From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <lersek@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by ml01.01.org (Postfix) with ESMTPS id CA72B8036B
 for <edk2-devel@lists.01.org>; Wed, 22 Mar 2017 06:02:33 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com
 [10.5.11.16])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id E27C03D96B;
 Wed, 22 Mar 2017 13:02:33 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com E27C03D96B
Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com;
 dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com;
 spf=pass smtp.mailfrom=lersek@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com E27C03D96B
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-105.phx2.redhat.com
 [10.3.116.105])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 3FBE018201;
 Wed, 22 Mar 2017 13:02:31 +0000 (UTC)
To: Qin Long <qin.long@intel.com>, edk2-devel@lists.01.org
References: <20170321155612.1192-1-qin.long@intel.com>
Cc: ard.biesheuvel@linaro.org, ting.ye@intel.com, ronald.cron@arm.com,
 jiaxin.wu@intel.com, glin@suse.com
From: Laszlo Ersek <lersek@redhat.com>
Message-ID: <4410fa53-b0e4-d64a-7b95-8a430a4c7b06@redhat.com>
Date: Wed, 22 Mar 2017 14:02:28 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <20170321155612.1192-1-qin.long@intel.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.30]); Wed, 22 Mar 2017 13:02:34 +0000 (UTC)
Subject: Re: [PATCH v1 0/9] *** Upgrade CryptoPkg to use the latest OpenSSL 1.1.0xx/stable release ***
X-BeenThere: edk2-devel@lists.01.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: EDK II Development  <edk2-devel.lists.01.org>
List-Unsubscribe: <https://lists.01.org/mailman/options/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=unsubscribe>
List-Archive: <http://lists.01.org/pipermail/edk2-devel/>
List-Post: <mailto:edk2-devel@lists.01.org>
List-Help: <mailto:edk2-devel-request@lists.01.org?subject=help>
List-Subscribe: <https://lists.01.org/mailman/listinfo/edk2-devel>,
 <mailto:edk2-devel-request@lists.01.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2017 13:02:34 -0000
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit

On 03/21/17 16:56, Qin Long wrote:
> (https://github.com/qloong/edk2/tree/dev-openssl-stable)
> 
> Current EDKII-CryptoPkg is leveraging OpenSSL-1.0.2xx as the underlying
> cryptographic provider, which requires some extra patches
> (EDKII-openssl-xxxx.patch) and installation scripts for EDKII build & usage.
> The latest stable version of OpenSSL was upgraded to the 1.1.0 series
> of release, with lots of EDKII-specific patches integration, which make
> CryptoPkg possbile to remove all extra patch and scripts for more native
> build support.
> 
> This patch series is to update EDKII-CryptoPkg to support native building
> with the latest OpenSSL 1.1.0xx. (By now, the latest OpenSSL stable release
> is 1.1.0e). Refer "CryptoPkg/Library/OpensslLib/OpenSSL-HOWTO.txt" for the
> information about the version and source installation.
> 
> (NOTE: The extra build options for ARM/RVCT/XCODE were kept, which expect
>        further optimizations from community)
> 
> Qin Long (9):
>   CryptoPkg/OpensslLib: Update INF files to support OpenSSL-1.1.0xx build.
>   CryptoPkg/OpensslLib: Remove patch file and installation scripts.
>   CryptoPkg: Fix handling of &strcmp function pointers
>   CryptoPkg/OpensslLib: Use new Perl script for file list generation.
>   CryptoPkg: Clean-up CRT Library Wrapper.
>   CryptoPkg: Add extra build option to disable VS build warning
>   CryptoPkg: Update HMAC Wrapper implementation with opaque HMAC_CTX object.
>   CryptoPkg: Update PK Ciphers Wrapper Implementations work with opaque objects.
>   CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.

* I build-tested this series with ArmVirtQemu, as in:

build -a AARCH64 -t GCC5 -p ArmVirtPkg/ArmVirtQemu.dsc \
  -n 12 -b DEBUG -D DEBUG_PRINT_ERROR_LEVEL=0x8040004F \
  -D PURE_ACPI_BOOT_ENABLE --cmd-len=65536 -D SECURE_BOOT_ENABLE

Note that the buid does not cover TLS functionality (patch #9), because
ArmVirtQemu uses "OpensslLibCrypto.inf"

* I did some functional testing with OVMF (Ia32X64), again without
enabling TLS (so patch #9 was likely not exercised.) Secure Boot remains
enabled & working for VMs that had it enabled earlier. Also, deleting
the PK, and re-enrolling all the keys (re-enabling SB) works too.
Unsigned images are rejected.

If this was the final version of the set, I'd give my T-b, for patches
1-8. But, I think you are going to submit a v2 anyway, which I'll have
to test again.

(I tested v1 to see if there was a functional problem that I should report.)

Thanks!
Laszlo