From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=DsAkQqGW; spf=pass (domain: linaro.org, ip: 209.85.166.195, mailfrom: ard.biesheuvel@linaro.org) Received: from mail-it1-f195.google.com (mail-it1-f195.google.com [209.85.166.195]) by groups.io with SMTP; Tue, 21 May 2019 02:02:08 -0700 Received: by mail-it1-f195.google.com with SMTP id m141so3682231ita.3 for ; Tue, 21 May 2019 02:02:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RWq5Ypi89CDaSIHr52vD0ieP52k6l93nbiyzEz9nrHU=; b=DsAkQqGWC3QYZ+z+krQVqZRcpM8vgvLDtWaBXTfq3/eDP4BhqJUo8gR83jgiTJ+2Ye I3klkORcorPerebiyyb0wDbstfK0kylklsUTtC6751PDetJmOuOoHoQr/Gamm17Qa/Pu XiGqBh5KUHd8N+t7S4aChF2xmNQR9lHZG/y3Sf/166F0x2xtjJoPcyfawoUKsuknj0Ny GUm2wevc9jImaV+VVBCb4oJLehxXziapRMpBQ96E7qqSF7eViNb5khs5hNQVbEF1Br6v UIHa7MXozGDlGB1+FWYzc58cbNazz3FwC+QsKcNaLjNfNMpPqQOCLOk3Bmu2X6CBTkkK x/Yg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RWq5Ypi89CDaSIHr52vD0ieP52k6l93nbiyzEz9nrHU=; b=Cknqc+ofwMn653RWIOVLvBbqN5i9Orb+Mu/40MVzsIOMXdYIFupBlmD2gJXd/lc+vL iZRn8cKW9NPDV1/HLBK2m/6A20T+W+NqrahxQ3OnRMlRNGn1IaeC9d1XrzuR6s1PTpAB 2zkX+Dxp0xhMFwFuIjeIbeJ/pDb9tUlu/jbPbUOOpD0bJSajex76OkOu6+VuKtm277ZG Dp6G7HkLnE8+AE3Q9Grmk5HoPfZKOWOiIlCjL6O0abqCvv6NZC5k9OvnQJDW18vlkgeO pajSkw2/cKzq/imNqguJ6NyASBHmX2MSlT8CJ62eU9tyVdXLU0lP6/JFz7T/LRpzoYLZ 912Q== X-Gm-Message-State: APjAAAXt2LoCuyPpQO8QJGBFsZHhKkg1Cv/EIUR0LLC5todZWVfRj0iA eGWlvn4Ggy219fNQND7kUb5SPPc79wcUj7Z3k53hGA== X-Google-Smtp-Source: APXvYqzCf6PAQusAtlF00rBQcIB5DLH2PE6SkwYNcmIiHY7Y8pp1EaIrro3eNKbFotK3QSDiOoD5Xh0Q1RHHHq5UZhU= X-Received: by 2002:a24:910b:: with SMTP id i11mr3173934ite.76.1558429327280; Tue, 21 May 2019 02:02:07 -0700 (PDT) MIME-Version: 1.0 References: <1557993298-22205-1-git-send-email-xiaoyux.lu@intel.com> <049e489c-b58f-0fc5-1c66-8ad920d93979@redhat.com> <0a6b50d4-3837-a5e6-7f3a-36386c65d42b@redhat.com> <75b13a2a-f570-97e9-a7df-5e24b2a2b22c@redhat.com> <15A0408CA29C0595.820@groups.io> In-Reply-To: From: "Ard Biesheuvel" Date: Tue, 21 May 2019 11:01:55 +0200 Message-ID: Subject: Re: [edk2-devel] [PATCH v4 0/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b To: "Wang, Jian J" Cc: "devel@edk2.groups.io" , Laszlo Ersek , "Lu, XiaoyuX" , "Ye, Ting" , Leif Lindholm , "Gao, Liming" Content-Type: text/plain; charset="UTF-8" On Tue, 21 May 2019 at 09:43, Wang, Jian J wrote: > > Hi Ard, > > Any comments? > > Regards, > Jian > > > -----Original Message----- > > From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Wang, > > Jian J > > Sent: Monday, May 20, 2019 9:41 AM > > To: devel@edk2.groups.io; ard.biesheuvel@linaro.org; Laszlo Ersek > > > > Cc: Lu, XiaoyuX ; Ye, Ting ; Leif > > Lindholm ; Gao, Liming > > Subject: Re: [edk2-devel] [PATCH v4 0/7] CryptoPkg: Upgrade OpenSSL to 1.1.1b > > > > Ard, > > > > > > > -----Original Message----- > > > From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Ard > > > Biesheuvel > > > Sent: Friday, May 17, 2019 11:06 PM > > > To: Laszlo Ersek > > > Cc: Wang, Jian J ; devel@edk2.groups.io; Lu, XiaoyuX > > > ; Ye, Ting ; Leif Lindholm > > > ; Gao, Liming > > > Subject: Re: [edk2-devel] [PATCH v4 0/7] CryptoPkg: Upgrade OpenSSL to > > 1.1.1b > > > > > > On Fri, 17 May 2019 at 15:17, Laszlo Ersek wrote: > > > > > > > > On 05/17/19 15:04, Laszlo Ersek wrote: > > > > > On 05/17/19 07:11, Wang, Jian J wrote: > > > > >> Hi Laszlo, > > > > >> > > > > >> There's already a float library used in OpensslLib.inf. > > > > >> > > > > >> [LibraryClasses.ARM] > > > > >> ArmSoftFloatLib > > > > >> > > > > >> The problem is that the below instance doesn't implement __aeabi_ui2d > > > > >> and __aeabi_d2uiz (I encountered this one as well) > > > > >> > > > > >> ArmPkg\Library\ArmSoftFloatLib\ArmSoftFloatLib.inf > > > > >> > > > > >> I think we can update this library support those two APIs. So what about > > > > >> we still push the patch and file a BZ to fix this issue? > > > > > > > > > > I'm OK with that, but it will break ARM and AARCH64 platforms that > > > > > consume OpensslLib (directly or through BaseCryptLib), so this question > > > > > is up to Leif and Ard to decide. > > > > > > > > Correction: break ARM platforms only, not AARCH64. > > > > > > > > > > We obviously need to fix this before we can upgrade to a new OpenSSL version. > > > > > > Do we really have a need for the random functions? These seem the only > > > ones that use floating point, which the UEFI spec does not permit, so > > > it would be better if we could fix this by removing the dependency on > > > FP in the first place (and get rid of ArmSoftFloatLib entirely) > > > > > > > BaseCryptLib provides RandSeed/RandBytes interface which wrap openssl rand > > functionalities. These interfaces are used by following components in edk2 > > > > - CryptoPkg\Library\TlsLib\TlsInit.c > > - SecurityPkg\HddPassword\HddPasswordDxe.c > > > > Openssl components, like asn1, bn, evp, ocsp, pem, pkcs7, pkcs12, rsa, ssl (in > > addition > > to cms, dsa, srp, which are disabled in edk2) will call rand_* interface as well. > > If we have both internal (to Openssl) and external users of the RNG api, then I guess there is no way to work around this. It is unfortunate, since the RNG code in OpenSSL doesn't actually use double types except for keeping an entropy count, which could just as easily be kept in an integer variable. So we will need to fix ArmSoftFloatLib before we can merge this OpenSSL update. I'm happy to help doing that, could you please summarize what we are missing today?