[URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib

[URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib

[Laszlo Ersek]

In commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib
directly", 2016-12-14), we enabled libssl functionality in
CryptoPkg/OpensslLib unconditionally.

While that's real convenient, it is also overkill for platforms (or
platform builds) that don't want TLS. The impact (beyond wasted build
time) is that when the next vulnerability comes out that affects the
libssl subset of OpenSSL, security teams all around will look at build
logs and INF files, see the libssl files being built, and get nervous --
without a good reason for such builds that don't actually *use* TLS.

Let's make this easier on them (and thereby on ourselves!), and
introduce an OpensslLibNoSsl instance, which excludes libssl.

The edk2 integration script "process_files.sh" is updated to process
both INF files in the same invocation.

If noone disagrees with the concept, I'd appreciate if we could review &
merge this series real fast. (Sorry about that, but a downstream
deadline looms close, and I consider this sort of a blocker for the next
rebase.)

I updated the following platform packages:
- ArmVirtPkg, because I know it never uses TLS (or HTTP boot for that
  matter),
- Nt32Pkg, because it exposes the TLS_ENABLE build flag,
- OvmfPkg, because it exposes the TLS_ENABLE build flag.

I didn't touch other packages because they don't expose TLS_ENABLE, and
I don't have time to figure out if they want TLS built-in.

I tested the new OpensslLibNoSsl instance with Secure Boot under OVMF.

The series was formatted with "--find-copies-harder", which makes a real
difference for patch #2.

Tomas: if you would like to comment on this series, please subscribe to
the edk2-devel list at
<https://lists.01.org/mailman/listinfo/edk2-devel>, and also wait for
your subscription request to complete, *before* responding.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>

Thanks!
Laszlo

Laszlo Ersek (5):
  CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after
    32387e00
  CryptoPkg/OpensslLib: introduce OpensslLibNoSsl instance
  ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl
  Nt32Pkg: exclude libssl functionality from OpensslLib if
    TLS_ENABLE=FALSE
  OvmfPkg: exclude libssl functionality from OpensslLib if
    TLS_ENABLE=FALSE

 ArmVirtPkg/ArmVirt.dsc.inc                                           |  2 +-
 Nt32Pkg/Nt32Pkg.dsc                                                  |  4 ++
 OvmfPkg/OvmfPkgIa32.dsc                                              |  4 ++
 OvmfPkg/OvmfPkgIa32X64.dsc                                           |  4 ++
 OvmfPkg/OvmfPkgX64.dsc                                               |  4 ++
 CryptoPkg/Library/OpensslLib/OpensslLib.inf                          |  1 +
 CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf} | 55 ++------------------
 CryptoPkg/Library/OpensslLib/opensslconf.h                           |  6 ---
 CryptoPkg/Library/OpensslLib/{OpensslLib.uni => OpensslLibNoSsl.uni} |  8 +--
 CryptoPkg/Library/OpensslLib/process_files.sh                        | 27 +++++++---
 10 files changed, 46 insertions(+), 69 deletions(-)
 copy CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf} (90%)
 copy CryptoPkg/Library/OpensslLib/{OpensslLib.uni => OpensslLibNoSsl.uni} (71%)

-- 
2.9.3

[PATCH 1/5] CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after 32387e00

[Laszlo Ersek]

Commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib directly",
2016-12-14) removed the "no-queue" configuration option in
"process_files.sh", plus it enabled "process_files.sh" to place all libssl
source files into "OpensslLib.inf".

However, the patch apparently failed to capture two changes originating
from the above actions:
- the definitions of the OPENSSL_NO_PQUEUE and NO_PQUEUE macros were not
  removed from "opensslconf.h",
- "ssl/ssl_conf.c" was not added to "OpensslLib.inf".

Refresh these files, completing commit 32387e0081db.

