETWORK_ISCSI_ENABLE           = TRUE
> > +#   DEFINE NETWORK_ISCSI_ENABLE           = FALSE
> >  #   DEFINE NETWORK_VLAN_ENABLE            = TRUE
> >  #
> >  # Copyright (c) 2019, Intel Corporation. All rights reserved.<BR> @@
> > -101,7 +101,7 @@
> >    #       Both OpensslLib.inf and OpensslLibCrypto.inf library instance can be used
> >    #       since libssl is not required for iSCSI.
> >    #
> > -  DEFINE NETWORK_ISCSI_ENABLE = TRUE
> > +  DEFINE NETWORK_ISCSI_ENABLE = FALSE
> >  !endif
> >
> >  !if $(NETWORK_ENABLE) == TRUE
> >
> 
> I know of people that use iSCSI with the ArmVirtQemu and OVMF platforms.
> 
> Please prepend two patches to this series (that is, the v3 series should begin with
> these two patches below):
> 
> (1) locate "NETWORK_ALLOW_HTTP_CONNECTIONS" in the files:
> 
> - ArmVirtPkg/ArmVirtQemu.dsc
> - ArmVirtPkg/ArmVirtQemuKernel.dsc
> 
> and explicitly enable NETWORK_ISCSI_ENABLE in the same place.
> 
> (2) Please do the same for the following files, in a separate patch:
> 
> - OvmfPkg/Bhyve/BhyveX64.dsc
> - OvmfPkg/OvmfPkgIa32.dsc
> - OvmfPkg/OvmfPkgIa32X64.dsc
> - OvmfPkg/OvmfPkgX64.dsc
> - OvmfPkg/OvmfXen.dsc
> 
> Thanks!
> Laszlo

回复: [edk2-devel] [PATCH V2 4/7] MdePkg/dec: Remove the MD5 GUID

[gaoliming]

Zhichao:
  MD5 GUID is still defined in UEFI spec. Its definition should be kept. 

Thanks
Liming
> -----邮件原件-----
> 发件人: bounce+27952+66623+4905953+8761045@groups.io
> <bounce+27952+66623+4905953+8761045@groups.io> 代表 Gao, Zhichao
> 发送时间: 2020年10月27日 10:43
> 收件人: devel@edk2.groups.io
> 抄送: Michael D Kinney <michael.d.kinney@intel.com>; Liming Gao
> <gaoliming@byosoft.com.cn>; Zhiguang Liu <zhiguang.liu@intel.com>
> 主题: [edk2-devel] [PATCH V2 4/7] MdePkg/dec: Remove the MD5 GUID
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3027
> 
> The gEfiHashAlgorithmMD5Guid is added for the
> Hash2DxeCrypto driver. Remove it as it is not
> supported.
> 
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Liming Gao <gaoliming@byosoft.com.cn>
> Cc: Zhiguang Liu <zhiguang.liu@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  MdePkg/Include/Protocol/Hash.h | 8 +-------
