From: Sean <spbrogan@outlook.com>
To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io; Zhang, Qi1 <qi1.zhang@intel.com>
Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>
Subject: Re: [edk2-devel] [PATCH V2 0/4] CryptoPkg: add more X509 functions.
Date: Tue, 11 Oct 2022 07:09:30 +0000

Thanks for the context.

I am very glad to see you all adding unit tests with the feature enablement.

Thanks
Sean

________________________________
From: Yao, Jiewen <jiewen.yao@intel.com>
Sent: Monday, October 10, 2022 5:36:21 PM
To: Sean Brogan <spbrogan@outlook.com>; devel@edk2.groups.io; Zhang, Qi1 <qi1.zhang@intel.com>
Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>
Subject: RE: [edk2-devel] [PATCH V2 0/4] CryptoPkg: add more X509 functions.

Hi Sean

You are right that the purpose is NOT to expose *all* APIs. Our purpose is still to export *necessary* APIs only.

This X.509 work is for SPDM support (https://www.dmtf.org/dsp/DSP0274). The BIOS may need to collect the device identity (certificate) and validate the integrity of the certificate chain.

As such, the BIOS will check the device certificate based upon the definition in the SPDM specification.
For example, SPDM 1.2.1 (https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_1.2.1.pdf) - 10.8.2 SPDM certificate requirements and recommendations, Table 33 — Required fields, Table 34 — Optional fields.

To summarize our recent changes:
1) ECC in OpensslLib is to support more TLS cipher suites
2) ECC (EC-DH), BigNumber and TLS new APIs in BaseCryptoLib are to support WPA3
3) SHA-384 (HMAC/HKDF), ECDSA, AEAD (AES-GCM) and X.509 new APIs in BaseCryptoLib are for SPDM.

All functions are associated with a PCD family bit. For old platforms, if this new feature is not required, they can just be turned off.
We also evaluated implementing the same API with other crypto libs, such as mbedtls. It is also feasible. As such, those APIs are openssl-agnostic.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Sean Brogan <spbrogan@outlook.com>
> Sent: Tuesday, October 11, 2022 5:01 AM
> To: devel@edk2.groups.io; Zhang, Qi1 <qi1.zhang@intel.com>
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Lu, Xiaoyu1 <xiaoyu1.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com>
> Subject: Re: [edk2-devel] [PATCH V2 0/4] CryptoPkg: add more X509 functions.
>
> Can you provide some context as to why we need to make all these x509
> functions external?
>
> BaseCryptLib was intended to simplify crypto usage and not be a full
> featured crypto library interface.
>
> At some point we might as well just open up the openssl export table and
> wrap that in a dynamically generated protocol/ppi.
>
> If this is intended to make an Edk2 crypto library api that is
> implementation agnostic but full featured then maybe you could do as Tls
> did which was create your own usage specific API/wrapper. Then CryptoPkg
> API surface will increase but it doesn't have to all be in one
> monolithic library.
>
> Thanks
> Sean
>
> On 10/10/2022 4:32 AM, Qi Zhang wrote:
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4082
> >
> > This patch series is to add more CryptoX509 functions.
> >
> > Tested by:
> > 1. https://github.com/tianocore/edk2-staging/tree/DeviceSecurity.
> > 2. Unit test: CryptoPkg/Test/UnitTest/Library/BaseCryptLib/X509Tests.c
> >
> > Review PR: https://github.com/tianocore/edk2/pull/3380.
> >
> > V2 change: rename X509SetDateTime() to X509FormatDateTime().
> >
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
> > Cc: Guomin Jiang <guomin.jiang@intel.com>
> > Signed-off-by: Qi Zhang <qi1.zhang@intel.com>
> >
> > Qi Zhang (4):
> >   CryptoPkg: add new X509 function definition.
> >   CryptoPkg: add new X509 function.
> >   CryptoPkg: add new X509 function to Crypto Service.
> >   CryptoPkg: add Unit Test for X509 new function.
> >
> >  CryptoPkg/Driver/Crypto.c                     |  432 ++++++-
> >  CryptoPkg/Include/Library/BaseCryptLib.h      |  374 ++++++
> >  .../Pcd/PcdCryptoServiceFamilyEnable.h        |   34 +-
> >  CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 1036 +++++++++++++++++
> >  .../Library/BaseCryptLib/Pk/CryptX509Null.c   |  429 +++++++
> >  .../BaseCryptLibNull/Pk/CryptX509Null.c       |  429 +++++++
> >  .../BaseCryptLibOnProtocolPpi/CryptLib.c      |  415 +++++++
> >  CryptoPkg/Private/Protocol/Crypto.h           |  390 +++++++
> >  .../BaseCryptLib/BaseCryptLibUnitTests.c      |    1 +
> >  .../Library/BaseCryptLib/TestBaseCryptLib.h   |    4 +
> >  .../BaseCryptLib/TestBaseCryptLibHost.inf     |    1 +
> >  .../BaseCryptLib/TestBaseCryptLibShell.inf    |    1 +
> >  .../UnitTest/Library/BaseCryptLib/X509Tests.c |  631 ++++++++++
> >  13 files changed, 4166 insertions(+), 11 deletions(-)
> >  create mode 100644 CryptoPkg/Test/UnitTest/Library/BaseCryptLib/X509Tests.c
> >