Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg libraries

[Laszlo Ersek <lersek@redhat.com>]

On 01/17/17 02:08, Wu, Jiaxin wrote:
> Laszlo,
> 
> I don't think this patch makes OpenSSL must requirement for building
> OVMF by default.
> 
> As I note in the commit log that "no build performance impacts" if
> OpenSSL related library is not consumed by any other modules.

I saw that comment, and I didn't understand it. What do you mean by
"performance impact"? How quickly the tree builds? Or how quickly the
resultant firmware boots? My concerns aren't related to performance, but
whether OVMF builds at all, or not.

> That
> also means "Including OpenSSL libraries unconditionally won't break
> OVMF build by default since all dependent modules are controlled by
> the defined flag with the false value."

So practically the suggestion is to provide unconditional library
resolutions for the OpenSslLib, IntrinsicLib and BaseCryptLib classes,
regardless of whether those classes are actually used by any module.

I see the point, but then the commit message should be improved. It
should also explain that unused lib class resolutions that refer to
nonexistent INF files (for example when OpenSSL is missing from the
tree) do not cause build failures, unless the lib class is actually used.

The commit message could be

OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib

> 
> Secure Boot feature is controlled by:
> * DEFINE SECURE_BOOT_ENABLE      = FALSE
> 
> ISCSIv6 requires OpenSSL, which is controlled by:   
> * DEFINE NETWORK_IP6_ENABLE      = FALSE

That's not entirely right; currently you can build with -D
NETWORK_IP6_ENABLE and without OpenSSL (i.e., without -D
SECURE_BOOT_ENABLE, at the moment). It will use IScsiDxe from
MdeModulePkg, rather than from NetworkPkg.

Is your argument that such an IPv6 stack (that is, with IScsiDxe comes
from MdeModulePkg) is incomplete in itself? In other words, that a
complete IPv6 stack requires IScsiDxe from NetworkPkg, hence OpenSSL too?

In that case, the relevant parts of the OVMF DSC / FDF files should be
fixed in a separate patch, with a separate justification. Something like:

OvmfPkg: correct the set of modules included for the IPv6 stack

> 
> IPsec is a mandatory part of IPv6, but is not an integral part of IPv4, then it should be controlled by:
> * DEFINE NETWORK_IP6_ENABLE      = FALSE
> (For IPsec, I just notice it's not included in OVMF platform if IPV6 enabled, we should fix it.)

Yes, it could be part of the above-suggested IPv6-oriented patch.

> 
> HTTPS/TLS will also be controlled by:
> * DEFINE TLS_ENABLE    = FALSE

Makes sense.

(And then HTTP_BOOT_ENABLE should pull in different modules dependent on
TLS_ENABLE.)

> Namely:
> OpenSSL is required to follow Patch-HOWTO *only when needed*.
> 
> Of course, as you propose, we can also add OPENSSL_ENABLE flag to
> control all the OpenSSL libraries. But as I mentioned above, do you
> think it's necessary? I don't have strong opinion for OPENSSL_ENABLE
> flag, but makes the logic more complexity as you list below.

No, with your explanation, it seems fine. I think in total we'll need
four patches:

* OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib

  Does what it says; commit message suggestions above.

* OvmfPkg: correct the set of modules included for the IPv6 stack

  Fixes up IScsiDxe and IPSec, makes OpenSSL a hard requirement for
  IPv6. (And documents the fact in the commit message.)

* OvmfPkg: pull in TLS modules with -D TLS_ENABLE

  Resolves the TLS-specific library classes, and pulls in TLS drivers
  (that are independent of HTTPS).

* OvmfPkg: enable HTTPS boot under (HTTP_BOOT_ENABLE + TLS_ENABLE)

  Adds any TLS-specific customizations to existent HTTP_BOOT_ENABLE
  parts.

What do you guys think?

I believe it would be preferable if one of you (Gary?) could submit the
whole 4-part series, with the other one (Jiaxin?) helping out with the
review. Would that work for you both?

