* [PATCH] CryptoPkg/Readme.md: typo and grammar fixes @ 2022-11-02 9:36 Laszlo Ersek 2022-11-02 16:48 ` Michael D Kinney 0 siblings, 1 reply; 4+ messages in thread From: Laszlo Ersek @ 2022-11-02 9:36 UTC (permalink / raw) To: devel, lersek Cc: Christopher Zurcher, Guomin Jiang, Jian J Wang, Jiewen Yao, Michael D Kinney, Xiaoyu Lu Commit 244ce33bdd2f ("CryptoPkg: Add Readme.md", 2022-10-24) had added the long-awaited documentation on the dynamic crypto services. Fix some of the typos and arguable grammar errors in "Readme.md". A few light clarifications are also snuck in. Cc: Christopher Zurcher <christopher.zurcher@microsoft.com> Cc: Guomin Jiang <guomin.jiang@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Michael D Kinney <michael.d.kinney@intel.com> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> Signed-off-by: Laszlo Ersek <lersek@redhat.com> --- Notes: Best displayed as a word-diff for review, for example with the command git show --word-diff or on the web at https://pagure.io/lersek/edk2/c/a7269f170437?branch=cryptopkg_readme_typos CryptoPkg/Readme.md | 48 ++++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/CryptoPkg/Readme.md b/CryptoPkg/Readme.md index 946aa1e99e7d..9dd3a951836b 100644 --- a/CryptoPkg/Readme.md +++ b/CryptoPkg/Readme.md @@ -39,7 +39,7 @@ provides the smallest overall firmware overhead. ## Statically Linking Cryptographic Services -The figure below shows an example of a firmware modules that requires the use of +The figure below shows an example of a firmware module that requires the use of cryptographic services. The cryptographic services are provided by three library classes called BaseCryptLib, TlsLib, and HashApiLib. These library classes are implemented using APIs from the OpenSSL project that are abstracted by the @@ -49,7 +49,7 @@ full C runtime library for firmware components. Instead, the CryptoPkg includes the smallest subset of services required to build the OpenSSL project in the private library class called IntrinsicLib. -The CryptoPkg provides several instances if the BaseCryptLib and OpensslLib with +The CryptoPkg provides several instances of the BaseCryptLib and OpensslLib with different cryptographic service features and performance optimizations. The platform developer must select the correct instances based on cryptographic service requirements in each UEFI/PI firmware phase (SEC, PEI, DXE, UEFI, @@ -97,9 +97,9 @@ linking is not available for SEC or UEFI RT modules. The EDK II modules/libraries that require cryptographic services use the same BaseCryptLib/TlsLib/HashApiLib APIs. This means no source changes are required -to use static linking or dynamic linking. It is a platform configuration options -to select static linking or dynamic linking. This choice can be make globally, -per firmware module type, or individual modules. +to use static linking or dynamic linking. It is a platform configuration option +to select static linking or dynamic linking. This choice can be made globally, +per firmware module type, or for individual modules. ``` +===================+ +===================+ +===================+ @@ -159,7 +159,7 @@ The table below provides a summary of the supported cryptographic services. It indicates if the family or service is deprecated or recommended to not be used. It also shows which *CryptLib library instances support the family or service. If a cell is blank then the service or family is always disabled and the -`PcdCryptoServiceFamilyEnable` settings for that family or service is ignored. +`PcdCryptoServiceFamilyEnable` setting for that family or service is ignored. If the cell is not blank, then the service or family is configurable using `PcdCryptoServiceFamilyEnable` as long as the correct OpensslLib or TlsLib is also configured. @@ -234,10 +234,10 @@ phases (SEC, PEI, DXE, UEFI, SMM, UEFI RT). The following table can be used to help select the best OpensslLib instance for each phase. The Size column only shows the estimated size increase for a -compressed IA32/X64 modules that uses the cryptographic services with +compressed IA32/X64 module that uses the cryptographic services with `OpensslLib.inf` as the baseline size. The actual size increase depends on the specific set of enabled cryptographic services. If ECC services are not -required, then size can be reduced by using OpensslLib.inf instead of +required, then the size can be reduced by using OpensslLib.inf instead of `OpensslLibFull.inf`. Performance optimization requires a size increase. | OpensslLib Instance | SSL | ECC | Perf Opt | CPU Arch | Size | @@ -371,10 +371,10 @@ settings. ### UEFI Runtime Driver Library Mappings -UEFI Runtime Drivers only supports static linking of cryptographic services. -The following library mappings are recommended for UEFI Runtime Drivers. It uses -the runtime specific version of the BaseCryptLib and the null version of the -TlsLib because TLS services are not typically used in runtime. +UEFI Runtime Drivers only support static linking of cryptographic services. +The following library mappings are recommended for UEFI Runtime Drivers. They +use the runtime specific version of the BaseCryptLib and the null version of the +TlsLib because TLS services are not typically used at runtime. ``` [LibraryClasses.common.DXE_RUNTIME_DRIVER] @@ -388,13 +388,13 @@ TlsLib because TLS services are not typically used in runtime. ### PCD Configuration Settings There are 2 PCD settings that are used to configure cryptographic services. -`PcdHashApiLibPolicy` is used to configure the hash algorithm provided by the +`PcdHashApiLibPolicy` is used to configure the hash algorithms provided by the BaseHashApiLib library instance. `PcdCryptoServiceFamilyEnable` is used to configure the cryptographic services supported by the CryptoPei, CryptoDxe, and CryptoSmm modules. * `gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy` - This PCD indicates the - HASH algorithm to to use in the BaseHashApiLib to calculate hash of data. The + HASH algorithms to use in the BaseHashApiLib to calculate hash of data. The default hashing algorithm for BaseHashApiLib is set to HASH_ALG_SHA256. | Setting | Algorithm | |------------|------------------| @@ -407,8 +407,8 @@ and CryptoSmm modules. * `gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable` - Enable/Disable the families and individual services produced by the EDK II Crypto Protocols/PPIs. The default is all services disabled. This Structured PCD is - associated with `PCD_CRYPTO_SERVICE_FAMILY_ENABLE` structure that defined in - `Include/Pcd/PcdCryptoServiceFamilyEnable.h`. + associated with the `PCD_CRYPTO_SERVICE_FAMILY_ENABLE` structure that is + defined in `Include/Pcd/PcdCryptoServiceFamilyEnable.h`. There are three layers of priority that determine if a specific family or individual cryptographic service is actually enabled in the CryptoPei, @@ -420,15 +420,15 @@ and CryptoSmm modules. OpensslLib instance linked, then the service is always disabled. 