From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com) Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by groups.io with SMTP; Thu, 16 May 2019 11:53:29 -0700 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 4BA0C81DE3; Thu, 16 May 2019 18:53:21 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-121-88.rdu2.redhat.com [10.10.121.88]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1E117600C4; Thu, 16 May 2019 18:53:18 +0000 (UTC) Subject: Re: [PATCH v4 0/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b To: Xiaoyu Lu , devel@edk2.groups.io Cc: Jian J Wang , Ting Ye References: <1557993298-22205-1-git-send-email-xiaoyux.lu@intel.com> From: "Laszlo Ersek" Message-ID: <2762276e-f4b2-808c-c9dd-6d92f79fb3cd@redhat.com> Date: Thu, 16 May 2019 20:53:17 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <1557993298-22205-1-git-send-email-xiaoyux.lu@intel.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Thu, 16 May 2019 18:53:26 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 05/16/19 09:54, Xiaoyu Lu wrote: > This series is also available at: > https://github.com/xiaoyuxlu/edk2/tree/bz_1089_upgrade_to_openssl_1_1_1b_v4 > > Changes: > > (1) CryptoPkgOpensslLib: Modify process_files.pl for upgrading OpenSSL > > (2) CryptoPkg/OpensslLib: Exclude unnecessary files in process_files.pl > crypto/store/* are excluded. > crypto/rand/randfile.c is excluded. > > (3) CryptoPkg/IntrinsicLib: Fix possible unresolved external symbol issue > > (4) CryptoPkg/OpensslLib: Prepare for upgrading OpenSSL > Disable warnings for buiding OpenSSL_1_1_1b > > (5) CryptoPkg/OpensslLib: Fix cross-build problem for AARCH64 > > (6) CryptoPkg: Upgrade OpenSSL to 1.1.1b > The biggest change is use TSC as entropy source > If TSC isn't avaiable, fallback to TimerLib(PerformanceCounter). > > (7) CryptoPkg/BaseCryptLib: Make HMAC_CTX size backward compatible > > > Verification done for this series: > * Https boot in OvmfPkg. > * BaseCrypt Library test. (Ovmf, EmulatorPkg) > > Important notice: > Nt32Pkg doesn't support TimerLib >> TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplate.inf > So it will failed in Nt32Pkg. I did some minimal functional testing, as follows: - built OvmfPkgIa32X64.dsc with -D SMM_REQUIRE -D SECURE_BOOT_ENABLE - with SB pre-enabled in an existing VM, the firmware continued to reject an unsigned UEFI app - in the same config, the firmware continued to accept a correctly signed UEFI boot loader (the Fedora OS was booted OK) - with SB disabled afresh (deleting PK through SecureBootConfigDxe), both of the above binaries were accepted - in the same SB-disabled state, OvmfPkg/EnrollDefaultKeys was possible to invoke from the UEFI shell, and it successfully re-enabled SB (with the effects described in the prior section). So this part looks good. Thanks Laszlo