From: "Long, Qin"
To: Laszlo Ersek, edk2-devel-01
Cc: "Ni, Ruiyu", Ard Biesheuvel, "Ye, Ting", "Justen, Jordan L", "Wu, Jiaxin", Gary Lin, Tomas Hoger
Subject: Re: [edk2] [PATCH v2 2/5] CryptoPkg/OpensslLib: introduce OpensslLibCrypto instance
Date: Fri, 24 Feb 2017 13:30:42 +0000
In-Reply-To: <20170224110132.19374-3-lersek@redhat.com>
References: <20170224110132.19374-1-lersek@redhat.com> <20170224110132.19374-3-lersek@redhat.com>
List-Id: EDK II Development (edk2-devel@lists.01.org)

Reviewed-by: Qin Long

Best Regards & Thanks,
LONG, Qin

> -----Original Message-----
> From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of
> Laszlo Ersek
> Sent: Friday, February 24, 2017 7:01 PM
> To: edk2-devel-01
> Cc: Ni, Ruiyu; Ard Biesheuvel; Ye, Ting; Justen, Jordan L; Wu, Jiaxin; Gary Lin; Long, Qin; Tomas Hoger
> Subject: [edk2] [PATCH v2 2/5] CryptoPkg/OpensslLib: introduce OpensslLibCrypto instance
>
> Commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib directly",
> 2016-12-14) pulls OpenSSL's libssl files into the "OpensslLib.inf" library
> instance unconditionally.
>
> If a platform doesn't include the TLS modules, such as
>
> - CryptoPkg/Library/TlsLib/TlsLib.inf
> - NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf
> - NetworkPkg/TlsDxe/TlsDxe.inf
>
> then the platform never actually uses the libssl functionality that gets built
> into "OpensslLib.inf".
>
> Tomas Hoger from Red Hat Product Security tells me that security evaluation
> is less demanding if we can actually *exclude* the libssl files from such OVMF
> builds that don't specify -D TLS_ENABLE (rather than just trust modules not
> to call libssl functions if we don't specify -D TLS_ENABLE).
>
> This patch introduces a parallel OpensslLib instance called "OpensslLibCrypto"
> that is appropriate for platform builds without TLS enablement. It does not
> build C source files in vain, and it eases security review -- all libssl
> vulnerabilities can be excluded at once.
>
> "OpensslLibCrypto.inf" is created as a copy of "OpensslLib.inf", modifying the
> BASE_NAME, MODULE_UNI_FILE and FILE_GUID defines.
>
> "process_files.sh" is extended to auto-generate the list of OpenSSL files for
> both library instances accordingly. This list is updated in
> "OpensslLibCrypto.inf" at once.
>
> "OpensslLibCrypto.uni" is introduced as a copy of "OpensslLib.uni",
> highlighting the difference.
>
> Cc: Ard Biesheuvel
> Cc: Gary Lin
> Cc: Jiaxin Wu
> Cc: Jordan Justen
> Cc: Qin Long
> Cc: Ruiyu Ni
> Cc: Ting Ye
> Cc: Tomas Hoger
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Laszlo Ersek
> ---
>
> Notes:
>     v2:
>     - replace "OpensslLibNoSsl" with "OpensslLibCrypto" in commit message
>     - rename OpensslLibNoSsl.{inf,uni} to OpensslLibCrypto.{inf,uni}
>     - adapt BASE_NAME and MODULE_UNI_FILE in INF file
>     - replace "without libssl" with "(libcrypto only, no libssl)" in UNI file
>     - replace "OpensslLibNoSsl" with "OpensslLibCrypto" in shell script
>     - rename variable OPENSSL_NOSSL_PATH to OPENSSL_CRYPTO_PATH in shell script
>     - replace "with-ssl" parameter to "filelist" function with "crypto-and-ssl" in shell script
>     - replace "without-ssl" parameter to "filelist" function with "crypto-only" in shell script
>     - retest shell script
>
>  CryptoPkg/Library/OpensslLib/{OpensslLib.inf => OpensslLibCrypto.inf} | 56 ++------------------
>  CryptoPkg/Library/OpensslLib/{OpensslLib.uni => OpensslLibCrypto.uni} |  8 +--
>  CryptoPkg/Library/OpensslLib/process_files.sh                         | 27 +++++++--
>  3 files changed, 28 insertions(+), 63 deletions(-)
>
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> similarity index 90%
> copy from CryptoPkg/Library/OpensslLib/OpensslLib.inf
> copy to CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index 42f523a611e5..9a03c2cf10c5 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -14,9 +14,9 @@ >=20 > [Defines] > INF_VERSION =3D 0x00010005 > - BASE_NAME =3D OpensslLib > - MODULE_UNI_FILE =3D OpensslLib.uni > - FILE_GUID =3D C873A7D0-9824-409f-9B42-2C158B992E6= 9 > + BASE_NAME =3D OpensslLibCrypto > + MODULE_UNI_FILE =3D OpensslLibCrypto.uni > + FILE_GUID =3D E29FC209-8B64-4500-BD20-AF4EAE47EA0= E > MODULE_TYPE =3D BASE > VERSION_STRING =3D 1.0 > LIBRARY_CLASS =3D OpensslLib 
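Review bot: LIBRARY_CLASS stays OpensslLib in this hunk, so OpensslLib.inf and OpensslLibCrypto.inf are two mutually exclusive resolutions of one library class and a platform DSC has to pick exactly one of them; nothing in the new INF says so, and nothing says that the `DEFINE OPENSSL_PATH` line now exists in two INFs that must be bumped together on every OpenSSL update (the process_files.sh change only aborts on divergence, it does not propagate the value). A short comment above `LIBRARY_CLASS = OpensslLib` in OpensslLibCrypto.inf noting both points would save the next person who updates only one file.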
> @@ -474,56 +474,6 @@ [Sources] > $(OPENSSL_PATH)/crypto/cmac/cmac.c > $(OPENSSL_PATH)/crypto/cmac/cm_ameth.c > $(OPENSSL_PATH)/crypto/cmac/cm_pmeth.c > - $(OPENSSL_PATH)/ssl/s2_meth.c > - $(OPENSSL_PATH)/ssl/s2_srvr.c > - $(OPENSSL_PATH)/ssl/s2_clnt.c > - $(OPENSSL_PATH)/ssl/s2_lib.c > - $(OPENSSL_PATH)/ssl/s2_enc.c > - $(OPENSSL_PATH)/ssl/s2_pkt.c > - $(OPENSSL_PATH)/ssl/s3_meth.c > - $(OPENSSL_PATH)/ssl/s3_srvr.c > - $(OPENSSL_PATH)/ssl/s3_clnt.c > - $(OPENSSL_PATH)/ssl/s3_lib.c > - $(OPENSSL_PATH)/ssl/s3_enc.c > - $(OPENSSL_PATH)/ssl/s3_pkt.c > - $(OPENSSL_PATH)/ssl/s3_both.c > - $(OPENSSL_PATH)/ssl/s3_cbc.c > - $(OPENSSL_PATH)/ssl/s23_meth.c > - $(OPENSSL_PATH)/ssl/s23_srvr.c > - $(OPENSSL_PATH)/ssl/s23_clnt.c > - $(OPENSSL_PATH)/ssl/s23_lib.c > - $(OPENSSL_PATH)/ssl/s23_pkt.c > - $(OPENSSL_PATH)/ssl/t1_meth.c > - $(OPENSSL_PATH)/ssl/t1_srvr.c > - $(OPENSSL_PATH)/ssl/t1_clnt.c > - $(OPENSSL_PATH)/ssl/t1_lib.c > - $(OPENSSL_PATH)/ssl/t1_enc.c > - $(OPENSSL_PATH)/ssl/t1_ext.c > - $(OPENSSL_PATH)/ssl/d1_meth.c > - $(OPENSSL_PATH)/ssl/d1_srvr.c > - $(OPENSSL_PATH)/ssl/d1_clnt.c > - $(OPENSSL_PATH)/ssl/d1_lib.c > - $(OPENSSL_PATH)/ssl/d1_pkt.c > - $(OPENSSL_PATH)/ssl/d1_both.c > - $(OPENSSL_PATH)/ssl/d1_srtp.c > - $(OPENSSL_PATH)/ssl/ssl_lib.c > - $(OPENSSL_PATH)/ssl/ssl_err2.c > - $(OPENSSL_PATH)/ssl/ssl_cert.c > - $(OPENSSL_PATH)/ssl/ssl_sess.c > - $(OPENSSL_PATH)/ssl/ssl_ciph.c > - $(OPENSSL_PATH)/ssl/ssl_stat.c > - $(OPENSSL_PATH)/ssl/ssl_rsa.c > - $(OPENSSL_PATH)/ssl/ssl_asn1.c > - $(OPENSSL_PATH)/ssl/ssl_txt.c > - $(OPENSSL_PATH)/ssl/ssl_algs.c > - $(OPENSSL_PATH)/ssl/ssl_conf.c > - $(OPENSSL_PATH)/ssl/bio_ssl.c > - $(OPENSSL_PATH)/ssl/ssl_err.c > - $(OPENSSL_PATH)/ssl/kssl.c > - $(OPENSSL_PATH)/ssl/t1_reneg.c > - $(OPENSSL_PATH)/ssl/tls_srp.c > - $(OPENSSL_PATH)/ssl/t1_trce.c > - $(OPENSSL_PATH)/ssl/ssl_utst.c >=20 > # Autogenerated files list ends here >=20 
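Review bot: the removed block is exactly the `$(OPENSSL_PATH)/ssl/` entries, which matches the `RELATIVE_DIRECTORY != "ssl"` filter the script now applies, and no `crypto/` entry is touched, so the crypto-only list differs from OpensslLib.inf only in that one directory. Two things worth stating in the INF or the script comment: the filter keys on the directory name, not on a libssl/libcrypto split in MINFO, so a future libssl-only source living outside `ssl/` would be kept; and the notes only record a re-test of the shell script, so a build of a platform that resolves OpensslLib to OpensslLibCrypto.inf without `-D TLS_ENABLE` would confirm that the remaining `crypto/` objects link with no unresolved references into the removed files.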
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.uni > b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.uni > similarity index 67% > copy from CryptoPkg/Library/OpensslLib/OpensslLib.uni > copy to CryptoPkg/Library/OpensslLib/OpensslLibCrypto.uni > index 0dffec1c98a3..7891b135953b 100644 > --- a/CryptoPkg/Library/OpensslLib/OpensslLib.uni > +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.uni > @@ -1,7 +1,7 @@ > // /** @file > -// This module provides openSSL Library implementation. > +// This module provides openSSL Library implementation (libcrypto only, = no > libssl). > // > -// This module provides OpenSSL Library implementation. > +// This module provides OpenSSL Library implementation (libcrypto only, = no > libssl). > // > // Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved. // > @@ -16,7 +16,7 @@ // **/ >=20 >=20 > -#string STR_MODULE_ABSTRACT #language en-US "OpenSSL Library > implementation" > +#string STR_MODULE_ABSTRACT #language en-US "OpenSSL Library > implementation (libcrypto only, no libssl)" >=20 > -#string STR_MODULE_DESCRIPTION #language en-US "This module > provides OpenSSL Library implementation." > +#string STR_MODULE_DESCRIPTION #language en-US "This module > provides OpenSSL Library implementation (libcrypto only, no libssl)." >=20 > diff --git a/CryptoPkg/Library/OpensslLib/process_files.sh > b/CryptoPkg/Library/OpensslLib/process_files.sh > index 6f069ce264ac..9f10409824d1 100755 > --- a/CryptoPkg/Library/OpensslLib/process_files.sh > +++ b/CryptoPkg/Library/OpensslLib/process_files.sh 
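Review bot: in the OpensslLibCrypto.uni hunk, the unchanged context line `// Copyright (c) 2010 - 2014, Intel Corporation.` is carried into a file created by this 2017 patch; a new copy should carry the current year. The two edited header comment lines also keep the original's inconsistent spelling (`openSSL` on the first, `OpenSSL` on the second) even though both lines are being rewritten; making both read `OpenSSL` costs nothing here.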
> @@ -1,8 +1,8 @@ > #!/bin/sh > # > -# This script runs the OpenSSL Configure script, then processes the -# > resulting file list into our local OpensslLib.inf and also takes -# a cop= y of > opensslconf.h. > +# This script runs the OpenSSL Configure script, then processes the > +resulting # file list into our local OpensslLib.inf and > +OpensslLibCrypto.inf, and also # takes a copy of opensslconf.h. > # > # This only needs to be done once by a developer when updating to a # n= ew > version of OpenSSL (or changing options, etc.). Normal users @@ -10,6 > +10,12 @@ # git repository for them. >=20 > OPENSSL_PATH=3D$(sed -n '/DEFINE OPENSSL_PATH/{s/.* \(openssl-[0- > 9.]*[a-z]*\)[[:space:]]*/\1/ p}' OpensslLib.inf) > +OPENSSL_CRYPTO_PATH=3D$(sed -n '/DEFINE OPENSSL_PATH/{s/.* > +\(openssl-[0-9.]*[a-z]*\)[[:space:]]*/\1/ p}' OpensslLibCrypto.inf) > + > +if [ "$OPENSSL_PATH" !=3D "$OPENSSL_CRYPTO_PATH" ]; then > + echo "OPENSSL_PATH diverges between OpensslLib.inf and > OpensslLibCrypto.inf" > + exit 1 > +fi >=20 > if ! cd "${OPENSSL_PATH}" ; then > echo "Cannot change to OpenSSL directory \"${OPENSSL_PATH}\"" > @@ -65,6 +71,8 @@ cd - >=20 > function filelist () > { > + SSL_SELECT=3D"$1" > + > echo '1,/# Autogenerated files list starts here/p' > echo '/# Autogenerated files list ends here/,$p' > echo '/# Autogenerated files list starts here/a\' 
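Review bot: in the `OPENSSL_CRYPTO_PATH` hunk, the divergence check only fires when the two sed results differ, so if either INF has lost its `DEFINE OPENSSL_PATH` line, or the regex stops matching a future version string, both variables are empty, the comparison passes, and the script continues into `cd ""`. Add `[ -n "$OPENSSL_PATH" ] || { echo "OPENSSL_PATH not found"; exit 1; }` next to the comparison, and consider extracting the sed expression into a small function so the two copies of it cannot drift apart. In the same file, `function filelist ()` and `echo -e` remain bash-isms under a `#!/bin/sh` shebang; pre-existing, but the function header is being touched by this patch.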
> @@ -76,18 +84,25 @@ function filelist () > ;; > LIBSRC=3D*) > LIBSRC=3D$(echo "$LINE" | sed s/^LIBSRC=3D//) > - for FILE in $LIBSRC; do > + if [ "$RELATIVE_DIRECTORY" !=3D "ssl" ] || > + [ "$SSL_SELECT" =3D "crypto-and-ssl" ]; then > + for FILE in $LIBSRC; do > if [ "$FILE" !=3D "b_print.c" ]; then > echo -e ' > $(OPENSSL_PATH)/'$RELATIVE_DIRECTORY/$FILE\\r\\ > fi > - done > + done > + fi > ;; > esac > done > echo -e \\r > } >=20 > -filelist < "${OPENSSL_PATH}/MINFO" | sed -n -f - -i OpensslLib.inf > +filelist crypto-and-ssl < "${OPENSSL_PATH}/MINFO" \ > +| sed -n -f - -i OpensslLib.inf > + > +filelist crypto-only < "${OPENSSL_PATH}/MINFO" \ > +| sed -n -f - -i OpensslLibCrypto.inf >=20 > # We can tell Windows users to put this back manually if they can't run = # > Configure. For now, until the git repository is fixed to store things > -- > 2.9.3 >=20 >=20 > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel
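Review bot: in the `filelist` loop hunk, `SSL_SELECT` is only ever compared against `"crypto-and-ssl"`, so any other first argument (a typo, or no argument at all) silently yields the crypto-only list and would rewrite OpensslLib.inf without its `ssl/` sources; validate `$1` at the top of `filelist` and exit for anything other than the two accepted values. Style: `for FILE in $LIBSRC; do` and `done` were re-indented for the new `if`, but the `if [ "$FILE" != "b_print.c" ]` body between them keeps its old indentation, so the nesting no longer reads correctly.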
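The review above rests on one property: OpensslLibCrypto.inf must be OpensslLib.inf minus every `$(OPENSSL_PATH)/ssl/` source, with both INFs resolving the same LIBRARY_CLASS and the same, non-empty OPENSSL_PATH. The check below is an added worked example, not part of the edk2 patch, of process_files.sh, or of the reply; it parses the [Defines] and [Sources] sections of two INF texts and reports any libssl file that leaked into the crypto-only instance, any libcrypto file it lost, and any OPENSSL_PATH problem (including the empty-value case the script's own comparison misses). The INF texts are constructed, abridged stand-ins for the real files (which list several hundred sources); the version string openssl-1.0.2j is an assumption. The functions take strings so it runs offline; feed them the real files' contents to use it on a checkout.

```python
"""Check that a libcrypto-only EDK II INF is the full OpensslLib INF minus ssl/.

Added example, not part of the edk2 patch or of process_files.sh. The INF
samples below are constructed stand-ins; the real files list several hundred
sources and the OpenSSL version string is an assumption.
"""
import re

_SECTION_RE = re.compile(r'^\[([^\]]+)\]$')
_SSL_PREFIX = '$(OPENSSL_PATH)/ssl/'   # the directory process_files.sh filters on


def parse_inf(text):
    """Split EDK II INF text into {section: [entries]}; '#' comments and blanks dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def define_value(sections, key):
    """Value of 'KEY = v' or 'DEFINE KEY = v' in [Defines], or None if absent."""
    for entry in sections.get('Defines', []):
        lhs, sep, rhs = entry.partition('=')
        name = lhs.strip()
        if name.startswith('DEFINE '):
            name = name[len('DEFINE '):].strip()
        if sep and name == key:
            return rhs.strip()
    return None


def check_crypto_only(full_inf_text, crypto_inf_text):
    """Compare the two library instances the way a reviewer would.

    The crypto-only INF must carry no $(OPENSSL_PATH)/ssl/ source, must otherwise
    list exactly the sources of the full INF, and both must resolve the same
    LIBRARY_CLASS and the same, non-empty OPENSSL_PATH (the condition
    process_files.sh aborts on, plus the empty-value case it does not catch).
    """
    full, crypto = parse_inf(full_inf_text), parse_inf(crypto_inf_text)
    full_src = full.get('Sources', [])
    crypto_src = crypto.get('Sources', [])
    expected = [s for s in full_src if not s.startswith(_SSL_PREFIX)]
    full_path = define_value(full, 'OPENSSL_PATH')
    crypto_path = define_value(crypto, 'OPENSSL_PATH')
    report = {
        'ssl_in_crypto': [s for s in crypto_src if s.startswith(_SSL_PREFIX)],
        'missing_from_crypto': [s for s in expected if s not in crypto_src],
        'extra_in_crypto': [s for s in crypto_src
                            if s not in expected and not s.startswith(_SSL_PREFIX)],
        'openssl_path': (full_path, crypto_path),
        'openssl_path_ok': bool(full_path) and full_path == crypto_path,
        'library_class_ok': (define_value(full, 'LIBRARY_CLASS') ==
                             define_value(crypto, 'LIBRARY_CLASS') == 'OpensslLib'),
    }
    report['ok'] = (not report['ssl_in_crypto'] and not report['missing_from_crypto']
                    and not report['extra_in_crypto']
                    and report['openssl_path_ok'] and report['library_class_ok'])
    return report


# Constructed, abridged stand-ins for OpensslLib.inf and OpensslLibCrypto.inf.
FULL_INF = """\
[Defines]
  INF_VERSION         = 0x00010005
  BASE_NAME           = OpensslLib
  LIBRARY_CLASS       = OpensslLib
  DEFINE OPENSSL_PATH = openssl-1.0.2j

[Sources]
  # Autogenerated files list starts here
  $(OPENSSL_PATH)/crypto/cryptlib.c
  $(OPENSSL_PATH)/crypto/cmac/cmac.c
  $(OPENSSL_PATH)/ssl/ssl_lib.c
  $(OPENSSL_PATH)/ssl/s3_pkt.c
  # Autogenerated files list ends here
"""

CRYPTO_INF = """\
[Defines]
  INF_VERSION         = 0x00010005
  BASE_NAME           = OpensslLibCrypto
  LIBRARY_CLASS       = OpensslLib
  DEFINE OPENSSL_PATH = openssl-1.0.2j

[Sources]
  # Autogenerated files list starts here
  $(OPENSSL_PATH)/crypto/cryptlib.c
  $(OPENSSL_PATH)/crypto/cmac/cmac.c
  # Autogenerated files list ends here
"""

# A broken regeneration: one libssl file leaked in, one libcrypto file dropped.
BAD_CRYPTO_INF = CRYPTO_INF.replace('  $(OPENSSL_PATH)/crypto/cmac/cmac.c\n',
                                    '  $(OPENSSL_PATH)/ssl/ssl_lib.c\n')

if __name__ == '__main__':
    for label, text in (('OpensslLibCrypto', CRYPTO_INF),
                        ('broken regeneration', BAD_CRYPTO_INF)):
        r = check_crypto_only(FULL_INF, text)
        print(label, 'OK' if r['ok'] else 'FAIL',
              {k: v for k, v in r.items() if k != 'ok'})
```

The comparison deliberately keys on the `$(OPENSSL_PATH)/ssl/` prefix, the same rule process_files.sh uses, so it reports exactly what that script would have produced or missed; a libssl-only source placed outside `ssl/` would pass both, which is the caveat the second review note raises.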