>  MdePkg/MdePkg.dec              | 3 ---
>  2 files changed, 1 insertion(+), 10 deletions(-)
> 
> diff --git a/MdePkg/Include/Protocol/Hash.h
> b/MdePkg/Include/Protocol/Hash.h
> index 931d7916ef..c1c77c698c 100644
> --- a/MdePkg/Include/Protocol/Hash.h
> +++ b/MdePkg/Include/Protocol/Hash.h
> @@ -5,7 +5,7 @@
>    provided by a driver and to create and destroy instances of the EFI
Hash
> Protocol
>    so that a multiple drivers can use the underlying hashing services.
> 
> -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR>
>  SPDX-License-Identifier: BSD-2-Clause-Patent
> 
>  **/
> @@ -48,11 +48,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
>      0xcaa4381e, 0x750c, 0x4770, {0xb8, 0x70, 0x7a, 0x23, 0xb4, 0xe4,
0x21,
> 0x30 } \
>    }
> 
> -#define EFI_HASH_ALGORTIHM_MD5_GUID \
> -  { \
> -    0xaf7c79c, 0x65b5, 0x4319, {0xb0, 0xae, 0x44, 0xec, 0x48, 0x4e, 0x4a,
> 0xd7 } \
> -  }
> -
>  #define EFI_HASH_ALGORITHM_SHA1_NOPAD_GUID \
>    { \
>      0x24c5dc2f, 0x53e2, 0x40ca, {0x9e, 0xd6, 0xa5, 0xd9, 0xa4, 0x9f,
0x46,
> 0x3b } \
> @@ -162,7 +157,6 @@ extern EFI_GUID gEfiHashAlgorithmSha224Guid;
>  extern EFI_GUID gEfiHashAlgorithmSha256Guid;
>  extern EFI_GUID gEfiHashAlgorithmSha384Guid;
>  extern EFI_GUID gEfiHashAlgorithmSha512Guid;
> -extern EFI_GUID gEfiHashAlgorithmMD5Guid;
>  extern EFI_GUID gEfiHashAlgorithmSha1NoPadGuid;
>  extern EFI_GUID gEfiHashAlgorithmSha256NoPadGuid;
> 
> diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
> index 812be75fb3..f42eab54cd 100644
> --- a/MdePkg/MdePkg.dec
> +++ b/MdePkg/MdePkg.dec
> @@ -361,9 +361,6 @@
>    ## Include/Guid/HiiKeyBoardLayout.h
>    gEfiHiiKeyBoardLayoutGuid      = { 0x14982a4f, 0xb0ed, 0x45b8, { 0xa8,
> 0x11, 0x5a, 0x7a, 0x9b, 0xc2, 0x32, 0xdf }}
> 
> -  ## Include/Protocol/Hash.h
> -  gEfiHashAlgorithmMD5Guid       = { 0x0AF7C79C, 0x65B5, 0x4319,
> { 0xB0, 0xAE, 0x44, 0xEC, 0x48, 0x4E, 0x4A, 0xD7 }}
> -
>    ## Include/Protocol/Hash.h
>    gEfiHashAlgorithmSha512Guid    = { 0xCAA4381E, 0x750C, 0x4770,
> { 0xB8, 0x70, 0x7A, 0x23, 0xB4, 0xE4, 0x21, 0x30 }}
> 
> --
> 2.21.0.windows.1
> 
> 
> 
> 
> 

