From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id CA72B8036B for ; Wed, 22 Mar 2017 06:02:33 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id E27C03D96B; Wed, 22 Mar 2017 13:02:33 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com E27C03D96B Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=lersek@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com E27C03D96B Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-105.phx2.redhat.com [10.3.116.105]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3FBE018201; Wed, 22 Mar 2017 13:02:31 +0000 (UTC) To: Qin Long , edk2-devel@lists.01.org References: <20170321155612.1192-1-qin.long@intel.com> Cc: ard.biesheuvel@linaro.org, ting.ye@intel.com, ronald.cron@arm.com, jiaxin.wu@intel.com, glin@suse.com From: Laszlo Ersek Message-ID: <4410fa53-b0e4-d64a-7b95-8a430a4c7b06@redhat.com> Date: Wed, 22 Mar 2017 14:02:28 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 In-Reply-To: <20170321155612.1192-1-qin.long@intel.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Wed, 22 Mar 2017 13:02:34 +0000 (UTC) Subject: Re: [PATCH v1 0/9] *** Upgrade CryptoPkg to use the latest OpenSSL 1.1.0xx/stable release *** X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Mar 2017 13:02:34 -0000 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit On 03/21/17 16:56, Qin Long wrote: > (https://github.com/qloong/edk2/tree/dev-openssl-stable) > > Current EDKII-CryptoPkg is leveraging OpenSSL-1.0.2xx as the underlying > cryptographic provider, which requires some extra patches > (EDKII-openssl-xxxx.patch) and installation scripts for EDKII build & usage. > The latest stable version of OpenSSL was upgraded to the 1.1.0 series > of release, with lots of EDKII-specific patches integration, which make > CryptoPkg possbile to remove all extra patch and scripts for more native > build support. > > This patch series is to update EDKII-CryptoPkg to support native building > with the latest OpenSSL 1.1.0xx. (By now, the latest OpenSSL stable release > is 1.1.0e). Refer "CryptoPkg/Library/OpensslLib/OpenSSL-HOWTO.txt" for the > information about the version and source installation. > > (NOTE: The extra build options for ARM/RVCT/XCODE were kept, which expect > further optimizations from community) > > Qin Long (9): > CryptoPkg/OpensslLib: Update INF files to support OpenSSL-1.1.0xx build. > CryptoPkg/OpensslLib: Remove patch file and installation scripts. > CryptoPkg: Fix handling of &strcmp function pointers > CryptoPkg/OpensslLib: Use new Perl script for file list generation. > CryptoPkg: Clean-up CRT Library Wrapper. > CryptoPkg: Add extra build option to disable VS build warning > CryptoPkg: Update HMAC Wrapper implementation with opaque HMAC_CTX object. > CryptoPkg: Update PK Ciphers Wrapper Implementations work with opaque objects. > CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes. * I build-tested this series with ArmVirtQemu, as in: build -a AARCH64 -t GCC5 -p ArmVirtPkg/ArmVirtQemu.dsc \ -n 12 -b DEBUG -D DEBUG_PRINT_ERROR_LEVEL=0x8040004F \ -D PURE_ACPI_BOOT_ENABLE --cmd-len=65536 -D SECURE_BOOT_ENABLE Note that the buid does not cover TLS functionality (patch #9), because ArmVirtQemu uses "OpensslLibCrypto.inf" * I did some functional testing with OVMF (Ia32X64), again without enabling TLS (so patch #9 was likely not exercised.) Secure Boot remains enabled & working for VMs that had it enabled earlier. Also, deleting the PK, and re-enrolling all the keys (re-enabling SB) works too. Unsigned images are rejected. If this was the final version of the set, I'd give my T-b, for patches 1-8. But, I think you are going to submit a v2 anyway, which I'll have to test again. (I tested v1 to see if there was a functional problem that I should report.) Thanks! Laszlo