From: "Michael D Kinney" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Xiaoyu Lu , Guomin Jiang , Christopher Zurcher Subject: [Patch 01/12] CryptoPkg: Document and disable deprecated crypto services Date: Tue, 11 Oct 2022 08:03:47 -0700 Message-Id: <20221011150358.1332-2-michael.d.kinney@intel.com> X-Mailer: git-send-email 2.37.1.windows.1 In-Reply-To: <20221011150358.1332-1-michael.d.kinney@intel.com> References: <20221011150358.1332-1-michael.d.kinney@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Also note services that are recommended to be disabled and update CryptoPkg.dsc PcdCryptoServiceFamilyEnable settings disable all deprecated services. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Christopher Zurcher Signed-off-by: Michael D Kinney
---
 CryptoPkg/CryptoPkg.dsc | 10 +-
 .../Pcd/PcdCryptoServiceFamilyEnable.h | 122 ++++++++++--------
 2 files changed, 77 insertions(+), 55 deletions(-)
diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index e4e7bc0dbfae..ab28d8861f10 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -150,7 +150,6 @@ [PcdsFixedAtBuild]
 !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
@@ -160,8 +159,10 @@ [PcdsFixedAtBuild]
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize | TRUE
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init | TRUE
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt | TRUE
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt | TRUE
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
@@ -172,7 +173,7 @@ [PcdsFixedAtBuild]
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.ParallelHash.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.AeadAesGcm.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Bn.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Ec.Family | 0
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Ec.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 !endif
 
 !if $(CRYPTO_SERVICES) == MIN_PEI
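Review bot: `gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY` survives as a context line directly after the new Aes.Services entries in the PACKAGE ALL block, while the header comment added by this same patch lists the Arc4 family among the services that "must never be enabled" and the commit message says the .dsc now disables all deprecated services. That line should be dropped the same way the Md5, Tdes and Aes family lines were. Whether HmacMd5, HmacSha1 or Md4 family lines also remain in this block is not visible in the hunks and should be checked; the value of PCD_CRYPTO_SERVICE_ENABLE_FAMILY is not shown here but presumably enables every service of the family.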
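Review bot: The second hunk turns `Ec.Family` from `0` to `PCD_CRYPTO_SERVICE_ENABLE_FAMILY`, which enables a family rather than disabling a deprecated one and is not mentioned in the commit message of a patch titled "Document and disable deprecated crypto services". A sentence in the description explaining why Ec is switched on for PACKAGE ALL in the same change would keep the commit's scope reviewable, or the change could be split into its own patch.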
@@ -216,6 +217,7 @@ [PcdsFixedAtBuild]
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize | TRUE
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init | TRUE
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt | TRUE
 gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt | TRUE
diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
index 47405894176c..da533543172f 100644
--- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
+++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
@@ -1,6 +1,26 @@
 /** @file
 Defines the PCD_CRYPTO_SERVICE_FAMILY_ENABLE structure associated with
- gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.
+ gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable that is used
+ to enable/disable crypto services at either the family scope or the
+ individual service scope. Platforms can minimize the number of enabled
+ services to reduce size.
+
+ The following services have been deprecated and must never be enabled.
+ The associated fields in this data structure are never removed or replaced
+ to preseve the binary layout of the data structure. New services are
+ always added to the end of the data structure.
+ * HmacMd5 family
+ * HmacSha1 family
+ * Md4 family
+ * Md5 family
+ * Tdes family
+ * Arc4 family
+ * Aes.Services.EcbEncrypt service
+ * Aes.Services.EcbDecrypt service
+
+ Is is recommended that the following services always be disabled and may
+ be deprecated in the future.
+ * Sha1 family
 
 Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -25,25 +45,25 @@ typedef struct {
 union {
 struct {
- UINT8 New : 1;
- UINT8 Free : 1;
- UINT8 SetKey : 1;
- UINT8 Duplicate : 1;
- UINT8 Update : 1;
- UINT8 Final : 1;
+ UINT8 New : 1; // Deprecated
+ UINT8 Free : 1; // Deprecated
+ UINT8 SetKey : 1; // Deprecated
+ UINT8 Duplicate : 1; // Deprecated
+ UINT8 Update : 1; // Deprecated
+ UINT8 Final : 1; // Deprecated
 } Services;
- UINT32 Family;
+ UINT32 Family; // Deprecated
 } HmacMd5;
 union {
 struct {
- UINT8 New : 1;
- UINT8 Free : 1;
- UINT8 SetKey : 1;
- UINT8 Duplicate : 1;
- UINT8 Update : 1;
- UINT8 Final : 1;
+ UINT8 New : 1; // Deprecated
+ UINT8 Free : 1; // Deprecated
+ UINT8 SetKey : 1; // Deprecated
+ UINT8 Duplicate : 1; // Deprecated
+ UINT8 Update : 1; // Deprecated
+ UINT8 Final : 1; // Deprecated
 } Services;
- UINT32 Family;
+ UINT32 Family; // Deprecated
 } HmacSha1;
 union {
 struct {
@@ -71,26 +91,26 @@ typedef struct {
 } HmacSha384;
 union {
 struct {
- UINT8 GetContextSize : 1;
- UINT8 Init : 1;
- UINT8 Duplicate : 1;
- UINT8 Update : 1;
- UINT8 Final : 1;
- UINT8 HashAll : 1;
+ UINT8 GetContextSize : 1; // Deprecated
+ UINT8 Init : 1; // Deprecated
+ UINT8 Duplicate : 1; // Deprecated
+ UINT8 Update : 1; // Deprecated
+ UINT8 Final : 1; // Deprecated
+ UINT8 HashAll : 1; // Deprecated
 } Services;
- UINT32 Family;
+ UINT32 Family; // Deprecated
 } Md4;
 union {
 struct {
- UINT8 GetContextSize : 1;
- UINT8 Init : 1;
- UINT8 Duplicate : 1;
- UINT8 Update : 1;
- UINT8 Final : 1;
- UINT8 HashAll : 1;
+ UINT8 GetContextSize : 1; // Deprecated
+ UINT8 Init : 1; // Deprecated
+ UINT8 Duplicate : 1; // Deprecated
+ UINT8 Update : 1; // Deprecated
+ UINT8 Final : 1; // Deprecated
+ UINT8 HashAll : 1; // Deprecated
 } Services;
 UINT32 Family;
- } Md5;
+ } Md5; // Deprecated
 union {
 struct {
 UINT8 Pkcs1v2Encrypt : 1;
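Review bot: Two typos in the new file header comment: `to preseve the binary layout of the data structure.` should read `to preserve the binary layout of the data structure.`, and `Is is recommended that the following services always be disabled and may` should read `It is recommended that the following services always be disabled and may`. Since this comment is the documented contract that deprecated fields are never removed (so platform PCD overrides keep their binary offsets), it is worth getting the wording right. The header comment's closing `**/` lies outside the hunk.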
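Review bot: In the Md5 union of the `@@ -71,26 +91,26 @@` hunk the `// Deprecated` tag is placed on the closing `} Md5;` line while `UINT32 Family;` is left unannotated, which is the opposite of how HmacMd5, HmacSha1 and Md4 are marked in the same file (tag on `Family`, none on the closing brace). For consistency, and because `Family` is the member a platform actually sets in a .dsc, change the two lines to `UINT32 Family; // Deprecated` and `} Md5;`. The enclosing typedef starts and ends outside the hunk.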
@@ -143,14 +163,14 @@ typedef struct {
 } Rsa;
 union {
 struct {
- UINT8 GetContextSize : 1;
- UINT8 Init : 1;
- UINT8 Duplicate : 1;
- UINT8 Update : 1;
- UINT8 Final : 1;
- UINT8 HashAll : 1;
+ UINT8 GetContextSize : 1; // Recommend disable
+ UINT8 Init : 1; // Recommend disable
+ UINT8 Duplicate : 1; // Recommend disable
+ UINT8 Update : 1; // Recommend disable
+ UINT8 Final : 1; // Recommend disable
+ UINT8 HashAll : 1; // Recommend disable
 } Services;
- UINT32 Family;
+ UINT32 Family; // Recommend disable
 } Sha1;
 union {
 struct {
@@ -202,21 +222,21 @@ typedef struct {
 } X509;
 union {
 struct {
- UINT8 GetContextSize : 1;
- UINT8 Init : 1;
- UINT8 EcbEncrypt : 1;
- UINT8 EcbDecrypt : 1;
- UINT8 CbcEncrypt : 1;
- UINT8 CbcDecrypt : 1;
+ UINT8 GetContextSize : 1; // Deprecated
+ UINT8 Init : 1; // Deprecated
+ UINT8 EcbEncrypt : 1; // Deprecated
+ UINT8 EcbDecrypt : 1; // Deprecated
+ UINT8 CbcEncrypt : 1; // Deprecated
+ UINT8 CbcDecrypt : 1; // Deprecated
 } Services;
- UINT32 Family;
+ UINT32 Family; // Deprecated
 } Tdes;
 union {
 struct {
 UINT8 GetContextSize : 1;
 UINT8 Init : 1;
- UINT8 EcbEncrypt : 1;
- UINT8 EcbDecrypt : 1;
+ UINT8 EcbEncrypt : 1; // Deprecated
+ UINT8 EcbDecrypt : 1; // Deprecated
 UINT8 CbcEncrypt : 1;
 UINT8 CbcDecrypt : 1;
 } Services;
@@ -224,13 +244,13 @@ typedef struct {
 } Aes;
 union {
 struct {
- UINT8 GetContextSize : 1;
- UINT8 Init : 1;
- UINT8 Encrypt : 1;
- UINT8 Decrypt : 1;
- UINT8 Reset : 1;
+ UINT8 GetContextSize : 1; // Deprecated
+ UINT8 Init : 1; // Deprecated
+ UINT8 Encrypt : 1; // Deprecated
+ UINT8 Decrypt : 1; // Deprecated
+ UINT8 Reset : 1; // Deprecated
 } Services;
- UINT32 Family;
+ UINT32 Family; // Deprecated
 } Arc4;
 union {
 struct {
-- 
2.37.1.windows.1
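Review bot: In the Aes union of the `@@ -202,21 +222,21 @@` hunk only `EcbEncrypt` and `EcbDecrypt` are tagged, but because each family is a `union` of the `Services` bitfield and `UINT32 Family`, any platform that keeps `Aes.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY` in its .dsc sets every Services bit and so turns the two deprecated ECB services back on (assuming PCD_CRYPTO_SERVICE_ENABLE_FAMILY is the all-ones value, which is not shown here). The .dsc side of this patch already works around that by listing the four Aes services individually, but the header does not tell other platforms to do the same; the Aes `UINT32 Family;` member sits just past the end of this hunk and should carry a comment such as `UINT32 Family; // Do not use: enables deprecated EcbEncrypt/EcbDecrypt. Enable Aes services individually.`. A one-line note in the file header's deprecated-services list saying that mixed families must be enabled per service would make the same point where platform owners look first.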