Thanks!
Laszlo

> 
> Thanks,
> Jiaxin
> 
>> -----Original Message-----
>> From: Laszlo Ersek [mailto:lersek@redhat.com]
>> Sent: Tuesday, January 17, 2017 4:33 AM
>> To: Wu, Jiaxin <jiaxin.wu@intel.com>; edk2-devel@ml01.01.org
>> Cc: Justen, Jordan L <jordan.l.justen@intel.com>; Gary Lin <glin@suse.com>;
>> Long, Qin <qin.long@intel.com>; Kinney, Michael D
>> <michael.d.kinney@intel.com>
>> Subject: Re: [PATCH v2] OvmfPkg: Remove the flag control for the CryptoPkg
>> libraries
>>
>> On 01/16/17 13:22, Jiaxin Wu wrote:
>>> v2:
>>> * Remove the flag for NetworkPkg/IScsiDxe
>>>
>>> This patch is to remove the 'SECURE_BOOT_ENABLE' flag control for
>>> the CryptoPkg librarie.
>>>
>>> Not only the secure boot feature requires the CryptoPkg libraries
>>> (e.g, OpensslLib, BaseCryptLib), but also ISCSI, IpSec and HTTPS/TLS
>>> features. Those modules can be always included since no build performance
>>> impacts if they are not consumed.
>>>
>>> Cc: Laszlo Ersek <lersek@redhat.com>
>>> Cc: Justen Jordan L <jordan.l.justen@intel.com>
>>> Cc: Gary Lin <glin@suse.com>
>>> Cc: Long Qin <qin.long@intel.com>
>>> Contributed-under: TianoCore Contribution Agreement 1.0
>>> Signed-off-by: Wu Jiaxin <jiaxin.wu@intel.com>
>>> ---
>>>  OvmfPkg/OvmfPkgIa32.dsc    | 17 ++++++-----------
>>>  OvmfPkg/OvmfPkgIa32X64.dsc | 17 ++++++-----------
>>>  OvmfPkg/OvmfPkgX64.dsc     | 17 ++++++-----------
>>>  3 files changed, 18 insertions(+), 33 deletions(-)
>>
>> I disagree with this patch (assuming at least that I understand it
>> correctly).
>>
>> Namely,
>> - unconditionally resolving OpensslLib in the DSC files, and
>> - unconditionally consuming OpensslLib in modules that are
>>   unconditionally included in the DSC files,
>>
>> makes OpenSSL a hard requirement for building OVMF.
>>
>> Given that OpenSSL is not distributed as part of the edk2 tree, and
>> given that it's not even pulled in through an unmodified git submodule,
>> this patch would prevent people, IIUC, from building OVMF without
>> jumping through the hoops described in
>>
>>   CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
>>
>> That's a bad thing, forcing people to download and patch OpenSSL even if
>> they don't care about any of the dependent features. (It is perfectly
>> possible to be uninterested in *all* of: Secure Boot, IpSec, HTTPS boot,
>> and iSCSI, in a virtual machine.)
>>
>> If OpenSSL were distributed as part of edk2, or if OpenSSL were
>> presented as a plain (unmodified) git submodule in edk2, then I might agree.
>>
>> For now, perhaps we can introduce an OPENSSL_ENABLE build option.
>>
>> - Features that require OpenSSL no matter what, such as
>>   SECURE_BOOT_ENABLE, should auto-define OPENSSL_ENABLE.
>>
>>   (I don't remember if the [Defines] section of the DSC file can set
>>   macros conditionally, dependent on other macros, but I hope so.)
>>
>> - Features that can utilize (but don't require) OpenSSL, such as
>>   NETWORK_IP6_ENABLE and HTTP_BOOT_ENABLE, should provide conditional
>>   DSC stanzas for both $(OPENSSL_ENABLE) == TRUE and == FALSE.
>>
>> - The libraries and drivers that provide the crypto stuff (directly on
>>   top of OpenSSL) should depend on OPENSSL_ENABLE.
>>
>> In fact, looking at Gary's patch "OvmfPkg: Enable HTTPS for Ovmf" with
>> TLS_ENABLE, it seems like we need another layer. HTTP_BOOT_ENABLE should
>> not be customized for OPENSSL_ENABLE, but for TLS_ENABLE.
>>
>> In summary:
>> - SECURE_BOOT_ENABLE should auto-select OPENSSL_ENABLE.
>> - TLS_ENABLE should auto-select OPENSSL_ENABLE.
>> - NETWORK_IP6_ENABLE should be customized based on OPENSSL_ENABLE
>>   (for the ISCSI driver).
>> - HTTP_BOOT_ENABLE should be customized based on TLS_ENABLE.
>> - OPENSSL_ENABLE should control the CryptoPkg modules that directly
>>   wrap the OpenSSL functionality, for edk2.
>>
>> As a result, the following build option combinations would be valid