I built OVMF with -D SECURE_BOOT_ENABLE -D TLS_ENABLE, and ArmVirtQemu
with -D SECURE_BOOT_ENABLE, after this fix, and experienced no regression.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 +
 CryptoPkg/Library/OpensslLib/opensslconf.h  | 6 ------
 2 files changed, 1 insertion(+), 6 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index c14e36d341f7..42f523a611e5 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -516,6 +516,7 @@ [Sources]
   $(OPENSSL_PATH)/ssl/ssl_asn1.c
   $(OPENSSL_PATH)/ssl/ssl_txt.c
   $(OPENSSL_PATH)/ssl/ssl_algs.c
+  $(OPENSSL_PATH)/ssl/ssl_conf.c
   $(OPENSSL_PATH)/ssl/bio_ssl.c
   $(OPENSSL_PATH)/ssl/ssl_err.c
   $(OPENSSL_PATH)/ssl/kssl.c
diff --git a/CryptoPkg/Library/OpensslLib/opensslconf.h b/CryptoPkg/Library/OpensslLib/opensslconf.h
index adcaa01d6b1d..e0054a45fc5f 100644
--- a/CryptoPkg/Library/OpensslLib/opensslconf.h
+++ b/CryptoPkg/Library/OpensslLib/opensslconf.h
@@ -92,9 +92,6 @@ extern "C" {
 #ifndef OPENSSL_NO_POSIX_IO
 # define OPENSSL_NO_POSIX_IO
 #endif
-#ifndef OPENSSL_NO_PQUEUE
-# define OPENSSL_NO_PQUEUE
-#endif
 #ifndef OPENSSL_NO_RC2
 # define OPENSSL_NO_RC2
 #endif
@@ -263,9 +260,6 @@ extern "C" {
 # if defined(OPENSSL_NO_POSIX_IO) && !defined(NO_POSIX_IO)
 #  define NO_POSIX_IO
 # endif
-# if defined(OPENSSL_NO_PQUEUE) && !defined(NO_PQUEUE)
-#  define NO_PQUEUE
-# endif
 # if defined(OPENSSL_NO_RC2) && !defined(NO_RC2)
 #  define NO_RC2
 # endif
-- 
2.9.3

[PATCH 2/5] CryptoPkg/OpensslLib: introduce OpensslLibNoSsl instance

[Laszlo Ersek]

Commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib directly",
2016-12-14) pulls OpenSSL's libssl files into the "OpensslLib.inf" library
instance unconditionally.

If a platform doesn't include the TLS modules, such as

- CryptoPkg/Library/TlsLib/TlsLib.inf
- NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
- NetworkPkg/TlsDxe/TlsDxe.inf

then the platform never actually uses the libssl functionality that gets
built into "OpensslLib.inf".

Tomas Hoger from Red Hat Product Security tells me that security
evaluation is less demanding if we can actually *exclude* the libssl files
from such OVMF builds that don't specify -D TLS_ENABLE (rather than just
trust modules not to call libssl functions if we don't specify -D
TLS_ENABLE).

This patch introduces a parallel OpensslLib instance called
"OpensslLibNoSsl" that is appropriate for platform builds without TLS
enablement. It does not build C source files in vain, and it eases
security review -- all libssl vulnerabilities can be excluded at once.

"OpensslLibNoSsl.inf" is created as a copy of "OpensslLib.inf", modifying
the BASE_NAME, MODULE_UNI_FILE and FILE_GUID defines.

"process_files.sh" is extended to auto-generate the list of OpenSSL files
for both library instances accordingly. This list is updated in
"OpensslLibNoSsl.inf" at once.

"OpensslLibNoSsl.uni" is introduced as a copy of "OpensslLib.uni",
highlighting the difference.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Gary Lin <glin@suse.com>
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Qin Long <qin.long@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf} | 56 ++------------------
 CryptoPkg/Library/OpensslLib/{OpensslLib.uni => OpensslLibNoSsl.uni} |  8 +--
 CryptoPkg/Library/OpensslLib/process_files.sh                        | 27 +++++++---
 3 files changed, 28 insertions(+), 63 deletions(-)

diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
similarity index 90%
copy from CryptoPkg/Library/OpensslLib/OpensslLib.inf
copy to CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
index 42f523a611e5..d106989b9521 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
@@ -14,9 +14,9 @@
 