2) BaseCryptLib instance selection. * CryptoPei is always linked with the PeiCryptLib instance of the - BaseCryptLib library class. The table above have a column for the + BaseCryptLib library class. The table above has a column for the PeiCryptLib. If the family or service is blank, then that family or service is always disabled. * CryptoDxe is always linked with the BaseCryptLib instance of the - BaseCryptLib library class. The table above have a column for the + BaseCryptLib library class. The table above has a column for the BaseCryptLib. If the family or service is blank, then that family or service is always disabled. * CryptoSmm is always linked with the SmmCryptLib instance of the - BaseCryptLib library class. The table above have a column for the + BaseCryptLib library class. The table above has a column for the SmmCryptLib. If the family or service is blank, then that family or service is always disabled. 3) If a family or service is enabled in the OpensslLib instance and it is @@ -438,11 +438,11 @@ and CryptoSmm modules. bit fields for each family of services. All of the families are disabled by default. An entire family of services can be enabled by setting the family field to the value `PCD_CRYPTO_SERVICE_ENABLE_FAMILY`. Individual - services can be enabled by setting a single service name to `TRUE`. - Settings listed later in the DSC file have priority over settings earlier - in the DSC file, so it is legal for an entire family to be enabled first - and then a few individual services disabled by setting the service name to - `FALSE`. + services can be enabled by setting a single service name (bit) to `TRUE`. + Settings listed later in the DSC file have priority over settings listed + earlier in the DSC file, so it is valid for an entire family to be enabled + first and then for a few individual services to be disabled by setting + those service names to `FALSE`. #### Common PEI PcdCryptoServiceFamilyEnable Settings ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] CryptoPkg/Readme.md: typo and grammar fixes 2022-11-02 9:36 [PATCH] CryptoPkg/Readme.md: typo and grammar fixes Laszlo Ersek @ 2022-11-02 16:48 ` Michael D Kinney 2022-11-03 14:35 ` Laszlo Ersek 0 siblings, 1 reply; 4+ messages in thread From: Michael D Kinney @ 2022-11-02 16:48 UTC (permalink / raw) To: Laszlo Ersek, devel@edk2.groups.io, Kinney, Michael D Cc: Zurcher, Christopher, Jiang, Guomin, Wang, Jian J, Yao, Jiewen, Lu, Xiaoyu1 Hi Laszlo, Thank you for all the updates. One comment below. Mike > -----Original Message----- > From: Laszlo Ersek <lersek@redhat.com> > Sent: Wednesday, November 2, 2022 2:37 AM > To: devel@edk2.groups.io; lersek@redhat.com > Cc: Zurcher, Christopher <christopher.zurcher@microsoft.com>; Jiang, Guomin <guomin.jiang@intel.com>; Wang, Jian J > <jian.j.wang@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Lu, Xiaoyu1 > <xiaoyu1.lu@intel.com> > Subject: [PATCH] CryptoPkg/Readme.md: typo and grammar fixes > > Commit 244ce33bdd2f ("CryptoPkg: Add Readme.md", 2022-10-24) had added the > long-awaited documentation on the dynamic crypto services. Fix some of the > typos and arguable grammar errors in "Readme.md". A few light > clarifications are also snuck in. > > Cc: Christopher Zurcher <christopher.zurcher@microsoft.com> > Cc: Guomin Jiang <guomin.jiang@intel.com> > Cc: Jian J Wang <jian.j.wang@intel.com> > Cc: Jiewen Yao <jiewen.yao@intel.com> > Cc: Michael D Kinney <michael.d.kinney@intel.com> > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> > Signed-off-by: Laszlo Ersek <lersek@redhat.com> > --- > > Notes: > Best displayed as a word-diff for review, for example with the command > > git show --word-diff > > or on the web at > > https://pagure.io/lersek/edk2/c/a7269f170437?branch=cryptopkg_readme_typos > > CryptoPkg/Readme.md | 48 ++++++++++---------- > 1 file changed, 24 insertions(+), 24 deletions(-) > > diff --git a/CryptoPkg/Readme.md b/CryptoPkg/Readme.md > index 946aa1e99e7d..9dd3a951836b 100644 > --- a/CryptoPkg/Readme.md > +++ b/CryptoPkg/Readme.md > @@ -39,7 +39,7 @@ provides the smallest overall firmware overhead. > > ## Statically Linking Cryptographic Services > > -The figure below shows an example of a firmware modules that requires the use of > +The figure below shows an example of a firmware module that requires the use of > cryptographic services. The cryptographic services are provided by three library > classes called BaseCryptLib, TlsLib, and HashApiLib. These library classes are > implemented using APIs from the OpenSSL project that are abstracted by the > @@ -49,7 +49,7 @@ full C runtime library for firmware components. Instead, the CryptoPkg includes > the smallest subset of services required to build the OpenSSL project in the > private library class called IntrinsicLib. > > -The CryptoPkg provides several instances if the BaseCryptLib and OpensslLib with > +The CryptoPkg provides several instances of the BaseCryptLib and OpensslLib with > different cryptographic service features and performance optimizations. The > platform developer must select the correct instances based on cryptographic > service requirements in each UEFI/PI firmware phase (SEC, PEI, DXE, UEFI, > @@ -97,9 +97,9 @@ linking is not available for SEC or UEFI RT modules. > > The EDK II modules/libraries that require cryptographic services use the same > BaseCryptLib/TlsLib/HashApiLib APIs. This means no source changes are required > -to use static linking or dynamic linking. It is a platform configuration options > -to select static linking or dynamic linking. This choice can be make globally, > -per firmware module type, or individual modules. > +to use static linking or dynamic linking. It is a platform configuration option > +to select static linking or dynamic linking. This choice can be made globally, > +per firmware module type, or for individual modules. > > ``` > +===================+ +===================+ +===================+ > @@ -159,7 +159,7 @@ The table below provides a summary of the supported