From: "Wu, Jiaxin"
To: Laszlo Ersek, "edk2-devel@ml01.01.org"
CC: "Kinney, Michael D", "Justen, Jordan L", Gary Lin, "Long, Qin"
Date: Tue, 17 Jan 2017 03:20:57 +0000
Message-ID: <895558F6EA4E3B41AC93A00D163B72741629434B@SHSMSX103.ccr.corp.intel.com>
Subject: Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg libraries

> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo
> Ersek
> Sent: Tuesday, January 17, 2017 11:15 AM
> To: Wu, Jiaxin; edk2-devel@ml01.01.org
> Cc: Kinney, Michael D; Justen, Jordan L; Gary Lin; Long, Qin
> Subject: Re: [edk2] [PATCH v2] OvmfPkg: Remove the flag control for the
> CryptoPkg libraries
>
> On 01/17/17 03:56, Wu, Jiaxin wrote:
> >> Subject: Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg
> >> libraries
> >>
> >> On 01/17/17 02:08, Wu, Jiaxin wrote:
> >>> Laszlo,
> >>>
> >>> I don't think this patch makes OpenSSL must requirement for building
> >>> OVMF by default.
> >>>
> >>> As I note in the commit log that "no build performance impacts" if
> >>> OpenSSL related library is not consumed by any other modules.
> >>
> >> I saw that comment, and I didn't understand it. What do you mean by
> >> "performance impact"? How quickly the tree builds? Or how quickly the
> >> resultant firmware boots? My concerns aren't related to performance, but
> >> whether OVMF builds at all, or not.
> >>
> >>> That
> >>> also means "Including OpenSSL libraries unconditionally won't break
> >>> OVMF build by default since all dependent modules are controlled by
> >>> the defined flag with the false value."
> >>
> >> So practically the suggestion is to provide unconditional library
> >> resolutions for the OpenSslLib, IntrinsicLib and BaseCryptLib classes,
> >> regardless of whether those classes are actually used by any module.
> >>
> >
> > Yes.
> > I thought "build performance" should include the build result and time
> > consumption during the OVMF build. Sorry for the misunderstanding due to the
> > ambiguity of "build performance impacts", and I agree to refine the commit log.
> >
> >> I see the point, but then the commit message should be improved. It
> >> should also explain that unused lib class resolutions that refer to
> >> nonexistent INF files (for example when OpenSSL is missing from the
> >> tree) do not cause build failures, unless the lib class is actually used.
> >>
> >> The commit message could be
> >>
> >>   OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib
> >>
> >
> > I don't have the strong opinion for the commit message change. That's also
> > fine to me since we can reach an agreement:).
> >
> >>>
> >>> Secure Boot feature is controlled by:
> >>> * DEFINE SECURE_BOOT_ENABLE = FALSE
> >>>
> >>> ISCSIv6 requires OpenSSL, which is controlled by:
> >>> * DEFINE NETWORK_IP6_ENABLE = FALSE
> >>
> >> That's not entirely right; currently you can build with -D
> >> NETWORK_IP6_ENABLE and without OpenSSL (i.e., without -D
> >> SECURE_BOOT_ENABLE, at the moment). It will use IScsiDxe from
> >> MdeModulePkg, rather than from NetworkPkg.
> >>
> >> Is your argument that such an IPv6 stack (that is, with IScsiDxe comes
> >> from MdeModulePkg) is incomplete in itself? In other words, that a
> >> complete IPv6 stack requires IScsiDxe from NetworkPkg, hence OpenSSL too?
> >
> > Yes, that's my point.
> >
> >>
> >> In that case, the relevant parts of the OVMF DSC / FDF files should be
> >> fixed in a separate patch, with a separate justification. Something like:
> >>
> >>   OvmfPkg: correct the set of modules included for the IPv6 stack
> >>
> >
> > Ok, that's fine the separate patch.
> >
> >>>
> >>> IPsec is a mandatory part of IPv6, but is not an integral part of IPv4, then it
> >>> should be controlled by:
> >>> * DEFINE NETWORK_IP6_ENABLE = FALSE
> >>> (For IPsec, I just notice it's not included in OVMF platform if IPV6 enabled, we
> >>> should fix it.)
> >>
> >> Yes, it could be part of the above-suggested IPv6-oriented patch.
> >>
> >>>
> >>> HTTPS/TLS will also be controlled by:
> >>> * DEFINE TLS_ENABLE = FALSE
> >>
> >> Makes sense.
> >>
> >> (And then HTTP_BOOT_ENABLE should pull in different modules dependent on
> >> TLS_ENABLE.)
> >
> > No, we can keep the current modules included in HTTP_BOOT_ENABLE, and
> > make the TLS_ENABLE independently since TLS feature should not be limit to
> > HTTP(S) feature.
> >
> > As I explained to Gary, TLS can be treated as independent module, which can
> > be leveraged by third part drivers/apps (e.g. EAP-TLS). No TLS means no HTTPS.
> >
> >>
> >>> Namely:
> >>> OpenSSL is required to follow Patch-HOWTO *only when needed*.
> >>>
> >>> Of course, as you propose, we can also add OPENSSL_ENABLE flag to
> >>> control all the OpenSSL libraries. But as I mentioned above, do you
> >>> think it's necessary? I don't have strong opinion for OPENSSL_ENABLE
> >>> flag, but makes the logic more complexity as you list below.
> >>
> >> No, with your explanation, it seems fine. I think in total we'll need
> >> four patches:
> >>
> >> * OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib
> >>
> >>   Does what it says; commit message suggestions above.
> >>
> >> * OvmfPkg: correct the set of modules included for the IPv6 stack
> >>
> >>   Fixes up IScsiDxe and IPSec, makes OpenSSL a hard requirement for
> >>   IPv6. (And documents the fact in the commit message.)
> >>
> >> * OvmfPkg: pull in TLS modules with -D TLS_ENABLE
> >>
> >>   Resolves the TLS-specific library classes, and pulls in TLS drivers
> >>   (that are independent of HTTPS).
> >>
> >> * OvmfPkg: enable HTTPS boot under (HTTP_BOOT_ENABLE + TLS_ENABLE)
> >>
> >>   Adds any TLS-specific customizations to existent HTTP_BOOT_ENABLE
> >>   parts.
> >>
> >> What do you guys think?
> >>
> >
> > We can combine the last two patches instead:
> >
> > * OvmfPkg: Enable HTTPS/TLS feature under (HTTP_BOOT_ENABLE +
> >   TLS_ENABLE)
>
> Hm, okay. So I guess the presence of TLS-related protocols (provided by
> the drivers pulled in due to -D TLS_ENABLE) automatically enables HTTPS
> when the firmware runs, in the drivers that are pulled in by -D
> HTTP_BOOT_ENABLE?
>
> In that case, I suggest the subject
>
>   OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS)
>
> and explain in the commit message that TLS_ENABLE and HTTP_BOOT_ENABLE
> remain independent, but their intersection at build time produces HTTPS
> capability dynamically, when the firmware runs. Is this correct?

Exactly.

Thanks,
Jiaxin

>
> Thanks!
> Laszlo
>
> >> I believe it would be preferable if one of you (Gary?) could submit the
> >> whole 4-part series, with the other one (Jiaxin?) helping out with the
> >> review. Would that work for you both?
> >>
> > I'm fine with the propose:).
> >
> > Thanks,
> > Jiaxin
> >
> >> Thanks!
> >> Laszlo
> >>
> >>>
> >>> Thanks,
> >>> Jiaxin
> >>>
> >>>> -----Original Message-----
> >>>> From: Laszlo Ersek [mailto:lersek@redhat.com]
> >>>> Sent: Tuesday, January 17, 2017 4:33 AM
> >>>> To: Wu, Jiaxin; edk2-devel@ml01.01.org
> >>>> Cc: Justen, Jordan L; Gary Lin; Long, Qin; Kinney, Michael D
> >>>> Subject: Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg
> >>>> libraries
> >>>>
> >>>> On 01/16/17 13:22, Jiaxin Wu wrote:
> >>>>> v2:
> >>>>> * Remove the flag for NetworkPkg/IScsiDxe
> >>>>>
> >>>>> This patch is to remove the 'SECURE_BOOT_ENABLE' flag control for
> >>>>> the CryptoPkg librarie.
> >>>>>
> >>>>> Not only the secure boot feature requires the CryptoPkg libraries
> >>>>> (e.g, OpensslLib, BaseCryptLib), but also ISCSI, IpSec and HTTPS/TLS
> >>>>> features. Those modules can be always included since no build performance
> >>>>> impacts if they are not consumed.
> >>>>>
> >>>>> Cc: Laszlo Ersek
> >>>>> Cc: Justen Jordan L
> >>>>> Cc: Gary Lin
> >>>>> Cc: Long Qin
> >>>>> Contributed-under: TianoCore Contribution Agreement 1.0
> >>>>> Signed-off-by: Wu Jiaxin
> >>>>> ---
> >>>>> OvmfPkg/OvmfPkgIa32.dsc | 17 ++++++-----------
> >>>>> OvmfPkg/OvmfPkgIa32X64.dsc | 17 ++++++-----------
> >>>>> OvmfPkg/OvmfPkgX64.dsc | 17 ++++++-----------
> >>>>> 3 files changed, 18 insertions(+), 33 deletions(-)
> >>>>
> >>>> I disagree with this patch (assuming at least that I understand it
> >>>> correctly).
> >>>>
> >>>> Namely,
> >>>> - unconditionally resolving OpensslLib in the DSC files, and
> >>>> - unconditionally consuming OpensslLib in modules that are
> >>>>   unconditionally included in the DSC files,
> >>>>
> >>>> makes OpenSSL a hard requirement for building OVMF.
> >>>>
> >>>> Given that OpenSSL is not distributed as part of the edk2 tree, and
> >>>> given that it's not even pulled in through an unmodified git submodule,
> >>>> this patch would prevent people, IIUC, from building OVMF without
> >>>> jumping through the hoops described in
> >>>>
> >>>>   CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
> >>>>
> >>>> That's a bad thing, forcing people to download and patch OpenSSL even if
> >>>> they don't care about any of the dependent features. (It is perfectly
> >>>> possible to be uninterested in *all* of: Secure Boot, IpSec, HTTPS boot,
> >>>> and iSCSI, in a virtual machine.)
> >>>>
> >>>> If OpenSSL were distributed as part of edk2, or if OpenSSL were
> >>>> presented as a plain (unmodified) git submodule in edk2, then I might agree.
> >>>>
> >>>> For now, perhaps we can introduce an OPENSSL_ENABLE build option.
> >>>>
> >>>> - Features that require OpenSSL no matter what, such as
> >>>>   SECURE_BOOT_ENABLE, should auto-define OPENSSL_ENABLE.
> >>>>
> >>>>   (I don't remember if the [Defines] section of the DSC file can set
> >>>>   macros conditionally, dependent on other macros, but I hope so.)
> >>>>
> >>>> - Features that can utilize (but don't require) OpenSSL, such as
> >>>>   NETWORK_IP6_ENABLE and HTTP_BOOT_ENABLE, should provide conditional
> >>>>   DSC stanzas for both $(OPENSSL_ENABLE) == TRUE and == FALSE.
> >>>>
> >>>> - The libraries and drivers that provide the crypto stuff (directly on
> >>>>   top of OpenSSL) should depend on OPENSSL_ENABLE.
> >>>>
> >>>> In fact, looking at Gary's patch "OvmfPkg: Enable HTTPS for Ovmf" with
> >>>> TLS_ENABLE, it seems like we need another layer. HTTP_BOOT_ENABLE should
> >>>> not be customized for OPENSSL_ENABLE, but for TLS_ENABLE.
> >>>>
> >>>> In summary:
> >>>> - SECURE_BOOT_ENABLE should auto-select OPENSSL_ENABLE.
> >>>> - TLS_ENABLE should auto-select OPENSSL_ENABLE.
> >>>> - NETWORK_IP6_ENABLE should be customized based on OPENSSL_ENABLE
> >>>>   (for the ISCSI driver).
> >>>> - HTTP_BOOT_ENABLE should be customized based on TLS_ENABLE.
> >>>> - OPENSSL_ENABLE should control the CryptoPkg modules that directly
> >>>>   wrap the OpenSSL functionality, for edk2.
> >>>>
> >>>> As a result, the following build option combinations would be valid
> >>>> (listing some examples):
> >>>>
> >>>> * -D SECURE_BOOT_ENABLE
> >>>>
> >>>>   It would set OPENSSL_ENABLE. If OpenSSL is available, it would build
> >>>>   fine, otherwise it would break, as it should.
> >>>>
> >>>> * -D NETWORK_IP6_ENABLE
> >>>>
> >>>>   You get the IPv6 stack, but no secure ISCSI.
> >>>>
> >>>> * -D NETWORK_IP6_ENABLE -D OPENSSL_ENABLE
> >>>>
> >>>>   You get the IPv6 stack, with secure ISCSI. If OpenSSL is not
> >>>>   available, the build breaks, as it should.
> >>>>
> >>>> * -D HTTP_BOOT_ENABLE
> >>>>
> >>>>   You get HTTP boot, but not HTTPS boot.
> >>>>
> >>>> * -D HTTP_BOOT_ENABLE -D OPENSSL_ENABLE <----- note that this is useless
> >>>>
> >>>>   Same, no change.
> >>>>
> >>>> * -D TLS_ENABLE
> >>>>
> >>>>   Selects OPENSSL_ENABLE automatically. If OpenSSL is not available,
> >>>>   the build breaks. Otherwise, the TLS drivers are included in the fw
> >>>>   binary. They might not be used by any edk2 module, but some 3rd party
> >>>>   UEFI application (launched from the shell, eg.) could.
> >>>>
> >>>> * -D HTTP_BOOT_ENABLE -D TLS_ENABLE
> >>>>
> >>>>   HTTP and HTTPS boot becomes available. If OpenSSL is absent from the
> >>>>   tree, the build breaks.
> >>>>
> >>>> * -D SECURE_BOOT_ENABLE -D HTTP_BOOT_ENABLE -D NETWORK_IP6_ENABLE
> >>>>
> >>>>   You get Secure Boot, and secure ISCSI with IPv6, but not HTTPS
> >>>>   boot.
> >>>>
> >>>> * -D SECURE_BOOT_ENABLE -D HTTP_BOOT_ENABLE -D TLS_ENABLE \
> >>>>   -D NETWORK_IP6_ENABLE
> >>>>
> >>>>   You get everything.
> >>>>
> >>>> My point is, if we touch these build flags, then we should go the whole
> >>>> way, and express their inter-dependencies precisely.
> >>>>
> >>>> Thanks!
> >>>> Laszlo
> >>>>
> >>>>> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc > >>>>> index e97f7f0..6e53d9f 100644 > >>>>> --- a/OvmfPkg/OvmfPkgIa32.dsc > >>>>> +++ b/OvmfPkg/OvmfPkgIa32.dsc > >>>>> @@ -1,9 +1,9 @@ > >>>>> ## @file > >>>>> # EFI/Framework Open Virtual Machine Firmware (OVMF) platform > >>>>> # > >>>>> -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserv= ed.
> >>>>> +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserv= ed.
> >>>>> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP > >>>>> # > >>>>> # This program and the accompanying materials > >>>>> # are licensed and made available under the terms and conditions = of > the > >>>> BSD License > >>>>> # which accompanies this distribution. The full text of the licen= se may > be > >>>> found at > >>>>> @@ -139,14 +139,15 @@ > >>>>> > >>>>> ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf > >>>>> > >>>> > >> > LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf > >>>>> > >>>> > >> > DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD > >>>> ebugPrintErrorLevelLib.inf > >>>>> > >>>>> -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >>>>> - > >>>> > >> > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > >>>>> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > >>>>> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > >>>>> + > >>>>> +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >>>>> + > >>>> > >> > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > >>>>> > >>>> > >> > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM > >>>> easurementLib.inf > >>>>> > AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > >>>>> !if $(NETWORK_IP6_ENABLE) =3D=3D TRUE > >>>>> TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf > >>>>> !endif 
> >>>>> @@ -164,13 +165,11 @@ > >>>>> SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf > >>>>> > >>>> > >> > OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib > >>>> /BaseOrderedCollectionRedBlackTreeLib.inf > >>>>> > XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf > >>>>> > >>>>> [LibraryClasses.common] > >>>>> -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >>>>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > >>>>> -!endif > >>>>> > >>>>> [LibraryClasses.common.SEC] > >>>>> TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf > >>>>> > QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf > >>>>> !ifdef $(DEBUG_ON_SERIAL_PORT) > >>>>> @@ -256,13 +255,13 @@ > >>>>> > >>>> > >> > DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf > >>>>> !else > >>>>> > >>>> > >> > DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i > >>>> nf > >>>>> !endif > >>>>> UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf > >>>>> -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >>>>> + > >>>>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > >>>>> -!endif > >>>>> + > >>>>> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf > >>>>> > >>>>> [LibraryClasses.common.UEFI_DRIVER] > >>>>> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf > >>>>> TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf 
> >>>>> @@ -698,16 +697,12 @@ > >>>>> NetworkPkg/TcpDxe/TcpDxe.inf > >>>>> NetworkPkg/Udp6Dxe/Udp6Dxe.inf > >>>>> NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf > >>>>> NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf > >>>>> NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf > >>>>> -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >>>>> NetworkPkg/IScsiDxe/IScsiDxe.inf > >>>>> !else > >>>>> - MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > >>>>> -!endif > >>>>> -!else > >>>>> MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf > >>>>> MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf > >>>>> MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > >>>>> !endif > >>>>> !if $(HTTP_BOOT_ENABLE) =3D=3D TRUE > >>>>> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc > b/OvmfPkg/OvmfPkgIa32X64.dsc > >>>>> index 8e3e04c..15db2d5 100644 > >>>>> --- a/OvmfPkg/OvmfPkgIa32X64.dsc > >>>>> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc > >>>>> @@ -1,9 +1,9 @@ > >>>>> ## @file > >>>>> # EFI/Framework Open Virtual Machine Firmware (OVMF) platform > >>>>> # > >>>>> -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserv= ed.
> >>>>> +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserv= ed.
> >>>>> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP > >>>>> # > >>>>> # This program and the accompanying materials > >>>>> # are licensed and made available under the terms and conditions = of > the > >>>> BSD License > >>>>> # which accompanies this distribution. The full text of the licen= se may > be > >>>> found at > >>>>> @@ -144,14 +144,15 @@ > >>>>> > >>>>> ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf > >>>>> > >>>> > >> > LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf > >>>>> > >>>> > >> > DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD > >>>> ebugPrintErrorLevelLib.inf > >>>>> > >>>>> -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >>>>> - > >>>> > >> > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > >>>>> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > >>>>> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > >>>>> + > >>>>> +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >>>>> + > >>>> > >> > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > >>>>> > >>>> > >> > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM > >>>> easurementLib.inf > >>>>> > AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > >>>>> !if $(NETWORK_IP6_ENABLE) =3D=3D TRUE > >>>>> TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf > >>>>> !endif 
> >>>>> @@ -169,13 +170,11 @@ > >>>>> SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf > >>>>> > >>>> > >> > OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib > >>>> /BaseOrderedCollectionRedBlackTreeLib.inf > >>>>> > XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf > >>>>> > >>>>> [LibraryClasses.common] > >>>>> -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >>>>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > >>>>> -!endif > >>>>> > >>>>> [LibraryClasses.common.SEC] > >>>>> TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf > >>>>> > QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf > >>>>> !ifdef $(DEBUG_ON_SERIAL_PORT) > >>>>> @@ -261,13 +260,13 @@ > >>>>> > >>>> > >> > DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf > >>>>> !else > >>>>> > >>>> > >> > DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i > >>>> nf > >>>>> !endif > >>>>> UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf > >>>>> -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >>>>> + > >>>>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > >>>>> -!endif > >>>>> + > >>>>> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf > >>>>> > >>>>> [LibraryClasses.common.UEFI_DRIVER] > >>>>> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf > >>>>> TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf 
> >>>>> @@ -707,16 +706,12 @@ > >>>>> NetworkPkg/TcpDxe/TcpDxe.inf > >>>>> NetworkPkg/Udp6Dxe/Udp6Dxe.inf > >>>>> NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf > >>>>> NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf > >>>>> NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf > >>>>> -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >>>>> NetworkPkg/IScsiDxe/IScsiDxe.inf > >>>>> !else > >>>>> - MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > >>>>> -!endif > >>>>> -!else > >>>>> MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf > >>>>> MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf > >>>>> MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > >>>>> !endif > >>>>> !if $(HTTP_BOOT_ENABLE) =3D=3D TRUE > >>>>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc > >>>>> index 6ec3fe0..9c6bdc2 100644 > >>>>> --- a/OvmfPkg/OvmfPkgX64.dsc > >>>>> +++ b/OvmfPkg/OvmfPkgX64.dsc > >>>>> @@ -1,9 +1,9 @@ > >>>>> ## @file > >>>>> # EFI/Framework Open Virtual Machine Firmware (OVMF) platform > >>>>> # > >>>>> -# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserv= ed.
> >>>>> +# Copyright (c) 2006 - 2017, Intel Corporation. All rights reserv= ed.
> >>>>> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP > >>>>> # > >>>>> # This program and the accompanying materials > >>>>> # are licensed and made available under the terms and conditions = of > the > >>>> BSD License > >>>>> # which accompanies this distribution. The full text of the licen= se may > be > >>>> found at > >>>>> @@ -144,14 +144,15 @@ > >>>>> > >>>>> ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf > >>>>> > >>>> > >> > LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf > >>>>> > >>>> > >> > DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD > >>>> ebugPrintErrorLevelLib.inf > >>>>> > >>>>> -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >>>>> - > >>>> > >> > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > >>>>> IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf > >>>>> OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf > >>>>> + > >>>>> +!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >>>>> + > >>>> > >> > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > >>>>> > >>>> > >> > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM > >>>> easurementLib.inf > >>>>> > AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > >>>>> !if $(NETWORK_IP6_ENABLE) =3D=3D TRUE > >>>>> TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf > >>>>> !endif 
> >>>>> @@ -169,13 +170,11 @@ > >>>>> SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf > >>>>> > >>>> > >> > OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib > >>>> /BaseOrderedCollectionRedBlackTreeLib.inf > >>>>> > XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf > >>>>> > >>>>> [LibraryClasses.common] > >>>>> -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >>>>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf > >>>>> -!endif > >>>>> > >>>>> [LibraryClasses.common.SEC] > >>>>> TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf > >>>>> > QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf > >>>>> !ifdef $(DEBUG_ON_SERIAL_PORT) > >>>>> @@ -261,13 +260,13 @@ > >>>>> > >>>> > >> > DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf > >>>>> !else > >>>>> > >>>> > >> > DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i > >>>> nf > >>>>> !endif > >>>>> UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf > >>>>> -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >>>>> + > >>>>> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > >>>>> -!endif > >>>>> + > >>>>> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf > >>>>> > >>>>> [LibraryClasses.common.UEFI_DRIVER] > >>>>> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf > >>>>> TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf 
> >>>>> @@ -705,16 +704,12 @@ > >>>>> NetworkPkg/TcpDxe/TcpDxe.inf > >>>>> NetworkPkg/Udp6Dxe/Udp6Dxe.inf > >>>>> NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf > >>>>> NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf > >>>>> NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf > >>>>> -!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE > >>>>> NetworkPkg/IScsiDxe/IScsiDxe.inf > >>>>> !else > >>>>> - MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > >>>>> -!endif > >>>>> -!else > >>>>> MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf > >>>>> MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf > >>>>> MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf > >>>>> !endif > >>>>> !if $(HTTP_BOOT_ENABLE) =3D=3D TRUE > >>>>> > >>> > > >=20 > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel
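
Review bot: In the `@@ -139,14 +139,15 @@` hunk of OvmfPkgIa32.dsc (and the matching `@@ -144,14 +144,15 @@` hunks in the other two DSC files), the `IntrinsicLib` and `OpensslLib` resolutions now sit outside `!if $(SECURE_BOOT_ENABLE) == TRUE` with nothing in the file saying why a CryptoPkg INF is referenced when no crypto feature is enabled. A one-line DSC comment above the two lines, stating that they are resolved unconditionally for optional consumers and are harmless when no module uses the class, would save the next reader from assuming OpenSSL has become a build prerequisite. The same comment applies to the `BaseCryptLib` line under `[LibraryClasses.common]`, where the `!if`/`!endif` pair is dropped.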
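
Review bot: In the `@@ -256,13 +255,13 @@` hunk (and the `@@ -261,13 +260,13 @@` hunks in OvmfPkgIa32X64.dsc and OvmfPkgX64.dsc), the removed `!if $(SECURE_BOOT_ENABLE) == TRUE` and `!endif` lines are each replaced by an added blank line, so the `BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf` entry ends up isolated by empty lines in the middle of an otherwise contiguous library list. Simply delete the two conditional lines without adding the blank `+` lines; that keeps the section layout consistent and shrinks the diff.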
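
Review bot: In the `@@ -698,16 +697,12 @@` hunk of OvmfPkgIa32.dsc (repeated at `@@ -707,16 +706,12 @@` and `@@ -705,16 +704,12 @@` in the other two files), removing the inner `!if $(SECURE_BOOT_ENABLE) == TRUE` / `!else` / `!endif` drops the `MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf` fallback, so `NetworkPkg/IScsiDxe/IScsiDxe.inf` becomes the only iSCSI driver on that branch of the enclosing conditional. Per the discussion above, that driver needs OpenSSL, which means a `-D NETWORK_IP6_ENABLE` build in a tree without OpenSSL changes from working to failing, and the commit message does not say so. This behavioural change should be split out of the "always resolve the library classes" change into its own patch, with the new OpenSSL requirement for the IPv6 stack stated explicitly in its commit message.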