From: "Long, Qin"
To: Laszlo Ersek, "edk2-devel@lists.01.org"
CC: "ard.biesheuvel@linaro.org", "Ye, Ting", "ronald.cron@arm.com", "Wu, Jiaxin", "glin@suse.com"
Date: Wed, 22 Mar 2017 16:20:12 +0000
Subject: Re: [PATCH v1 0/9] *** Upgrade CryptoPkg to use the latest OpenSSL 1.1.0xx/stable release ***
References: <20170321155612.1192-1-qin.long@intel.com> <4410fa53-b0e4-d64a-7b95-8a430a4c7b06@redhat.com>
In-Reply-To: <4410fa53-b0e4-d64a-7b95-8a430a4c7b06@redhat.com>
List-Id: EDK II Development

Thank you, Ersek. The comments look good to me.

Yes, I will send out the V2 patches to integrate those comments, after we
finish the validations on TLS/HTTPS part with Thomas's suggestions about
TlsLib wrapper.

Best Regards & Thanks,
LONG, Qin

> -----Original Message-----
> From: Laszlo Ersek [mailto:lersek@redhat.com]
> Sent: Wednesday, March 22, 2017 9:02 PM
> To: Long, Qin; edk2-devel@lists.01.org
> Cc: ard.biesheuvel@linaro.org; Ye, Ting;
> ronald.cron@arm.com; Wu, Jiaxin; glin@suse.com
> Subject: Re: [edk2] [PATCH v1 0/9] *** Upgrade CryptoPkg to use the latest
> OpenSSL 1.1.0xx/stable release ***
>
> On 03/21/17 16:56, Qin Long wrote:
> > (https://github.com/qloong/edk2/tree/dev-openssl-stable)
> >
> > Current EDKII-CryptoPkg is leveraging OpenSSL-1.0.2xx as the
> > underlying cryptographic provider, which requires some extra patches
> > (EDKII-openssl-xxxx.patch) and installation scripts for EDKII build & usage.
> > The latest stable version of OpenSSL was upgraded to the 1.1.0 series
> > of release, with lots of EDKII-specific patches integration, which
> > make CryptoPkg possible to remove all extra patch and scripts for more
> > native build support.
> >
> > This patch series is to update EDKII-CryptoPkg to support native
> > building with the latest OpenSSL 1.1.0xx. (By now, the latest OpenSSL
> > stable release is 1.1.0e). Refer
> > "CryptoPkg/Library/OpensslLib/OpenSSL-HOWTO.txt" for the information
> > about the version and source installation.
> >
> > (NOTE: The extra build options for ARM/RVCT/XCODE were kept, which expect
> > further optimizations from community)
> >
> > Qin Long (9):
> >   CryptoPkg/OpensslLib: Update INF files to support OpenSSL-1.1.0xx build.
> >   CryptoPkg/OpensslLib: Remove patch file and installation scripts.
> >   CryptoPkg: Fix handling of &strcmp function pointers
> >   CryptoPkg/OpensslLib: Use new Perl script for file list generation.
> >   CryptoPkg: Clean-up CRT Library Wrapper.
> >   CryptoPkg: Add extra build option to disable VS build warning
> >   CryptoPkg: Update HMAC Wrapper implementation with opaque HMAC_CTX object.
> >   CryptoPkg: Update PK Ciphers Wrapper Implementations work with opaque objects.
> >   CryptoPkg/TlsLib: Update TLS Wrapper Library to align with OpenSSL changes.
>
> * I build-tested this series with ArmVirtQemu, as in:
>
>   build -a AARCH64 -t GCC5 -p ArmVirtPkg/ArmVirtQemu.dsc \
>     -n 12 -b DEBUG -D DEBUG_PRINT_ERROR_LEVEL=0x8040004F \
>     -D PURE_ACPI_BOOT_ENABLE --cmd-len=65536 -D SECURE_BOOT_ENABLE
>
> Note that the build does not cover TLS functionality (patch #9), because
> ArmVirtQemu uses "OpensslLibCrypto.inf"
>
> * I did some functional testing with OVMF (Ia32X64), again without enabling
> TLS (so patch #9 was likely not exercised.) Secure Boot remains enabled &
> working for VMs that had it enabled earlier. Also, deleting the PK, and
> re-enrolling all the keys (re-enabling SB) works too.
> Unsigned images are rejected.
>
> If this was the final version of the set, I'd give my T-b, for patches 1-8. But, I
> think you are going to submit a v2 anyway, which I'll have to test again.
>
> (I tested v1 to see if there was a functional problem that I should report.)
>
> Thanks!
> Laszlo