 [Defines]
   INF_VERSION                    = 0x00010005
-  BASE_NAME                      = OpensslLib
-  MODULE_UNI_FILE                = OpensslLib.uni
-  FILE_GUID                      = C873A7D0-9824-409f-9B42-2C158B992E69
+  BASE_NAME                      = OpensslLibNoSsl
+  MODULE_UNI_FILE                = OpensslLibNoSsl.uni
+  FILE_GUID                      = E29FC209-8B64-4500-BD20-AF4EAE47EA0E
   MODULE_TYPE                    = BASE
   VERSION_STRING                 = 1.0
   LIBRARY_CLASS                  = OpensslLib
@@ -474,56 +474,6 @@ [Sources]
   $(OPENSSL_PATH)/crypto/cmac/cmac.c
   $(OPENSSL_PATH)/crypto/cmac/cm_ameth.c
   $(OPENSSL_PATH)/crypto/cmac/cm_pmeth.c
-  $(OPENSSL_PATH)/ssl/s2_meth.c
-  $(OPENSSL_PATH)/ssl/s2_srvr.c
-  $(OPENSSL_PATH)/ssl/s2_clnt.c
-  $(OPENSSL_PATH)/ssl/s2_lib.c
-  $(OPENSSL_PATH)/ssl/s2_enc.c
-  $(OPENSSL_PATH)/ssl/s2_pkt.c
-  $(OPENSSL_PATH)/ssl/s3_meth.c
-  $(OPENSSL_PATH)/ssl/s3_srvr.c
-  $(OPENSSL_PATH)/ssl/s3_clnt.c
-  $(OPENSSL_PATH)/ssl/s3_lib.c
-  $(OPENSSL_PATH)/ssl/s3_enc.c
-  $(OPENSSL_PATH)/ssl/s3_pkt.c
-  $(OPENSSL_PATH)/ssl/s3_both.c
-  $(OPENSSL_PATH)/ssl/s3_cbc.c
-  $(OPENSSL_PATH)/ssl/s23_meth.c
-  $(OPENSSL_PATH)/ssl/s23_srvr.c
-  $(OPENSSL_PATH)/ssl/s23_clnt.c
-  $(OPENSSL_PATH)/ssl/s23_lib.c
-  $(OPENSSL_PATH)/ssl/s23_pkt.c
-  $(OPENSSL_PATH)/ssl/t1_meth.c
-  $(OPENSSL_PATH)/ssl/t1_srvr.c
-  $(OPENSSL_PATH)/ssl/t1_clnt.c
-  $(OPENSSL_PATH)/ssl/t1_lib.c
-  $(OPENSSL_PATH)/ssl/t1_enc.c
-  $(OPENSSL_PATH)/ssl/t1_ext.c
-  $(OPENSSL_PATH)/ssl/d1_meth.c
-  $(OPENSSL_PATH)/ssl/d1_srvr.c
-  $(OPENSSL_PATH)/ssl/d1_clnt.c
-  $(OPENSSL_PATH)/ssl/d1_lib.c
-  $(OPENSSL_PATH)/ssl/d1_pkt.c
-  $(OPENSSL_PATH)/ssl/d1_both.c
-  $(OPENSSL_PATH)/ssl/d1_srtp.c
-  $(OPENSSL_PATH)/ssl/ssl_lib.c
-  $(OPENSSL_PATH)/ssl/ssl_err2.c
-  $(OPENSSL_PATH)/ssl/ssl_cert.c
-  $(OPENSSL_PATH)/ssl/ssl_sess.c
-  $(OPENSSL_PATH)/ssl/ssl_ciph.c
-  $(OPENSSL_PATH)/ssl/ssl_stat.c
-  $(OPENSSL_PATH)/ssl/ssl_rsa.c
-  $(OPENSSL_PATH)/ssl/ssl_asn1.c
-  $(OPENSSL_PATH)/ssl/ssl_txt.c
-  $(OPENSSL_PATH)/ssl/ssl_algs.c
-  $(OPENSSL_PATH)/ssl/ssl_conf.c
-  $(OPENSSL_PATH)/ssl/bio_ssl.c
-  $(OPENSSL_PATH)/ssl/ssl_err.c
-  $(OPENSSL_PATH)/ssl/kssl.c
-  $(OPENSSL_PATH)/ssl/t1_reneg.c
-  $(OPENSSL_PATH)/ssl/tls_srp.c
-  $(OPENSSL_PATH)/ssl/t1_trce.c
-  $(OPENSSL_PATH)/ssl/ssl_utst.c
 
 # Autogenerated files list ends here
 
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.uni b/CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.uni
similarity index 71%
copy from CryptoPkg/Library/OpensslLib/OpensslLib.uni
copy to CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.uni
index 0dffec1c98a3..52dfb70ab61c 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.uni
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.uni
@@ -1,7 +1,7 @@
 // /** @file
-// This module provides openSSL Library implementation.
+// This module provides openSSL Library implementation without libssl.
 //
-// This module provides OpenSSL Library implementation.
+// This module provides OpenSSL Library implementation without libssl.
 //
 // Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.<BR>
 //
@@ -16,7 +16,7 @@
 // **/
 
 
-#string STR_MODULE_ABSTRACT             #language en-US "OpenSSL Library implementation"
+#string STR_MODULE_ABSTRACT             #language en-US "OpenSSL Library implementation without libssl"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "This module provides OpenSSL Library implementation."
+#string STR_MODULE_DESCRIPTION          #language en-US "This module provides OpenSSL Library implementation without libssl."
 
diff --git a/CryptoPkg/Library/OpensslLib/process_files.sh b/CryptoPkg/Library/OpensslLib/process_files.sh
index 6f069ce264ac..fe1b8a01776b 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.sh
+++ b/CryptoPkg/Library/OpensslLib/process_files.sh
@@ -1,8 +1,8 @@
 #!/bin/sh
 #
-# This script runs the OpenSSL Configure script, then processes the
-# resulting file list into our local OpensslLib.inf and also takes
-# a copy of opensslconf.h.
+# This script runs the OpenSSL Configure script, then processes the resulting
+# file list into our local OpensslLib.inf and OpensslLibNoSsl.inf, and also
+# takes a copy of opensslconf.h.
 #
 # This only needs to be done once by a developer when updating to a
 # new version of OpenSSL (or changing options, etc.). Normal users
@@ -10,6 +10,12 @@
 # git repository for them.
 
