From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 89E1481D79 for ; Mon, 16 Jan 2017 17:08:51 -0800 (PST) Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga102.fm.intel.com with ESMTP; 16 Jan 2017 17:08:51 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.33,242,1477983600"; d="scan'208";a="53759225" Received: from fmsmsx104.amr.corp.intel.com ([10.18.124.202]) by orsmga005.jf.intel.com with ESMTP; 16 Jan 2017 17:08:51 -0800 Received: from fmsmsx111.amr.corp.intel.com (10.18.116.5) by fmsmsx104.amr.corp.intel.com (10.18.124.202) with Microsoft SMTP Server (TLS) id 14.3.248.2; Mon, 16 Jan 2017 17:08:51 -0800 Received: from shsmsx101.ccr.corp.intel.com (10.239.4.153) by fmsmsx111.amr.corp.intel.com (10.18.116.5) with Microsoft SMTP Server (TLS) id 14.3.248.2; Mon, 16 Jan 2017 17:08:50 -0800 Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.20]) by SHSMSX101.ccr.corp.intel.com ([169.254.1.177]) with mapi id 14.03.0248.002; Tue, 17 Jan 2017 09:08:48 +0800 From: "Wu, Jiaxin" To: Laszlo Ersek , "edk2-devel@ml01.01.org" CC: "Justen, Jordan L" , Gary Lin , "Long, Qin" , "Kinney, Michael D" Thread-Topic: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg libraries Thread-Index: AQHSb/M2yFe94f4290iraoyt2mHwgKE7CYkAgADR4oA= Date: Tue, 17 Jan 2017 01:08:47 +0000 Message-ID: <895558F6EA4E3B41AC93A00D163B727416294199@SHSMSX103.ccr.corp.intel.com> References: <1484569332-13440-1-git-send-email-jiaxin.wu@intel.com> <9d5d1d2a-01af-bdcc-65ca-338ae1142631@redhat.com> In-Reply-To: <9d5d1d2a-01af-bdcc-65ca-338ae1142631@redhat.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiN2IwNjY4NTctNGU0Yy00OWI5LTlmMjktODg2ZDMyNjMxZjA2IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX0lDIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE1LjkuNi42IiwiVHJ1c3RlZExhYmVsSGFzaCI6InhNeFRKbXgzXC90UHlaSFR6U3E0dDhVNlVFODNKUXQ2dzdZTFY5bHVQT1Q4PSJ9 x-ctpclassification: CTP_IC x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg libraries X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jan 2017 01:08:51 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Laszlo, I don't think this patch makes OpenSSL must requirement for building OVMF b= y default.=20 As I note in the commit log that "no build performance impacts" if OpenSSL = related library is not consumed by any other modules. That also means "Incl= uding OpenSSL libraries unconditionally won't break OVMF build by default s= ince all dependent modules are controlled by the defined flag with the fals= e value." Secure Boot feature is controlled by: * DEFINE SECURE_BOOT_ENABLE =3D FALSE ISCSIv6 requires OpenSSL, which is controlled by: =20 * DEFINE NETWORK_IP6_ENABLE =3D FALSE IPsec is a mandatory part of IPv6, but is not an integral part of IPv4, the= n it should be controlled by: * DEFINE NETWORK_IP6_ENABLE =3D FALSE (For IPsec, I just notice it's not included in OVMF platform if IPV6 enable= d, we should fix it.) HTTPS/TLS will also be controlled by: * DEFINE TLS_ENABLE =3D FALSE Namely: OpenSSL is required to follow Patch-HOWTO *only when needed*. Of course, as you propose, we can also add OPENSSL_ENABLE flag to control a= ll the OpenSSL libraries. But as I mentioned above, do you think it's neces= sary? I don't have strong opinion for OPENSSL_ENABLE flag, but makes the lo= gic more complexity as you list below. Thanks, Jiaxin > -----Original Message----- > From: Laszlo Ersek [mailto:lersek@redhat.com] > Sent: Tuesday, January 17, 2017 4:33 AM > To: Wu, Jiaxin ; edk2-devel@ml01.01.org > Cc: Justen, Jordan L ; Gary Lin ; > Long, Qin ; Kinney, Michael D > > Subject: Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPk= g > libraries >=20 > On 01/16/17 13:22, Jiaxin Wu wrote: > > v2: > > * Remove the flag for NetworkPkg/IScsiDxe > > > > This patch is to remove the 'SECURE_BOOT_ENABLE' flag control for > > the CryptoPkg librarie. > > > > Not only the secure boot feature requires the CryptoPkg libraries > > (e.g, OpensslLib, BaseCryptLib), but also ISCSI, IpSec and HTTPS/TLS > > features. Those modules can be always included since no build performan= ce > > impacts if they are not consumed. > > > > Cc: Laszlo Ersek > > Cc: Justen Jordan L > > Cc: Gary Lin > > Cc: Long Qin > > Contributed-under: TianoCore Contribution Agreement 1.0 > > Signed-off-by: Wu Jiaxin > > --- > > OvmfPkg/OvmfPkgIa32.dsc | 17 ++++++----------- > > OvmfPkg/OvmfPkgIa32X64.dsc | 17 ++++++----------- > > OvmfPkg/OvmfPkgX64.dsc | 17 ++++++----------- > > 3 files changed, 18 insertions(+), 33 deletions(-) >=20 > I disagree with this patch (assuming at least that I understand it > correctly). >=20 > Namely, > - unconditionally resolving OpensslLib