>> (listing some examples):
>>
>> * -D SECURE_BOOT_ENABLE
>>
>>   It would set OPENSSL_ENABLE. If OpenSSL is available, it would build
>>   fine, otherwise it would break, as it should.
>>
>> * -D NETWORK_IP6_ENABLE
>>
>>   You get the IPv6 stack, but no secure ISCSI.
>>
>> * -D NETWORK_IP6_ENABLE -D OPENSSL_ENABLE
>>
>>   You get the IPv6 stack, with secure ISCSI. If OpenSSL is not
>>   available, the build breaks, as it should.
>>
>> * -D HTTP_BOOT_ENABLE
>>
>>   You get HTTP boot, but not HTTPS boot.
>>
>> * -D HTTP_BOOT_ENABLE -D OPENSSL_ENABLE <----- note that this is useless
>>
>>   Same, no change.
>>
>> * -D TLS_ENABLE
>>
>>   Selects OPENSSL_ENABLE automatically. If OpenSSL is not available,
>>   the build breaks. Otherwise, the TLS drivers are included in the fw
>>   binary. They might not be used by any edk2 module, but some 3rd party
>>   UEFI application (launched from the shell, eg.) could.
>>
>> * -D HTTP_BOOT_ENABLE -D TLS_ENABLE
>>
>>   HTTP and HTTPS boot becomes available. If OpenSSL is absent from the
>>   tree, the build breaks.
>>
>> * -D SECURE_BOOT_ENABLE -D HTTP_BOOT_ENABLE -D
>> NETWORK_IP6_ENABLE
>>
>>   You get Secure Boot, and secure ISCSI with IPv6, but not HTTPS
>>   boot.
>>
>> * -D SECURE_BOOT_ENABLE -D HTTP_BOOT_ENABLE -D TLS_ENABLE \
>>   -D NETWORK_IP6_ENABLE
>>
>>   You get everything.
>>
>> My point is, if we touch these build flags, then we should go the whole
>> way, and express their inter-dependencies precisely.
>>
>> Thanks!
>> Laszlo
>>
>>> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
>>> index e97f7f0..6e53d9f 100644
>>> --- a/OvmfPkg/OvmfPkgIa32.dsc
>>> +++ b/OvmfPkg/OvmfPkgIa32.dsc
>>> @@ -1,9 +1,9 @@
>>>  ## @file
>>>  #  EFI/Framework Open Virtual Machine Firmware (OVMF) platform
>>>  #
>>> -#  Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
>>> +#  Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
>>>  #  (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
>>>  #
>>>  #  This program and the accompanying materials
>>>  #  are licensed and made available under the terms and conditions of the
>> BSD License
>>>  #  which accompanies this distribution. The full text of the license may be
>> found at
>>> @@ -139,14 +139,15 @@
>>>
>>>    ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf
>>>
>> LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
>>>
>> DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD
>> ebugPrintErrorLevelLib.inf
>>>
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>> -
>> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>>>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
>>>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
>>> +
>>> +!if $(SECURE_BOOT_ENABLE) == TRUE
>>> +
>> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>>>
>> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
>> easurementLib.inf
>>>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
>>>  !if $(NETWORK_IP6_ENABLE) == TRUE
>>>    TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
>>>  !endif
>>> @@ -164,13 +165,11 @@
>>>    SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
>>>
>> OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib
>> /BaseOrderedCollectionRedBlackTreeLib.inf
>>>    XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
>>>
>>>  [LibraryClasses.common]
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
>>> -!endif
>>>
>>>  [LibraryClasses.common.SEC]
>>>    TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
>>>    QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf
>>>  !ifdef $(DEBUG_ON_SERIAL_PORT)
>>> @@ -256,13 +255,13 @@
>>>
>> DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
>>>  !else
>>>
>> DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i
>> nf
>>>  !endif
>>>    UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>> +
>>>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