 OPENSSL_PATH=$(sed -n '/DEFINE OPENSSL_PATH/{s/.* \(openssl-[0-9.]*[a-z]*\)[[:space:]]*/\1/ p}' OpensslLib.inf)
+OPENSSL_NOSSL_PATH=$(sed -n '/DEFINE OPENSSL_PATH/{s/.* \(openssl-[0-9.]*[a-z]*\)[[:space:]]*/\1/ p}' OpensslLibNoSsl.inf)
+
+if [ "$OPENSSL_PATH" != "$OPENSSL_NOSSL_PATH" ]; then
+    echo "OPENSSL_PATH diverges between OpensslLib.inf and OpensslLibNoSsl.inf"
+    exit 1
+fi
 
 if ! cd "${OPENSSL_PATH}" ; then
     echo "Cannot change to OpenSSL directory \"${OPENSSL_PATH}\""
@@ -65,6 +71,8 @@ cd -
 
 function filelist ()
 {
+    SSL_SELECT="$1"
+
     echo '1,/# Autogenerated files list starts here/p'
     echo '/# Autogenerated files list ends here/,$p'
     echo '/# Autogenerated files list starts here/a\'
@@ -76,18 +84,25 @@ function filelist ()
 		;;
 	    LIBSRC=*)
 		LIBSRC=$(echo "$LINE" | sed s/^LIBSRC=//)
-		for FILE in $LIBSRC; do
+		if [ "$RELATIVE_DIRECTORY" != "ssl" ] ||
+		   [ "$SSL_SELECT" = "with-ssl" ]; then
+		    for FILE in $LIBSRC; do
 			if [ "$FILE" != "b_print.c" ]; then
 			    echo -e '  $(OPENSSL_PATH)/'$RELATIVE_DIRECTORY/$FILE\\r\\
 			fi
-		done
+		    done
+		fi
 		;;
 	esac
     done
     echo -e \\r
 }
 
-filelist < "${OPENSSL_PATH}/MINFO" |  sed -n -f - -i OpensslLib.inf
+filelist with-ssl < "${OPENSSL_PATH}/MINFO" \
+| sed -n -f - -i OpensslLib.inf
+
+filelist without-ssl < "${OPENSSL_PATH}/MINFO" \
+| sed -n -f - -i OpensslLibNoSsl.inf
 
 # We can tell Windows users to put this back manually if they can't run
 # Configure. For now, until the git repository is fixed to store things
-- 
2.9.3

[PATCH 3/5] ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl

[Laszlo Ersek]

The OpensslLibNoSsl library instance (which does not contain libssl
functions) is sufficient for the Secure Boot feature. It would not be
sufficient for HTTPS booting (which requires TLS), but in ArmVirtPkg, we
don't even enable plaintext HTTP booting for the time being.

Ease security analsysis by excluding libssl functionality from the
OpensslLib instance we use.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 ArmVirtPkg/ArmVirt.dsc.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index 43699cb9bdd6..407b9b66dfe6 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -136,7 +136,7 @@ [LibraryClasses.common]
   #
 !if $(SECURE_BOOT_ENABLE) == TRUE
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
-  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
   TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
   AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
   BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
-- 
2.9.3

[PATCH 4/5] Nt32Pkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE

[Laszlo Ersek]

Ease security analsysis by excluding libssl functionality from the
OpensslLib instance we use with TLS_ENABLE=FALSE.

Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---

Notes:
    I can't build-test this.

 Nt32Pkg/Nt32Pkg.dsc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Nt32Pkg/Nt32Pkg.dsc b/Nt32Pkg/Nt32Pkg.dsc
index 47e37ecae134..c84bd71be408 100644
--- a/Nt32Pkg/Nt32Pkg.dsc
+++ b/Nt32Pkg/Nt32Pkg.dsc
@@ -159,7 +159,11 @@ [LibraryClasses]
   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf
   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+!if $(TLS_ENABLE) == TRUE
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+!else
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
+!endif
   
 !if $(SECURE_BOOT_ENABLE) == TRUE
   PlatformSecureLib|Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.inf
-- 
2.9.3

[PATCH 5/5] OvmfPkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE

[Laszlo Ersek]

The OpensslLibNoSsl library instance (which does not contain libssl
functions) is sufficient for the Secure Boot feature.

Ease security analsysis by excluding libssl functionality from the
OpensslLib instance we use with TLS_ENABLE=FALSE.