in the DSC files, and > - unconditionally consuming OpensslLib in modules that are > unconditionally included in the DSC files, >=20 > makes OpenSSL a hard requirement for building OVMF. >=20 > Given that OpenSSL is not distributed as part of the edk2 tree, and > given that it's not even pulled in through an unmodified git submodule, > this patch would prevent people, IIUC, from building OVMF without > jumping through the hoops described in >=20 > CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt >=20 > That's a bad thing, forcing people to download and patch OpenSSL even if > they don't care about any of the dependent features. (It is perfectly > possible to be uninterested in *all* of: Secure Boot, IpSec, HTTPS boot, > and iSCSI, in a virtual machine.) >=20 > If OpenSSL were distributed as part of edk2, or if OpenSSL were > presented as a plain (unmodified) git submodule in edk2, then I might agr= ee. >=20 > For now, perhaps we can introduce an OPENSSL_ENABLE build option. >=20 > - Features that require OpenSSL no matter what, such as > SECURE_BOOT_ENABLE, should auto-define OPENSSL_ENABLE. >=20 > (I don't remember if the [Defines] section of the DSC file can set > macros conditionally, dependent on other macros, but I hope so.) >=20 > - Features that can utilize (but don't require) OpenSSL, such as > NETWORK_IP6_ENABLE and HTTP_BOOT_ENABLE, should provide conditional > DSC stanzas for both $(OPENSSL_ENABLE) =3D=3D TRUE and =3D=3D FALSE. >=20 > - The libraries and drivers that provide the crypto stuff (directly on > top of OpenSSL) should depend on OPENSSL_ENABLE. >=20 > In fact, looking at Gary's patch "OvmfPkg: Enable HTTPS for Ovmf" with > TLS_ENABLE, it seems like we need another layer. HTTP_BOOT_ENABLE should > not be customized for OPENSSL_ENABLE, but for TLS_ENABLE. >=20 > In summary: > - SECURE_BOOT_ENABLE should auto-select OPENSSL_ENABLE. > - TLS_ENABLE should auto-select OPENSSL_ENABLE. > - NETWORK_IP6_ENABLE should be customized based on OPENSSL_ENABLE > (for the ISCSI driver). > - HTTP_BOOT_ENABLE should be customized based on TLS_ENABLE. > - OPENSSL_ENABLE should control the CryptoPkg modules that directly > wrap the OpenSSL functionality, for edk2. >=20 > As a result, the following build option combinations would be valid > (listing some examples): >=20 > * -D SECURE_BOOT_ENABLE >=20 > It would set OPENSSL_ENABLE. If OpenSSL is available, it would build > fine, otherwise it would break, as it should. >=20 > * -D NETWORK_IP6_ENABLE >=20 > You get the IPv6 stack, but no secure ISCSI. >=20 > * -D NETWORK_IP6_ENABLE -D OPENSSL_ENABLE >=20 > You get the IPv6 stack, with secure ISCSI. If OpenSSL is not > available, the build breaks, as it should. >=20 > * -D HTTP_BOOT_ENABLE >=20 > You get HTTP boot, but not HTTPS boot. >=20 > * -D HTTP_BOOT_ENABLE -D OPENSSL_ENABLE <----- note that this is useless >=20 > Same, no change. >=20 > * -D TLS_ENABLE >=20 > Selects OPENSSL_ENABLE automatically. If OpenSSL is not available, > the build breaks. Otherwise, the TLS drivers are included in the fw > binary. They might not be used by any edk2 module, but some 3rd party > UEFI application (launched from the shell, eg.) could. >=20 > * -D HTTP_BOOT_ENABLE -D TLS_ENABLE >=20 > HTTP and HTTPS boot becomes available. If OpenSSL is absent from the > tree, the build breaks. >=20 > * -D SECURE_BOOT_ENABLE -D HTTP_BOOT_ENABLE -D > NETWORK_IP6_ENABLE >=20 > You get Secure Boot, and secure ISCSI with IPv6, but not HTTPS > boot. >=20 > * -D SECURE_BOOT_ENABLE -D HTTP_BOOT_ENABLE -D TLS_ENABLE \ > -D NETWORK_IP6_ENABLE >=20 > You get everything. >=20 > My point is, if we touch these build flags, then we should go the whole > way, and express their inter-dependencies precisely. >=20 > Thanks! > Laszlo >=20 > > diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > > index e97f7f0..6e53d9f 100644 > > --- a/OvmfPkg/OvmfPkgIa32.dsc > > +++ b/OvmfPkg/OvmfPkgIa32.dsc > > @@ -1,9 +1,9 @@ > > ## @file > > # EFI/Framework Open Virtual Machine Firmware (OVMF) platform > > # > > -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<= BR> > > +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<= BR> > > # (C) Copyright 2016 Hewlett Packard Enterprise Development LP