cryptographic services. It > indicates if the family or service is deprecated or recommended to not be used. > It also shows which *CryptLib library instances support the family or service. > If a cell is blank then the service or family is always disabled and the > -`PcdCryptoServiceFamilyEnable` settings for that family or service is ignored. > +`PcdCryptoServiceFamilyEnable` setting for that family or service is ignored. > If the cell is not blank, then the service or family is configurable using > `PcdCryptoServiceFamilyEnable` as long as the correct OpensslLib or TlsLib is > also configured. > @@ -234,10 +234,10 @@ phases (SEC, PEI, DXE, UEFI, SMM, UEFI RT). > > The following table can be used to help select the best OpensslLib instance for > each phase. The Size column only shows the estimated size increase for a > -compressed IA32/X64 modules that uses the cryptographic services with > +compressed IA32/X64 module that uses the cryptographic services with > `OpensslLib.inf` as the baseline size. The actual size increase depends on the > specific set of enabled cryptographic services. If ECC services are not > -required, then size can be reduced by using OpensslLib.inf instead of > +required, then the size can be reduced by using OpensslLib.inf instead of > `OpensslLibFull.inf`. Performance optimization requires a size increase. > > | OpensslLib Instance | SSL | ECC | Perf Opt | CPU Arch | Size | > @@ -371,10 +371,10 @@ settings. > > ### UEFI Runtime Driver Library Mappings > > -UEFI Runtime Drivers only supports static linking of cryptographic services. > -The following library mappings are recommended for UEFI Runtime Drivers. It uses > -the runtime specific version of the BaseCryptLib and the null version of the > -TlsLib because TLS services are not typically used in runtime. > +UEFI Runtime Drivers only support static linking of cryptographic services. > +The following library mappings are recommended for UEFI Runtime Drivers. They > +use the runtime specific version of the BaseCryptLib and the null version of the > +TlsLib because TLS services are not typically used at runtime. > > ``` > [LibraryClasses.common.DXE_RUNTIME_DRIVER] > @@ -388,13 +388,13 @@ TlsLib because TLS services are not typically used in runtime. > ### PCD Configuration Settings > > There are 2 PCD settings that are used to configure cryptographic services. > -`PcdHashApiLibPolicy` is used to configure the hash algorithm provided by the > +`PcdHashApiLibPolicy` is used to configure the hash algorithms provided by the > BaseHashApiLib library instance. `PcdCryptoServiceFamilyEnable` is used to > configure the cryptographic services supported by the CryptoPei, CryptoDxe, > and CryptoSmm modules. > > * `gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy` - This PCD indicates the > - HASH algorithm to to use in the BaseHashApiLib to calculate hash of data. The > + HASH algorithms to use in the BaseHashApiLib to calculate hash of data. The It is my understanding that the BaseHashApiLib supports at most one algorithm. Perhaps this is only an attribute of the current implementation. The declaration of the PCD values for this PCD could support a bitmask that could allow multiple algorithm values to be ORed together. However, the DEC file description does not state that. The example below shows the current implementation that does not interpret as a bitmask. In fact, setting more than one algorithm value would fall through to the default clause. So you recommend an update to DEC and implementation to support bitmask? Or restrict the PCD and implementation to a single algorithm? UINTN EFIAPI HashApiGetContextSize ( VOID ) { switch (PcdGet32 (PcdHashApiLibPolicy)) { case HASH_ALG_SHA1: return Sha1GetContextSize (); break; case HASH_ALG_SHA256: return Sha256GetContextSize (); break; case HASH_ALG_SHA384: return Sha384GetContextSize (); break; case HASH_ALG_SHA512: return Sha512GetContextSize (); break; case HASH_ALG_SM3_256: return Sm3GetContextSize (); break; default: ASSERT (FALSE); return 0; break; } } > default hashing algorithm for BaseHashApiLib is set to HASH_ALG_SHA256. > | Setting | Algorithm | > |------------|------------------| > @@ -407,8 +407,8 @@ and CryptoSmm modules. > * `gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable` - Enable/Disable > the families and individual services produced by the EDK II Crypto > Protocols/PPIs. The default is all services disabled. This Structured PCD is > - associated with `PCD_CRYPTO_SERVICE_FAMILY_ENABLE` structure that defined in > - `Include/Pcd/PcdCryptoServiceFamilyEnable.h`. > + associated with the `PCD_CRYPTO_SERVICE_FAMILY_ENABLE` structure that is > + defined in `Include/Pcd/PcdCryptoServiceFamilyEnable.h`. > > There are three layers of priority that determine if a specific family or > individual cryptographic service is actually enabled in the CryptoPei, > @@ -420,15 +420,15 @@ and CryptoSmm modules. > OpensslLib instance linked, then the service is always disabled. > 2) BaseCryptLib instance selection. > * CryptoPei is always linked with the PeiCryptLib instance of the > - BaseCryptLib library class. The table above have a column for the > + BaseCryptLib library class. The table above has a column for the > PeiCryptLib. If the family or service is blank, then that family or > service is always disabled. > * CryptoDxe is always linked with the BaseCryptLib instance of the > - BaseCryptLib library class. The table above have a column for the > + BaseCryptLib library class. The table above has a column for the > BaseCryptLib. If the family or service is blank, then that family or > service is always disabled. > * CryptoSmm is always linked with the SmmCryptLib instance of the > - BaseCryptLib library class. The table above have a column for the > + BaseCryptLib library class. The table above has a column for the > SmmCryptLib. If the family or service is blank, then that family or > service is always disabled. > 3) If a family or service is enabled in the OpensslLib instance and it is > @@ -438,11 +438,11 @@ and CryptoSmm modules. > bit fields for each family of services. All of the families are disabled > by default. An entire family of services can be enabled by setting the > family field to the value `PCD_CRYPTO_SERVICE_ENABLE_FAMILY`. Individual > - services can be enabled by setting a single service name to `TRUE`. > - Settings listed later in the DSC file have priority over settings earlier > - in the DSC file, so it is legal for an