Cc: Gary Lin <glin@suse.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Tomas Hoger <thoger@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
 OvmfPkg/OvmfPkgIa32.dsc    | 4 ++++
 OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++++
 OvmfPkg/OvmfPkgX64.dsc     | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 993547d4859e..44c74c2674e3 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -143,7 +143,11 @@ [LibraryClasses]
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
 
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+!if $(TLS_ENABLE) == TRUE
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+!else
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
+!endif
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index f36604ecb4d8..41ae1d88495b 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -148,7 +148,11 @@ [LibraryClasses]
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
 
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+!if $(TLS_ENABLE) == TRUE
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+!else
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
+!endif
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index c5bf1a672b1e..fa4fdc81b44f 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -148,7 +148,11 @@ [LibraryClasses]
   DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
 
   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
+!if $(TLS_ENABLE) == TRUE
   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
+!else
+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
+!endif
 
 !if $(SECURE_BOOT_ENABLE) == TRUE
   PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
-- 
2.9.3

Re: [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib

[Laszlo Ersek]

On 02/23/17 22:57, Laszlo Ersek wrote:
> In commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib
> directly", 2016-12-14), we enabled libssl functionality in
> CryptoPkg/OpensslLib unconditionally.
> 
> While that's real convenient, it is also overkill for platforms (or
> platform builds) that don't want TLS. The impact (beyond wasted build
> time) is that when the next vulnerability comes out that affects the
> libssl subset of OpenSSL, security teams all around will look at build
> logs and INF files, see the libssl files being built, and get nervous --
> without a good reason for such builds that don't actually *use* TLS.
> 
> Let's make this easier on them (and thereby on ourselves!), and
> introduce an OpensslLibNoSsl instance, which excludes libssl.

Public repo and branch:
https://github.com/lersek/edk2.git conditionalize-ssl

Re: [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib

[Ard Biesheuvel]

On 23 February 2017 at 21:57, Laszlo Ersek <lersek@redhat.com> wrote:
> In commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib
> directly", 2016-12-14), we enabled libssl functionality in
> CryptoPkg/OpensslLib unconditionally.
>
> While that's real convenient, it is also overkill for platforms (or
> platform builds) that don't want TLS. The impact (beyond wasted build
> time) is that when the next vulnerability comes out that affects the
> libssl subset of OpenSSL, security teams all around will look at build
> logs and INF files, see the libssl files being built, and get nervous --
> without a good reason for such builds that don't actually *use* TLS.
>
> Let's make this easier on them (and thereby on ourselves!), and
> introduce an OpensslLibNoSsl instance, which excludes libssl.
>

I think it would be nicer to align with OpenSSL more closely, and
split the functionality into a libcrypto and a libssl library, and
include the latter only if TLS functionality is needed. However, I am
not volunteering to do the work, and this approach comes down to the
same thing, given that libssl depends on libcrypto, and so libcrypto
and libcrypto+libssl are the only combinations that make any sense.

> The edk2 integration script "process_files.sh" is updated to process
> both INF files in the same invocation.
>
> If noone disagrees with the concept, I'd appreciate if we could review &
> merge this series real fast. (Sorry about that, but a downstream
> deadline looms close, and I consider this sort of a blocker for the next
> rebase.)
>
> I updated the following platform packages:
> - ArmVirtPkg, because I know it never uses TLS (or HTTP boot for that
>   matter),
> - Nt32Pkg, because it exposes the TLS_ENABLE build flag,
> - OvmfPkg, because it exposes the TLS_ENABLE build flag.
>
> I didn't touch other packages because they don't expose TLS_ENABLE, and
> I don't have time to figure out if they want TLS built-in.
>
> I tested the new OpensslLibNoSsl instance with Secure Boot under OVMF.
>
> The series was formatted with "--find-copies-harder", which makes a real
> difference for patch #2.
>
> Tomas: if you would like to comment on this series, please subscribe to
> the edk2-devel list at
> <https://lists.01.org/mailman/listinfo/edk2-devel>, and also wait for
> your subscription request to complete, *before* responding.
>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Gary Lin <glin@suse.com>
> Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Qin Long <qin.long@intel.com>
> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
> Cc: Ting Ye <ting.ye@intel.com>
> Cc: Tomas Hoger <thoger@redhat.com>
>
> Thanks!
> Laszlo
>
> Laszlo Ersek (5):
>   CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after
>     32387e00
>   CryptoPkg/OpensslLib: introduce OpensslLibNoSsl instance
>   ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl
>   Nt32Pkg: exclude libssl functionality from OpensslLib if
>     TLS_ENABLE=FALSE
>   OvmfPkg: exclude libssl functionality from OpensslLib if
>     TLS_ENABLE=FALSE
>
>  ArmVirtPkg/ArmVirt.dsc.inc                                           |  2 +-
>  Nt32Pkg/Nt32Pkg.dsc                                                  |  4 ++
>  OvmfPkg/OvmfPkgIa32.dsc                                              |  4 ++
>  OvmfPkg/OvmfPkgIa32X64.dsc                                           |  4 ++
>  OvmfPkg/OvmfPkgX64.dsc                                               |  4 ++
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf                          |  1 +
>  CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf} | 55 ++------------------
>  CryptoPkg/Library/OpensslLib/opensslconf.h                           |  6 ---
>  CryptoPkg/Library/OpensslLib/{OpensslLib.uni => OpensslLibNoSsl.uni} |  8 +--
>  CryptoPkg/Library/OpensslLib/process_files.sh                        | 27 +++++++---
>  10 files changed, 46 insertions(+), 69 deletions(-)
>  copy CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf} (90%)
>  copy CryptoPkg/Library/OpensslLib/{OpensslLib.uni => OpensslLibNoSsl.uni} (71%)
>
> --
> 2.9.3
>