>>> -!endif
>>> +
>>>    PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
>>>
>>>  [LibraryClasses.common.UEFI_DRIVER]
>>>    PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
>>>    TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf
>>> @@ -698,16 +697,12 @@
>>>    NetworkPkg/TcpDxe/TcpDxe.inf
>>>    NetworkPkg/Udp6Dxe/Udp6Dxe.inf
>>>    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>>>    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>>>    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>>    NetworkPkg/IScsiDxe/IScsiDxe.inf
>>>  !else
>>> -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>> -!endif
>>> -!else
>>>    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>>>    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>>    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>>  !endif
>>>  !if $(HTTP_BOOT_ENABLE) == TRUE
>>> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
>>> index 8e3e04c..15db2d5 100644
>>> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
>>> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
>>> @@ -1,9 +1,9 @@
>>>  ## @file
>>>  #  EFI/Framework Open Virtual Machine Firmware (OVMF) platform
>>>  #
>>> -#  Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
>>> +#  Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
>>>  #  (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
>>>  #
>>>  #  This program and the accompanying materials
>>>  #  are licensed and made available under the terms and conditions of the
>> BSD License
>>>  #  which accompanies this distribution. The full text of the license may be
>> found at
>>> @@ -144,14 +144,15 @@
>>>
>>>    ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf
>>>
>> LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
>>>
>> DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD
>> ebugPrintErrorLevelLib.inf
>>>
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>> -
>> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>>>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
>>>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
>>> +
>>> +!if $(SECURE_BOOT_ENABLE) == TRUE
>>> +
>> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>>>
>> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
>> easurementLib.inf
>>>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
>>>  !if $(NETWORK_IP6_ENABLE) == TRUE
>>>    TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
>>>  !endif
>>> @@ -169,13 +170,11 @@
>>>    SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
>>>
>> OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib
>> /BaseOrderedCollectionRedBlackTreeLib.inf
>>>    XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
>>>
>>>  [LibraryClasses.common]
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
>>> -!endif
>>>
>>>  [LibraryClasses.common.SEC]
>>>    TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
>>>    QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf
>>>  !ifdef $(DEBUG_ON_SERIAL_PORT)
>>> @@ -261,13 +260,13 @@
>>>
>> DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
>>>  !else
>>>
>> DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i
>> nf
>>>  !endif
>>>    UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>> +
>>>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
>>> -!endif
>>> +
>>>    PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
>>>
>>>  [LibraryClasses.common.UEFI_DRIVER]
>>>    PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
>>>    TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf
>>> @@ -707,16 +706,12 @@
>>>    NetworkPkg/TcpDxe/TcpDxe.inf
>>>    NetworkPkg/Udp6Dxe/Udp6Dxe.inf
>>>    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>>>    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>>>    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>>    NetworkPkg/IScsiDxe/IScsiDxe.inf