entire family to be enabled first > - and then a few individual services disabled by setting the service name to > - `FALSE`. > + services can be enabled by setting a single service name (bit) to `TRUE`. > + Settings listed later in the DSC file have priority over settings listed > + earlier in the DSC file, so it is valid for an entire family to be enabled > + first and then for a few individual services to be disabled by setting > + those service names to `FALSE`. > > #### Common PEI PcdCryptoServiceFamilyEnable Settings > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] CryptoPkg/Readme.md: typo and grammar fixes 2022-11-02 16:48 ` Michael D Kinney @ 2022-11-03 14:35 ` Laszlo Ersek 2022-11-03 16:50 ` [edk2-devel] " Michael D Kinney 0 siblings, 1 reply; 4+ messages in thread From: Laszlo Ersek @ 2022-11-03 14:35 UTC (permalink / raw) To: Kinney, Michael D, devel@edk2.groups.io Cc: Zurcher, Christopher, Jiang, Guomin, Wang, Jian J, Yao, Jiewen, Lu, Xiaoyu1, Amol N Sukerkar Hi Mike, On 11/02/22 17:48, Kinney, Michael D wrote: > Hi Laszlo, > > Thank you for all the updates. One comment below. > > Mike > >> -----Original Message----- >> From: Laszlo Ersek <lersek@redhat.com> >> Sent: Wednesday, November 2, 2022 2:37 AM >> To: devel@edk2.groups.io; lersek@redhat.com >> Cc: Zurcher, Christopher <christopher.zurcher@microsoft.com>; Jiang, Guomin <guomin.jiang@intel.com>; Wang, Jian J >> <jian.j.wang@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Lu, Xiaoyu1 >> <xiaoyu1.lu@intel.com> >> Subject: [PATCH] CryptoPkg/Readme.md: typo and grammar fixes >> >> Commit 244ce33bdd2f ("CryptoPkg: Add Readme.md", 2022-10-24) had added the >> long-awaited documentation on the dynamic crypto services. Fix some of the >> typos and arguable grammar errors in "Readme.md". A few light >> clarifications are also snuck in. >> >> Cc: Christopher Zurcher <christopher.zurcher@microsoft.com> >> Cc: Guomin Jiang <guomin.jiang@intel.com> >> Cc: Jian J Wang <jian.j.wang@intel.com> >> Cc: Jiewen Yao <jiewen.yao@intel.com> >> Cc: Michael D Kinney <michael.d.kinney@intel.com> >> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> >> Signed-off-by: Laszlo Ersek <lersek@redhat.com> >> --- >> >> Notes: >> Best displayed as a word-diff for review, for example with the command >> >> git show --word-diff >> >> or on the web at >> >> https://pagure.io/lersek/edk2/c/a7269f170437?branch=cryptopkg_readme_typos >> >> CryptoPkg/Readme.md | 48 ++++++++++---------- >> 1 file changed, 24 insertions(+), 24 deletions(-) >> >> diff --git a/CryptoPkg/Readme.md b/CryptoPkg/Readme.md >> index 946aa1e99e7d..9dd3a951836b 100644 >> --- a/CryptoPkg/Readme.md >> +++ b/CryptoPkg/Readme.md >> @@ -39,7 +39,7 @@ provides the smallest overall firmware overhead. >> >> ## Statically Linking Cryptographic Services >> >> -The figure below shows an example of a firmware modules that requires the use of >> +The figure below shows an example of a firmware module that requires the use of >> cryptographic services. The cryptographic services are provided by three library >> classes called BaseCryptLib, TlsLib, and HashApiLib. These library classes are >> implemented using APIs from the OpenSSL project that are abstracted by the >> @@ -49,7 +49,7 @@ full C runtime library for firmware components. Instead, the CryptoPkg includes >> the smallest subset of services required to build the OpenSSL project in the >> private library class called IntrinsicLib. >> >> -The CryptoPkg provides several instances if the BaseCryptLib and OpensslLib with >> +The CryptoPkg provides several instances of the BaseCryptLib and OpensslLib with >> different cryptographic service features and performance optimizations. The >> platform developer must select the correct instances based on cryptographic >> service requirements in each UEFI/PI firmware phase (SEC, PEI, DXE, UEFI, >> @@ -97,9 +97,9 @@ linking is not available for SEC or UEFI RT modules. >> >> The EDK II modules/libraries that require cryptographic services use the same >> BaseCryptLib/TlsLib/HashApiLib APIs. This means no source changes are required >> -to use static linking or dynamic linking. It is a platform configuration options >> -to select static linking or dynamic linking. This choice can be make globally, >> -per firmware module type, or individual modules. >> +to use static linking or dynamic linking. It is a platform configuration option >> +to select static linking or dynamic linking. This choice can be made globally, >> +per firmware module type, or for individual modules. >> >> ``` >> +===================+ +===================+ +===================+ >> @@ -159,7 +159,7 @@ The table below provides a summary of the supported cryptographic services. It >> indicates if the family or service is deprecated or recommended to not be used. >> It also shows which *CryptLib library instances support the family or service. >> If a cell is blank then the service or family is always disabled and the >> -`PcdCryptoServiceFamilyEnable` settings for that family or service is ignored. >> +`PcdCryptoServiceFamilyEnable` setting for that family or service is ignored. >> If the cell is not blank, then the service or family is configurable using >> `PcdCryptoServiceFamilyEnable` as long as the correct OpensslLib or TlsLib is >> also configured. >> @@ -234,10 +234,10 @@ phases (SEC, PEI, DXE, UEFI, SMM, UEFI RT). >> >> The following table can be used to help select the best OpensslLib instance for >> each phase. The Size column only shows the estimated size increase for a >> -compressed IA32/X64 modules that uses the cryptographic services with >> +compressed IA32/X64 module that uses the cryptographic services with >> `OpensslLib.inf` as the baseline size. The actual size increase depends on the >> specific set of enabled cryptographic services. If ECC services are not >> -required, then size can be reduced by using OpensslLib.inf instead of >> +required, then the size can be reduced by using OpensslLib.inf instead of >> `OpensslLibFull.inf`. Performance optimization requires a size increase. >> >> | OpensslLib Instance | SSL | ECC | Perf Opt | CPU Arch | Size | >> @@ -371,10 +371,10 @@ settings. >> >> ### UEFI Runtime Driver Library Mappings >> >> -UEFI Runtime Drivers only supports static linking of cryptographic services. >> -The following library mappings are recommended for UEFI Runtime Drivers. It uses >> -the runtime specific version of the BaseCryptLib and the null version of the >> -TlsLib because TLS services