Re: [PATCH 3/5] ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl

[Ard Biesheuvel]

On 23 February 2017 at 21:57, Laszlo Ersek <lersek@redhat.com> wrote:
> The OpensslLibNoSsl library instance (which does not contain libssl
> functions) is sufficient for the Secure Boot feature. It would not be
> sufficient for HTTPS booting (which requires TLS), but in ArmVirtPkg, we
> don't even enable plaintext HTTP booting for the time being.
>
> Ease security analsysis by excluding libssl functionality from the
> OpensslLib instance we use.
>
> Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Cc: Tomas Hoger <thoger@redhat.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

> ---
>  ArmVirtPkg/ArmVirt.dsc.inc | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
> index 43699cb9bdd6..407b9b66dfe6 100644
> --- a/ArmVirtPkg/ArmVirt.dsc.inc
> +++ b/ArmVirtPkg/ArmVirt.dsc.inc
> @@ -136,7 +136,7 @@ [LibraryClasses.common]
>    #
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> -  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
>    TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> --
> 2.9.3
>
>

Re: [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib

[Long, Qin]

> -----Original Message-----
> From: Ard Biesheuvel [mailto:ard.biesheuvel@linaro.org]
> Sent: Friday, February 24, 2017 6:25 AM
> To: Laszlo Ersek
> Cc: edk2-devel-01; Gary Lin; Wu, Jiaxin; Justen, Jordan L; Long, Qin; Ni, Ruiyu;
> Ye, Ting; Tomas Hoger
> Subject: Re: [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg:
> conditionalize libssl presence in OpensslLib
> 
> On 23 February 2017 at 21:57, Laszlo Ersek <lersek@redhat.com> wrote:
> > In commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib
> > directly", 2016-12-14), we enabled libssl functionality in
> > CryptoPkg/OpensslLib unconditionally.
> >
> > While that's real convenient, it is also overkill for platforms (or
> > platform builds) that don't want TLS. The impact (beyond wasted build
> > time) is that when the next vulnerability comes out that affects the
> > libssl subset of OpenSSL, security teams all around will look at build
> > logs and INF files, see the libssl files being built, and get nervous
> > -- without a good reason for such builds that don't actually *use* TLS.
> >
> > Let's make this easier on them (and thereby on ourselves!), and
> > introduce an OpensslLibNoSsl instance, which excludes libssl.
> >
> 
> I think it would be nicer to align with OpenSSL more closely, and split the
> functionality into a libcrypto and a libssl library, and include the latter only if
> TLS functionality is needed. However, I am not volunteering to do the work,
> and this approach comes down to the same thing, given that libssl depends
> on libcrypto, and so libcrypto and libcrypto+libssl are the only combinations
> that make any sense.

I agree.
In fact, we used the two separated library (crypto & ssl) aligned with OpenSSL before,
And received some comments to combine them together. :-)
Two libraries (libcryto and the combination of libcrypto and libssl) are good to me. But
I prefer to use the OpensslLibCrypto as the name, then we can have:
	OpensslLibCrypto     (libcrypto)
	OpensslLib	        (libcrypto + libssl)

OpensslLib may have more dependencies / usages in different module, we may need extra
Patches to update them.

