From: Matthew Carlson <matthewfcarlson@gmail.com>
Date: Wed, 23 Sep 2020 14:02:02 -0700
Subject: Re: [PATCH] EmulatorPkg: Add RngLib to satisfy dependency of OpensslLib
To: Samer El-Haj-Mahmoud; devel@edk2.groups.io; divneil.r.wadhawan@intel.com; Zhiguang Liu
Cc: Ni, Ray; gaoliming; Andrew Fish; Justen, Jordan L; Kinney, Michael D; Laszlo Ersek; Yao, Jiewen; Ard Biesheuvel; Sean Brogan

Hi Samer,


(I added you, Zhiguang, because you had a similar question)

 

There are some instructions in the patch series (on the cover letter) about how to enable RngLib to be used by OpenSSL.

 

Since this changes the dependencies of OpenSSL, it has the potential of being a breaking change for platforms in edk2-platforms. The easiest solution is just to use the RngLib that uses the TimerLib, as this closely mimics the behavior of OpenSSL prior to this patch series. There is also a null version of RngLib for CI environments that need this change (https://edk2.groups.io/g/devel/message/50432). It should be pointed out, though, that in CI environments the null version of BaseCryptLib or OpenSSL should be used.

 

If you simply want the behavior that existed prior to this commit, you can just add the TimerLib based RngLib. It is not a good source of randomness but is arguably slightly better than what OpenSSL was using before.

You can see that's what was done for OvmfPkg and ArmVirtPkg (https://github.com/tianocore/edk2/commit/a09df5d2e1a7126e45198200628e388564f74668#diff-76767f2fe9e8f4acca7cbeb049bc8152).

I'd recommend adding a platform specific RngLib that leverages platform capabilities. If your platform has a driver that publishes the RngProtocol, you can leverage the new library at MdePkg/Library/DxeRngLib/DxeRngLib.inf (https://github.com/tianocore/edk2/commit/ed0dce7d5466b6b22ff9e0923f3a3e885540bbfc).

It will add whatever driver produces the RngProtocol as a depex on any module that consumes crypto, so you might need to be careful not to introduce a circular depex chain; this might not be an option for some platforms.

 

On the note of adding Azure Platform CI, OvmfPkg recently added PlatformCI and it could be a good jumping off point: https://github.com/tianocore/edk2/tree/master/OvmfPkg/PlatformCI

In a nutshell, you'll create a new Python build file that stuart/pytools can leverage (https://github.com/tianocore/edk2-pytool-extensions) (https://github.com/tianocore/edk2-pytool-extensions/blob/master/docs/using.md).

Here's actually an example I wrote where I ported RPi to use Pytools (https://github.com/tianocore/edk2-pytool-extensions/blob/master/docs/usability/porting_a_platform.md).

 

Once you have a platform that's building, you can use the platform build pipeline (https://github.com/tianocore/edk2/tree/master/OvmfPkg/PlatformCI/.azurepipelines).

 

Of course, it is totally possible to use a different tool like edkrepo or uefi-tools to not have to create a build file. You'd just call that from the build pipeline. I personally haven't used them, but I'm sure there are some folks on the mailing list that could point you in the right direction.

You're also welcome to use something other than Azure Pipelines; there are plenty of options out there. Azure Pipelines is nice since it provides a good number of build agents for free to open source projects. But I've used TravisCI and Circle before (though not in EDK2) and liked the experience.


You'd likely need to set up a new project in the DevOps for tianocore (https://dev.azure.com/tianocore/) since the pipelines for edk2-ci should remain in one project. Perhaps edk2-platforms-ci?

 

- Matthew Carlson


From: Samer El-Haj-Mahmoud
Sent: Wednesday, September 23, 2020 6:43 AM
To: devel@edk2.groups.io; divneil.r.wadhawan@intel.com; matthewfcarlson@gmail.com
Cc: Ni, Ray; gaoliming; Andrew Fish; Justen, Jordan L; Kinney, Michael D; Laszlo Ersek; Yao, Jiewen; Ard Biesheuvel
Subject: RE: [PATCH] EmulatorPkg: Add RngLib to satisfy dependency of OpensslLib

 

Divneil,

 

Thanks for this patch.

 

However, it looks like multiple edk2-platforms are broken because of the OpensslLib change. I verified at least the following are broken:

- RaspberryPi/RPi3

- RaspberryPi/RPi4

- Qemu/SbsaQemu

- Socionext/DeveloperBox

- SolidRun/Armada80x0McBin

- Hisilicon/D0*

Etc. Others are probably impacted. A quick search across edk2 and edk2-platforms shows OpensslLib used in 26 DSC files, but RngLib is implicitly used in only 13 of them.

 

Matthew,

 

I think the offending commit (b5701a4c7a0fb185e0c5b9db9525939c78664bfd) needs to be reverted, and re-submitted with a series that fixes the build for all impacted platforms.

 

Also, what would it take to add the Azure pipeline CI that is currently used in edk2 to edk2-platforms? I imagine some platform maintainers would appreciate that capability. Or should every platform look for their own CI/CD (possibly outside TianoCore)?


Thanks,

--Samer

 

 

From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Wadhawan, Divneil R via groups.io

Sent: Saturday, September 19, 2020 1:39 AM

To: devel@edk2.groups.io

Cc: Ni, Ray <ray.ni@intel.com>; gaoliming <gaoliming@byosoft.com.cn>; 'Andrew Fish' <afish@apple.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Wadhawan, Divneil R <divneil.r.wadhawan@intel.com>

Subject: [edk2-devel] [PATCH] EmulatorPkg: Add RngLib to satisfy dependency of OpensslLib

 

 

o Recently, OpensslLib [LibraryClasses] has been changed
  to include RngLib which causes the SECURE_BOOT_ENABLE
  build to fail in want of RngLib

 

o This patch adds the RngLib for OpensslLib

 

Signed-off-by: Divneil Rai Wadhawan <divneil.r.wadhawan@intel.com>

---

EmulatorPkg/EmulatorPkg.dsc | 1 +

1 file changed, 1 insertion(+)


diff --git a/EmulatorPkg/EmulatorPkg.dsc b/= EmulatorPkg/EmulatorPkg.dsc

index c6e25c745e..a27cb= 1beb0 100644

--- a/EmulatorPkg/EmulatorPkg.dsc

<= p class=3DMsoNormal>+++ b/EmulatorPkg/EmulatorPkg.dsc

@@ -113,6 +113,7 @@

=C2=A0=C2=A0 FileHandleLib|M= dePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf

 

!if $(SECURE_BOOT_ENABLE) =3D= =3D TRUE

+=C2=A0 RngLib|MdePkg/Library/BaseRngLibT= imerLib/BaseRngLibTimerLib.inf

=C2=A0=C2=A0 Intrins= icLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf

=C2=A0=C2=A0 OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.in= f

=C2=A0=C2=A0 PlatformSecureLib|SecurityPkg/Librar= y/PlatformSecureLibNull/PlatformSecureLibNull.inf
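Review bot: the new `RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf` mapping sits only inside the `!if $(SECURE_BOOT_ENABLE) == TRUE` block, which matches where `OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf` is resolved in the same hunk, so the fix is complete only as long as no other consumer of RngLib is pulled into this DSC outside that block. Since the thread describes the timer-based RngLib as a weak entropy source chosen to mimic pre-patch OpenSSL behaviour, a one-line comment above the mapping saying it is a stop-gap would help platform maintainers who copy this line know to prefer DxeRngLib or a hardware-backed RngLib where the platform publishes an RngProtocol.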

--

2.16.2.windows.1
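As an added check that is not code from this thread or from edk2, the Python script below does what Samer's quick search describes: it parses a DSC's [LibraryClasses] sections, honours simple `!if $(NAME) == VALUE` / `!else` / `!endif` guards, and flags a platform that resolves OpensslLib without any RngLib mapping. The DSC fragments are constructed, modelled on the EmulatorPkg hunk above; the regex-based guard handling is an assumption that covers only the equality form used there, not the full DSC expression grammar.

```python
import re

# Constructed DSC fragment, modelled on the EmulatorPkg hunk in this thread,
# as the file looked before the patch (OpensslLib resolved, RngLib not).
DSC_BEFORE = """\
[LibraryClasses]
  FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf

!if $(SECURE_BOOT_ENABLE) == TRUE
  IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
  PlatformSecureLib|SecurityPkg/Library/PlatformSecureLibNull/PlatformSecureLibNull.inf
!endif
"""
# The same fragment with the patch's RngLib line applied.
DSC_AFTER = DSC_BEFORE.replace(
    "  IntrinsicLib|",
    "  RngLib|MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf\n  IntrinsicLib|", 1)

# Assumption: only the `!if $(NAME) == VALUE` form is handled (enough for this hunk).
_IF_RE = re.compile(r"!if\s+\$\((\w+)\)\s*==\s*(\S+)", re.I)

def dsc_library_classes(dsc_text, defines):
    """Map LibraryClass -> INF path from every [LibraryClasses*] section,
    evaluating `!if` / `!else` / `!endif` guards against `defines`
    (for example {"SECURE_BOOT_ENABLE": "TRUE"})."""
    mapped, in_libclass, active = {}, False, [True]
    for raw in dsc_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = _IF_RE.match(line)
        if m:                                     # push a nested condition
            active.append(active[-1] and defines.get(m.group(1)) == m.group(2))
        elif line.lower() == "!else" and len(active) > 1:
            active[-1] = active[-2] and not active[-1]
        elif line.lower() == "!endif" and len(active) > 1:
            active.pop()
        elif line.startswith("["):                # new section header
            in_libclass = line.lower().startswith("[libraryclasses")
        elif in_libclass and active[-1] and "|" in line:
            cls, inf = (part.strip() for part in line.split("|", 1))
            mapped[cls] = inf
    return mapped

def missing_rnglib(dsc_text, defines):
    """True when the build would resolve OpensslLib but has no RngLib mapping,
    i.e. the failure this patch fixes for EmulatorPkg."""
    classes = dsc_library_classes(dsc_text, defines)
    return "OpensslLib" in classes and "RngLib" not in classes

if __name__ == "__main__":
    for name, dsc in (("before", DSC_BEFORE), ("after", DSC_AFTER)):
        print(name, "missing RngLib:", missing_rnglib(dsc, {"SECURE_BOOT_ENABLE": "TRUE"}))
```

Run it over each DSC under edk2-platforms with the platform's build defines to get the list of DSC files that still need a mapping, rather than the grep count alone.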