> > # > > # This program and the accompanying materials > > # are licensed and made available under the terms and conditions of t= he > BSD License > > # which accompanies this distribution. The full text of the license m= ay be > found at > > @@ -139,14 +139,15 @@ > > > > ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf > > > LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf > > > DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD > ebugPrintErrorLevelLib.inf > > > > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > - > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > > IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > > OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > > + > > +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > + > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > > > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM > easurementLib.inf > > AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.= inf > > !if $(NETWORK_IP6_ENABLE) =3D=3D TRUE > > TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf > > !endif > > @@ -164,13 +165,11 @@ > > SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf > > > OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib > /BaseOrderedCollectionRedBlackTreeLib.inf > > XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf > > > > [LibraryClasses.common] > > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > > -!endif > > > > [LibraryClasses.common.SEC] > > TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf > > QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf > > !ifdef $(DEBUG_ON_SERIAL_PORT) > > @@ -256,13 +255,13 @@ > > > DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf > > !else > > > DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i > nf > > !endif > > UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf > > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > + > > BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > > -!endif > > + > > PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf > > > > [LibraryClasses.common.UEFI_DRIVER] > > PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf > > TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf > > @@ -698,16 +697,12 @@ > > NetworkPkg/TcpDxe/TcpDxe.inf > > NetworkPkg/Udp6Dxe/Udp6Dxe.inf > > NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf > > NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf > > NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf > > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > NetworkPkg/IScsiDxe/IScsiDxe.inf > > !else > > - MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > > -!endif > > -!else > > MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf > > MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf > > MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > > !endif > > !if $(HTTP_BOOT_ENABLE) =3D=3D TRUE > > diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc > > index 8e3e04c..15db2d5 100644 > > --- a/OvmfPkg/OvmfPkgIa32X64.dsc > > +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > > @@ -1,9 +1,9 @@ > > ## @file > > # EFI/Framework Open Virtual Machine Firmware (OVMF) platform > > # > > -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<= BR> > > +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<= BR> > > # (C) Copyright 2016 Hewlett Packard Enterprise Development LP
> > # > > # This program and the accompanying materials > > # are licensed and made available under the terms and conditions of t= he > BSD License > > # which accompanies this distribution. The full text of the license m= ay be > found at > > @@ -144,14 +144,15 @@ > > > > ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf > > > LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf > > > DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD > ebugPrintErrorLevelLib.inf > > > > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > - > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > > IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > > OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > > + > > +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > + > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > > > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM > easurementLib.inf > > AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.