LONG, Qin

> 
> > The edk2 integration script "process_files.sh" is updated to process
> > both INF files in the same invocation.
> >
> > If noone disagrees with the concept, I'd appreciate if we could review
> > & merge this series real fast. (Sorry about that, but a downstream
> > deadline looms close, and I consider this sort of a blocker for the
> > next
> > rebase.)
> >
> > I updated the following platform packages:
> > - ArmVirtPkg, because I know it never uses TLS (or HTTP boot for that
> >   matter),
> > - Nt32Pkg, because it exposes the TLS_ENABLE build flag,
> > - OvmfPkg, because it exposes the TLS_ENABLE build flag.
> >
> > I didn't touch other packages because they don't expose TLS_ENABLE,
> > and I don't have time to figure out if they want TLS built-in.
> >
> > I tested the new OpensslLibNoSsl instance with Secure Boot under OVMF.
> >
> > The series was formatted with "--find-copies-harder", which makes a
> > real difference for patch #2.
> >
> > Tomas: if you would like to comment on this series, please subscribe
> > to the edk2-devel list at
> > <https://lists.01.org/mailman/listinfo/edk2-devel>, and also wait for
> > your subscription request to complete, *before* responding.
> >
> > Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> > Cc: Gary Lin <glin@suse.com>
> > Cc: Jiaxin Wu <jiaxin.wu@intel.com>
> > Cc: Jordan Justen <jordan.l.justen@intel.com>
> > Cc: Qin Long <qin.long@intel.com>
> > Cc: Ruiyu Ni <ruiyu.ni@intel.com>
> > Cc: Ting Ye <ting.ye@intel.com>
> > Cc: Tomas Hoger <thoger@redhat.com>
> >
> > Thanks!
> > Laszlo
> >
> > Laszlo Ersek (5):
> >   CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after
> >     32387e00
> >   CryptoPkg/OpensslLib: introduce OpensslLibNoSsl instance
> >   ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl
> >   Nt32Pkg: exclude libssl functionality from OpensslLib if
> >     TLS_ENABLE=FALSE
> >   OvmfPkg: exclude libssl functionality from OpensslLib if
> >     TLS_ENABLE=FALSE
> >
> >  ArmVirtPkg/ArmVirt.dsc.inc                                           |  2 +-
> >  Nt32Pkg/Nt32Pkg.dsc                                                  |  4 ++
> >  OvmfPkg/OvmfPkgIa32.dsc                                              |  4 ++
> >  OvmfPkg/OvmfPkgIa32X64.dsc                                           |  4 ++
> >  OvmfPkg/OvmfPkgX64.dsc                                               |  4 ++
> >  CryptoPkg/Library/OpensslLib/OpensslLib.inf                          |  1 +
> >  CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf} | 55
> ++------------------
> >  CryptoPkg/Library/OpensslLib/opensslconf.h                           |  6 ---
> >  CryptoPkg/Library/OpensslLib/{OpensslLib.uni => OpensslLibNoSsl.uni} |  8
> +--
> >  CryptoPkg/Library/OpensslLib/process_files.sh                        | 27 +++++++---
> >  10 files changed, 46 insertions(+), 69 deletions(-)  copy
> > CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibNoSsl.inf}
> > (90%)  copy CryptoPkg/Library/OpensslLib/{OpensslLib.uni =>
> > OpensslLibNoSsl.uni} (71%)
> >
> > --
> > 2.9.3
> >

Re: [PATCH 4/5] Nt32Pkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE

[Ni, Ruiyu]

Jiaxin,
can you review this patch?

Regards,
Ray

>-----Original Message-----
>From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo Ersek
>Sent: Friday, February 24, 2017 5:58 AM
>To: edk2-devel-01 <edk2-devel@ml01.01.org>
>Cc: Ni, Ruiyu <ruiyu.ni@intel.com>; Tomas Hoger <thoger@redhat.com>
>Subject: [edk2] [PATCH 4/5] Nt32Pkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE
>
>Ease security analsysis by excluding libssl functionality from the
>OpensslLib instance we use with TLS_ENABLE=FALSE.
>
>Cc: Ruiyu Ni <ruiyu.ni@intel.com>
>Cc: Tomas Hoger <thoger@redhat.com>
>Contributed-under: TianoCore Contribution Agreement 1.0
>Signed-off-by: Laszlo Ersek <lersek@redhat.com>
>---
>
>Notes:
>    I can't build-test this.
>
> Nt32Pkg/Nt32Pkg.dsc | 4 ++++
> 1 file changed, 4 insertions(+)
>
>diff --git a/Nt32Pkg/Nt32Pkg.dsc b/Nt32Pkg/Nt32Pkg.dsc
>index 47e37ecae134..c84bd71be408 100644
>--- a/Nt32Pkg/Nt32Pkg.dsc
>+++ b/Nt32Pkg/Nt32Pkg.dsc
>@@ -159,7 +159,11 @@ [LibraryClasses]
>   CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibNull/CpuExceptionHandlerLibNull.inf
>   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
>   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
>+!if $(TLS_ENABLE) == TRUE
>   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
>+!else
>+  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
>+!endif
>
> !if $(SECURE_BOOT_ENABLE) == TRUE
>   PlatformSecureLib|Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>--
>2.9.3
>
>
>_______________________________________________
>edk2-devel mailing list
>edk2-devel@lists.01.org
>https://lists.01.org/mailman/listinfo/edk2-devel

Re: [PATCH 5/5] OvmfPkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE

[Gary Lin]

On Thu, Feb 23, 2017 at 10:57:44PM +0100, Laszlo Ersek wrote:
> The OpensslLibNoSsl library instance (which does not contain libssl
> functions) is sufficient for the Secure Boot feature.
> 
> Ease security analsysis by excluding libssl functionality from the
> OpensslLib instance we use with TLS_ENABLE=FALSE.
> 
> Cc: Gary Lin <glin@suse.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Tomas Hoger <thoger@redhat.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Laszlo Ersek <lersek@redhat.com>

Look good to me.