are not typically used in runtime. >> +UEFI Runtime Drivers only support static linking of cryptographic services. >> +The following library mappings are recommended for UEFI Runtime Drivers. They >> +use the runtime specific version of the BaseCryptLib and the null version of the >> +TlsLib because TLS services are not typically used at runtime. >> >> ``` >> [LibraryClasses.common.DXE_RUNTIME_DRIVER] >> @@ -388,13 +388,13 @@ TlsLib because TLS services are not typically used in runtime. >> ### PCD Configuration Settings >> >> There are 2 PCD settings that are used to configure cryptographic services. >> -`PcdHashApiLibPolicy` is used to configure the hash algorithm provided by the >> +`PcdHashApiLibPolicy` is used to configure the hash algorithms provided by the >> BaseHashApiLib library instance. `PcdCryptoServiceFamilyEnable` is used to >> configure the cryptographic services supported by the CryptoPei, CryptoDxe, >> and CryptoSmm modules. >> >> * `gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy` - This PCD indicates the >> - HASH algorithm to to use in the BaseHashApiLib to calculate hash of data. The >> + HASH algorithms to use in the BaseHashApiLib to calculate hash of data. The > > It is my understanding that the BaseHashApiLib supports at most one algorithm. > Perhaps this is only an attribute of the current implementation. The declaration > of the PCD values for this PCD could support a bitmask that could allow multiple > algorithm values to be ORed together. However, the DEC file description does not > state that. The example below shows the current implementation that does > not interpret as a bitmask. In fact, setting more than one algorithm value > would fall through to the default clause. So you recommend an update to DEC > and implementation to support bitmask? Or restrict the PCD and implementation > to a single algorithm? > > UINTN > EFIAPI > HashApiGetContextSize ( > VOID > ) > { > switch (PcdGet32 (PcdHashApiLibPolicy)) { > case HASH_ALG_SHA1: > return Sha1GetContextSize (); > break; > > case HASH_ALG_SHA256: > return Sha256GetContextSize (); > break; > > case HASH_ALG_SHA384: > return Sha384GetContextSize (); > break; > > case HASH_ALG_SHA512: > return Sha512GetContextSize (); > break; > > case HASH_ALG_SM3_256: > return Sm3GetContextSize (); > break; > > default: > ASSERT (FALSE); > return 0; > break; > } > } Thank you for confirming this; in fact I had my doubts on this hunk. I had checked the PCD in the DEC file, but not the implementation. The DEC file does employ the term "algorithm" in singular, multiple times at that. However, the individual values are not consecutive -- they are values of distinct bits. This suggests a a bitmap, and it also seemed "more sensible" for a library to support multiple hash algorithms at the same time (similarly to how PcdCryptoServiceFamilyEnable could enable multiple algorithms at the same time). I didn't realize the PCD was supposed to bind the library to one particular hash algorithm -- that seemed too limiting for an entire platform. (Even with component-scope or component-type-scope Fixed-at-Build overrides in a DSC file, it was hard to find a use case for fixating different sets of modules in the same platform to different *unique* hash algos at build time.) In effect I expected PcdHashApiLibPolicy to work similarly to PcdCryptoServiceFamilyEnable. Additionally -- I had missed @ValidList in the DEC file; sorry about that. The explicit listing there makes it a bit clearer that PcdHashApiLibPolicy is not a bitmap. I don't know why the current values suggest the possibility of a bitmap -- were they meant as future-proofing, for an implementation that might support more algos at the same time? So my suggestion would be to "restrict the PCD and implementation to a single algorithm" (as you write), in particular remove the confusion by renumbering the identifiers so they form a consecutive sequence. Except... :) I notice that: (a) These macros (such as HASH_ALG_SHA256) are defined in "MdePkg/Include/IndustryStandard/Tpm20.h". So it's not possible to just change the integer values in the DEC file but keep the macro names; that would de-sync the PCD file with "Tpm20.h". To be honest I find it suboptimal that the Hash library API is bound to TPM2 specifics -- hashing is more general than its usage in TPM2. (b) "git blame" actually provides context: - commit 3feea54eae33 ("CryptoPkg/BaseHashApiLib: Implement Unified Hash Calculation API", 2020-02-03), for bugzilla 2151, introduced HashApiLib with a consecutive list of integer hash algo identifiers, - commit c70bdf9d4a6a ("CryptoPkg/BaseHashApiLib: Align BaseHashApiLib with TPM 2.0 Implementation", 2020-02-19), for bugzilla 2511, replaced the originally consecutive values with the TPM2 bit values, So what I thought was logical had actually existed in the past, but then it got replaced with the current "bitmask-suggesting" values, for bug 2511. In the end I think I should drop this hunk from the "Readme.md" patch; however, while technically correct, the DEC file remains confusing. The values seem to be aligned with the TPM2 spec just for simplicity's sake, and that's fine, but it should be documented. IIUC the TPM2 spec does actually rely on these values being organized into a bitmap, but that's something that HashApiLib does not utilize. I think this should be emphasized in the DEC file (i.e. that the library interface permits a single hash algo only). We also have: > @Prompt Set policy for hashing unsigned image for Secure Boot. which I think is too restrictive; surely there are uses for HashApiLib other than SecureBoot. This very "Readme.md" file discusses HashApiLib in the SEC and PEI phases, and Secure Boot is not defined in those phases. I'm happy to update this patch for Readme.md (note: there's still a typo to fix in this context: "to to use"); I'd rather leave the "CryptoPkg.dec" update to someone else :) (Most likely Amol -- CC'd.) Thanks, Laszlo > > > >> default hashing algorithm for BaseHashApiLib is set to HASH_ALG_SHA256. >> | Setting | Algorithm | >> |------------|------------------| >> @@ -407,8 +407,8 @@ and CryptoSmm modules. >> * `gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable` - Enable/Disable >> the families and individual services produced by the EDK II Crypto >> Protocols/PPIs. The default is all services disabled. This Structured PCD is >> - associated with `PCD_CRYPTO_SERVICE_FAMILY_ENABLE` structure that defined in >> - `Include/Pcd/PcdCryptoServiceFamilyEnable.h`. >> + associated with the `PCD_CRYPTO_SERVICE_FAMILY_ENABLE` structure that is >> + defined in `Include/Pcd/PcdCryptoServiceFamilyEnable.h`. >> >> There are three layers of priority that determine if a specific family or >> individual cryptographic service is actually enabled in the CryptoPei, >> @@ -420,15 +420,15 @@ and CryptoSmm modules. >> OpensslLib instance linked, then the service is always disabled. >> 2) BaseCryptLib instance selection. >> * CryptoPei is always linked with the PeiCryptLib instance of the >> - BaseCryptLib library class. The table above have a column for the >> + BaseCryptLib library class. The table above has a column for the >> PeiCryptLib. If the family or service is blank, then that family or >> service is always disabled. >> * CryptoDxe is always linked with the BaseCryptLib instance of the >> - BaseCryptLib library class. The table above have a column for the >> + BaseCryptLib library class. The table above has a column for the >> BaseCryptLib. If the family or service is blank, then that family or >> service is always disabled. >> * CryptoSmm is always linked with the SmmCryptLib instance of the >> - BaseCryptLib library class. The table above have a column for the >> + BaseCryptLib library class. The table above has a column for the >> SmmCryptLib. If the family or service is blank, then that family or >> service is always disabled. >> 3) If a family or service is enabled in the OpensslLib instance and it is >> @@ -438,11 +438,11 @@ and CryptoSmm modules. >> bit fields for each family of services. All of the families are disabled >> by default. An entire family of services can be enabled by setting the >> family field to the value `PCD_CRYPTO_SERVICE_ENABLE_FAMILY`. Individual >> - services can be enabled by setting a single service name to `TRUE`. >> - Settings listed later in the DSC file have priority over settings earlier >> - in the DSC file, so it is legal for an entire family to be enabled first >> - and then a few individual services disabled by setting the service name to >> - `FALSE`. >> + services can be enabled by setting a single service name (bit) to `TRUE`. >> + Settings listed later in the DSC file have priority over settings listed >> + earlier in the DSC file, so it is valid for an entire family to be enabled >> + first and then for a few individual services to be disabled by setting >> + those service names to `FALSE`. >> >> #### Common PEI PcdCryptoServiceFamilyEnable Settings >> ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [edk2-devel] [PATCH] CryptoPkg/Readme.md: typo and grammar fixes 2022-11-03 14:35 ` Laszlo Ersek @ 2022-11-03 16:50 ` Michael D Kinney 0 siblings, 0 replies; 4+ messages in thread From: Michael D Kinney @ 2022-11-03 16:50 UTC (permalink / raw) To: devel@edk2.groups.io, lersek@redhat.com, Kinney, Michael D Cc: Zurcher, Christopher, Jiang, Guomin, Wang, Jian J, Yao, Jiewen, Lu, Xiaoyu1, Sukerkar, Amol N Hi Laszlo, I think we should consider expending the meaning of PCD to allow multiple algos and update lib implementation to support multiple. This should not have a size impact for platforms that only want one algo. And should also be backwards compatible to expand meaning to support multiple. Let's go with your updated patch that leaves it single algo to get the Readme.md fixed now. We can enter new BZs feature requests to expand PCD from single to multiple and expand lib to support multiple. Thanks, Mike > -----Original Message----- > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo Ersek > Sent: Thursday, November 3, 2022 7:35 AM > To: Kinney, Michael D <michael.d.kinney@intel.com>; devel@edk2.groups.io > Cc: Zurcher, Christopher <christopher.zurcher@microsoft.com>; Jiang, Guomin <guomin.jiang@intel.com>; Wang, Jian J > <jian.j.wang@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Sukerkar, Amol N > <amol.n.sukerkar@intel.com> > Subject: Re: [edk2-devel] [PATCH] CryptoPkg/Readme.md: typo and grammar fixes > > Hi Mike, > > On 11/02/22 17:48, Kinney, Michael D wrote: > > Hi Laszlo, > > > > Thank you for all the updates. One comment below. > > > > Mike > > > >> -----Original Message----- > >> From: Laszlo Ersek <lersek@redhat.com> > >> Sent: Wednesday, November 2, 2022 2:37 AM > >> To: devel@edk2.groups.io; lersek@redhat.com > >> Cc: Zurcher, Christopher <christopher.zurcher@microsoft.com>; Jiang, Guomin <guomin.jiang@intel.com>; Wang, Jian J > >> <jian.j.wang@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Lu, Xiaoyu1 > >> <xiaoyu1.lu@intel.com> > >> Subject: [PATCH] CryptoPkg/Readme.md: typo and grammar fixes > >> > >> Commit 244ce33bdd2f ("CryptoPkg: Add Readme.md", 2022-10-24) had added the > >> long-awaited documentation on the dynamic crypto services. Fix some of the > >> typos and arguable grammar errors in "Readme.md". A few light > >> clarifications are also snuck in. > >> > >> Cc: Christopher Zurcher <christopher.zurcher@microsoft.com> > >> Cc: Guomin Jiang <guomin.jiang@intel.com> > >> Cc: Jian J Wang <jian.j.wang@intel.com> > >> Cc: Jiewen Yao <jiewen.yao@intel.com> > >> Cc: Michael D Kinney <michael.d.kinney@intel.com> > >> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> > >> Signed-off-by: Laszlo Ersek <lersek@redhat.com> > >> --- > >> > >> Notes: > >> Best displayed as a word-diff for review, for example with the command > >> > >> git show --word-diff > >> > >> or on the web at > >> > >> https://pagure.io/lersek/edk2/c/a7269f170437?branch=cryptopkg_readme_typos > >> > >> CryptoPkg/Readme.md | 48 ++++++++++---------- > >> 1 file changed, 24 insertions(+), 24 deletions(-) > >> > >> diff --git a/CryptoPkg/Readme.md b/CryptoPkg/Readme.md > >> index 946aa1e99e7d..9dd3a951836b 100644 > >> --- a/CryptoPkg/Readme.md > >> +++ b/CryptoPkg/Readme.md > >> @@ -39,7 +39,7 @@ provides the smallest overall firmware overhead. > >> > >> ## Statically Linking Cryptographic Services > >> > >> -The figure below shows an example of a firmware modules that requires the use of > >> +The figure below shows an example of a firmware module that requires the use of > >> cryptographic services. The cryptographic services are provided by three library > >> classes called BaseCryptLib, TlsLib, and HashApiLib. These library classes are > >> implemented using APIs from the OpenSSL project that are abstracted by the > >> @@ -49,7 +49,7 @@ full C runtime library for firmware components. Instead, the CryptoPkg includes > >> the smallest subset of services required to build