Re: [PATCH v1 0/9] *** Upgrade CryptoPkg to use the latest OpenSSL 1.1.0xx/stable release ***

["Long, Qin" <qin.long@intel.com>]

Thank you, Ersek.

The comments looks good to me.  
Yes, I will send out the V2 patches to integrate those comments, after we finish the validations on TLS/HTTPS part with Thomas's suggestions about TlsLib wrapper.


Best Regards & Thanks,
LONG, Qin

> -----Original Message-----
> From: Laszlo Ersek [mailto:lersek@redhat.com]
> Sent: Wednesday, March 22, 2017 9:02 PM
> To: Long, Qin <qin.long@intel.com>; edk2-devel@lists.01.org
> Cc: ard.biesheuvel@linaro.org; Ye, Ting <ting.ye@intel.com>;
> ronald.cron@arm.com; Wu, Jiaxin <jiaxin.wu@intel.com>; glin@suse.com
> Subject: Re: [edk2] [PATCH v1 0/9] *** Upgrade CryptoPkg to use the latest
> OpenSSL 1.1.0xx/stable release ***
> 
> On 03/21/17 16:56, Qin Long wrote:
> > (https://github.com/qloong/edk2/tree/dev-openssl-stable)
> >
> > Current EDKII-CryptoPkg is leveraging OpenSSL-1.0.2xx as the
> > underlying cryptographic provider, which requires some extra patches
> > (EDKII-openssl-xxxx.patch) and installation scripts for EDKII build & usage.
> > The latest stable version of OpenSSL was upgraded to the 1.1.0 series
> > of release, with lots of EDKII-specific patches integration, which
> > make CryptoPkg possbile to remove all extra patch and scripts for more
> > native build support.
> >
> > This patch series is to update EDKII-CryptoPkg to support native
> > building with the latest OpenSSL 1.1.0xx. (By now, the latest OpenSSL
> > stable release is 1.1.0e). Refer
> > "CryptoPkg/Library/OpensslLib/OpenSSL-HOWTO.txt" for the information
> about the version and source installation.
> >
> > (NOTE: The extra build options for ARM/RVCT/XCODE were kept, which
> expect
> >        further optimizations from community)
> >
> > Qin Long (9):
> >   CryptoPkg/OpensslLib: Update INF files to support OpenSSL-1.1.0xx build.
> >   CryptoPkg/OpensslLib: Remove patch file and installation scripts.
> >   CryptoPkg: Fix handling of &strcmp function pointers
> >   CryptoPkg/OpensslLib: Use new Perl script for file list generation.
> >   CryptoPkg: Clean-up CRT Library Wrapper.
> >   CryptoPkg: Add extra build option to disable VS build warning
> >   CryptoPkg: Update HMAC Wrapper implementation with opaque
> HMAC_CTX object.
> >   CryptoPkg: Update PK Ciphers Wrapper Implementations work with
> opaque objects.
> >   CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL
> changes.
> 
> * I build-tested this series with ArmVirtQemu, as in:
> 
> build -a AARCH64 -t GCC5 -p ArmVirtPkg/ArmVirtQemu.dsc \
>   -n 12 -b DEBUG -D DEBUG_PRINT_ERROR_LEVEL=0x8040004F \
>   -D PURE_ACPI_BOOT_ENABLE --cmd-len=65536 -D SECURE_BOOT_ENABLE
> 
> Note that the buid does not cover TLS functionality (patch #9), because
> ArmVirtQemu uses "OpensslLibCrypto.inf"
> 
> * I did some functional testing with OVMF (Ia32X64), again without enabling
> TLS (so patch #9 was likely not exercised.) Secure Boot remains enabled &
> working for VMs that had it enabled earlier. Also, deleting the PK, and re-
> enrolling all the keys (re-enabling SB) works too.
> Unsigned images are rejected.
> 
> If this was the final version of the set, I'd give my T-b, for patches 1-8. But, I
> think you are going to submit a v2 anyway, which I'll have to test again.
> 
> (I tested v1 to see if there was a functional problem that I should report.)
> 
> Thanks!
> Laszlo