Reviewed-by: Gary Lin <glin@suse.com>
> ---
>  OvmfPkg/OvmfPkgIa32.dsc    | 4 ++++
>  OvmfPkg/OvmfPkgIa32X64.dsc | 4 ++++
>  OvmfPkg/OvmfPkgX64.dsc     | 4 ++++
>  3 files changed, 12 insertions(+)
> 
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index 993547d4859e..44c74c2674e3 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -143,7 +143,11 @@ [LibraryClasses]
>    DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
>  
>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> +!if $(TLS_ENABLE) == TRUE
>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +!else
> +  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
> +!endif
>  
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>    PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index f36604ecb4d8..41ae1d88495b 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -148,7 +148,11 @@ [LibraryClasses]
>    DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
>  
>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> +!if $(TLS_ENABLE) == TRUE
>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +!else
> +  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
> +!endif
>  
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>    PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index c5bf1a672b1e..fa4fdc81b44f 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -148,7 +148,11 @@ [LibraryClasses]
>    DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseDebugPrintErrorLevelLib.inf
>  
>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
> +!if $(TLS_ENABLE) == TRUE
>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +!else
> +  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
> +!endif
>  
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>    PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
> -- 
> 2.9.3
> 
> 

Re: [PATCH 4/5] Nt32Pkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE

[Laszlo Ersek]

On 02/24/17 06:18, Wu, Jiaxin wrote:
> Okay, I can review the patch.
> 
> Laszlo,
> 
> Would you like to change the module name (OpensslLibNoSsl or OpensslLibCrypto)?

Sure, I'll submit an update ASAP.

Thanks
Laszlo

> 
> Best Regards,
> Jiaxin 
> 
>> -----Original Message-----
>> From: Ni, Ruiyu
>> Sent: Friday, February 24, 2017 12:09 PM
>> To: Laszlo Ersek <lersek@redhat.com>; edk2-devel-01 <edk2-
>> devel@ml01.01.org>; Wu, Jiaxin <jiaxin.wu@intel.com>
>> Cc: Tomas Hoger <thoger@redhat.com>
>> Subject: RE: [edk2] [PATCH 4/5] Nt32Pkg: exclude libssl functionality from
>> OpensslLib if TLS_ENABLE=FALSE
>>
>> Jiaxin,
>> can you review this patch?
>>
>> Regards,
>> Ray
>>
>>> -----Original Message-----
>>> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
>> Laszlo Ersek
>>> Sent: Friday, February 24, 2017 5:58 AM
>>> To: edk2-devel-01 <edk2-devel@ml01.01.org>
>>> Cc: Ni, Ruiyu <ruiyu.ni@intel.com>; Tomas Hoger <thoger@redhat.com>
>>> Subject: [edk2] [PATCH 4/5] Nt32Pkg: exclude libssl functionality from
>> OpensslLib if TLS_ENABLE=FALSE
>>>
>>> Ease security analsysis by excluding libssl functionality from the
>>> OpensslLib instance we use with TLS_ENABLE=FALSE.
>>>
>>> Cc: Ruiyu Ni <ruiyu.ni@intel.com>
>>> Cc: Tomas Hoger <thoger@redhat.com>
>>> Contributed-under: TianoCore Contribution Agreement 1.0
>>> Signed-off-by: Laszlo Ersek <lersek@redhat.com>
>>> ---
>>>
>>> Notes:
>>>    I can't build-test this.
>>>
>>> Nt32Pkg/Nt32Pkg.dsc | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/Nt32Pkg/Nt32Pkg.dsc b/Nt32Pkg/Nt32Pkg.dsc
>>> index 47e37ecae134..c84bd71be408 100644
>>> --- a/Nt32Pkg/Nt32Pkg.dsc
>>> +++ b/Nt32Pkg/Nt32Pkg.dsc
>>> @@ -159,7 +159,11 @@ [LibraryClasses]
>>>
>> CpuExceptionHandlerLib|MdeModulePkg/Library/CpuExceptionHandlerLibN
>> ull/CpuExceptionHandlerLibNull.inf
>>>   LockBoxLib|MdeModulePkg/Library/LockBoxNullLib/LockBoxNullLib.inf
>>>   IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
>>> +!if $(TLS_ENABLE) == TRUE
>>>   OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
>>> +!else
>>> +  OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLibNoSsl.inf
>>> +!endif
>>>
>>> !if $(SECURE_BOOT_ENABLE) == TRUE
>>>
>> PlatformSecureLib|Nt32Pkg/Library/PlatformSecureLib/PlatformSecureLib.in
>> f
>>> --
>>> 2.9.3
>>>
>>>
>>> _______________________________________________
>>> edk2-devel mailing list
>>> edk2-devel@lists.01.org
>>> https://lists.01.org/mailman/listinfo/edk2-devel