= inf > > !if $(NETWORK_IP6_ENABLE) =3D=3D TRUE > > TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf > > !endif > > @@ -169,13 +170,11 @@ > > SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf > > > OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib > /BaseOrderedCollectionRedBlackTreeLib.inf > > XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf > > > > [LibraryClasses.common] > > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > > -!endif > > > > [LibraryClasses.common.SEC] > > TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf > > QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf > > !ifdef $(DEBUG_ON_SERIAL_PORT) > > @@ -261,13 +260,13 @@ > > > DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf > > !else > > > DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i > nf > > !endif > > UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf > > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > + > > BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > > -!endif > > + > > PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf > > > > [LibraryClasses.common.UEFI_DRIVER] > > PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf > > TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf > > @@ -707,16 +706,12 @@ > > NetworkPkg/TcpDxe/TcpDxe.inf > > NetworkPkg/Udp6Dxe/Udp6Dxe.inf > > NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf > > NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf > > NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf > > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > NetworkPkg/IScsiDxe/IScsiDxe.inf > > !else > > - MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > > -!endif > > -!else > > MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf > > MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf > > MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > > !endif > > !if $(HTTP_BOOT_ENABLE) =3D=3D TRUE > > diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > > index 6ec3fe0..9c6bdc2 100644 > > --- a/OvmfPkg/OvmfPkgX64.dsc > > +++ b/OvmfPkg/OvmfPkgX64.dsc > > @@ -1,9 +1,9 @@ > > ## @file > > # EFI/Framework Open Virtual Machine Firmware (OVMF) platform > > # > > -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<= BR> > > +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<= BR> > > # (C) Copyright 2016 Hewlett Packard Enterprise Development LP
> > # > > # This program and the accompanying materials > > # are licensed and made available under the terms and conditions of t= he > BSD License > > # which accompanies this distribution. The full text of the license m= ay be > found at > > @@ -144,14 +144,15 @@ > > > > ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf > > > LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf > > > DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD > ebugPrintErrorLevelLib.inf > > > > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > - > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > > IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > > OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > > + > > +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > + > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > > > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM > easurementLib.inf > > AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.= inf > > !if $(NETWORK_IP6_ENABLE) =3D=3D TRUE > > TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf > > !endif > > @@ -169,13 +170,11 @@ > > SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf > > > OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib > /BaseOrderedCollectionRedBlackTreeLib.inf > > XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf > > > > [LibraryClasses.common] > > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > > -!endif > > > > [LibraryClasses.common.SEC] > > TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf > > QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf > > !ifdef $(DEBUG_ON_SERIAL_PORT) > > @@ -261,13 +260,13 @@ > > > DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf > > !else > > > DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i > nf > > !endif > > UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf > > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > + > > BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > > -!endif > > + > > PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf > > > > [LibraryClasses.common.UEFI_DRIVER] > > PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf > > TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf > > @@ -705,16 +704,12 @@ > > NetworkPkg/TcpDxe/TcpDxe.inf > > NetworkPkg/Udp6Dxe/Udp6Dxe.inf > > NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf > > NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf > > NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf > > -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > > NetworkPkg/IScsiDxe/IScsiDxe.inf > > !else > > - MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > > -!endif > > -!else > > MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf > > MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf > > MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > > !endif > > !if $(HTTP_BOOT_ENABLE) =3D=3D TRUE > >