>>>  !else
>>> -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>> -!endif
>>> -!else
>>>    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>>>    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>>    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>>  !endif
>>>  !if $(HTTP_BOOT_ENABLE) == TRUE
>>> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
>>> index 6ec3fe0..9c6bdc2 100644
>>> --- a/OvmfPkg/OvmfPkgX64.dsc
>>> +++ b/OvmfPkg/OvmfPkgX64.dsc
>>> @@ -1,9 +1,9 @@
>>>  ## @file
>>>  #  EFI/Framework Open Virtual Machine Firmware (OVMF) platform
>>>  #
>>> -#  Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
>>> +#  Copyright (c) 2006 - 2017, Intel Corporation. All rights reserved.<BR>
>>>  #  (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
>>>  #
>>>  #  This program and the accompanying materials
>>>  #  are licensed and made available under the terms and conditions of the
>> BSD License
>>>  #  which accompanies this distribution. The full text of the license may be
>> found at
>>> @@ -144,14 +144,15 @@
>>>
>>>    ResetSystemLib|OvmfPkg/Library/ResetSystemLib/ResetSystemLib.inf
>>>
>> LocalApicLib|UefiCpuPkg/Library/BaseXApicX2ApicLib/BaseXApicX2ApicLib.inf
>>>
>> DebugPrintErrorLevelLib|MdePkg/Library/BaseDebugPrintErrorLevelLib/BaseD
>> ebugPrintErrorLevelLib.inf
>>>
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>> -
>> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>>>    IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf
>>>    OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf
>>> +
>>> +!if $(SECURE_BOOT_ENABLE) == TRUE
>>> +
>> PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
>>>
>> TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmM
>> easurementLib.inf
>>>    AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
>>>  !if $(NETWORK_IP6_ENABLE) == TRUE
>>>    TcpIoLib|MdeModulePkg/Library/DxeTcpIoLib/DxeTcpIoLib.inf
>>>  !endif
>>> @@ -169,13 +170,11 @@
>>>    SmbusLib|MdePkg/Library/BaseSmbusLibNull/BaseSmbusLibNull.inf
>>>
>> OrderedCollectionLib|MdePkg/Library/BaseOrderedCollectionRedBlackTreeLib
>> /BaseOrderedCollectionRedBlackTreeLib.inf
>>>    XenHypercallLib|OvmfPkg/Library/XenHypercallLib/XenHypercallLib.inf
>>>
>>>  [LibraryClasses.common]
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
>>> -!endif
>>>
>>>  [LibraryClasses.common.SEC]
>>>    TimerLib|OvmfPkg/Library/AcpiTimerLib/BaseRomAcpiTimerLib.inf
>>>    QemuFwCfgLib|OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgSecLib.inf
>>>  !ifdef $(DEBUG_ON_SERIAL_PORT)
>>> @@ -261,13 +260,13 @@
>>>
>> DebugLib|MdePkg/Library/BaseDebugLibSerialPort/BaseDebugLibSerialPort.inf
>>>  !else
>>>
>> DebugLib|OvmfPkg/Library/PlatformDebugLibIoPort/PlatformDebugLibIoPort.i
>> nf
>>>  !endif
>>>    UefiRuntimeLib|MdePkg/Library/UefiRuntimeLib/UefiRuntimeLib.inf
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>> +
>>>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
>>> -!endif
>>> +
>>>    PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
>>>
>>>  [LibraryClasses.common.UEFI_DRIVER]
>>>    PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
>>>    TimerLib|OvmfPkg/Library/AcpiTimerLib/DxeAcpiTimerLib.inf
>>> @@ -705,16 +704,12 @@
>>>    NetworkPkg/TcpDxe/TcpDxe.inf
>>>    NetworkPkg/Udp6Dxe/Udp6Dxe.inf
>>>    NetworkPkg/Dhcp6Dxe/Dhcp6Dxe.inf
>>>    NetworkPkg/Mtftp6Dxe/Mtftp6Dxe.inf
>>>    NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>> -!if $(SECURE_BOOT_ENABLE) == TRUE
>>>    NetworkPkg/IScsiDxe/IScsiDxe.inf
>>>  !else
>>> -  MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>> -!endif
>>> -!else
>>>    MdeModulePkg/Universal/Network/Tcp4Dxe/Tcp4Dxe.inf
>>>    MdeModulePkg/Universal/Network/UefiPxeBcDxe/UefiPxeBcDxe.inf
>>>    MdeModulePkg/Universal/Network/IScsiDxe/IScsiDxe.inf
>>>  !endif
>>>  !if $(HTTP_BOOT_ENABLE) == TRUE
>>>
>