Re: [PATCH V2 1/7] NetworkPkg/Defines: Make iSCSI disable as default

[Laszlo Ersek]

On 10/29/20 03:34, Gao, Zhichao wrote:
> Sure. I would do it. I am thinking using Network.dsc.inc instead of others inc's combination. But there may be a question: the default Network.dsc.inc would only cover below build:
> Components.IA32, Components.X64, Components.ARM, Components.AARCH64, Components.RISCV64
> I am not sure if the above would match ArmVirt and Ovmf's requirements.

Indeed, modifying just "Network.dsc.inc" is insufficient.

"Network.dsc.inc" is convenient when it is applicable, but for some
platforms, it is not flexible enough. That's why we have the separate
DSC include files under NetworkPkg that do not contain the section
headers themselves (such as [LibraryClasses], [Components] etc).

This lets platforms decide *where* they include those snippets.

"Network.dsc.inc" is not used by either ArmVirtPkg or OvmfPkg platforms.
The platform DSC files in those package directories reference
"NetworkDefines.dsc.inc" and "NetworkComponents.dsc.inc" instead.

Thanks,
Laszlo


>> -----Original Message-----
>> From: Laszlo Ersek <lersek@redhat.com>
>> Sent: Tuesday, October 27, 2020 6:48 PM
>> To: Gao, Zhichao <zhichao.gao@intel.com>; devel@edk2.groups.io
>> Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Ard Biesheuvel
>> <ard.biesheuvel@arm.com>; Sami Mujawar <sami.mujawar@arm.com>; Leif
>> Lindholm <leif@nuviainc.com>; Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian
>> J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Jiang, Guomin
>> <guomin.jiang@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>;
>> Steele, Kelly <kelly.steele@intel.com>; Sun, Zailiang <zailiang.sun@intel.com>;
>> Qian, Yi <yi.qian@intel.com>; Liming Gao <gaoliming@byosoft.com.cn>; Maciej
>> Rabeda <maciej.rabeda@linux.intel.com>; Wu, Jiaxin <jiaxin.wu@intel.com>; Fu,
>> Siyuan <siyuan.fu@intel.com>
>> Subject: Re: [PATCH V2 1/7] NetworkPkg/Defines: Make iSCSI disable as default
>>
>> Hi Zhichao,
>>
>> thanks for the CC, I appreciate it. Please see my comments below.
>>
>> On 10/27/20 03:42, Zhichao Gao wrote:
>>> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3003
>>>
>>> iSCSI is using the undeprecated function MD5. It is better to make the
>>> default setting secure. If the platforms want to use the iSCSI, they
>>> should enable it in the platforms'
>>> dsc file and be aware they are using an unsafe function.
>>>
>>> Cc: Jordan Justen <jordan.l.justen@intel.com>
>>> Cc: Laszlo Ersek <lersek@redhat.com>
>>> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
>>> Cc: Sami Mujawar <sami.mujawar@arm.com>
>>> Cc: Leif Lindholm <leif@nuviainc.com>
>>> Cc: Jiewen Yao <jiewen.yao@intel.com>
>>> Cc: Jian J Wang <jian.j.wang@intel.com>
>>> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
>>> Cc: Guomin Jiang <guomin.jiang@intel.com>
>>> Cc: Michael D Kinney <michael.d.kinney@intel.com>
>>> Cc: Kelly Steele <kelly.steele@intel.com>
>>> Cc: Zailiang Sun <zailiang.sun@intel.com>
>>> Cc: Yi Qian <yi.qian@intel.com>
>>> Cc: Liming Gao <gaoliming@byosoft.com.cn>
>>> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
>>> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
>>> Cc: Siyuan Fu <siyuan.fu@intel.com>
>>> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
>>> ---
>>>  NetworkPkg/NetworkDefines.dsc.inc | 4 ++--
>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/NetworkPkg/NetworkDefines.dsc.inc
>>> b/NetworkPkg/NetworkDefines.dsc.inc
>>> index a442d1b157..18921d81f6 100644
>>> --- a/NetworkPkg/NetworkDefines.dsc.inc
>>> +++ b/NetworkPkg/NetworkDefines.dsc.inc
>>> @@ -17,7 +17,7 @@
>>>  #   DEFINE NETWORK_TLS_ENABLE             = TRUE
>>>  #   DEFINE NETWORK_HTTP_BOOT_ENABLE       = TRUE
>>>  #   DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = FALSE
>>> -#   DEFINE NETWORK_ISCSI_ENABLE           = TRUE
>>> +#   DEFINE NETWORK_ISCSI_ENABLE           = FALSE
>>>  #   DEFINE NETWORK_VLAN_ENABLE            = TRUE
>>>  #
>>>  # Copyright (c) 2019, Intel Corporation. All rights reserved.<BR> @@
>>> -101,7 +101,7 @@
>>>    #       Both OpensslLib.inf and OpensslLibCrypto.inf library instance can be used
>>>    #       since libssl is not required for iSCSI.
>>>    #
>>> -  DEFINE NETWORK_ISCSI_ENABLE = TRUE
>>> +  DEFINE NETWORK_ISCSI_ENABLE = FALSE
>>>  !endif
>>>
>>>  !if $(NETWORK_ENABLE) == TRUE
>>>
>>
>> I know of people that use iSCSI with the ArmVirtQemu and OVMF platforms.
>>
>> Please prepend two patches to this series (that is, the v3 series should begin with
>> these two patches below):
>>
>> (1) locate "NETWORK_ALLOW_HTTP_CONNECTIONS" in the files:
>>
>> - ArmVirtPkg/ArmVirtQemu.dsc
>> - ArmVirtPkg/ArmVirtQemuKernel.dsc
>>
>> and explicitly enable NETWORK_ISCSI_ENABLE in the same place.
>>
>> (2) Please do the same for the following files, in a separate patch:
>>
>> - OvmfPkg/Bhyve/BhyveX64.dsc
>> - OvmfPkg/OvmfPkgIa32.dsc
>> - OvmfPkg/OvmfPkgIa32X64.dsc
>> - OvmfPkg/OvmfPkgX64.dsc
>> - OvmfPkg/OvmfXen.dsc
>>
>> Thanks!
>> Laszlo
>