the OpenSSL project in the > >> private library class called IntrinsicLib. > >> > >> -The CryptoPkg provides several instances if the BaseCryptLib and OpensslLib with > >> +The CryptoPkg provides several instances of the BaseCryptLib and OpensslLib with > >> different cryptographic service features and performance optimizations. The > >> platform developer must select the correct instances based on cryptographic > >> service requirements in each UEFI/PI firmware phase (SEC, PEI, DXE, UEFI, > >> @@ -97,9 +97,9 @@ linking is not available for SEC or UEFI RT modules. > >> > >> The EDK II modules/libraries that require cryptographic services use the same > >> BaseCryptLib/TlsLib/HashApiLib APIs. This means no source changes are required > >> -to use static linking or dynamic linking. It is a platform configuration options > >> -to select static linking or dynamic linking. This choice can be make globally, > >> -per firmware module type, or individual modules. > >> +to use static linking or dynamic linking. It is a platform configuration option > >> +to select static linking or dynamic linking. This choice can be made globally, > >> +per firmware module type, or for individual modules. > >> > >> ``` > >> +===================+ +===================+ +===================+ > >> @@ -159,7 +159,7 @@ The table below provides a summary of the supported cryptographic services. It > >> indicates if the family or service is deprecated or recommended to not be used. > >> It also shows which *CryptLib library instances support the family or service. > >> If a cell is blank then the service or family is always disabled and the > >> -`PcdCryptoServiceFamilyEnable` settings for that family or service is ignored. > >> +`PcdCryptoServiceFamilyEnable` setting for that family or service is ignored. > >> If the cell is not blank, then the service or family is configurable using > >> `PcdCryptoServiceFamilyEnable` as long as the correct OpensslLib or TlsLib is > >> also configured. > >> @@ -234,10 +234,10 @@ phases (SEC, PEI, DXE, UEFI, SMM, UEFI RT). > >> > >> The following table can be used to help select the best OpensslLib instance for > >> each phase. The Size column only shows the estimated size increase for a > >> -compressed IA32/X64 modules that uses the cryptographic services with > >> +compressed IA32/X64 module that uses the cryptographic services with > >> `OpensslLib.inf` as the baseline size. The actual size increase depends on the > >> specific set of enabled cryptographic services. If ECC services are not > >> -required, then size can be reduced by using OpensslLib.inf instead of > >> +required, then the size can be reduced by using OpensslLib.inf instead of > >> `OpensslLibFull.inf`. Performance optimization requires a size increase. > >> > >> | OpensslLib Instance | SSL | ECC | Perf Opt | CPU Arch | Size | > >> @@ -371,10 +371,10 @@ settings. > >> > >> ### UEFI Runtime Driver Library Mappings > >> > >> -UEFI Runtime Drivers only supports static linking of cryptographic services. > >> -The following library mappings are recommended for UEFI Runtime Drivers. It uses > >> -the runtime specific version of the BaseCryptLib and the null version of the > >> -TlsLib because TLS services are not typically used in runtime. > >> +UEFI Runtime Drivers only support static linking of cryptographic services. > >> +The following library mappings are recommended for UEFI Runtime Drivers. They > >> +use the runtime specific version of the BaseCryptLib and the null version of the > >> +TlsLib because TLS services are not typically used at runtime. > >> > >> ``` > >> [LibraryClasses.common.DXE_RUNTIME_DRIVER] > >> @@ -388,13 +388,13 @@ TlsLib because TLS services are not typically used in runtime. > >> ### PCD Configuration Settings > >> > >> There are 2 PCD settings that are used to configure cryptographic services. > >> -`PcdHashApiLibPolicy` is used to configure the hash algorithm provided by the > >> +`PcdHashApiLibPolicy` is used to configure the hash algorithms provided by the > >> BaseHashApiLib library instance. `PcdCryptoServiceFamilyEnable` is used to > >> configure the cryptographic services supported by the CryptoPei, CryptoDxe, > >> and CryptoSmm modules. > >> > >> * `gEfiCryptoPkgTokenSpaceGuid.PcdHashApiLibPolicy` - This PCD indicates the > >> - HASH algorithm to to use in the BaseHashApiLib to calculate hash of data. The > >> + HASH algorithms to use in the BaseHashApiLib to calculate hash of data. The > > > > It is my understanding that the BaseHashApiLib supports at most one algorithm. > > Perhaps this is only an attribute of the current implementation. The declaration > > of the PCD values for this PCD could support a bitmask that could allow multiple > > algorithm values to be ORed together. However, the DEC file description does not > > state that. The example below shows the current implementation that does > > not interpret as a bitmask. In fact, setting more than one algorithm value > > would fall through to the default clause. So you recommend an update to DEC > > and implementation to support bitmask? Or restrict the PCD and implementation > > to a single algorithm? > > > > UINTN > > EFIAPI > > HashApiGetContextSize ( > > VOID > > ) > > { > > switch (PcdGet32 (PcdHashApiLibPolicy)) { > > case HASH_ALG_SHA1: > > return Sha1GetContextSize (); > > break; > > > > case HASH_ALG_SHA256: > > return Sha256GetContextSize (); > > break; > > > > case HASH_ALG_SHA384: > > return Sha384GetContextSize (); > > break; > > > > case HASH_ALG_SHA512: > > return Sha512GetContextSize (); > > break; > > > > case HASH_ALG_SM3_256: > > return Sm3GetContextSize (); > > break; > > > > default: > > ASSERT (FALSE); > > return 0; > > break; > > } > > } > > Thank you for confirming this; in fact I had my doubts on this hunk. I > had checked the PCD in the DEC file, but not the implementation. > > The DEC file does employ the term "algorithm" in singular, multiple > times at that. However, the individual values are not consecutive -- > they are values of distinct bits. This suggests a a bitmap, and it also > seemed "more sensible" for a library to support multiple hash algorithms > at the same time (similarly to how PcdCryptoServiceFamilyEnable could > enable multiple algorithms at the same time). I didn't realize the PCD > was supposed to bind the library to one particular hash algorithm -- > that seemed too limiting for an entire platform. (Even with > component-scope or component-type-scope Fixed-at-Build