public inbox for devel@edk2.groups.io
From: "Michael D Kinney" <michael.d.kinney@intel.com>
To: devel@edk2.groups.io
Cc: Jiewen Yao <jiewen.yao@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>,
	Xiaoyu Lu <xiaoyu1.lu@intel.com>,
	Guomin Jiang <guomin.jiang@intel.com>,
	Christopher Zurcher <christopher.zurcher@microsoft.com>
Subject: [Patch 01/12] CryptoPkg: Document and disable deprecated crypto services
Date: Tue, 11 Oct 2022 08:03:47 -0700
Message-ID: <20221011150358.1332-2-michael.d.kinney@intel.com>
In-Reply-To: <20221011150358.1332-1-michael.d.kinney@intel.com>

Also note services that are recommended to be disabled and
update CryptoPkg.dsc PcdCryptoServiceFamilyEnable settings to
disable all deprecated services.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Christopher Zurcher <christopher.zurcher@microsoft.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
---
 CryptoPkg/CryptoPkg.dsc                       |  10 +-
 .../Pcd/PcdCryptoServiceFamilyEnable.h        | 122 ++++++++++--------
 2 files changed, 77 insertions(+), 55 deletions(-)

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index e4e7bc0dbfae..ab28d8861f10 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -150,7 +150,6 @@ [PcdsFixedAtBuild]
 !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family                                | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
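Review bot: dropping the Md5.Family line from the PACKAGE ALL block only disables MD5 if the PCD's default for that field is 0; consider setting `gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family | 0` explicitly (or stating in the commit message that the default is relied upon) so anyone auditing the DSC sees the deprecation as intentional rather than as an omission.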
@@ -160,8 +159,10 @@ [PcdsFixedAtBuild]
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize              | TRUE
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init                        | TRUE
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt                  | TRUE
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt                  | TRUE
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
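Review bot: the Arc4.Family line directly below the new Aes service entries is left enabled, yet the header hunk in this same patch lists the Arc4 family as deprecated and "must never be enabled", and the commit message says all deprecated services are disabled; remove `gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY` here (or set it to 0) alongside the Tdes.Family removal. Replacing Aes.Family with the four per-service entries is the right way to keep CBC available while dropping the deprecated ECB services.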
@@ -172,7 +173,7 @@ [PcdsFixedAtBuild]
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.ParallelHash.Family                      | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.AeadAesGcm.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Bn.Family                                | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Ec.Family                                | 0
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Ec.Family                                | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 !endif
 
 !if $(CRYPTO_SERVICES) == MIN_PEI
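Review bot: switching Ec.Family from 0 to PCD_CRYPTO_SERVICE_ENABLE_FAMILY enables the EC family in the PACKAGE ALL build, which is unrelated to documenting or disabling deprecated services and is not mentioned in the commit message; either add a sentence there (it belongs with the series' removal of the EC PCD) or move this one-line change to the patch that makes that removal.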
@@ -216,6 +217,7 @@ [PcdsFixedAtBuild]
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize              | TRUE
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init                        | TRUE
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt                  | TRUE
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt                  | TRUE
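Review bot: adding Aes.Services.GetContextSize next to the already-enabled Init/CbcEncrypt/CbcDecrypt in this block is a functional fix rather than a deprecation change (a caller cannot size an AES context without it), so it deserves its own sentence in the commit message.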
diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
index 47405894176c..da533543172f 100644
--- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
+++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
@@ -1,6 +1,26 @@
 /** @file
   Defines the PCD_CRYPTO_SERVICE_FAMILY_ENABLE structure associated with
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable that is used
+  to enable/disable crypto services at either the family scope or the
+  individual service scope.  Platforms can minimize the number of enabled
+  services to reduce size.
+
+  The following services have been deprecated and must never be enabled.
+  The associated fields in this data structure are never removed or replaced
+  to preseve the binary layout of the data structure.  New services are
+  always added to the end of the data structure.
+  * HmacMd5 family
+  * HmacSha1 family
+  * Md4 family
+  * Md5 family
+  * Tdes family
+  * Arc4 family
+  * Aes.Services.EcbEncrypt service
+  * Aes.Services.EcbDecrypt service
+
+  Is is recommended that the following services always be disabled and may
+  be deprecated in the future.
+  * Sha1 family
 
   Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.<BR>
   SPDX-License-Identifier: BSD-2-Clause-Patent
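Review bot: two typos in the new file header text: "preseve" should read "preserve" and "Is is recommended" should read "It is recommended". Since the header now states that the listed families "must never be enabled", double-check that every CryptoPkg.dsc block in this patch actually matches that wording (the Arc4.Family entry visible in the DSC hunk above is still enabled).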
@@ -25,25 +45,25 @@
 typedef struct {
   union {
     struct {
-      UINT8    New       : 1;
-      UINT8    Free      : 1;
-      UINT8    SetKey    : 1;
-      UINT8    Duplicate : 1;
-      UINT8    Update    : 1;
-      UINT8    Final     : 1;
+      UINT8    New       : 1;  // Deprecated
+      UINT8    Free      : 1;  // Deprecated
+      UINT8    SetKey    : 1;  // Deprecated
+      UINT8    Duplicate : 1;  // Deprecated
+      UINT8    Update    : 1;  // Deprecated
+      UINT8    Final     : 1;  // Deprecated
     } Services;
-    UINT32    Family;
+    UINT32    Family;          // Deprecated
   } HmacMd5;
   union {
     struct {
-      UINT8    New       : 1;
-      UINT8    Free      : 1;
-      UINT8    SetKey    : 1;
-      UINT8    Duplicate : 1;
-      UINT8    Update    : 1;
-      UINT8    Final     : 1;
+      UINT8    New       : 1;  // Deprecated
+      UINT8    Free      : 1;  // Deprecated
+      UINT8    SetKey    : 1;  // Deprecated
+      UINT8    Duplicate : 1;  // Deprecated
+      UINT8    Update    : 1;  // Deprecated
+      UINT8    Final     : 1;  // Deprecated
     } Services;
-    UINT32    Family;
+    UINT32    Family;          // Deprecated
   } HmacSha1;
   union {
     struct {
@@ -71,26 +91,26 @@ typedef struct {
   } HmacSha384;
   union {
     struct {
-      UINT8    GetContextSize : 1;
-      UINT8    Init           : 1;
-      UINT8    Duplicate      : 1;
-      UINT8    Update         : 1;
-      UINT8    Final          : 1;
-      UINT8    HashAll        : 1;
+      UINT8    GetContextSize : 1;  // Deprecated
+      UINT8    Init           : 1;  // Deprecated
+      UINT8    Duplicate      : 1;  // Deprecated
+      UINT8    Update         : 1;  // Deprecated
+      UINT8    Final          : 1;  // Deprecated
+      UINT8    HashAll        : 1;  // Deprecated
     } Services;
-    UINT32    Family;
+    UINT32    Family;               // Deprecated
   } Md4;
   union {
     struct {
-      UINT8    GetContextSize : 1;
-      UINT8    Init           : 1;
-      UINT8    Duplicate      : 1;
-      UINT8    Update         : 1;
-      UINT8    Final          : 1;
-      UINT8    HashAll        : 1;
+      UINT8    GetContextSize : 1;  // Deprecated
+      UINT8    Init           : 1;  // Deprecated
+      UINT8    Duplicate      : 1;  // Deprecated
+      UINT8    Update         : 1;  // Deprecated
+      UINT8    Final          : 1;  // Deprecated
+      UINT8    HashAll        : 1;  // Deprecated
     } Services;
     UINT32    Family;
-  } Md5;
+  } Md5;                            // Deprecated
   union {
     struct {
       UINT8    Pkcs1v2Encrypt             : 1;
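Review bot: the Md5 union is annotated inconsistently with Md4 directly above it: Md4 marks every Services bit and the Family member `// Deprecated`, while Md5 leaves `UINT32    Family;` unmarked and puts the comment on the closing `} Md5;` line. Mark `Family` the same way as Md4 (and Tdes/Arc4 later in this patch) so readers and grep treat all deprecated families alike.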
@@ -143,14 +163,14 @@ typedef struct {
   } Rsa;
   union {
     struct {
-      UINT8    GetContextSize : 1;
-      UINT8    Init           : 1;
-      UINT8    Duplicate      : 1;
-      UINT8    Update         : 1;
-      UINT8    Final          : 1;
-      UINT8    HashAll        : 1;
+      UINT8    GetContextSize : 1;  // Recommend disable
+      UINT8    Init           : 1;  // Recommend disable
+      UINT8    Duplicate      : 1;  // Recommend disable
+      UINT8    Update         : 1;  // Recommend disable
+      UINT8    Final          : 1;  // Recommend disable
+      UINT8    HashAll        : 1;  // Recommend disable
     } Services;
-    UINT32    Family;
+    UINT32    Family;               // Recommend disable
   } Sha1;
   union {
     struct {
@@ -202,21 +222,21 @@ typedef struct {
   } X509;
   union {
     struct {
-      UINT8    GetContextSize : 1;
-      UINT8    Init           : 1;
-      UINT8    EcbEncrypt     : 1;
-      UINT8    EcbDecrypt     : 1;
-      UINT8    CbcEncrypt     : 1;
-      UINT8    CbcDecrypt     : 1;
+      UINT8    GetContextSize : 1;  // Deprecated
+      UINT8    Init           : 1;  // Deprecated
+      UINT8    EcbEncrypt     : 1;  // Deprecated
+      UINT8    EcbDecrypt     : 1;  // Deprecated
+      UINT8    CbcEncrypt     : 1;  // Deprecated
+      UINT8    CbcDecrypt     : 1;  // Deprecated
     } Services;
-    UINT32    Family;
+    UINT32    Family;               // Deprecated
   } Tdes;
   union {
     struct {
       UINT8    GetContextSize : 1;
       UINT8    Init           : 1;
-      UINT8    EcbEncrypt     : 1;
-      UINT8    EcbDecrypt     : 1;
+      UINT8    EcbEncrypt     : 1;  // Deprecated
+      UINT8    EcbDecrypt     : 1;  // Deprecated
       UINT8    CbcEncrypt     : 1;
       UINT8    CbcDecrypt     : 1;
     } Services;
@@ -224,13 +244,13 @@ typedef struct {
   } Aes;
   union {
     struct {
-      UINT8    GetContextSize : 1;
-      UINT8    Init           : 1;
-      UINT8    Encrypt        : 1;
-      UINT8    Decrypt        : 1;
-      UINT8    Reset          : 1;
+      UINT8    GetContextSize : 1;  // Deprecated
+      UINT8    Init           : 1;  // Deprecated
+      UINT8    Encrypt        : 1;  // Deprecated
+      UINT8    Decrypt        : 1;  // Deprecated
+      UINT8    Reset          : 1;  // Deprecated
     } Services;
-    UINT32    Family;
+    UINT32    Family;               // Deprecated
   } Arc4;
   union {
     struct {
-- 
2.37.1.windows.1



Thread overview: 23+ messages
2022-10-11 15:03 [Patch 00/12] CryptoPkg: Remove EC PCD and merge perf opt OpensslLibs Michael D Kinney
2022-10-11 15:03 ` Michael D Kinney [this message]
2022-10-11 15:03 ` [Patch 02/12] CryptoPkg/Library/BaseCryptLib: Add missing UNI file and fix format Michael D Kinney
2022-10-11 15:03 ` [Patch 03/12] CryptoPkg/Library/BaseCryptLib: Update internal functions/variables Michael D Kinney
2022-10-11 15:03 ` [Patch 04/12] CryptoPkg/Test/UnitTest/Library/BaseCryptLib: Unit test fixes Michael D Kinney
2022-10-11 15:03 ` [Patch 05/12] CryptoPkg/Library: Cleanup BaseCryptLib and TlsLib Michael D Kinney
2022-10-11 15:03 ` [Patch 06/12] CryptoPkg/Library/OpensslLib: Combine all performance optimized INFs Michael D Kinney
2022-10-11 23:20   ` [edk2-devel] " Christopher Zurcher
2022-10-11 23:58     ` Michael D Kinney
2022-10-11 15:03 ` [Patch 07/12] CryptoPkg/Library/OpensslLib: Produce consistent set of APIs Michael D Kinney
2022-10-11 15:03 ` [Patch 08/12] CryptoPkg/Library/OpensslLib: Remove PrintLib from INF files Michael D Kinney
2022-10-11 15:03 ` [Patch 09/12] CryptoPkg: Remove PcdOpensslEcEnabled from CryptoPkg.dec Michael D Kinney
2022-10-11 15:03 ` [Patch 10/12] CryptoPkg: Update DSC to improve CI test coverage Michael D Kinney
2022-10-11 15:03 ` [Patch 11/12] CryptoPkg: Fixed host-based unit tests Michael D Kinney
2022-10-11 15:03 ` [Patch 12/12] CryptoPkg: Add Readme.md Michael D Kinney
2022-10-12  1:08 ` [Patch 00/12] CryptoPkg: Remove EC PCD and merge perf opt OpensslLibs Yao, Jiewen
2022-10-12  1:24   ` Michael D Kinney
2022-10-12  1:36     ` Yao, Jiewen
2022-10-12  1:55       ` Michael D Kinney
2022-10-12  2:07         ` Yao, Jiewen
2022-10-12  2:23           ` Michael D Kinney
2022-10-12  8:33             ` Yao, Jiewen
     [not found]         ` <171D30322FF3DC63.20882@groups.io>
2022-10-12  2:12           ` [edk2-devel] " Yao, Jiewen