overrides in a > DSC file, it was hard to find a use case for fixating different sets of > modules in the same platform to different *unique* hash algos at build > time.) In effect I expected PcdHashApiLibPolicy to work similarly to > PcdCryptoServiceFamilyEnable. > > Additionally -- I had missed @ValidList in the DEC file; sorry about > that. The explicit listing there makes it a bit clearer that > PcdHashApiLibPolicy is not a bitmap. > > I don't know why the current values suggest the possibility of a bitmap > -- were they meant as future-proofing, for an implementation that might > support more algos at the same time? > > So my suggestion would be to "restrict the PCD and implementation to a > single algorithm" (as you write), in particular remove the confusion by > renumbering the identifiers so they form a consecutive sequence. > > Except... :) I notice that: > > (a) These macros (such as HASH_ALG_SHA256) are defined in > "MdePkg/Include/IndustryStandard/Tpm20.h". So it's not possible to just > change the integer values in the DEC file but keep the macro names; that > would de-sync the PCD file with "Tpm20.h". > > To be honest I find it suboptimal that the Hash library API is bound to > TPM2 specifics -- hashing is more general than its usage in TPM2. > > (b) "git blame" actually provides context: > > - commit 3feea54eae33 ("CryptoPkg/BaseHashApiLib: Implement Unified Hash > Calculation API", 2020-02-03), for bugzilla 2151, introduced HashApiLib > with a consecutive list of integer hash algo identifiers, > > - commit c70bdf9d4a6a ("CryptoPkg/BaseHashApiLib: Align BaseHashApiLib > with TPM 2.0 Implementation", 2020-02-19), for bugzilla 2511, replaced > the originally consecutive values with the TPM2 bit values, > > So what I thought was logical had actually existed in the past, but then > it got replaced with the current "bitmask-suggesting" values, for bug 2511. > > > In the end I think I should drop this hunk from the "Readme.md" patch; > however, while technically correct, the DEC file remains confusing. The > values seem to be aligned with the TPM2 spec just for simplicity's sake, > and that's fine, but it should be documented. IIUC the TPM2 spec does > actually rely on these values being organized into a bitmap, but that's > something that HashApiLib does not utilize. I think this should be > emphasized in the DEC file (i.e. that the library interface permits a > single hash algo only). > > We also have: > > > @Prompt Set policy for hashing unsigned image for Secure Boot. > > which I think is too restrictive; surely there are uses for HashApiLib > other than SecureBoot. This very "Readme.md" file discusses HashApiLib > in the SEC and PEI phases, and Secure Boot is not defined in those phases. > > I'm happy to update this patch for Readme.md (note: there's still a typo > to fix in this context: "to to use"); I'd rather leave the > "CryptoPkg.dec" update to someone else :) (Most likely Amol -- CC'd.) > > Thanks, > Laszlo > > > > > > > > > >> default hashing algorithm for BaseHashApiLib is set to HASH_ALG_SHA256. > >> | Setting | Algorithm | > >> |------------|------------------| > >> @@ -407,8 +407,8 @@ and CryptoSmm modules. > >> * `gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable` - Enable/Disable > >> the families and individual services produced by the EDK II Crypto > >> Protocols/PPIs. The default is all services disabled. This Structured PCD is > >> - associated with `PCD_CRYPTO_SERVICE_FAMILY_ENABLE` structure that defined in > >> - `Include/Pcd/PcdCryptoServiceFamilyEnable.h`. > >> + associated with the `PCD_CRYPTO_SERVICE_FAMILY_ENABLE` structure that is > >> + defined in `Include/Pcd/PcdCryptoServiceFamilyEnable.h`. > >> > >> There are three layers of priority that determine if a specific family or > >> individual cryptographic service is actually enabled in the CryptoPei, > >> @@ -420,15 +420,15 @@ and CryptoSmm modules. > >> OpensslLib instance linked, then the service is always disabled. > >> 2) BaseCryptLib instance selection. > >> * CryptoPei is always linked with the PeiCryptLib instance of the > >> - BaseCryptLib library class. The table above have a column for the > >> + BaseCryptLib library class. The table above has a column for the > >> PeiCryptLib. If the family or service is blank, then that family or > >> service is always disabled. > >> * CryptoDxe is always linked with the BaseCryptLib instance of the > >> - BaseCryptLib library class. The table above have a column for the > >> + BaseCryptLib library class. The table above has a column for the > >> BaseCryptLib. If the family or service is blank, then that family or > >> service is always disabled. > >> * CryptoSmm is always linked with the SmmCryptLib instance of the > >> - BaseCryptLib library class. The table above have a column for the > >> + BaseCryptLib library class. The table above has a column for the > >> SmmCryptLib. If the family or service is blank, then that family or > >> service is always disabled. > >> 3) If a family or service is enabled in the OpensslLib instance and it is > >> @@ -438,11 +438,11 @@ and CryptoSmm modules. > >> bit fields for each family of services. All of the families are disabled > >> by default. An entire family of services can be enabled by setting the > >> family field to the value `PCD_CRYPTO_SERVICE_ENABLE_FAMILY`. Individual > >> - services can be enabled by setting a single service name to `TRUE`. > >> - Settings listed later in the DSC file have priority over settings earlier > >> - in the DSC file, so it is legal for an entire family to be enabled first > >> - and then a few individual services disabled by setting the service name to > >> - `FALSE`. > >> + services can be enabled by setting a single service name (bit) to `TRUE`. > >> + Settings listed later in the DSC file have priority over settings listed > >> + earlier in the DSC file, so it is valid for an entire family to be enabled > >> + first and then for a few individual services to be disabled by setting > >> + those service names to `FALSE`. > >> > >> #### Common PEI PcdCryptoServiceFamilyEnable Settings > >> > > > > > ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-11-03 16:50 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2022-11-02 9:36 [PATCH] CryptoPkg/Readme.md: typo and grammar fixes Laszlo Ersek 2022-11-02 16:48 ` Michael D Kinney 2022-11-03 14:35 ` Laszlo Ersek 2022-11-03 16:50 ` [edk2-devel] " Michael D Kinney
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox